CHAPTER 11_Security Operations Flashcards Preview


Flashcards in CHAPTER 11_Security Operations Deck (329):
1

authenticate

authenticate To verify the identity of a subject requesting the use of a system and/or access to network resources. The steps to giving a subject access to an object should be identification, authentication, and authorization.

2

Media Protection

Now, what is a media librarian responsible for again?

  • Marking
  • Logging
  • Integrity verification
  • Physical access protection
  • Environmental protection
  • Transmittal
  • Disposition

3

CHAPTER 3

Security Architecture and Design

This domain includes questions from the following topics:

  • System architecture
  • Computer hardware architecture
  • Operating system architecture
  • System security architecture
  • Trusted computing base and security mechanisms
  • Information security software models
  • Assurance evaluation criteria and ratings
  • Certification and accreditation processes

4

About the Technical Editor

Polisetty Veera Subrahmanya Kumar, CISSP, CISA, PMP, PMI-RMP, MCPM, ITIL, has more than 20 years’ experience in the field of information technology. His areas of specialization include information security, business continuity, project management, and risk management. Currently he is serving his term as chairperson for the Project Management Institute’s PMI-RMP (PMI-Risk Management Professional) Credentialing Committee. In the past he has worked as content development team leader on a variety of PMI standards development projects. He was a lead instructor for the PMI PMBOK review seminars. He is also serving his term as a member of ISACA’s India Growth Task Force team.

5

physical controls

physical controls Controls that pertain to controlling individual access into the facility and different departments, locking systems and removing unnecessary floppy or CD-ROM drives, protecting the perimeter of the facility, monitoring for intrusion, and checking environmental controls.

6

acceptable use policy

Companies should have an acceptable use policy, which indicates what software users can install and informs users that the environment will be surveyed from time to time to verify compliance. Technical controls should be put in place to prevent unauthorized users from being able to install unauthorized software in the environment.

7

Asset Identification and Management

Asset management is easily understood as "knowing what the company owns." In a retail store, this may be called inventory management, and is part of routine operations to ensure that sales records and accounting systems are accurate and that theft is discovered. While these same principles may apply to an IT environment, there’s much more to it than just the physical and financial aspect.

8

least privilege

least privilege The security principle that requires each subject to be granted the most restrictive set of privileges needed for the performance of authorized tasks. The application of this principle limits the damage that can result from accident, error, or unauthorized use.

9

system cold start

A system cold start takes place when an unexpected kernel or media failure happens and the regular recovery procedure cannot recover the system to a more consistent state. The system, kernel, and user objects may remain in an inconsistent state while the system attempts to recover itself, and intervention may be required by the user or administrator to restore the system.

10

Vulnerability Testing

Vulnerability testing, whether manual, automated, or—preferably—a combination of both, requires staff and/or consultants with a deep security background and the highest level of trustworthiness. Even the best automated vulnerability scanning tool will produce output that can be misinterpreted as crying wolf (false positive) when there is only a small puppy in the room, or alert you to something that is indeed a vulnerability but that either does not matter to your environment or is adequately compensated elsewhere. There may also be two individual vulnerabilities that exist, which by themselves are not very important but when put together are critical. And of course, false negatives will also crop up, such as an obscure element of a single vulnerability that matters greatly to your environment but that is not called out by the tool.

11

11. What is the difference between hierarchical storage management and storage area network technologies?

A. HSM uses optical or tape jukeboxes, and SAN is a standard of how to develop and implement this technology.

B. HSM and SAN are one and the same. The difference is in the implementation.

C. HSM uses optical or tape jukeboxes, and SAN is a network of connected storage.

D. SAN uses optical or tape jukeboxes, and HSM is a network of connected storage systems.

Extended Questions:

CORRECT C. Hierarchical storage management (HSM) provides continuous online backup functionality. It combines hard disk technology with the cheaper and slower optical or tape jukeboxes. The HSM system dynamically manages the storage and recovery of files, which are copied to storage media devices that vary in speed and cost. The faster media hold the data that is accessed more often, and the seldom-used files are stored on the slower devices, or near-line devices. The storage media could include optical disks, magnetic disks, and tapes. This functionality happens in the background without the knowledge of the user or any need for user intervention. A storage area network, on the other hand, consists of large amounts of storage devices linked together by a high-speed private network and storage-specific switches. When a user makes a request for a file, he does not need to know which server or tape drive to go to—the SAN software finds it and provides it to the user.

WRONG A is incorrect because SAN is not a standard for how to develop and implement HSM. A SAN is a network of connected storage devices. SANs provide redundancy, fault tolerance, reliability, and backups, and they allow the users and administrators to interact with the SAN as one virtual entity. Because the network that carries the data in the SAN is separate from a company’s regular data network, all of this performance, reliability, and flexibility come without impact to the data networking capabilities of the systems on the network.

WRONG B is incorrect because HSM and SAN are not the same. Hierarchical storage management (HSM) uses conventional hard disk backup processes combined with optical/tape jukeboxes. A storage area network (SAN) uses a networked system of storage devices integrated into an established network.

WRONG D is incorrect because the statement is backward. HSM uses optical or tape jukeboxes, and SAN is a network of connected storage systems. HSM was created to save money and time. It provides an economical and efficient way of storing data by combining higher-speed, higher-cost storage media for frequently accessed data with lower-speed, lower-cost media for infrequently accessed data. SANs, on the other hand, are for companies that have to keep track of terabytes of data and have the funds for this type of technology. They are not commonly used in large or mid-sized companies.

12

challenge-response method

challenge-response method A method used to verify the identity of a subject by sending the subject an unpredictable or random value. If the subject responds with the expected value in return, the subject is authenticated.

13

Direct Access Storage Device (DASD)

Direct Access Storage Device (DASD) is a general term for magnetic disk storage devices, which historically have been used in mainframe and minicomputer (mid-range computer) environments. RAID is a type of DASD. The key distinction between Direct Access and Sequential Access storage devices is that any point on a Direct Access Storage Device may be promptly reached, whereas every point in between the current position and the desired position of a Sequential Access Storage Device must be traversed in order to reach the desired position. Tape drives are Sequential Access Storage Devices. Some tape drives have minimal amounts of Direct Access intelligence built in. These include multitrack tape devices that store at specific points on the tape and cache in the tape drive information about where major sections of data on the tape begin, allowing the tape drive to more quickly reach a track and a point on the track from which to begin the now much shorter traversal of data from that indexed point to the desired point. While this makes such tape drives noticeably faster than their purely sequential peers, the difference in performance between Sequential and Direct Access Storage Devices is orders of magnitude.

14

Supercomputers

Supercomputers might be considered a special class of mainframe. They share many architectural similarities, but where mainframes are designed for very high quantities of general processing, supercomputers are optimized for extremely complex central processing (which also happens to require the vast I/O capability of the mainframe architecture). Where a mainframe’s several processors will balance the load of a very high number of general processes, a supercomputer’s possibly massive number of processes may be custom designed to allow a large number of very highly parallelized copies of a particular application to communicate in real time, or a very small number of extremely complex scientific algorithms to leverage vast amounts of data at once.

email Security

15

33. C. Some of the weaknesses and characteristics of packet-filtering firewalls are as follows:

  • They cannot prevent attacks that employ application-specific vulnerabilities or functions.
  • The logging functionality present in packet-filtering firewalls is limited.
  • Most packet-filtering firewalls do not support advanced user authentication schemes.
  • Many packet-filtering firewalls cannot detect spoofed addresses.
  • They may not be able to detect packet fragmentation attacks.

16

Assurance Levels

When products are evaluated for the level of trust and assurance they provide, many times operational assurance and life-cycle assurance are part of the evaluation process. Operational assurance concentrates on the product’s architecture, embedded features, and functionality that enable a customer to continually obtain the necessary level of protection when using the product. Examples of operational assurances examined in the evaluation process are access control mechanisms, the separation of privileged and user program code, auditing and monitoring capabilities, covert channel analysis, and trusted recovery when the product experiences unexpected circumstances.

17

compensating controls

compensating controls Controls that are alternative procedures designed to reduce the risk. They are used to "counterbalance" the effects of an internal control weakness.

18

9. Which of the following incorrectly describes IP spoofing and session hijacking?

A. Address spoofing helps an attacker to hijack sessions between two users without being noticed.

B. IP spoofing makes it harder to track down an attacker.

C. Session hijacking can be prevented with mutual authentication.

D. IP spoofing is used to hijack SSL and IPSec secure communications.

Extended Questions:

CORRECT D. Secure Sockets Layer (SSL) and IPSec can protect the integrity, authenticity, and confidentiality of network traffic. Even if an attacker spoofed an IP address, he would not be able to successfully manipulate or read SSL- or IPSec-encrypted traffic, as he would not have access to the keys and other cryptographic material required.

WRONG A is incorrect because the statement is true. Address spoofing helps an attacker to hijack sessions between two users without being noticed. If an attacker wanted to take over a session between two computers, she would need to put herself in the middle of their conversation without being detected. Tools like Juggernaut and the HUNT Project enable the attacker to spy on the TCP connection and then hijack it.

WRONG B is incorrect because the statement is true. Spoofing is the presentation of false information, usually within packets, to trick other systems and hide the origin of the message. This is usually done by hackers so that their identity cannot be successfully uncovered.

WRONG C is incorrect because the statement is true. If session hijacking is a concern on a network, the administrator can implement a protocol, such as IPSec or Kerberos, that requires mutual authentication between users or systems.

19

secure configuration management

secure configuration management Implementing the set of appropriate procedures to control the life cycle of an application, document the necessary change control activities, and ensure that the changes will not violate the security policy.

20

annualized loss expectancy (ALE)

annualized loss expectancy (ALE) A dollar amount that estimates the loss potential from a risk in a span of a year.

21

Vulnerability Scanning Recap : Vulnerability scanners provide the following capabilities:

  • The identification of active hosts on the network
  • The identification of active and vulnerable services (ports) on hosts
  • The identification of applications and banner grabbing
  • The identification of operating systems
  • The identification of vulnerabilities associated with discovered operating systems and applications
  • The identification of misconfigured settings
  • Testing for compliance with host applications’ usage/security policies
  • The establishment of a foundation for penetration testing

22

simple security property

simple security property A Bell-LaPadula security model rule that stipulates that a subject cannot read data at a higher security level.

23

1. Which of the following is not a common component of configuration management change control steps?

A. Tested and presented

B. Service-level agreement approval

C. Report change to management

D. Approval of the change

Extended Questions:

CORRECT B. A well-structured change management process should be established to aid staff members through many different types of changes to the environment. This process should be laid out in the change control policy. Although the types of changes vary, a standard list of procedures can help keep the process under control and ensure it is carried out in a predictable manner. A change control policy should include procedures for requesting a change to take place, approving the change, documentation of the change, testing and presentation, implementation, and reporting the change to management. Configuration management change control processes do not commonly have an effect on service-level agreement approvals.

WRONG A is incorrect because testing and presentation should be included in a standard change control policy. All changes must be fully tested to uncover any unforeseen results. Depending on the severity of the change and the company’s organization, the change and implementation may need to be presented to a change control committee. This helps show different sides to the purpose and outcome of the change and the possible ramifications.

WRONG C is incorrect because a procedure for reporting a change to management should be included in a standard change control policy. After a change is implemented, a full report summarizing the change should be submitted to management. This report can be submitted on a periodic basis to keep management up to date and ensure continual support.

WRONG D is incorrect because a procedure for obtaining approval for the change should be included in a standard change control policy. The individual requesting the change must justify the reasons and clearly show the benefits and possible pitfalls of the change. Sometimes the requester is asked to conduct more research and provide more information before the change is approved.

24

Configuration Management

The only thing that is constant is change.

Every company should have a policy indicating how changes take place within a facility, who can make the changes, how the changes are approved, and how the changes are documented and communicated to other employees. Without these policies in place, people can make changes that others do not know about and that have not been approved, which can result in a confusing mess at the lowest end of the impact scale, and a complete breakdown of operations at the high end. Heavily regulated industries such as finance, pharmaceuticals, and energy have very strict guidelines regarding what specifically can be done and at exactly what time and under which conditions. These guidelines are intended to avoid problems that could impact large segments of the population or downstream partners. Without strict controls and guidelines, vulnerabilities can be introduced into an environment. Tracking down and reversing the changes after everything is done can be a very complicated and nearly impossible task.

25

A

access A subject’s ability to view, modify, or communicate with an object. Access enables the flow of information between the subject and the object.

26

Hack and Attack Methods

Several types of attacks have been explained in the chapters throughout this book. This section brings together these attack methods, and others that have not been presented, to show how they are related, how they can be detected, and how they can be countered.

27

overt channel

overt channel A path within a computer system or network that is designed for the authorized transfer of data.

28

Tracking the number and location of backup versions

(both onsite and offsite). This is necessary to ensure proper disposal of information when the information reaches the end of its lifespan, to account for the location and accessibility of information during audits, and to find a backup copy of information if the primary source of the information is lost or damaged.

29

Session Hijacking

Many attackers spoof their addresses, meaning that the address within the frame that is used to commit the attack has an IP address that is not theirs. This makes it much harder to track down the attacker, which is the attacker’s purpose for spoofing in the first place. This also enables an attacker to hijack sessions between two users without being noticed.

30

5. Which of the following refers to the amount of time it will be expected to take to get a device fixed and back into production?

A. SLA

B. MTTR

C. Hot swap

D. MTBF

Extended Questions:

CORRECT B. Mean time to repair (MTTR) is the amount of time it will be expected to take to get a device fixed and back into production. For a hard drive in a redundant array, the MTTR is the amount of time between the actual failure and the time when, after noticing the failure, someone has replaced the failed drive and the redundant array has completed rewriting the information on the new drive. This is likely to be measured in hours. For a nonredundant hard drive in a desktop PC, the MTTR is the amount of time between when the drive goes down and the time when the replaced hard drive has been reloaded with the operating system, software, and any backed-up data belonging to the user. This is likely to be measured in days. For an unplanned reboot, the MTTR is the amount of time between the failure of the system and the point in time when it has rebooted its operating system, checked the state of its disks, restarted its applications, allowed its applications to check the consistency of their data, and once again begun processing transactions.

WRONG A is incorrect because a service-level agreement (SLA) addresses the degree of availability that will be provided to a customer, whether that customer be an internal department within the same organization or an external customer. The MTTR is the amount of time it will be expected to take to get a device fixed and back into production. The MTTR may pertain to fixing a component or the device, or to replacing the device.

WRONG C is incorrect because hot-swapping refers to the replacement of a failed component while the system continues to run and information remains available. Usually degraded performance results, but unplanned downtime is avoided. Hot-swapping does not refer to the amount of time needed to get a system back up and running.

WRONG D is incorrect because MTBF refers to mean time between failure, which is the estimated lifespan of a piece of equipment. It is calculated by the vendor of the equipment or a third party. The reason for using this value is to know approximately when a particular device will need to be replaced. It is used as a benchmark for reliability by predicting the average time that will pass in the operation of a component or a system until it needs to be replaced.

31

15. Organizations should keep system documentation on hand to ensure that the system is properly cared for, that changes are controlled, and that the organization knows what’s on the system. What does not need to be in this type of documentation?

A. Functionality

B. Changes

C. Volume of transactions

D. Identity of system owner

Extended Questions:

CORRECT C. It is not important to have the amount of work that the system carries out included in the system documentation. The number of transactions usually changes daily and thus is usually captured through some type of automated performance tool if the company needs to keep track of this information.

WRONG A is incorrect because system documentation should include a description of the system’s functionality. Functionality is the reason we have systems and software. The functionality of a system and how it interacts with other systems should be fully understood and documented.

WRONG B is incorrect because changes made to the system should be included in the system documentation. Documentation is very important for data processing and networked environments. If changes are not properly documented, employees will forget what actually took place with each device. If the environment needs to be rebuilt, for example, it may be done incorrectly if the procedure was poorly or improperly documented.

WRONG D is incorrect because the system owner’s identity should be included in the system documentation. The system owner is responsible for the functionality and availability of the system. If something goes wrong, the system owner needs to be contacted; thus, this information must be documented.

32

12. What is the purpose of SMTP?

  A. To enable users to decrypt mail messages from a server

  B. To enable users to view and modify mail messages from a server

  C. To transmit mail messages from the client to the mail server

  D. To encrypt mail messages before being transmitted

12. B. The first step is evaluation. Evaluation involves reviewing the product’s protection functionality and assurance ratings. The next phase is certification. Certification involves testing the newly purchased product within the company’s environment. The final stage is accreditation, which is management’s formal approval.

33

13. If a company has been contacted because its mail server has been used to spread spam, what is most likely the problem?

  A. The internal mail server has been compromised by an internal hacker.

  B. The mail server in the DMZ has private and public resource records.

  C. The mail server has e-mail relaying misconfigured.

  D. The mail server has SMTP enabled.

13. B. Security through obscurity is depending upon complexity or secrecy as a protection method. Some organizations feel that since their proprietary code is not standards based, outsiders will not know how to compromise its components. This is an insecure approach. Defense-in-depth is a better approach with the assumption that anyone can figure out how something works.

34

protocol analyzers

A network sniffer is a tool that monitors traffic as it traverses a network. Administrators and network engineers often use sniffers to diagnose network problems. Sniffers are also referred to as network analyzers or protocol analyzers. When used as a diagnostic tool, a sniffer enables the administrator to see what type of traffic is being generated in the hope of getting closer to the root of the network problem. When a sniffer is used as a tool by an attacker, the sniffer can capture usernames, passwords, and confidential information as they travel over the network.

35

5. Which of the following best describes separation of duties and job rotation?

  A. Separation of duties ensures that more than one employee knows how to perform the tasks of a position, and job rotation ensures that one person cannot perform a high-risk task alone.

  B. Separation of duties ensures that one person cannot perform a high-risk task alone, and job rotation can uncover fraud and ensure that more than one person knows the tasks of a position.

  C. They are the same thing, but with different titles.

  D. They are administrative controls that enforce access control and protect the company’s resources.

5. C. DNSSEC (DNS security, which is part of the many current implementations of DNS server software) works within a PKI and uses digital signatures, which allows DNS servers to validate the origin of a message to ensure that it is not spoofed and potentially malicious. If DNSSEC were enabled on server A, then server A would, upon receiving a response, validate the digital signature on the message before accepting the information to make sure that the response is from an authorized DNS server. So even if an attacker sent a message to a DNS server, the DNS server would discard it because the message would not contain a valid digital signature. DNSSEC allows DNS servers to send and receive only authenticated and authorized messages between themselves, and thwarts the attacker’s goal of poisoning a DNS cache table.

36

due diligence

due diligence The process of systematically evaluating information to identify vulnerabilities, threats, and issues relating to an organization’s overall risk.

37

certification

certification The technical evaluation of the security components and their compliance for the purpose of accreditation. A certification process can use safeguard evaluation, risk analysis, verification, testing, and auditing techniques to assess the appropriateness of a specific system processing a certain level of information within a particular environment. The certification is the testing of the security component or system, and the accreditation is the approval from management of the security component or system.

38

Ensuring media integrity

by verifying on a media-type and environment-appropriate basis that each piece of media remains usable, and transferring still-valuable information from pieces of media reaching their obsolescence date to new pieces of media. Every type of media has an expected lifespan under certain conditions, after which it can no longer be expected that the media will reliably retain information. For example, a commercially produced CD or DVD stored in good environmental conditions should be reliable for at least ten years, whereas an inexpensive CD-R or DVD-R sitting on a shelf in a home office may become unreliable after just one year. All types of media in use at a company should have a documented (and conservative) expected lifespan. When the information on a piece of media has more remaining lifespan before its scheduled obsolescence/destruction date than does the piece of media on which the information is recorded, then the information must be transcribed to a newer piece or a newer format of media. Even the availability of hardware to read media in particular formats must be taken into account. A media format that is physically stable for decades, but for which no working device remains available to read, is of no value. Additionally, as part of maintaining the integrity of the specific contents of a piece of media, if the information on that media is highly valuable or mandated to be kept by some regulation or law, a cryptographic signature of the contents of the media may be maintained, and the contents of the piece of media verified against that signature on a regular basis.

39

dedicated security mode

dedicated security mode The mode in which a system operates if all users have the clearance or authorization to access, and the need to know about, all data processed within the system. All users have been given formal access approval for all information on the system and have signed nondisclosure agreements pertaining to this information.

40

37. D. The individual objectives of a project must be analyzed to ensure that each is actually attainable. A part of scope analysis that may prove useful is SWOT analysis. SWOT stands for Strengths/Weaknesses/Opportunities/Threats, and its basic tenets are as follows:

  • Strengths: characteristics of the project team that give it an advantage over others.
  • Weaknesses: characteristics that place the team at a disadvantage relative to others.
  • Opportunities: elements that could contribute to the project’s success.
  • Threats: elements that could contribute to the project’s failure.

41

25. Which of the following controls might force a person in operations into collusion with personnel assigned organizationally within a different function for the sole purpose of gaining access to data he is not authorized to access?

  A. Limiting the local access of operations personnel

  B. Enforcing auditing

  C. Enforcing job rotation

  D. Limiting control of management personnel

25. A. If operations personnel are limited in what they can access, they would need to collude with someone who actually has access to the resource. This question is not very clear, but it is very close to the way many CISSP exam questions are formatted.

42

data classification

data classification Assignments to data that indicate the level of availability, integrity, and confidentiality that is required for each type of information.

43

strategic goals

strategic goals Long-term goals that are broad, general statements of intent. Operational and tactical goals support strategic goals and all are a part of a planning horizon.

44

Mean time to repair (MTTR)

Mean time to repair (MTTR) is the amount of time it will be expected to take to get a device fixed and back into production. For a hard drive in a redundant array, the MTTR is the amount of time between the actual failure and the time when, after noticing the failure, someone has replaced the failed drive and the redundant array has completed rewriting the information on the new drive. This is likely to be measured in hours. For a nonredundant hard drive in a desktop PC, the MTTR is the amount of time between when the user emits a loud curse and calls the help desk, and the time when the replaced hard drive has been reloaded with the operating system, software, and any backed-up data belonging to the user. This is likely to be measured in days. For an unplanned reboot, the MTTR is the amount of time between the failure of the system and the point in time when it has rebooted its operating system, checked the state of its disks (hopefully finding nothing that its file systems cannot handle), and restarted its applications, and its applications have checked the consistency of their data (hopefully finding nothing that their journals cannot handle) and once again begun processing transactions. For well-built hardware running high-quality, well-managed operating systems and software, this may be only minutes. For commodity equipment without high-performance journaling file systems and databases, this may be hours, or, worse, days if automated recovery/rollback does not work and a restore of data from tape is required:

45

lattice-based access control model

lattice-based access control model A mathematical model that allows a system to easily represent the different security levels and control access attempts based on those levels. Every pair of elements has a greatest lower bound (meet) and a least upper bound (join) of access rights, so for any two labels there is a single lowest label that dominates both and a single highest label that both dominate. The classes stemmed from military designations.
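The ordering, meet and join described on this card, as an added example that is not part of the CISSP text. Labels are a (level, compartments) pair as in the military scheme the card refers to; the level names and compartment names are assumptions chosen for the example. The read and write checks at the end apply the standard Bell-LaPadula rules (no read up, no write down) to the lattice ordering, which is the usual way a system turns the lattice into access decisions.

```python
"""Lattice of security labels: (classification level, set of compartments).

Added example, not from the CISSP text. A label dominates another when its
level is at least as high and its compartments are a superset. The join is
the least upper bound (lowest label dominating both), the meet the greatest
lower bound (highest label both dominate). Level and compartment names are
assumptions for the example.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable

# Hypothetical ordered classification levels, lowest first.
LEVELS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def __post_init__(self):
        if self.level not in RANK:
            raise ValueError("unknown level %r" % self.level)

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice order."""
        return (RANK[self.level] >= RANK[other.level]
                and self.compartments >= other.compartments)

    def join(self, other: "Label") -> "Label":
        """Least upper bound: the lowest label that dominates both."""
        level = self.level if RANK[self.level] >= RANK[other.level] else other.level
        return Label(level, self.compartments | other.compartments)

    def meet(self, other: "Label") -> "Label":
        """Greatest lower bound: the highest label that both dominate."""
        level = self.level if RANK[self.level] <= RANK[other.level] else other.level
        return Label(level, self.compartments & other.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property (no read up): subject must dominate object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property (no write down): object must dominate subject."""
    return obj.dominates(subject)


def lub_of(labels: Iterable[Label]) -> Label:
    """Label required for a document assembled from several sources:
    the join of all of their labels."""
    it = iter(labels)
    result = next(it)
    for lab in it:
        result = result.join(lab)
    return result
```

Two labels such as SECRET {CRYPTO} and CONFIDENTIAL {NUCLEAR} are incomparable (neither dominates the other), which is exactly why the join is needed: a report drawing on both must be labelled SECRET {CRYPTO, NUCLEAR}, and only a subject whose label dominates that join may read it.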

46

computer fraud

computer fraud Computer-related crimes involving deliberate misrepresentation, modification, or disclosure of data in order to compromise a system or obtain something of value.

47

physical security

physical security Controls and procedures put into place to prevent intruders from physically accessing a system or facility. The controls enforce access control and authorized access.

48

Troubleshooting

This software runs inside of your Internet browser. You must have its preferences set for correct playback of QuickTime movies to view the video. The QuickTime installer (free download from www.apple.com/quicktime) may not change all of your file helpers properly.

49

Initial program load (IPL)

Initial program load (IPL) is a mainframe term for loading the operating system’s kernel into the computer’s main memory. On a personal computer, booting into the operating system is the equivalent to IPLing. This activity takes place to prepare the computer for user operation.

50

The goals of the assessment are to

  • Evaluate the true security posture of an environment (don’t cry wolf, as discussed earlier).
  • Identify as many vulnerabilities as possible, with honest evaluations and prioritizations of each.
  • Test how systems react to certain circumstances and attacks, to learn not only what the known vulnerabilities are (such as this version of the database, that version of the operating system, or a user ID with no password set), but also how the unique elements of the environment might be abused (SQL injection attacks, buffer overflows, and process design flaws that facilitate social engineering).

Before the scope of the test is decided and agreed upon, the tester must explain the testing ramifications. Vulnerable systems could be knocked offline by some of the tests, and production could be negatively affected by the loads the tests place on the systems.

51

add-on security

add-on security Security protection mechanisms that are hardware or software retrofitted to a system to increase that system’s protection level.

52

Penetration testing

Penetration testing is the process of simulating attacks on a network and its systems at the request of the system owner (senior management). Penetration testing uses a set of procedures and tools designed to test and possibly bypass the security controls of a system. Its goal is to measure an organization’s level of resistance to an attack and to uncover any weaknesses within the environment. Organizations need to determine the effectiveness of their security measures and not just trust the promises of the security vendors. Good computer security is based on reality, not on some lofty goals of how things are supposed to work.

53

File descriptor attacks

File descriptors are numbers many operating systems use to represent open files in a process. Certain file descriptor numbers are universal, meaning the same thing to all programs: 0 is standard input, 1 is standard output, and 2 is standard error, and a new open() call always returns the lowest number not currently in use. If a program makes unsafe use of a file descriptor, an attacker may be able to cause unexpected input to be provided to the program, or cause output to go to an unexpected place with the privileges of the executing program.
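The misdirected-output case from this card, as an added example that is not from the CISSP text. A caller starts a privileged program with descriptor 2 already closed; the first file the program opens lands on 2, so its next "error message" is written into that file. The fix shown is the standard one: verify that 0, 1 and 2 are open (attaching them to /dev/null if not) before opening anything else. The sensitive file name and contents are constructed for the demonstration, and the demo saves and restores the real descriptor 2 around the experiment.

```python
"""File descriptor hygiene for a privileged program.

Added example, not from the CISSP text. open() always returns the lowest
free descriptor number. If a caller closes fd 2 before exec'ing us, the
first file we open becomes our "stderr", and diagnostics written to fd 2
overwrite it. sanitize_std_fds() prevents this when called before any
other open(). File name and contents below are constructed.
"""
import os
import tempfile


def sanitize_std_fds() -> list:
    """Open any closed standard descriptor onto /dev/null. Call this first
    thing in a setuid/setgid or daemon program. Returns the fds fixed up."""
    fixed = []
    for fd in (0, 1, 2):
        try:
            os.fstat(fd)              # EBADF if the descriptor is closed
        except OSError:
            nul = os.open(os.devnull, os.O_RDWR)
            if nul != fd:             # a lower slot was free; move it up
                os.dup2(nul, fd)
                os.close(nul)
            fixed.append(fd)
    return fixed


def log_error(msg: str) -> None:
    """What a careless program does: write diagnostics to 'fd 2'."""
    os.write(2, msg.encode())


def demo() -> dict:
    """Simulate a caller that closed stderr before running us, once without
    and once with the sanitizer. Returns the observable outcomes."""
    sanitize_std_fds()                  # make sure 0 and 1 exist so 2 is the lowest free slot
    saved_stderr = os.dup(2)            # so the real stderr can be restored afterwards
    try:
        with tempfile.TemporaryDirectory() as d:
            secret = os.path.join(d, "accounts.db")   # constructed sensitive file
            with open(secret, "wb") as f:
                f.write(b"balance=100")

            # 1. Vulnerable flow: stderr closed, then the sensitive file opened.
            os.close(2)
            fd = os.open(secret, os.O_RDWR)
            got_fd2 = (fd == 2)
            log_error("permission denied")        # meant for stderr, lands in the file
            os.close(fd)
            with open(secret, "rb") as f:
                clobbered = f.read()

            # 2. Fixed flow: sanitize first, so the sensitive file cannot land on 2.
            with open(secret, "wb") as f:
                f.write(b"balance=100")
            fixed = sanitize_std_fds()           # fd 2 now points at /dev/null
            fd = os.open(secret, os.O_RDWR)
            safe_fd = fd
            log_error("permission denied")        # goes to /dev/null
            os.close(fd)
            with open(secret, "rb") as f:
                intact = f.read()
    finally:
        os.dup2(saved_stderr, 2)
        os.close(saved_stderr)
    return {"got_fd2": got_fd2, "clobbered": clobbered,
            "fixed": fixed, "safe_fd": safe_fd, "intact": intact}
```

Many C runtimes and setuid wrappers perform the same check at startup for exactly this reason; the point is that it has to happen before the program opens its first file, not afterwards.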

55

Race conditions

Race conditions exist when the design of a program puts it in a vulnerable condition before ensuring that the condition has been mitigated, typically because something the program checked can change between the time of the check and the time of use (TOCTOU). Examples include opening temporary files without first ensuring the files cannot be read, or written to, by unauthorized users or processes, and running in privileged mode or instantiating dynamic load library functions without first verifying that the dynamic load library path is secure. Either of these may allow an attacker to cause the program (with its elevated privileges) to read or write unexpected data or to perform unauthorized commands.
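The temporary-file case from this card, as an added example that is not part of the CISSP text. The unsafe version opens a predictable path the way a careless privileged program might, so a symlink planted there by an attacker redirects the write to a file of the attacker's choosing; the safe version creates the file atomically with O_EXCL, refuses to follow a link, sets owner-only permissions at creation time, and verifies the descriptor it actually holds rather than the path name. File names and contents are constructed for the demonstration.

```python
"""Temporary-file race (time-of-check to time-of-use) and its fix.

Added example, not from the CISSP text. unsafe_create() follows a symlink
planted at the predictable name and truncates whatever it points to.
safe_create() is create-or-fail: O_EXCL makes the check and the create one
atomic step, O_NOFOLLOW refuses a symlink, mode 0o600 keeps other users out
from the first instant, and fstat() inspects the object we hold.
File names and contents below are constructed for the demonstration.
"""
import os
import stat
import tempfile


def unsafe_create(path: str, data: bytes) -> None:
    """Follows symlinks and truncates the target; permissions depend on umask."""
    with open(path, "wb") as f:
        f.write(data)


def safe_create(path: str, data: bytes) -> None:
    """Create a brand-new private file at path, or fail if anything is there."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        st = os.fstat(fd)                  # check the descriptor, not the name
        if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
            raise OSError("unexpected object at %s" % path)
        os.write(fd, data)
    finally:
        os.close(fd)


def demo() -> dict:
    """Plant a symlink at the name the program will use, then run both
    creators. Returns what ended up where so the difference is observable."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.conf")    # attacker's chosen target
        predictable = os.path.join(d, "app.tmp")   # name the program will use
        with open(victim, "wb") as f:
            f.write(b"original")
        os.symlink(victim, predictable)            # the attacker wins the race

        unsafe_create(predictable, b"clobbered")   # silently rewrites victim.conf
        with open(victim, "rb") as f:
            after_unsafe = f.read()

        try:
            safe_create(predictable, b"clobbered again")
            safe_refused = False
        except OSError:                            # EEXIST: something is already there
            safe_refused = True
        with open(victim, "rb") as f:
            after_safe = f.read()

        os.unlink(predictable)                     # with the link gone, creation succeeds
        safe_create(predictable, b"private")
        mode = stat.S_IMODE(os.stat(predictable).st_mode)
        return {"after_unsafe": after_unsafe, "safe_refused": safe_refused,
                "after_safe": after_safe, "mode": mode}
```

In production code the predictable name itself is the first thing to remove (tempfile.mkstemp generates a random name and uses the same O_EXCL open underneath); the example keeps the fixed name so that the race is visible.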

56

Summary of Technologies Used to Keep the Juices Flowing : The following are the items you will most likely run into when taking the CISSP exam:

  • Disk shadowing (mirroring)
  • Redundant servers
  • RAID, MAID, RAIT
  • Clustering
  • Backups
  • Dual backbones
  • Direct Access Storage Device
  • Redundant power
  • Mesh network topology instead of star, bus, or ring

57

Other Vulnerability Types

As noted earlier, vulnerability scans find the potential vulnerabilities. Actual penetration testing is required to identify those vulnerabilities that can actually be exploited in the environment and cause damage.

58

technical controls

technical controls These controls, also called logical access control mechanisms, work in software to provide confidentiality, integrity, or availability protection. Some examples are passwords, identification and authentication methods, security devices, auditing, and the configuration of the network.

59

Countermeasure

Ensure that security patches to operating systems—after sufficient testing—are promptly deployed in the environment to keep the window of vulnerability as small as possible.

60

Media Center Download

To access the video download, visit McGraw-Hill Professional’s Media Center by clicking the link below and entering this eBook’s ISBN and your e-mail address. You will then receive an e-mail message with a download link for the additional content.

http://mhprofessional.com/mediacenter/

61

System-forced shutdown should not be allowed

To reduce the possibility of an unauthorized configuration change taking effect, and to reduce the possibility of denial of service through an inappropriate shutdown, only administrators should have the ability to instruct critical systems to shut down.

62

confinement

confinement Controlling information in a manner that prevents sensitive data from being leaked from a program to another program, subject, or object in an unauthorized manner.

63

U.S. GOVERNMENT RESTRICTED RIGHTS:

U.S. GOVERNMENT RESTRICTED RIGHTS: Any software included in the Product is provided with restricted rights subject to subparagraphs (c), (1) and (2) of the Commercial Computer Software-Restricted Rights clause at 48 C.F.R. 52.227-19. The terms of this Agreement applicable to the use of the data in the Product are those under which the data are generally made available to the general public by McGraw-Hill. Except as provided herein, no reproduction, use, or disclosure rights are granted with respect to the data included in the Product and no right to modify or create derivative works from any such data is hereby granted.

64

penetration

penetration A successful attempt at circumventing security controls and gaining access to a system.

65

Mandatory vacations

Mandatory vacations are another type of administrative control, though the name may sound a bit odd at first. Chapter 2 touched on reasons to make sure employees take their vacations. Reasons include being able to identify fraudulent activities and enabling job rotation to take place. If an accounting employee has been performing a salami attack by shaving off pennies from multiple accounts and putting the money into his own account, a company would have a better chance of figuring this out if that employee is required to take a vacation for a week or longer. When the employee is on vacation, another employee has to fill in. She might uncover questionable documents and clues of previous activities, or the company may see a change in certain patterns once the employee who is committing fraud is gone for a week or two.

66

14. There are often scenarios where the IT staff must react to emergencies and quickly apply fixes or change configurations. When dealing with such emergencies, which of the following is the best approach to making changes?

A. Review the changes within 48 hours of making them.

B. Review and document the emergency changes after the incident is over.

C. Activity should not take place in this manner.

D. Formally submit the change to a change control committee and follow the complete change control process.

Extended Questions:

CORRECT B. After the incident or emergency is over, the staff should review the changes to ensure that they are correct and do not open security holes or affect interoperability. The changes need to be properly documented and the system owner needs to be informed of changes.

WRONG A is incorrect because it is not the best answer. The changes should be reviewed after the incident is over, but not necessarily within 48 hours. Many times the changes should be reviewed hours after they are implemented—not days.

WRONG C is incorrect because, while it would be nice if emergencies didn’t happen, they are unavoidable. At one point or another, for example, an IT administrator will have to roll out a patch or change configurations to protect systems against a high-profile vulnerability.

WRONG D is incorrect because if an emergency is taking place, then there is no time to go through the process of submitting a change to the change control committee and following the complete change control process. These steps usually apply to large changes that take place to a network or environment. These types of changes are typically expensive and can have lasting effects on a company.

67

mainframe

If you see the term operators on the exam, it is dealing specifically with mainframe operators even if the term mainframe is not used in the question.

68

confidentiality

confidentiality A security principle that works to ensure that information is not disclosed to unauthorized subjects.

69

After QuickTime is installed, if movies take a very long time to load or don’t load at all, verify that your browser associates the file type .mov with the QuickTime plug-in. To verify this, do the following:

  • If using Internet Explorer for Windows, go to Tools | Internet Options | Advanced | Multimedia Or Control Panels | QuickTime.
  • If using Internet Explorer for Macintosh, go to Preferences | Receiving Files | Helpers.

70

Implements and maintains security devices and software

Despite some security vendors’ claims that their products will provide effective security with "set it and forget it" deployments, security products require monitoring and maintenance in order to provide their full value. Version updates and upgrades may be required when new capabilities become available to combat new threats, and when vulnerabilities are discovered in the security products themselves.

71

life-cycle assurance

life-cycle assurance Confidence that a trusted system is designed, developed, and maintained with formal designs and controls. This includes design specification and verification, implementation, testing, configuration management, and distribution.

72

An operating system’s response to a type of failure can be classified as one of the following:

  • System reboot
  • Emergency system restart
  • System cold start

73

17. How do network sniffers work?

  A. They probe systems on a network segment.

  B. They listen for ARP requests and ICMP packets.

  C. They require an extra NIC to be installed and configured.

  D. They put the NIC into promiscuous mode.

17. D. A network sniffer puts the NIC into promiscuous mode, so that the card passes every frame it sees on the segment up to the sniffing software instead of only the frames addressed to its own MAC address. No extra NIC is needed, and a sniffer is passive; it does not probe systems or wait for particular ARP or ICMP traffic. The exposure is greatest on a shared medium. Most cable providers comply with Data-Over-Cable Service Interface Specifications (DOCSIS), an international telecommunications standard that allows for the addition of high-speed data transfer to an existing cable TV (CATV) system. DOCSIS includes MAC-layer security services in its Baseline Privacy Interface/Security (BPI/SEC) specifications, which protect individual user traffic by encrypting the data as they travel over the provider’s infrastructure. Sharing the same medium brings up a slew of security concerns, because users with network sniffers can easily view their neighbors’ traffic and data as both travel to and from the Internet, which is why many cable companies now encrypt the data that go back and forth over shared lines with this type of data link encryption.

74

Licensing Issues

Companies have the ethical obligation to use only legitimately purchased software applications. Software makers and their industry representation groups such as the Business Software Alliance (BSA) use aggressive tactics to target companies that use pirated (illegal) copies of software.

75

Evaluated Products List (EPL)

Evaluated Products List (EPL) A list of products that have been evaluated and assigned an assurance rating. The products could be evaluated using several different criteria: TCSEC, ITSEC, or Common Criteria.

76

Partial knowledge

The team has some information about the target.

77

21. Which of the following would not be considered an operations media control task?

  A. Compressing and decompressing storage materials

  B. Erasing data when its retention period is over

  C. Storing backup information in a protected area

  D. Controlling access to media and logging activities

21. A. Compressing and decompressing storage materials is a data-handling function, not a media control task. Operations media controls cover the life cycle of the media itself: controlling access to media and logging its use, storing backup media in a protected area, and erasing or destroying data when its retention period is over.

78

trusted path

trusted path A mechanism within the system that enables the user to communicate directly with the TCB. This mechanism can be activated only by the user or the TCB and not by an untrusted mechanism or process.

79

data remanence

data remanence A measure of the magnetic flux density remaining after removal of the applied magnetic force, which is used to erase data. Refers to any data remaining on magnetic storage media.

80

end-to-end encryption

end-to-end encryption A technology that encrypts the data payload of a packet.

81

26. Which of the following is not considered a countermeasure to port scanning and operating system fingerprinting?

A. Allow access at the perimeter network to all internal ports

B. Remove as many banners as possible within operating systems and applications

C. Use TCP wrappers on vulnerable services that have to be available

D. Disable unnecessary ports and services

Extended Questions:

CORRECT A. Access to internal ports is not a countermeasure. Several countermeasures should be put in place to reduce this threat:

• Disable unnecessary ports and services.

• Block access at the perimeter network using firewalls, routers, and proxy servers.

• Use an IDS to identify this type of activity.

• Use TCP wrappers on vulnerable services that have to be available.

• Remove as many banners as possible within operating systems and applications.

• Upgrade or update to more secure operating systems, applications, and protocols.

WRONG B is incorrect because removing banners from operating systems and applications are countermeasures that should be put into place to make it harder for an attacker to fingerprint (identify) the software that is running on a system.

WRONG C is incorrect because TCP wrappers (software components) monitor incoming network traffic to the host computer and control what can and cannot access the services mapped to specific ports. When a request comes to a computer at a specific port, the target operating system will check to see if this port is enabled. If it is enabled and the operating system sees that the corresponding service is wrapped, it knows to look at an access control list, which spells out who can access this service.

WRONG D is incorrect because disabling ports and services is a critical countermeasure to reduce potential fingerprinting efforts. Enabled ports and services are clues used by the attacker to learn more about an environment. This knowledge enables the attacker to figure out the most successful ways of attacking.

27. ___________ provides for availability and scalability. It groups physically different systems and combines them logically, which helps to provide immunity to faults and improves performance.

A. Disc duping

B. Clustering

C. RAID

D. Virtualization

CORRECT B. Clustering is a fault-tolerant server technology that is similar to redundant servers, except each server takes part in processing services that are requested. A server cluster is a group of servers that are viewed logically as one server to users and can be managed as a single logical system. Clustering provides for availability and scalability. It groups physically different systems and combines them logically, which helps to provide immunity to faults and improves performance. Clusters work as an intelligent unit to balance traffic, and users who access the cluster do not know they may be accessing different systems at different times. To the users, all servers within the cluster are seen as one unit.

WRONG A is incorrect because this is a distracter answer. There is not an official technology with this name.

WRONG C is incorrect because redundant array of inexpensive disks (RAID) provides fault tolerance for hard drives and can improve disk performance. Redundancy and speed are provided by breaking up the data and writing them across several disks so different disk heads can work simultaneously to retrieve the requested information. RAID operates within a single system’s storage; it does not group separate physical systems into one logical system or scale processing capacity the way clustering does.

WRONG D is incorrect because virtualization is the creation of a virtual version of something, such as a hardware platform, operating system, storage device, or network resource. Hardware virtualization or platform virtualization refers to the creation of a virtual machine that acts like a real system with an operating system. Software executed on these virtual machines is separated from the underlying hardware resources by an abstraction layer.

28. Bob is a new security administrator at a financial institution. The organization has experienced some suspicious activity on one of the critical servers that contain customer data. When reviewing how the systems are administered, he uncovers some concerning issues pertaining to remote administration. Which of the following should not be put into place to reduce these concerns?

  i. Commands and data should not be sent in cleartext.

 ii.  Secure Shell (SSH) should be used, not Telnet.

iii.  Truly critical systems should be administered locally instead of remotely.

iv. Only a small number of administrators should be able to carry out remote functionality.

 v. Strong authentication should be in place for any administration activities.

A. i, ii

B. None of them

C. ii, iv

D. All of them

CORRECT B. All of these countermeasures should be put into place for proper remote administration activities.

WRONG A is incorrect because sensitive commands and data should not be sent in cleartext (that is, they should be encrypted) to critical systems. For example, SSH should be used, not Telnet. SSH is a network protocol for secure data communication. It allows for remote shell services and command execution and other secure network services between two networked systems. It was designed as a replacement for Telnet and other insecure remote shell protocols such as the Berkeley rsh and rexec protocols, which send information, notably passwords, in plaintext, rendering them susceptible to interception and disclosure.

WRONG C is incorrect because sensitive commands and data should not be sent in cleartext (that is, they should be encrypted). For example, SSH should be used, not Telnet. Truly critical systems should be administered locally instead of remotely. Only a small number of administrators should be able to carry out this remote functionality.

WRONG D is incorrect because all of these countermeasures should be put into place for proper remote administration activities.

The following scenario will be used for questions 29 and 30.

82

Crystal Bedell

Crystal Bedell is the principal of Bedell Communications, a full-service copywriting and editing firm specializing in technology and B2B communications. She has more than 15 years of combined editing, writing, and marketing experience, including eight years at TechTarget, where she developed Web content for IT professionals. Having worked as both a member of the press and in marketing, Crystal has unique insights into the information needs of IT professionals as well as an understanding of their work environment and the constraints of the typical IT decision maker. She knows how to speak their language and distill marketing language into plain English.

83

Numerous changes can take place in a company, some of which are as follows:

  • New computers installed
  • New applications installed
  • Different configurations implemented
  • Patches and updates installed
  • New technologies integrated
  • Policies, procedures, and standards updated
  • New regulations and requirements implemented
  • Network or system problems identified and fixes implemented
  • Different network configuration implemented
  • New networking devices integrated into the network
  • Company acquired by, or merged with, another company

84

Documenting the history of changes to media

For example, when a particular version of a software application kept in the library has been deemed obsolete, this fact must be recorded so the obsolete version of the application is not used unless that particular obsolete version is required. Even once no possible need for the actual media or its content remains, retaining a log of the former existence and the time and method of its deletion may be useful to demonstrate due diligence.

85

Bootup sequence (C:, A:, D:) should not be available to reconfigure

To ensure that systems recover to a secure state, the design of the system must prevent an attacker from changing the bootup sequence of the system. For example, on a Windows workstation or server, only authorized users should have access to the BIOS (firmware) settings that control the order in which the hardware checks bootable devices. If the approved boot order is C: (the main hard drive) only, with no other hard drives and no removable devices (for example CD/DVD, or USB) allowed, then the hardware settings must prohibit the user (and the attacker) from changing those device selections and the order in which they are used. If the user or attacker can change the bootable device selection or order, and can cause the system to reboot (which is always possible with physical access to a system), they can boot their own media and attack the software and/or data on the system.

86

14. Which of the following is not a reason fax servers are used in many companies?

  A. They save money by not needing individual fax devices and the constant use of fax paper.

  B. They provide a secure way of faxing instead of having faxed papers sitting in bins waiting to be picked up.

  C. Faxes can be routed to employees’ electronic mailboxes.

  D. They increase the need for other communication security mechanisms.

14. D. Fax servers do not increase the need for other communication security mechanisms, so that is not a reason to deploy them; the other three answers are. A fax server saves the cost of individual fax machines and the constant use of fax paper, keeps received faxes from sitting in a bin where anyone walking past can read them, and can route incoming faxes directly to employees’ electronic mailboxes.

87

risk management

risk management The process of identifying, assessing, and reducing the risk to an acceptable level and implementing the right mechanisms to maintain that level of risk.

88

formal security policy model

formal security policy model A mathematical statement of a security policy. When an operating system is created, it can be built upon a pre-developed model that lays out how all activities will take place in each and every situation. This model can be expressed mathematically, which is then translated into a programming language.

89

CHAPTER 9

Software Development Security

This domain includes questions from the following topics:

  • Common software development issues
  • Software development life cycles
  • Secure software development approaches
  • Change control and configuration management
  • Programming language types
  • Database concepts and security issues
  • Expert systems and artificial intelligence
  • Malware types and attacks

90

1. Which of the following best describes operations security?

  A. Continual vigilance about hacker activity and possible vulnerabilities

  B. Enforcing access control and physical security

  C. Taking steps to make sure an environment, and the things within it, stay at a certain level of protection

  D. Doing strategy planning to develop a secure environment and then implementing it properly

1. C. Operations security is about keeping an environment, and the things within it, at an established level of protection: the day-to-day procedures, controls, and maintenance that keep a deployed environment secure after it has been designed and implemented. Vigilance about attacker activity, access control, physical security, and strategic planning each contribute to that goal, but none of them is the definition.

91

protection ring

protection ring An architecture that provides hierarchies of privileged operation modes of a system, which gives certain access rights to processes that are authorized to operate in that mode. Supports the integrity and confidentiality requirements of multitasking operating systems and enables the operating system to protect itself from user programs and rogue processes.

92

database shadowing

database shadowing A mirroring technology used in databases, in which information is written to at least two hard drives for the purpose of redundancy.

93

7. There are classifications for operating system failures. Which of the following refers to what takes place when an unexpected kernel or media failure happens and the regular recovery procedure cannot recover the system to a more consistent state, requiring an administrator to intervene?

A. Emergency system restart

B. Trusted recovery

C. System cold start

D. System reboot

Extended Questions:

CORRECT C. An operating system’s response to a failure can be classified as either a system reboot, an emergency system restart, or a system cold start. A system cold start takes place when an unexpected kernel or media failure happens and the regular recovery procedure cannot recover the system to a more consistent state. The system, kernel, and user objects may remain in an inconsistent state while the system attempts to recover itself, and intervention is commonly required by the user or administrator to restore the system.

WRONG A is incorrect because an emergency system restart takes place after a system failure happens in an uncontrolled manner without the need of a person to be involved. The failure could be a kernel or media failure caused by lower-privileged user processes attempting to access memory segments that are restricted. The system sees this as an insecure activity that it cannot properly recover from without rebooting. The kernel and user objects could be in an inconsistent state, and data could be lost or corrupted. The system thus reboots itself and goes into maintenance mode and recovers from the actions taken. Then it is brought back up in a consistent and stable state.

WRONG B is incorrect because trusted recovery is not one of the three classifications for an operating system’s response to a type of failure. Trusted recovery is a general term that means that when an operating system or application crashes or freezes, it should not put the system in any type of insecure state. The usual reason for a system crash in the first place is that it encountered something it perceived as insecure or did not understand and decided it was safer to freeze, shut down, or reboot than to perform the current activity.

WRONG D is incorrect because a system reboot takes place after the system shuts itself down in a controlled manner in response to a kernel (trusted computing base) failure and does not require a person to be involved. If the system finds inconsistent object data structures, or if there is not enough space in some critical tables, a system reboot may take place. This releases resources and returns the system to a more stable and safer state.

94

11. If SSL is being used to encrypt messages that are transmitted over the network, what is a major concern of the security professional?

  A. The network segments have systems that use different versions of SSL.

  B. The user may have encrypted the message with an application-layer product that is incompatible with SSL.

  C. Network tapping and wiretapping.

  D. The networks that the message will travel that the company does not control.

11. B. AS/NZS 4360 takes a much broader approach to risk management than just information security. This Australian and New Zealand methodology can be used to understand a company’s financial, capital, human safety, and business decisions risks. Although it can be used to analyze security risks, it was not created specifically for this purpose. This risk management standard is more focused on the health of a company from a business point of view, not security.

95

RAIT (redundant array of independent tapes)

RAIT (redundant array of independent tapes) is similar to RAID, but uses tape drives instead of disk drives. Tape storage is the lowest-cost option for very large amounts of data, but is very slow compared to disk storage. For very large write-mostly storage applications where MAID is not economical and where a higher performance than typical tape storage is desired, or where tape storage provides appropriate performance and higher reliability is required, RAIT may fit.

96

trusted computer system

trusted computer system A system that has the necessary controls to ensure that the security policy will not be compromised and that can process a range of sensitive or classified information simultaneously.

97

Remote Administration : To gain the benefits of remote access without taking on unacceptable risks, remote administration needs to take place securely. The following are just a few of the guidelines to use:

  • Commands and data should not be sent in cleartext (that is, they should be encrypted). For example, Secure Shell (SSH) should be used, not Telnet.
  • Truly critical systems should be administered locally instead of remotely.
  • Only a small number of administrators should be able to carry out this remote functionality.
  • Strong authentication should be in place for any administration activities.
  • Anyone who wears green shoes really should not be able to access these systems. They are weird.
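The guidelines above (and questions 22 and 28 in this deck, which test the same list) translate into concrete settings on the host that accepts the remote sessions. As an added example that is not from the CISSP text or from OpenSSH, the following audits an sshd_config against them: it reads the main section the way sshd does (first value of a keyword wins, options under a Match block are conditional and skipped), applies the OpenSSH defaults for anything unset, and reports password or empty-password logins, direct root administration, protocol 1, and the absence of an explicit administrator allow-list. The two configurations at the bottom are constructed samples.

```python
"""Audit an sshd_config against the remote-administration guidelines.

Added example, not from the CISSP text or from OpenSSH. Findings are
(keyword, message) pairs. Defaults are OpenSSH's documented defaults for an
unset keyword. The sample configs at the bottom are constructed.
"""
import re

# (keyword, value that triggers a finding, OpenSSH default if unset, message)
CHECKS = [
    ("passwordauthentication", "yes", "yes",
     "password logins enabled; use key-based authentication (PasswordAuthentication no)"),
    ("permitemptypasswords", "yes", "no",
     "empty passwords accepted (PermitEmptyPasswords no)"),
    ("permitrootlogin", "yes", "prohibit-password",
     "root may log in directly; administer through named accounts (PermitRootLogin no)"),
    ("pubkeyauthentication", "no", "yes",
     "public-key authentication disabled (PubkeyAuthentication yes)"),
]


def parse_sshd_config(text: str) -> dict:
    """Return {keyword: value} for the main section of an sshd_config.
    Keywords are case-insensitive and may be separated from their value by
    whitespace or '='; the first occurrence wins, as in sshd. Parsing stops
    at the first Match block because everything below it is conditional."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break
        opts.setdefault(key, value)
    return opts


def audit_sshd_config(text: str) -> list:
    """List the settings that contradict the remote-administration guidelines."""
    opts = parse_sshd_config(text)
    findings = []
    for key, bad, default, msg in CHECKS:
        if opts.get(key, default) == bad:
            findings.append((key, msg))
    # Protocol is ignored by current OpenSSH, but an old host may still honour it.
    if "1" in opts.get("protocol", "2").replace(" ", "").split(","):
        findings.append(("protocol", "SSH protocol 1 enabled; it has known weaknesses (Protocol 2)"))
    # Guideline: only a small number of administrators may use remote access.
    if "allowusers" not in opts and "allowgroups" not in opts:
        findings.append(("allowusers",
                         "no AllowUsers/AllowGroups: any local account may administer remotely"))
    return findings


# Constructed sample: a freshly installed host nobody has hardened.
WEAK_CONFIG = """\
# constructed sample
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
"""

# Constructed sample: the same host after applying the guidelines.
HARDENED_CONFIG = """\
# constructed sample
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
AllowGroups sshadmins
# per-user overrides below are not audited by this script
Match User backup
    PasswordAuthentication yes
"""
```

An empty file is not a clean bill of health: with nothing set, OpenSSH still accepts passwords and any local account, so the audit reports both, which is the reason the defaults are part of the table rather than treated as "not configured".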

98

compartmented mode workstation (CMW)

compartmented mode workstation (CMW) A workstation that contains the necessary controls to be able to operate as a trusted computer. The system is trusted to keep data from different classification levels and categories in separate compartments and properly protected.

99

Buffer overflows

Poor programming practices, or sometimes bugs in libraries, allow more input than the program has allocated space to store it. This overwrites data or program memory after the end of the allocated buffer, and sometimes allows the attacker to inject program code and then cause the processor to execute it. This gives the attacker the same level of access as that held by the program that was attacked. If the program was run as an administrative user or by the system itself, this can mean complete access to the system.

100

supervisor state

supervisor state One of several states in which an operating system may operate, and the only one in which privileged instructions may be executed by the CPU.

101

keystroke monitoring

keystroke monitoring A type of auditing that can review or record keystrokes entered by a user during an active session.

102

reference monitor concept

reference monitor concept An access control concept that refers to an abstract machine that mediates all accesses to objects by subjects. The security kernel enforces the reference monitor concept.

103

availability

availability The reliability and accessibility of data and resources to authorized individuals in a timely manner.

104

Environmental Controls

The operations department is also responsible for a majority of the items covered in Chapter 5. This includes server room temperature and humidity; fire protection; heating, ventilation, and air conditioning (HVAC); water protection; power sources; positive air pressure to protect against contaminants; and a closed-loop, recirculating air-conditioning system.

105

LIMITED WARRANTY FOR DISC:

LIMITED WARRANTY FOR DISC: To the original licensee only, McGraw-Hill warrants that the enclosed disc on which the Product is recorded is free from defects in materials and workmanship under normal use and service for a period of ninety (90) days from the date of purchase. In the event of a defect in the disc covered by the foregoing warranty, McGraw-Hill will replace the disc.

106

22. Guidelines should be followed to allow secure remote administration. Which of the following is not one of those guidelines?

A. A small number of administrators should be allowed to carry out remote functionality.

B. Critical systems should be administered locally instead of remotely.

C. Strong authentication should be in place.

D. Telnet should be used to send commands and data.

Extended Questions:

CORRECT D. Telnet should not be allowed for remote administration because it sends all data, including administrator credentials, in cleartext. This type of communication should go over more secure protocols, as in SSH.

WRONG A is incorrect because it is true that only a small number of administrators should be able to carry out remote functionality. This helps minimize the risk posed to the network.

WRONG B is incorrect because it is true that critical systems should be administered locally instead of remotely. It is safer to send administrative commands over the internal, private network than it is to do so over a public network.

WRONG C is incorrect because it is true that strong authentication should be in place for any administration activities. Anything less than strong authentication, such as a password, would be easy for an attacker to crack and thereby gain administrative access.

107

Direct Access Storage Device

Direct Access Storage Device (DASD) is a general term for magnetic disk storage devices, which historically have been used in mainframe and minicomputer (mid-range computer) environments. RAID is a type of DASD. The key distinction between Direct Access and Sequential Access storage devices is that any point on a Direct Access Storage Device may be promptly reached, whereas every point in between the current position and the desired position of a Sequential Access Storage Device must be traversed in order to reach the desired position. Tape drives are Sequential Access Storage Devices. Some tape drives have minimal amounts of Direct Access intelligence built in. These include multitrack tape devices that store at specific points on the tape and cache in the tape drive information about where major sections of data on the tape begin, allowing the tape drive to more quickly reach a track and a point on the track from which to begin the now much shorter traversal of data from that indexed point to the desired point. While this makes such tape drives noticeably faster than their purely sequential peers, the difference in performance between Sequential and Direct Access Storage Devices is orders of magnitude.

108

Sniffers

A network sniffer is a tool that monitors traffic as it traverses a network. Administrators and network engineers often use sniffers to diagnose network problems. Sniffers are also referred to as network analyzers or protocol analyzers. When used as a diagnostic tool, a sniffer enables the administrator to see what type of traffic is being generated in the hope of getting closer to the root of the network problem. When a sniffer is used as a tool by an attacker, the sniffer can capture usernames, passwords, and confidential information as they travel over the network.

109

identification

identification A subject provides some type of data to an authentication service. Identification is the first step in the authentication process.

110

8. Various levels of RAID dictate the type of activity that will take place within the RAID system. Which level is associated with byte-level parity?

A. RAID Level 0

B. RAID Level 3

C. RAID Level 5

D. RAID Level 10

Extended Questions:

CORRECT B. Redundant array of inexpensive disks (RAID) provides fault tolerance for hard drives and can improve system performance. Redundancy and speed are provided by breaking up the data and writing it across several disks so that different disk heads can work simultaneously to retrieve the requested information. Recovery data is also created—this is called parity—so that if one disk fails, the parity data can be used to reconstruct the corrupted or lost information. Different activities that provide fault tolerance or performance improvements occur at different levels of a RAID system. RAID Level 3 is a scheme employing byte-level striping and a dedicated parity disk. Data is striped over all but the last drive with parity data held on only the last drive. If a drive fails, it can be reconstructed from the parity drive. The most common RAID levels used today are Levels 1, 3, and 5.

WRONG A is incorrect because only striping occurs at Level 0. Data are striped over several drives. No redundancy or parity is involved. If one volume fails, the entire volume can be unusable. Level 0 is used for performance only.

WRONG C is incorrect because RAID 5 employs block-level striping and interleaving parity across all disks. Data are written in disk block units to all drives. Parity is written to all drives also, which ensures there is no single point of failure. RAID Level 5 is the most commonly used mode.

WRONG D is incorrect because Level 10 is associated with striping and mirroring. It is a combination of Levels 1 and 0. Data are simultaneously mirrored and striped across several drives and can support multiple drive failures.

111

multilevel security

multilevel security A class of systems containing information with different classifications. Access decisions are based on the subject’s security clearances, need to know, and formal approval.

112

CHAPTER 1

Information Security Governance and Risk Management

This domain includes questions from the following topics:

  • Security terminology and principles
  • Protection control types
  • Security frameworks, models, standards, and best practices
  • Security enterprise architecture
  • Risk management
  • Security documentation
  • Information classification and protection
  • Security awareness training
  • Security governance

113

risk analysis

risk analysis A method of identifying risks and assessing the possible damage that could be caused in order to justify security safeguards.

114

Change Control Documentation

Failing to document changes to systems and networks is only asking for trouble, because no one will remember, for example, what was done to that one server in the demilitarized zone (DMZ) six months ago or how the main router was fixed when it was acting up last year. Changes to software configurations and network devices take place pretty often in most environments, and keeping all of these details properly organized is impossible, unless someone maintains a log of this type of activity.

115

Browsing

I am looking for something, but I have no idea what it looks like.

Browsing is a general technique used by intruders to obtain information they are not authorized to access. This type of attack takes place when an attacker is looking for sensitive data but does not know the format of the data (word processing document, spreadsheet, database, piece of paper). Browsing can be accomplished by looking through another person’s files kept on a server or workstation, rummaging through garbage looking for information that was carelessly thrown away, or reviewing information that has been saved on USB Flash drives. A more advanced and sophisticated example of browsing is when an intruder accesses residual information on storage media. The original user may have deleted the files from a USB Flash drive, but, as stated earlier, this only removes the pointers to the files within the file system on that disk. The talented intruder can access these data (residual information) and access information he is unauthorized to obtain.

116

Configures and maintains security labels in mandatory access control (MAC) environments

MAC environments, mostly found in government and military agencies, have security labels set on data objects and subjects. Access decisions are based on comparing the object’s classification and the subject’s clearance, as covered extensively in Chapter 3. It is the responsibility of the security administrator to oversee the implementation and maintenance of these access controls.

117

access control mechanism

access control mechanism Administrative, physical, or technical control that is designed to detect and prevent unauthorized access to a resource or environment.

118

cryptanalysis

cryptanalysis The practice of breaking cryptosystems and algorithms used in encryption and decryption processes.

119

John is a network administrator and has been told by one of his network staff members that two servers on the network have recently had suspicious traffic traveling to them and then from them in a sporadic manner. The traffic has been mainly ICMP, but the patterns were unusual compared to other servers over the last 30 days. John lists the directories and subdirectories on the systems and finds nothing unusual. He inspects the running processes and again finds nothing suspicious. He sees that the systems’ NICs are not in promiscuous mode, so he is assured that sniffers have not been planted.

29. Which of the following describes the most likely situation as described in this scenario?

A. Servers are not infected, but the traffic illustrates attack attempts.

B. Servers have been infected with rootkits.

C. Servers are vulnerable and need to be patched.

D. Servers have been infected by spyware.

Extended Questions:

CORRECT B. Once the level of access is achieved, the attacker can upload a bundle of tools, collectively called a rootkit. A rootkit is software that implements stealth capabilities that are designed to hide the existence of certain processes or programs. Rootkit detection is difficult because a rootkit may be able to subvert the software that is intended to find it.

WRONG A is incorrect because in the situation laid out in the scenario, the system most likely is infected. The ICMP traffic is probably the commands and status data sent between the attacker and the compromised systems.

WRONG C is incorrect because it is not the best answer. The servers may be vulnerable and may need to be patched, but that is not what is being asked in the question. Plus applying a patch will not eradicate an infected system of a rootkit.

WRONG D is incorrect because it is not the best answer. The scenario best describes a situation where rootkits have been installed. Spyware may be a component of the rootkit, but Trojaned files are most likely installed, which can only happen with rootkits, not spyware.

120

Reviews audit logs

While some of the strongest security protections come from preventive controls (such as firewalls that block unauthorized network activity), detective controls such as reviewing audit logs are also required. The firewall blocked 60,000 unauthorized access attempts yesterday. The only way to know if that’s a good thing or an indication of a bad thing is for the security administrator (or automated technology under his control) to review those firewall logs to look for patterns. If those 60,000 blocked attempts were the usual low-level random noise of the Internet, then things are (probably) normal; but if those attempts were advanced and came from a concentrated selection of addresses on the Internet, a more deliberate (and possibly more successful) attack may be underway. The security administrator’s review of audit logs detects bad things as they occur and, hopefully, before they cause real damage.

121

Clipping Levels

I am going to keep track of how many mistakes you make.

Companies can set predefined thresholds for the number of certain types of errors that will be allowed before the activity is considered suspicious. The threshold is a baseline for violation activities that may be normal for a user to commit before alarms are raised. This baseline is referred to as a clipping level. Once this clipping level has been exceeded, further violations are recorded for review. Most of the time, IDS software is used to track these activities and behavior patterns, because it would be too overwhelming for an individual to continually monitor stacks of audit logs and properly identify certain activity patterns. Once the clipping level is exceeded, the IDS can e-mail a message to the network administrator, send a message to his pager, or just add this information to the logs, depending on how the IDS software is configured.

122

trusted computing base (TCB)

trusted computing base (TCB) All of the protection mechanisms within a computer system (software, hardware, and firmware) that are responsible for enforcing a security policy.

123

26. What does the following graphic represent and what is the technology’s importance?

  A. Hierarchical storage management

  B. Storage access network

  C. Network redundancy

  D. Single point of failure

26. C. Network redundancy is duplicated network equipment that can provide a backup in case of network failures. This technology protects the company from single points of failure.

124

operational goals

operational goals Daily goals to be accomplished to ensure the proper operation of an environment.

125

Physical testing

Physical testing includes reviewing facility and perimeter protection mechanisms. For instance, do the doors actually close automatically, and does an alarm sound if a door is held open too long? Are the interior protection mechanisms of server rooms, wiring closets, sensitive systems, and assets appropriate? (For example, is the badge reader working, and does it really limit access to only authorized personnel?) Is dumpster diving a threat? (In other words, is sensitive information being discarded without proper destruction?) And what of protection mechanisms for manmade, natural, or technical threats? Is there a fire suppression system? Does it work, and is it safe for the people and the equipment in the building? Are sensitive electronics kept above raised floors so they survive a minor flood? And so on.

126

dictionary attack

dictionary attack A form of attack in which an attacker uses a large set of likely combinations to guess a secret, usually a password.

127

Ensuring environmental conditions do not endanger media

Each media type may be susceptible to damage from one or more environmental influences. For example, all media formats are susceptible to fire, and most are susceptible to liquids, smoke, and dust. Magnetic media formats are susceptible to strong magnetic fields. Magnetic and optical media formats are susceptible to variations in temperature and humidity. A media library and any other space where reference copies of information are stored must be physically built so all types of media will be kept within their environmental parameters, and the environment must be monitored to ensure conditions do not range outside of those parameters. Media libraries are particularly useful when large amounts of information must be stored and physically/environmentally protected so that the high cost of environmental control and media management may be centralized in a small number of physical locations, and so that cost is spread out over the large number of items stored in the library.

128

qualitative risk analysis

qualitative risk analysis A risk analysis method that uses intuition and experience to judge an organization’s exposure to risks. It uses scenarios and ratings systems. Compare to quantitative risk analysis.

129

Mean time between failures (MTBF)

Mean time between failures (MTBF) is the estimated lifespan of a piece of equipment. MTBF is calculated by the vendor of the equipment or a third party. The reason for using this value is to know approximately when a particular device will need to be replaced. Either based on historical data or scientifically estimated by vendors, it is used as a benchmark for reliability by predicting the average time that will pass in the operation of a component or a system until its final death.

130

C. The common law system is broken down into the following:

  • Criminal
    • Based on common law, statutory law, or a combination of both.
    • Addresses behavior that is considered harmful to society.
    • Punishment usually involves a loss of freedom, such as incarceration, or monetary fines.
  • Civil/tort
    • Offshoot of criminal law.
    • Under civil law, the defendant owes a legal duty to the victim. In other words, the defendant is obligated to conform to a particular standard of conduct, usually set by what a "reasonable man of ordinary prudence" would do to prevent foreseeable injury to the victim.
  • Administrative (regulatory)
    • Laws and legal principles created by administrative agencies to address a number of areas, including international trade, manufacturing, environment, and immigration.

131

Network and Resource Availability

In the triangle of security services, availability is one of the foundational components, the other two being confidentiality and integrity. Network and resource availability often is not fully appreciated until it is gone. That is why administrators and engineers need to implement effective backup and redundant systems to make sure that when something happens (and something will happen), users’ productivity will not be drastically affected.

132

Tracking

(audit logging) who has custody of each piece of media at any given moment. This creates the same kind of audit trail as any audit logging activity—to allow an investigation to determine where information was at any given time, who had it, and, for particularly sensitive information, why they accessed it. This enables an investigator to focus efforts on particular people, places, and time if a breach is suspected or known to have happened.

133

operational assurance

operational assurance A level of confidence of a trusted system’s architecture and implementation that enforces the system’s security policy. This can include system architecture, covert channel analysis, system integrity, and trusted recovery.

134

playback attack

playback attack Capturing data and resending the data at a later time in the hope of tricking the receiving system. This is usually carried out to obtain unauthorized access to specific resources.

135

16. Fred is a new security officer who wants to implement a control for detecting and preventing users who attempt to exceed their authority by misusing the access rights that have been assigned to them. Which of the following best fits this need?

A. Management review

B. Two-factor identification and authentication

C. Capturing this data in audit logs

D. Implementation of a strong security policy

Extended Questions:

CORRECT A. The goal of this question is for you to realize that management and supervisor involvement is critical to ensure that these types of things do not take place or are properly detected and acted upon if they do take place. If the users know that management will take action if they misbehave, this can be considered preventive in nature. The activities will only be known of after they take place, which means that the security officer has to carry out some type of detective activity so that he can then inform management.

WRONG B is incorrect because identification and authentication is preventive, not detective.

WRONG C is incorrect because audit logs are detective but not preventive. However, in order to be detective, the audit logs must be reviewed by a security administrator. While some of the strongest security protections come from preventive controls, detective controls such as reviewing audit logs are also required.

WRONG D is incorrect because a security policy is preventive, not detective. A security policy is developed and implemented to inform users of what is expected of them and the potential ramifications if they do not follow the constructs of the policy.

136

Full knowledge

The team has intimate knowledge of the target.

137

shoulder surfing

shoulder surfing When a person looks over another person’s shoulder and watches keystrokes or watches data as it appears on the screen in order to uncover information in an unauthorized manner.

138

Mean Time Between Failures

Mean time between failures (MTBF) is the estimated lifespan of a piece of equipment. MTBF is calculated by the vendor of the equipment or a third party. The reason for using this value is to know approximately when a particular device will need to be replaced. Either based on historical data or scientifically estimated by vendors, it is used as a benchmark for reliability by predicting the average time that will pass in the operation of a component or a system until its final death.

139

pseudo-flaw

pseudo-flaw An apparent loophole deliberately implanted in an operating system or program as a trap for intruders.

140

In This Book

We’ve organized this book so that each chapter consists of a battery of practice exam questions representing a single CISSP exam domain, appropriate for experienced information security professionals as well as newcomers to security-related concepts. Each chapter covers a major domain of the exam, with the answer explanations providing the emphasis on the "why" as well as the "how-to" of working with and supporting the technology and concepts.

141

Internal and external labeling

of each piece of media in the library should include

142

Audio and Video Training

The audio and video training features Shon Harris teaching CISSP concepts and carrying out extensive review sessions. You can download all of the audio files in a single zip file. The video files have been separated into five zip files for ease of downloading. To play all, or any number, of the video segments consecutively without interruption, copy and paste all of the segments to be viewed into a single folder. Then select these segments, right-click on the first segment selected, and click Play.

143

3. What is the difference between due care and due diligence?

  A. Due care is the continual effort of ensuring that the right thing takes place, and due diligence is the continual effort to stay compliant with regulations.

  B. Due care and due diligence are in contrast to the "prudent person" concept.

  C. They mean the same thing.

  D. Due diligence involves investigating the risks, while due care involves carrying out the necessary steps to mitigate these risks.

3. C. In this situation the e-mail server most likely is misconfigured or has a programming flaw that can be exploited. Either of these would be considered a vulnerability. The threat is that someone would find out about this vulnerability and exploit it. In this scenario since the server is compromised, it is the item that is providing exposure to the company. This exposure is allowing sensitive data to be accessed in an unauthorized manner.

144

12. John and his team are conducting a penetration test of a client’s network. The team will conduct its testing armed only with knowledge it acquired from the Web. The network staff is aware that the testing will take place, but the penetration testing team will only work with publicly available data and some information from the client. What is the degree of the team’s knowledge and what type of test is the team carrying out?

A. Full knowledge; blind test

B. Partial knowledge; blind test

C. Partial knowledge; double-blind test

D. Zero knowledge; targeted test

Extended Questions:

CORRECT B. The penetration testing team can have varying degrees of knowledge about the penetration target before the tests are actually carried out. These degrees of knowledge are zero knowledge, partial knowledge, and full knowledge. John and his team have partial knowledge; the team has some information about the target. Tests may also be blind, double-blind, or targeted. John’s team is carrying out a blind test, meaning that the network staff knows that the test will take place.

WRONG A is incorrect because John and his team do not have full knowledge of the target. Full knowledge means that the team has intimate knowledge of the target and fully understands the network, its software, and configurations. John’s team has information it gathered from the Web and partial information from the client. This is partial knowledge. The rest of the answer is correct; the team is conducting a blind test.

WRONG C is incorrect because John and his team are not conducting a double-blind test. A double-blind test, also called a stealth assessment, is when the assessor carries out a blind test without the security staff’s knowledge. This enables the test to evaluate the network’s security level and the staff’s responses, log monitoring, and escalation processes, and is a more realistic demonstration of the likely success or failure of an attack.

WRONG D is incorrect because John and his team do not have zero knowledge, nor are they conducting a targeted test. Zero knowledge means that the team does not have any knowledge of the target and must start from ground zero. John’s team is starting the project with knowledge it acquired about the target online and with information provided by the client. Targeted tests commonly involve external consultants and internal staff carrying out focused tests on specific areas of interest. For example, before a new application is rolled out, the team might test it for vulnerabilities before installing it into production. John’s team is not focusing its testing efforts on any one specific area.

145

Fault-tolerant technologies

keep information available against not only individual storage device faults but even against whole system failures. Fault tolerance is among the most expensive possible solutions, and is justified only for the most mission-critical information. All technology will eventually experience a failure of some form. A company that would suffer irreparable harm from any unplanned downtime, or that would accumulate millions of dollars in losses for even a very brief unplanned downtime, can justify paying the high cost for fault-tolerant systems.

146

accountability

accountability A security principle indicating that individuals must be identifiable and must be held responsible for their actions.

147

Redundant hardware

ready for "hot swapping" keeps information highly available by having multiple copies of information (mirroring) or enough extra information available to reconstruct information in case of partial loss (parity, error correction). Hot swapping allows the administrator to replace the failed component while the system continues to run and information remains available; usually degraded performance results, but unplanned downtime is avoided.

148

sensitive information

sensitive information Information that would cause a negative effect on the company if it were lost or compromised.

149

System Requirements

To watch and hear the training, you must have a media player installed—either Windows Media Player, QuickTime Player, or an equivalent.

150

Technical Support

For questions regarding the operation of the site, email techsolutions@mhedu.com or visit http://www.mhprofessional.com/techsupport/.

151

On the Web

More than 500 practice questions and 24 hours of audio lectures are available to you for free with the purchase of this book. You should use these tools along with the material in the book to best prepare you for the CISSP exam. You’ll find the online questions and MP3 audio lecture files at www.mhprofessional.com/CISSPExams.

152

Types of Tests

A vulnerability assessment identifies a wide range of vulnerabilities in the environment. This is commonly carried out through a scanning tool. By contrast, in a penetration test, the security professional exploits one or more vulnerabilities to prove to the customer (or your boss) that a hacker can actually gain access to company resources.

153

18. Brandy could not figure out how Sam gained unauthorized access to her system, since he has little computer experience. Which of the following is most likely the attack Sam used?

A. Dictionary attack

B. Shoulder surfing attack

C. Covert channel attack

D. Timing attack

Extended Questions:

CORRECT B. Shoulder surfing is a type of browsing attack in which an attacker looks over another’s shoulder to see items on that person’s monitor or what is being typed in at the keyboard. Sam probably viewed Brandy’s password as she typed it. Of the attacks listed, this is the easiest to execute in that it does not require any real knowledge of computer systems.

WRONG A is incorrect because a dictionary attack is an automated attack involving the use of tools like Crack or L0phtcrack. Sam would need to be aware of these tools and know how to find and use them. A dictionary attack requires more knowledge of how computer systems work compared to shoulder surfing.

WRONG C is incorrect because a covert channel attack requires computer expertise. A covert channel is a communications path that enables a process to transmit information in a way that violates the system’s security policy. Identifying and using a covert channel requires a lot more computer expertise compared to a shoulder surfing attack.

WRONG D is incorrect because a timing attack requires intimate knowledge of how software executes its instruction sets so that they can be manipulated. Commonly a person who could successfully carry out this attack requires programming experience.

154

denial of service (DoS)

denial of service (DoS) Any action, or series of actions, that prevents a system, or its resources, from functioning in accordance with its intended purpose.

155

24. A device that generates coercive magnetic force for the purpose of reducing magnetic flux density to zero on media is called

  A. Magnetic saturation

  B. Magnetic field

  C. Physical destruction

  D. Degausser

24. D. A degausser is a device that generates a magnetic field (coercive magnetic force) that changes the orientation of the bits held on the media (reducing magnetic flux density to zero).

156

3. The requirement of erasure is the end of the media life cycle if it contains sensitive information. Which of the following best describes purging?

A. Changing the polarization of the atoms on the media.

B. It is unacceptable when media are to be reused in the same physical environment for the same purposes.

C. Data formerly on the media is made unrecoverable by overwriting it with a pattern.

D. Information is made unrecoverable, even with extraordinary effort.

Extended Questions:

CORRECT D. Purging is the removal of sensitive data from a system, storage device, or peripheral device with storage capacity at the end of a processing period. This action is performed in such a way that there is assurance proportional to the sensitivity of the data that the data cannot be reconstructed. Deleting files on a medium does not actually make the data disappear; it only deletes the pointers to where the data in those files still live on the medium. This is how companies that specialize in restoration can recover the deleted files intact after they have been apparently/accidentally destroyed. Even simply overwriting media with new information may not eliminate the possibility of recovering the previously written information. This is why zeroization and secure overwriting algorithms are required. And, if any part of a medium containing highly sensitive information cannot be cleared or purged, then physical destruction must take place.

WRONG A is incorrect because it describes degaussing, which is an example of purging. A device that performs degaussing generates a coercive magnetic force that reduces the magnetic flux density of the storage media to zero. This magnetic force is what properly erases data from media. Data is stored on magnetic media by the representation of the polarization of the atoms. Degaussing changes this polarization by using a type of large magnet to bring it back to its original flux (magnetic alignment).

WRONG B is incorrect because purging is required when media will be repurposed to a different compartment. When media are erased (cleared of their contents), they are said to be sanitized. This means erasing information so that it is not readily retrieved using routine operating system commands or commercially available forensic/data recovery software.

WRONG C is incorrect because it describes zeroization, which is an example of purging but does not describe purging itself. Media holding sensitive data must be properly purged, which can be accomplished through zeroization, degaussing, or media destruction.

157

Media Controls

Media and devices that can be found in an operations environment require a variety of controls to ensure they are properly preserved and that the integrity, confidentiality, and availability of the data held on them are not compromised. For the purposes of this discussion, "media" may include both electronic (disk, CD/DVD, tape, Flash devices such as USB "thumb drives," and so on) and nonelectronic (paper) forms of information; and media libraries may come into custody of media before, during, and/or after the information content of the media is entered into, processed on, and/or removed from systems.

158

Operators’ Responsibilities

Mainframe operators have a long list of responsibilities: reassigning ports, mounting input and output volumes, overseeing and controlling the flow of the submitted jobs, renaming (or relabeling) resources, taking care of any IPLs, and buying donuts for the morning meetings.

159

Grid Computing

I am going to use a bit of the processing power of every computer and take over the world.

Grid computing is another load-balanced parallel means of massive computation, similar to clusters, but implemented with loosely coupled systems that may join and leave the grid at any time. Most computers have extra CPU processing power that is not being used many times throughout the day. So some smart people thought that was wasteful and came up with a way to use all of this extra processing power. Just like the power grid provides electricity to entities on an as-needed basis (if you pay your bill), computers can volunteer to allow their extra processing power to be available to different groups for different projects. One of the earliest and best-known projects to use grid computing was SETI@home (Search for Extraterrestrial Intelligence), where people allowed their systems to participate in scanning the universe looking for aliens who are trying to talk to us.

160

server cluster

Clustering is a fault-tolerant server technology that is similar to redundant servers, except each server takes part in processing services that are requested. A server cluster is a group of servers that are viewed logically as one server to users and can be managed as a single logical system. Clustering provides for availability and scalability. It groups physically different systems and combines them logically, which provides immunity to faults and improves performance. Clusters work as an intelligent unit to balance traffic, and users who access the cluster do not know they may be accessing different systems at different times. To the users, all servers within the cluster are seen as one unit. Clusters may also be referred to as server farms.

161

trusted recovery

trusted recovery A set of procedures that restores a system and its data in a trusted manner after the system has been disrupted or a system failure has occurred.

162

Asset management

Asset management is easily understood as "knowing what the company owns." In a retail store, this may be called inventory management, and is part of routine operations to ensure that sales records and accounting systems are accurate and that theft is discovered. While these same principles may apply to an IT environment, there’s much more to it than just the physical and financial aspect.

163

message authentication code (MAC)

message authentication code (MAC) In cryptography, a message authentication code (MAC) is a value computed over a message with a secret key and used to authenticate the message. A MAC can be generated by methods such as HMAC or CBC-MAC. The MAC protects both a message’s integrity (a different MAC will be produced if the message has changed) and its authenticity, because only a party that holds the secret key could have produced a valid MAC for the message.
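The definition above is illustrated here with an added worked example that is not part of the flashcard deck. It uses Python’s standard hmac module to compute and verify an HMAC-SHA256 tag, compares it with an unkeyed hash to show why the key is what provides authenticity, and uses a constant-time comparison so that tag verification does not leak timing information. The key and message values are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed demo values; a real deployment gets the key from a key exchange or KMS.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
MESSAGE = b"transfer 100 to account 42"
TAMPERED = b"transfer 900 to account 42"


def make_mac(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag over message under the shared secret key (32 bytes)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time to avoid a timing side channel."""
    return hmac.compare_digest(make_mac(key, message), tag)


def unkeyed_digest(message: bytes) -> bytes:
    """A plain hash, for contrast: there is no key, so anyone can recompute it."""
    return hashlib.sha256(message).digest()


def forge_with_plain_hash() -> bool:
    """An attacker who edits the message and recomputes its plain hash passes the check."""
    forged_tag = unkeyed_digest(TAMPERED)
    return hmac.compare_digest(unkeyed_digest(TAMPERED), forged_tag)


def forge_with_hmac() -> bool:
    """The same attacker, without the key, cannot produce a tag the verifier accepts."""
    forged_tag = unkeyed_digest(TAMPERED)  # best effort with no key
    return verify_mac(SHARED_KEY, TAMPERED, forged_tag)


def demo() -> dict:
    tag = make_mac(SHARED_KEY, MESSAGE)
    return {
        "genuine": verify_mac(SHARED_KEY, MESSAGE, tag),
        "modified_message": verify_mac(SHARED_KEY, TAMPERED, tag),
        "wrong_key": verify_mac(b"some-other-key", MESSAGE, tag),
        "plain_hash_forged": forge_with_plain_hash(),
        "hmac_forged": forge_with_hmac(),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two forgery functions make the integrity-versus-authenticity distinction concrete: a plain hash detects accidental corruption but not deliberate modification, because the attacker can simply recompute it, while the keyed MAC fails for any party that does not hold the key.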

164

star property (*-property)

star property (*-property) A Bell-LaPadula security model rule that stipulates that a subject cannot write data to an object at a lower security level.

165

Operational Responsibilities

Operations security encompasses safeguards and countermeasures to protect resources, information, and the hardware on which the resources and information reside. The goal of operations security is to reduce the possibility of damage that could result from unauthorized access or disclosure by limiting the opportunities of misuse.

166

4. Device backup and other availability solutions are chosen to balance the value of having information available against the cost of keeping that information available. Which of the following best describes fault-tolerant technologies?

A. They are among the most expensive solutions and are usually only for the most mission-critical information.

B. They help service providers identify appropriate availability services for the specific customer.

C. They are required to maintain integrity, regardless of the other technologies in place.

D. They allow a failed component to be replaced while the system continues to run.

Extended Questions:

CORRECT A. Fault-tolerant technologies keep information available not only against individual storage device faults but even against whole system failures. Fault tolerance is among the most expensive possible solutions for availability and is commonly justified only for the most mission-critical information. All technology will eventually experience a failure of some form. A company that would suffer irreparable harm from any unplanned downtime can justify paying the high cost for fault-tolerant systems.

WRONG B is incorrect because service-level agreements (SLAs) help service providers, whether they are an internal IT operation or an outsourcer, decide what type of availability technology and service is appropriate. From this determination, the price of a service or the budget of the IT operation can be set. The process of developing an SLA with a business is also beneficial to the business. While some businesses have performed this type of introspection on their own, many have not, and being forced to go through the exercise as part of budgeting for their internal IT operations or external sourcing helps the business understand the real value of its information.

WRONG C is incorrect because fault-tolerant technologies do not necessarily have anything to do with data or system integrity.

WRONG D is incorrect because "hot-swappable" hardware does not require shutting down the system and may or may not be considered a fault-tolerant technology. Hot-swapping allows the administrator to replace the failed component while the system continues to run and information remains available; usually degraded performance results, but unplanned downtime is avoided.

167

Solid operational procedures

are also required to maintain availability. The most reliable hardware with the highest redundancy or fault tolerance, designed for the fastest mean time to repair, will mostly be a waste of money if operational procedures, training, and continuous improvement are not part of the operational environment: one slip of the finger by an IT administrator can halt the most reliable system.

168

Cryptography Video Sample

The QuickTime video file is a portion of a complete CISSP training product featuring Shon Harris. The QuickTime player must be installed on your computer to play this file. QuickTime is available from www.apple.com. After downloading the file, double-click the video file to start QuickTime. If QuickTime does not launch automatically, choose QuickTime from the Programs menu.

169

Initial program load (IPL)

Initial program load (IPL) is a mainframe term for loading the operating system’s kernel into the computer’s main memory. On a personal computer, booting into the operating system is the equivalent to IPLing. This activity takes place to prepare the computer for user operation.

170

CHAPTER 5

Telecommunications and Network Security

This domain includes questions from the following topics:

  • OSI and TCP/IP models
  • Protocol types and security issues
  • LAN, WAN, MAN, intranet, and extranet technologies
  • Cable types and data transmission types
  • Network devices and services
  • Communications security management
  • Telecommunications devices and technologies
  • Remote connectivity technologies
  • Wireless technologies
  • Threat and attack types

171

Password Cracking

Chapter 3 discussed access control and authentication methods in depth. Although there are various ways of authenticating a user, most of the time a static password is the method of choice for many companies. The main reason for this is that the computing society is familiar with using static passwords. It is how many systems and applications have their authentication processes coded, and it is an easier technique to maintain—and cheaper—than other options such as smart cards or biometrics.

172

30. Which of the following best explains why John does not see anything suspicious on the reported systems?

A. The systems have not yet been infected.

B. He is not running the correct tools. He needs to carry out a penetration test on the two systems.

C. Trojaned files have been loaded and executed.

D. A back door has been installed and the attacker enters the system sporadically.

Extended Questions:

CORRECT C. The other tools in the rootkit may vary, but they usually comprise utilities that are used to cover the attacker’s tracks. For example, every operating system has basic utilities that a root or administrator user can use to detect the presence of the rootkit, an installed sniffer, and the back door. The hacker replaces these default utilities with new utilities, which share the same name. They are referred to as "Trojaned programs" because they carry out the intended functionality but do some devious activity in the background.

WRONG A is incorrect because it is not the best answer. It is possible that the systems are not infected, but this question asks what is the most likely situation.

WRONG B is incorrect because most rootkits have Trojaned programs that replace these utilities: the root user could otherwise run ps or top, see a back-door service running, and thus detect the attack. Most rootkits also contain sniffers, so that traffic can be captured and reviewed by the attacker. For a sniffer to work, the system’s NIC must be put into promiscuous mode, which means it accepts all the traffic on the network link rather than only the frames addressed to it. The default ifconfig utility shows whether or not the NIC is in promiscuous mode, so the rootkit also contains a Trojaned ifconfig program that hides that flag. A penetration test would not help here, because the problem is that the system’s own reporting utilities have been replaced.

WRONG D is incorrect because there is most likely more than just installed back doors on these servers. Rootkits include back-door programs to allow attackers to remotely control compromised systems, but rootkits contain many other tools also.
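The answer above describes the problem; the following is an added example (not from the flashcard deck) of the check a responder would use instead of trusting ps or ifconfig on a suspect host: compare the SHA-256 hashes of system utilities against a known-good baseline, and read the interface flags word directly rather than through a possibly replaced binary. The binaries and the flags value below are constructed stand-ins; the 0x100 promiscuous bit is the IFF_PROMISC value from the Linux kernel headers.

```python
import hashlib
import os
import tempfile

IFF_PROMISC = 0x100  # promiscuous-mode bit in the Linux net_device flags word


def nic_is_promiscuous(flags_text: str) -> bool:
    """Parse the hex word as read from /sys/class/net/<iface>/flags
    (a constructed sample is used in the test) instead of asking ifconfig."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def sha256_of(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(paths):
    """Record known-good hashes; keep the result off the monitored host."""
    return {path: sha256_of(path) for path in paths}


def verify_baseline(baseline):
    """Return {path: reason} for every binary that no longer matches the baseline."""
    findings = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
        elif sha256_of(path) != expected:
            findings[path] = "modified"
    return findings


def demo() -> dict:
    """Constructed scenario: fake ps/ls/ifconfig, baseline them, then 'install' a rootkit
    that replaces ps and ifconfig with same-named files."""
    with tempfile.TemporaryDirectory() as bindir:
        names = ["ps", "ls", "ifconfig"]
        for name in names:
            with open(os.path.join(bindir, name), "wb") as fh:
                fh.write(b"#!/bin/sh\necho genuine " + name.encode() + b"\n")
        baseline = build_baseline([os.path.join(bindir, n) for n in names])

        for name in ("ps", "ifconfig"):  # simulated Trojaned replacements
            with open(os.path.join(bindir, name), "wb") as fh:
                fh.write(b"#!/bin/sh\necho trojaned " + name.encode() + b"\n")

        findings = verify_baseline(baseline)
        return {os.path.basename(p): reason for p, reason in findings.items()}


if __name__ == "__main__":
    print(demo())
    print("promiscuous:", nic_is_promiscuous("0x1103"))
```

Two caveats a practitioner would add: the baseline must be captured before compromise and stored somewhere the attacker cannot rewrite, and a kernel-level rootkit can lie to any user-space check, including reads of /sys, so a comparison that comes back clean on a live system is only meaningful if the check is run from trusted boot media against the mounted disk.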

173

A is incorrect because a role, or a team, needs to be created to carry out a damage assessment once a disaster has taken place. The assessment procedures should be properly documented and include the following steps:

  • Determine the cause of the disaster.
  • Determine the potential for further damage.
  • Identify the affected business functions and areas.
  • Identify the level of functionality for the critical resources.
  • Identify the resources that must be replaced immediately.
  • Estimate how long it will take to bring critical functions back online.
  • If it will take longer than the previously estimated Maximum Tolerable Downtime (MTD) values to restore operations, then a disaster should be declared and the Business Continuity Planning (BCP) should be put into action.

174

15. If a company wants to protect fax data while it is in transmission, which of the following are valid mechanisms?

  A. PGP and MIME

  B. PEM and TSL

  C. Data link encryption or fax encryptor

  D. Data link encryption and MIME

15. C. Fax data in transit can be protected with a fax encryptor, which encrypts the data as it leaves the fax machine or fax server so that an intercepted transmission cannot be read, or by encrypting the data link itself. PGP, PEM, and MIME are e-mail technologies and do not protect a fax transmission, and "TSL" is not a protocol.

175

22. How is the use of clipping levels a way to track violations?

  A. They set a baseline for normal user errors, and any violations that exceed that threshold should be recorded and reviewed to understand why they are happening.

  B. They enable the administrator to view all reduction levels that have been made to user codes and that have incurred violations.

  C. They do not allow the administrator to customize the audit trail to record only those violations deemed security related.

  D. They enable the administrator to customize the audit trail to capture only access violations and denial-of-service attacks.

22. A. Clipping levels are thresholds of acceptable user errors and suspicious activities. If the threshold is exceeded, it should be logged and the administrator should decide if malicious activities are taking place or if the user needs more training.

176

CISSP Boxed Set, Second Edition

The CISSP Boxed Set, Second Edition features audio and video training from Shon Harris. These resources are available for download from McGraw-Hill Professional’s Media Center.

177

public key encryption

public key encryption A type of encryption that uses two mathematically related keys to encrypt and decrypt messages. The private key is known only to the owner, and the public key is available to anyone.

178

authorization

authorization Granting access to an object after the subject has been properly identified and authenticated.

179

What’s the Real Deal?

MTBF can be misleading. Putting aside questions of whether manufacturer-predicted MTBFs are believable, consider a desktop PC with a single hard drive installed, where the hard drive has an MTBF estimate by the manufacturer of 30,000 hours. Thus, 30,000 hours/8,760 hours/year = a little over three years MTBF. This suggests that this model of hard drive, on average, will last over three years before it fails. Put aside the notions of whether the office environment in which that PC is located is temperature-, humidity-, shock-, and coffee spill-controlled, and install a second identical hard drive in that PC. The possibility of failure has now doubled, giving two chances in that three-year period of suffering a failure of a hard drive in the PC. Extrapolate this to a data center with thousands of these hard drives in it, and it becomes clear that a hard drive replacement budget is required each year, along with redundancy for important data.
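To put numbers on the argument above, here is an added example (not part of the flashcard deck) that carries the 30,000-hour figure through the standard constant-failure-rate (exponential) model that MTBF figures assume. That model is an assumption of the example, not a claim the card makes: real drives have higher failure rates early and late in life.

```python
import math

HOURS_PER_YEAR = 8760


def mtbf_in_years(mtbf_hours: float) -> float:
    """The card's 30,000 h / 8,760 h per year arithmetic."""
    return mtbf_hours / HOURS_PER_YEAR


def expected_failures_per_year(drive_count: int, mtbf_hours: float) -> float:
    """Replacements to budget for each year across a fleet (constant failure rate)."""
    return drive_count * HOURS_PER_YEAR / mtbf_hours


def prob_at_least_one_failure(drive_count: int, mtbf_hours: float, years: float) -> float:
    """P(at least one of drive_count independent drives fails within `years`),
    under the exponential-lifetime assumption behind MTBF figures."""
    failure_rate = 1.0 / mtbf_hours                   # failures per drive-hour
    exposure = drive_count * years * HOURS_PER_YEAR    # drive-hours at risk
    return 1.0 - math.exp(-failure_rate * exposure)


def demo() -> dict:
    mtbf = 30_000  # manufacturer figure from the card
    return {
        "mtbf_years": round(mtbf_in_years(mtbf), 2),
        "one_drive_fails_within_3y": round(prob_at_least_one_failure(1, mtbf, 3), 3),
        "two_drives_any_fails_within_3y": round(prob_at_least_one_failure(2, mtbf, 3), 3),
        "one_drive_fails_before_its_mtbf": round(
            prob_at_least_one_failure(1, mtbf, mtbf_in_years(mtbf)), 3),
        "replacements_per_year_for_1000_drives": round(expected_failures_per_year(1000, mtbf)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last two figures are the ones the card is pointing at: under the model, a drive has only a 37% chance of surviving to its own MTBF (63% fail before it), and a data center with a thousand of them should expect roughly 292 replacements a year, which is why a replacement budget and redundancy for important data are required.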

180

Ping of death

This is a type of DoS attack in which oversized ICMP packets are sent to the victim. Systems that are vulnerable to this type of attack do not know how to handle ICMP packets over a specific size and may freeze or reboot. Countermeasures are to patch the systems and implement ingress filtering to detect these types of packets.

181

reliability

reliability The assurance of a given system, or individual component, performing its mission adequately for a specified period of time under the expected operating conditions.

182

permissions

permissions The type of authorized interactions that a subject can have with an object. Examples include read, write, execute, add, modify, and delete.

183

email Security

The Internet was first developed mainly for government agencies and universities to communicate and share information, but today businesses need it for productivity and profitability. Millions of individuals also depend upon it as their window to a larger world and as a quick and efficient communications tool.

184

security label

security label An identifier that represents the security level of an object.

185

Postmortem

Once the tests are over and the interpretation and prioritization are done, management will have in its hands a Booke of Doome showing many of the ways the company could be successfully attacked. This is the input to the next cycle in the remediation strategy. There exists only so much money, time, and personnel, and thus only so much of the total risk can be mitigated. Balancing the risks and risk appetite of the company, and the costs of possible mitigations and the value gained from each, management must direct the system and security administrators as to where to spend those limited resources. An oversight program is required to ensure that the mitigations work as expected and that the estimated cost of each mitigation action is closely tracked against the actual cost of implementation. Any time the cost rises significantly or the value is found to be far below what was expected, the process should be briefly paused and reevaluated. It may be that a risk-versus-cost option initially considered less desirable will now make more sense than continuing with the chosen path.

186

Inventorying the media on a scheduled basis

to detect if any media has been lost/changed. This can reduce the amount of damage a violation of the other media protection responsibilities could cause by detecting such violations sooner rather than later, and is a necessary part of the media management life cycle by which the controls in place are verified as being sufficient.

187

Input and Output Controls

Garbage in, garbage out.

What is input into an application has a direct correlation to what that application outputs. Thus, input needs to be monitored for errors and suspicious activity. If a checker at a grocery store continually puts in the amount of $1.20 for each prime rib steak customers buy, the store could eventually lose a good amount of money. This activity could be done either by accident, which would require proper retraining, or on purpose, which would require disciplinary actions.

188

CHAPTER 7

Business Continuity and Disaster Recovery

This domain includes questions from the following topics:

  • Business continuity management
  • Business continuity planning components
  • Standards and best practices
  • Selecting, developing, and implementing disaster and continuity solutions
  • Recovery and redundant technologies
  • Backup and offsite facilities
  • Types of drills and tests

189

administrative controls

administrative controls Security mechanisms that are management’s responsibility and referred to as "soft" controls. These controls include the development and publication of policies, standards, procedures, and guidelines; the screening of personnel; security-awareness training; the monitoring of system activity; and change control procedures.

190

Data Encryption Standard (DES)

Data Encryption Standard (DES) Symmetric key encryption algorithm that was adopted by the government as a federal standard for protecting sensitive unclassified information. DES was later replaced with Advanced Encryption Standard (AES).

191

control zone

control zone The space within a facility that is used to protect sensitive processing equipment. Controls are in place to protect equipment from physical or technical unauthorized entry or compromise. The zone can also be used to prevent electromagnetic emanations carrying sensitive data from leaving the area.

192

residual risk

residual risk The remaining risk after the security controls have been applied. The conceptual formulas that explain the difference between total and residual risk are

193

66. D. These are all issues that are directly related to Kerberos. These items are as follows:

  • The KDC can be a single point of failure. If the KDC goes down, no one can access needed resources. Redundancy is necessary for the KDC.
  • The KDC must be able to handle the number of requests it receives in a timely manner. It must be scalable.
  • Secret keys are temporarily stored on the users’ workstations, which means it is possible for an intruder to obtain these cryptographic keys.
  • Session keys are decrypted and reside on the users’ workstations, either in a cache or in a key table. Again, an intruder can capture these keys.
  • Kerberos is vulnerable to password guessing. The KDC does not know if a dictionary attack is taking place.

194

Deviations from Standards

In this instance, "standards" pertains to computing service levels and how they are measured. Each device can have certain standards applied to it: the hours of time to be online, the number of requests that can be processed within a defined period of time, bandwidth usage, performance counters, and more. These standards provide a baseline that is used to determine whether there is a problem with the device. For example, if a device usually accepts approximately 300 requests per minute, but suddenly it is only able to accept 3 per minute, the operations team would need to investigate the deviation from the standard that is usually provided by this device. The device may be failing or under a denial-of-service (DoS) attack, or be subject to legitimate business-use cases that had not been foreseen when the device was first implemented.

195

security policy

security policy Documentation that describes senior management’s directives toward the role that security plays within the organization. It provides a framework within which an organization establishes needed levels of information security to achieve the desired confidentiality, availability, and integrity goals. A policy is a statement of information values, protection responsibilities, and organizational commitment to managing risks.

196

Unusual or Unexplained Occurrences

Networks, and the hardware and software within them, can be complex and dynamic. At times, conditions occur that are at first confusing and possibly unexplainable. It is up to the operations department to investigate these issues, diagnose the problem, and come up with a logical solution.

197

repudiation

repudiation When the sender of a message denies sending the message. The countermeasure to this is to implement digital signatures.

198

Kernel flaws

These are problems that occur below the level of the user interface, deep inside the operating system. Any flaw in the kernel that can be reached by an attacker, if exploitable, gives the attacker the most powerful level of control over the system.

199

File and directory permissions

Many of the previously described attacks rely on inappropriate file or directory permissions—that is, an error in the access control of some part of the system, on which a more secure part of the system depends. Also, if a system administrator makes a mistake that results in decreasing the security of the permissions on a critical file, such as making a password database accessible to regular users, an attacker can take advantage of this to add an unauthorized user to the password database, or an untrusted directory to the dynamic load library search path.
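The two mistakes named above (a readable password database, a writable directory on a library search path) are exactly what a permissions audit looks for. The following is an added example, not from the flashcard deck, that checks the "other" permission bits with Python’s os.stat and runs against a constructed directory tree standing in for /etc/shadow and two library directories.

```python
import os
import stat
import tempfile


def world_readable(path: str) -> bool:
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def world_writable(path: str) -> bool:
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def audit_permissions(sensitive_files, search_path_dirs):
    """Findings for files that must stay private (a shadow password database, say)
    and for directories on a loader or library search path that anyone could
    drop a file into. Returns a list of strings; empty means nothing found."""
    findings = []
    for path in sensitive_files:
        if world_readable(path):
            findings.append(f"{os.path.basename(path)}: sensitive file is world-readable")
    for path in search_path_dirs:
        if world_writable(path):
            findings.append(f"{os.path.basename(path)}: search-path directory is world-writable")
    return findings


def demo() -> list:
    """Constructed tree: a 'shadow' file with a fabricated hash line and two library dirs."""
    with tempfile.TemporaryDirectory() as root:
        shadow = os.path.join(root, "shadow")
        with open(shadow, "w") as fh:
            fh.write("root:$6$constructed$notarealhash:19000:0:99999:7:::\n")
        os.chmod(shadow, 0o644)  # the mistake: group and others can read it

        good_lib = os.path.join(root, "lib")
        bad_lib = os.path.join(root, "lib-local")
        os.mkdir(good_lib)
        os.mkdir(bad_lib)
        os.chmod(good_lib, 0o755)
        os.chmod(bad_lib, 0o777)  # the mistake: anyone can plant a library here

        return audit_permissions([shadow], [good_lib, bad_lib])


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real host the inputs would be the actual shadow file and the directories from the dynamic loader’s configured search path; the check deliberately reads mode bits directly rather than parsing ls output, so it stays usable in the rootkit scenario where ls itself may have been replaced.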

200

7. Why is it important to control and audit input and output values?

  A. Incorrect values can cause mistakes in data processing and be evidence of fraud.

  B. Incorrect values can be the fault of the programmer and do not comply with the due care clause.

  C. Incorrect values can be caused by brute force attacks.

  D. Incorrect values are not security issues.

7. A. What is input into an application has a direct correlation to what it outputs, so an incorrect value, whether keyed by accident or on purpose, produces wrong results downstream, and a pattern of incorrect values (for example a checker who repeatedly enters the wrong price) can be evidence of fraud. B is incorrect because incorrect values are usually a data-entry or operational problem rather than a programming fault. C is incorrect because brute force attacks target credentials, not application input values. D is incorrect because incorrect input and output values affect the integrity of the data and are therefore security issues.

201

CHAPTER 2

Access Control

This domain includes questions from the following topics:

  • Identification methods and technologies
  • Authentication methods, models, and technologies
  • Discretionary, mandatory, and nondiscretionary models
  • Accountability, monitoring, and auditing practices
  • Emanation security and technologies
  • Intrusion detection systems
  • Threats to access control practices and technologies

202

audit trail

audit trail A chronological set of logs and records used to provide evidence of a system’s performance or activity that took place on the system. These logs and records can be used to attempt to reconstruct past events and track the activities that took place, and possibly detect and identify intruders.

203

brute force attack

brute force attack An attack that continually tries different inputs to achieve a predefined goal, which can be used to obtain credentials for unauthorized access.

204

CHAPTER 8

Legal, Regulations, Investigations, and Compliance

This domain includes questions from the following topics:

  • Computer crime types
  • Motives and profiles of attackers
  • Various types of evidence
  • Laws and acts put into effect to fight computer crime
  • Computer crime investigation process and evidence collection
  • Incident-handling procedures
  • Ethics pertaining to information security and best practices

205

20. John is responsible for providing a weekly report to his manager outlining the week’s security incidents and mitigation steps. What steps should he take if a report has no information?

A. Send his manager an e-mail telling her so.

B. Deliver last week’s report and make sure it’s clearly dated.

C. Deliver a report that states "No output."

D. Don’t do anything.

Extended Questions:

CORRECT C. If a report has no information (nothing to report), it should state, "No output." This ensures that the manager is aware that there is no information to report and that John isn’t just slacking in his responsibilities.

WRONG A is incorrect because John should still deliver his manager a report. It should say "No output." Even though an e-mail achieves the objective of communicating that there’s nothing to report, a report should still be delivered for consistency.

WRONG B is incorrect because delivering last week’s report does not provide documentation or communicate to John’s manager that there is nothing to report this week. He should give his manager a report that reads, "No output."

WRONG D is incorrect because if John doesn’t do anything when there is nothing to report, his manager must track John down and ask him for the report. For all she knows, John is slacking on his job duties. By providing a report that reads, "No output," John is communicating this information to his manager in an efficient manner that she has come to expect.

206

Mean time between failures (MTBF)

Mean time between failures (MTBF) is the estimated lifespan of a piece of equipment. MTBF is calculated by the vendor of the equipment or a third party. The reason for using this value is to know approximately when a particular device will need to be replaced. Either based on historical data or scientifically estimated by vendors, it is used as a benchmark for reliability by predicting the average time that will pass in the operation of a component or a system until its final death.

207

Carrying out secure disposal activities

Disposition includes the lifetime after which the information is no longer valuable and the minimum necessary measures for the disposal of the media/information. Secure disposal of media/information can add significant cost to media management. Knowing that only a certain percentage of the information must be securely erased at the end of its life may significantly reduce the long-term operating costs of the company. Similarly, knowing that certain information must be disposed of securely can reduce the possibility of a piece of media being simply thrown in a dumpster and then found by someone who publicly embarrasses or blackmails the company over the data security breach represented by that inappropriate disposal of the information. It is the business that creates the information stored on media, not the person, library, or librarian who has custody of the media, that is responsible for setting the lifetime and disposition of that information. The business must take into account the useful lifetime of the information to the business, legal and regulatory restrictions, and, conversely, the requirements for retention and archiving when making these decisions. If a law or regulation requires the information to be kept beyond its normally useful lifetime for the business, then disposition may involve archiving, that is, moving the information from the ready (and possibly more expensive) accessibility of a library to a long-term stable and (with some effort) retrievable format that has lower storage costs.

208

Facsimile Security

Your covert strategic plans on how we are going to attack our enemy are sitting in a fax bin in the front office.

Faxing data is a very popular way of delivering information today and, like other types of communications channels, it must be incorporated into the security policy and program of companies.

209

social engineering

social engineering The act of tricking another person into providing confidential information by posing as an individual who is authorized to receive that information.

210

Personnel testing

Personnel testing includes reviewing employee tasks and thus identifying vulnerabilities in the standard practices and procedures that employees are instructed to follow, demonstrating social-engineering attacks and the value of training users to detect and resist such attacks, and reviewing employee policies and procedures to ensure those security risks that cannot be reduced through physical and logical controls are met with the final control category: administrative.

211

tactical goals

tactical goals Midterm goals to accomplish. These may be milestones to accomplish within a project or specific projects to accomplish in a year. Strategic, tactical, and operational goals make up a planning horizon.

212

double-blind test

A double-blind test (stealth assessment) is also a blind test to the assessor as mentioned previously, plus the security staff is not notified. This enables the test to evaluate the network’s security level and the staff’s responses, log monitoring, and escalation processes, and is a more realistic demonstration of the likely success or failure of an attack.

213

top-down approach

top-down approach An approach in which the initiation, support, and direction for a project come from top management and work their way down through middle management and then to staff members.

214

remote journaling

remote journaling A method of transmitting changes to data to an offsite facility. This takes place as parallel processing of transactions, meaning that changes to the data are saved locally and to an off-site facility. These activities take place in real time and provide redundancy and fault tolerance.

215

Zero knowledge

The team does not have any knowledge of the target and must start from ground zero.

216

Teardrop

This attack sends malformed fragmented packets to a victim. The victim’s system usually cannot reassemble the packets correctly and freezes as a result. Countermeasures to this attack are to patch the system and use ingress filtering to detect these packet types.

217

formal verification

formal verification Validating and testing of highly trusted systems. The tests are designed to show design verification (consistency between the formal specifications and the formal security policy model) and implementation verification (consistency between the formal specifications and the actual implementation of the product).

218

17. Which of the following is the best way to reduce brute-force attacks that allow intruders to uncover users’ passwords?

A. Increase the clipping level.

B. Lock out an account for a certain amount of time after the clipping level is reached.

C. After a threshold of failed login attempts is met, the administrator must physically lock out the account.

D. Choose a weaker algorithm that encrypts the password file.

Extended Questions:

CORRECT B. A brute-force attack is an attack that continually tries different inputs to achieve a predefined goal, which can then be used to obtain credentials for unauthorized access. A brute-force attack to uncover passwords means that the intruder is attempting all possible sequences of characters to uncover the correct password. If the account would be disabled (or locked out) after this type of attack attempt took place, this would prove to be a good countermeasure.

WRONG A is incorrect because clipping levels should be implemented to establish a baseline of user activity and acceptable errors. An entity attempting to log in to an account should be locked out once the clipping level is met. A higher clipping level gives an attacker more attempts between alerts or lockout. Decreasing the clipping level would be a good countermeasure.

WRONG C is incorrect because it is not practical to have an administrator physically lock out accounts. This type of activity can easily be taken care of through automated software mechanisms. Accounts should be automatically locked out for a certain amount of time after a threshold of failed login attempts has been met.

WRONG D is incorrect because using a weaker algorithm that encrypts passwords and/or password files would increase the likelihood of success of a brute-force attack.

219

18. Which of the following is not an attack against operations?

  A. Brute force

  B. Denial-of-service

  C. Buffer overflow

  D. ICMP sting

18. B. Corroborative evidence cannot stand alone, but instead is used as supporting information in a trial. It is often testimony indirectly related to the case but offers enough correlation to supplement the lawyer’s argument. The other choices are all types of evidence that can stand alone.

220

emergency system restart

An emergency system restart takes place after a system failure happens in an uncontrolled manner. This could be a kernel or media failure caused by lower-privileged user processes attempting to access memory segments that are restricted. The system sees this as an insecure activity that it cannot properly recover from without rebooting. The kernel and user objects could be in an inconsistent state, and data could be lost or corrupted. The system thus goes into a maintenance mode and recovers from the actions taken. Then it is brought back up in a consistent and stable state.

221

single point of failure

A single point of failure poses a lot of potential risk to a network, because if the device fails, a segment or even the entire network is negatively affected. Devices that could represent single points of failure are firewalls, routers, network access servers, T1 lines, switches, bridges, hubs, and authentication servers—to name a few. The best defenses against being vulnerable to these single points of failure are proper maintenance, regular backups, redundancy, and fault tolerance.

222

Man-in-the-middle attack

An intruder injects herself into an ongoing dialog between two computers so she can intercept and read messages being passed back and forth. These attacks can be countered with digital signatures and mutual authentication techniques.

223

quantitative risk analysis

quantitative risk analysis A risk analysis method that attempts to use percentages in damage estimations and assigns real numbers to the costs of countermeasures for particular risks and the amount of damage that could result from the risk. Compare to qualitative risk analysis.

224

access control

access control Mechanisms, controls, and methods of limiting access to resources to authorized subjects only.

225

Security Concerns

When an operating system moves into any type of unstable state, there are always concerns that the system is vulnerable in some fashion. The system needs to be able to protect itself and the sensitive data that it maintains. The following lists just a few of the security issues that should be addressed properly in a trusted recovery process.

226

personnel security

personnel security The procedures that are established to ensure that all personnel who have access to sensitive information have the required authority as well as appropriate clearances. Procedures confirm a person’s background and provide assurance of necessary trustworthiness.

227

Downloading the Total Tester

To download the Total Tester CISSP Practice Exam Software, simply click the link below and follow the directions for free online registration.

228

CHAPTER 10

Security Operations

This domain includes questions from the following topics:

  • Administrative management responsibilities
  • Operations department responsibilities
  • Configuration management
  • Trusted recovery states
  • Redundancy and fault-tolerant systems
  • E-mail security
  • Threats to operations security

229

4. Why should employers make sure employees take their vacations?

  A. They have a legal obligation.

  B. It is part of due diligence.

  C. It is a way for fraud to be uncovered.

  D. To ensure the employee does not get burnt out.

4. C. Diameter is a protocol that has been developed to build upon the functionality of RADIUS and to overcome many of its limitations. Diameter is an AAA protocol that provides the same type of functionality as RADIUS and TACACS+ but also provides more flexibility and capabilities, including working with EAP. RADIUS uses UDP, and cannot effectively deal well with remote access, IP mobility, and policy control.

230

Redundant array of independent disks (RAID)

Redundant array of independent disks (RAID) is a technology used for redundancy and/or performance improvement. It combines several physical disks and aggregates them into logical arrays. When data are saved, the information is written across all drives. A RAID appears as a single drive to applications and other devices.

231

security kernel

security kernel The hardware, firmware, and software elements of a trusted computing base (TCB) that implement the reference monitor concept. The kernel must mediate all access between subjects and objects, be protected from modification, and be verifiable as correct.

232

6. If a programmer is restricted from updating and modifying production code, what is this an example of?

  A. Rotation of duties

  B. Due diligence

  C. Separation of duties

  D. Controlling input values

6. C. It is important to deal with the issue of "reasonable expectation of privacy" (REP) when it comes to employee monitoring. In the U.S. legal system the expectation of privacy is used when defining the scope of the privacy protections provided by the Fourth Amendment of the Constitution. If it is not specifically explained to an employee that monitoring is possible and/or probable, when the monitoring takes place he could claim that his privacy rights have been violated and launch a civil suit against a company.

233

information owner

information owner The person who has final corporate responsibility of data protection and would be the one held liable for any negligence when it comes to protecting the company’s information assets. The person who holds this role—usually a senior executive within the management group of the company—is responsible for assigning a classification to the information and dictating how the information should be protected.

235

Data Leakage

Leaks of personal information can cause large dollar losses. The costs commonly include investigation, contacting affected individuals to inform them, penalties and fines to regulatory agencies and contract liabilities, and mitigating expenses (such as credit reporting) and direct damages to affected individuals. In addition to financial loss, a company’s reputation may be damaged and individual identities can be stolen. The most common cause of data breach for a business is a lack of awareness and discipline among employees. Negligence commonly leads to an overwhelming majority of all leaks.

236

electronic vaulting

electronic vaulting The transfer of backup data to an offsite location. This process is primarily a batch process of transmitting data through communications lines to a server at an alternative location.

237

single loss expectancy (SLE)

single loss expectancy (SLE) A dollar amount that is assigned to a single event that represents the company’s potential loss amount if a specific threat were to take place.

238

security perimeter

security perimeter An imaginary boundary between the components within the trusted computing base (TCB) and mechanisms that do not fall within the TCB. It is the distinction between trusted and untrusted processes.

239

All the controls mentioned in the previous sections must be in place and must continue to function in a predictable and secure fashion to ensure that the systems, applications, and the environment as a whole continue to be operational. Let’s look at a few more issues that can cause problems if not dealt with properly:

  • Online transactions must be recorded and timestamped.
  • Data entered into a system should be in the correct format and validated to ensure such data are not malicious.
  • Ensure output reaches the proper destinations securely:
      • A signed receipt should always be required before releasing sensitive output.
      • A heading and trailing banner should indicate who the intended receiver is.
      • Once output is created, it must have the proper access controls implemented, no matter what its format (paper, digital, tape).
      • If a report has no information (nothing to report), it should contain "no output."

240

penetration testing

penetration testing Penetration testing is a method of evaluating the security of a computer system or network by simulating an attack that a malicious hacker would carry out. This is done so that vulnerabilities and weaknesses can be uncovered.

241

The following are the recommended system requirements for the cryptography video sample:

  • Windows 2000, 2 GHz Pentium IV, 48X CD-ROM drive, 128MB RAM, 1024×768 monitor, millions of colors, QuickTime 6, Microsoft Internet Explorer 5.5 or Netscape Navigator 4.7, and speakers or headphones
  • Macintosh OS 10.1, 800 MHz G4, 48X CD-ROM drive, 128MB RAM, 1024×768 monitor, millions of colors, QuickTime 6, Microsoft Internet Explorer 5.5 or Netscape Navigator 4.7, and speakers or headphones

242

23. Tape library management is an example of operations security through which of the following?

  A. Archival retention

  B. The review of clipping levels

  C. Resource protection

  D. Change management

23. C. The reason to have tape library management is to have a centralized and standard way of protecting how media is stored, accessed, and destroyed.

243

Fake login screens

A fake login screen is created and installed on the victim’s system. When the user attempts to log into the system, this fake screen is presented to the user, requesting he enter his credentials. When he does so, the screen captures the credentials and exits, showing the user the actual login screen for his system. Usually the user just thinks he mistyped his password and attempts to authenticate again without knowing anything malicious just took place. A host-based IDS can be used to detect this type of activity.

244

LICENSE AGREEMENT

THIS PRODUCT (THE "PRODUCT") CONTAINS PROPRIETARY SOFTWARE, DATA AND INFORMATION (INCLUDING DOCUMENTATION) OWNED BY THE McGRAW-HILL COMPANIES, INC. ("McGRAW-HILL") AND ITS LICENSORS. YOUR RIGHT TO USE THE PRODUCT IS GOVERNED BY THE TERMS AND CONDITIONS OF THIS AGREEMENT.

245

disaster recovery plan

disaster recovery plan A plan developed to help a company recover from a disaster. It provides procedures for emergency response, extended backup operations, and post-disaster recovery when an organization suffers a loss of computer processing capability or resources and physical facilities.

246

masquerading

masquerading Impersonating another user, usually with the intention of gaining unauthorized access to a system.

247

Job rotation

Job rotation means that, over time, more than one person fulfills the tasks of one position within the company. This enables the company to have more than one person who understands the tasks and responsibilities of a specific job title, which provides backup and redundancy if a person leaves the company or is absent. Job rotation also helps identify fraudulent activities, and therefore can be considered a detective type of control. If Keith has performed David’s position, Keith knows the regular tasks and routines that must be completed to fulfill the responsibilities of that job. Thus, Keith is better able to identify whether David does something out of the ordinary and suspicious.

248

System Requirements: The following system requirements are needed to access and interact with the online content:

  • Internet connection
  • Flash Player 7 or later is recommended, and one of the following browsers:

249

loss potential

loss potential The potential losses that can be accrued if a threat agent actually exploits a vulnerability.

250

backdoor

A backdoor is a program that is installed by an attacker to enable her to come back into the computer at a later date without having to supply login credentials or go through any type of authorization process. Access control is thwarted by the attacker because she can later gain access to the compromised computer. The backdoor program actually listens on specific ports for the attacker, and once the attacker accesses those ports, the backdoor program lets her come right in.

251

CHAPTER 4

Physical and Environmental Security

This domain includes questions from the following topics:

  • Administrative, technical, and physical controls
  • Facility location, construction, and management
  • Physical security risks, threats, and countermeasures
  • Fire prevention, detection, and suppression
  • Intrusion detection systems

252

security testing

security testing Testing all security mechanisms and features within a system to determine the level of protection they provide. Security testing can include penetration testing, formal design and implementation verification, and functional testing.

253

spoof

It is very easy to spoof e-mail messages, which means to alter the name in the From field. All an attacker needs to do is modify information within the Preferences section of his mail client and restart the application. As an example of a spoofed e-mail message, an attacker could change the name in the From field to the name of the network administrator and send an e-mail message to the CEO’s secretary, telling her the IT department is having problems with some servers and needs her to change her network logon to "password." If she receives this e-mail and sees the From field has the network administrator’s name in it, she will probably fulfill this request without thinking twice.

254

Storage Area Networks

Drawing from the local area network (LAN), wide area network (WAN), and metropolitan area network (MAN) nomenclature, a storage area network (SAN) consists of large amounts of storage devices linked together by a high-speed private network and storage-specific switches. This creates a "fabric" that allows users to attach to and interact in a transparent mode. When a user makes a request for a file, he does not need to know which server or tape drive to go to—the SAN software finds it and magically provides it to the user.

255

8. What is the difference between least privilege and need to know?

  A. A user should have least privilege that restricts her need to know.

  B. A user should have a security clearance to access resources, a need to know about those resources, and least privilege to give her full control of all resources.

  C. A user should have a need to know to access particular resources, and least privilege should be implemented to ensure she only accesses the resources she has a need to know.

  D. They are two different terms for the same issue.

8. C. An administrator does not need to revoke and reassign permissions to individual users as they change jobs. Instead, the administrator assigns permissions and rights to a role, and users are plugged into those roles.

256

system reboot

A system reboot takes place after the system shuts itself down in a controlled manner in response to a kernel (trusted computing base) failure. If the system finds inconsistent object data structures or if there is not enough space in some critical tables, a system reboot may take place. This releases resources and returns the system to a more stable and safer state.

257

CHAPTER 6

Cryptography

This domain includes questions from the following topics:

  • Cryptography components and their relationships
  • Symmetric and asymmetric key algorithms
  • Public key infrastructure (PKI) concepts and mechanisms
  • Hashing algorithms and uses
  • Types of attacks on cryptosystems

258

classification

classification A systematic arrangement of objects into groups or categories according to a set of established criteria. Data and resources can be assigned a level of sensitivity as they are being created, amended, enhanced, stored, or transmitted. The classification level then determines the extent to which the resource needs to be controlled and secured, and is indicative of its value in terms of information assets.

259

System Requirements: The following are the minimum system requirements for the cryptography video sample:

  • Windows 98, 800 MHz Pentium II, 24X CD-ROM drive, 64MB RAM, 800×600 monitor, millions of colors, QuickTime 5, Microsoft Internet Explorer 5 or Netscape Navigator 4.5, and speakers or headphones
  • Macintosh OS 9.2.1, 450 MHz G3, 24X CD-ROM drive, 64MB RAM, 800×600 monitor, millions of colors, QuickTime 5, Microsoft Internet Explorer 5 or Netscape Navigator 4.5, and speakers or headphones.

260

Orange Book

Orange Book The common name for the Trusted Computer Security Evaluation Criteria (TCSEC).

261

Symbolic links

Though the attacker may be properly blocked from seeing or changing the content of sensitive system files and data, if a program follows a symbolic link (a stub file that redirects the access to another place) and the attacker can compromise the symbolic link, then the attacker may be able to gain unauthorized access. (Symbolic links are used in Unix and Linux type systems.) This may allow the attacker to damage important data and/or gain privileged access to the system. A historical example of this was to use a symbolic link to cause a program to delete a password database, or replace a line in the password database with characters that, in essence, created an unpassworded root-equivalent account.

262

Targeted tests

Targeted tests can involve external consultants and internal staff carrying out focused tests on specific areas of interest. For example, before a new application is rolled out, the team might test it for vulnerabilities before installing it into production. Another example is to focus specifically on systems that carry out e-commerce transactions and not the other daily activities of the company.

263

Direct Access Storage Device (DASD)

Direct Access Storage Device (DASD) is a general term for magnetic disk storage devices, which historically have been used in mainframe and minicomputer (mid-range computer) environments. RAID is a type of DASD. The key distinction between Direct Access and Sequential Access storage devices is that any point on a Direct Access Storage Device may be promptly reached, whereas every point in between the current position and the desired position of a Sequential Access Storage Device must be traversed in order to reach the desired position. Tape drives are Sequential Access Storage Devices. Some tape drives have minimal amounts of Direct Access intelligence built in. These include multitrack tape devices that store at specific points on the tape and cache in the tape drive information about where major sections of data on the tape begin, allowing the tape drive to more quickly reach a track and a point on the track from which to begin the now much shorter traversal of data from that indexed point to the desired point. While this makes such tape drives noticeably faster than their purely sequential peers, the difference in performance between Sequential and Direct Access Storage Devices is orders of magnitude.

264

cryptography

cryptography The science of secret writing that enables storage and transmission of data in a form that is available only to the intended individuals.

265

System and network testing

System and network testing are perhaps what most people think of when discussing information security vulnerability testing. For efficiency, an automated scanning product identifies known system vulnerabilities, and some may (if management has signed off on the performance impact and the risk of disruption) attempt to exploit vulnerabilities.

266

Unscheduled Initial Program Loads (aka Rebooting)

Initial program load (IPL) is a mainframe term for loading the operating system’s kernel into the computer’s main memory. On a personal computer, booting into the operating system is the equivalent of IPLing. This activity takes place to prepare the computer for user operation.

267

communications security

communications security Controls in place to protect information as it is being transmitted, especially by telecommunications mechanisms.

268

storage area network (SAN)

Drawing from the local area network (LAN), wide area network (WAN), and metropolitan area network (MAN) nomenclature, a storage area network (SAN) consists of large amounts of storage devices linked together by a high-speed private network and storage-specific switches. This creates a "fabric" that allows users to attach to and interact in a transparent mode. When a user makes a request for a file, he does not need to know which server or tape drive to go to—the SAN software finds it and magically provides it to the user.

269

9. Which of the following would not require updated documentation?

  A. An antivirus signature update

  B. Reconfiguration of a server

  C. A change in security policy

  D. The installation of a patch to a production server

9. A. It is possible to determine how beneficial and effective your physical security program is only if it is monitored through a performance-based approach. This means you should devise measurements and metrics to gauge the effectiveness of your countermeasures. This enables management to make informed business decisions when investing in the protection of the organization’s physical security. The goal is to increase the performance of the physical security program and decrease the risk to the company in a cost-effective manner. You should establish a baseline of performance and thereafter continually evaluate performance to make sure that the company’s protection objectives are being met.

270

recovery planning

recovery planning The advance planning and preparations that are necessary to minimize loss and to ensure the availability of the critical information systems of an organization after a disruption in service or a disaster.

271

Traffic analysis

This is a method of uncovering information by watching traffic patterns on a network. For example, heavy traffic between the HR department and headquarters could indicate an upcoming layoff. Traffic padding can be used to counter this kind of attack, in which decoy traffic is sent out over the network to disguise patterns and make it more difficult to uncover them.

272

covert storage channel

covert storage channel A covert channel that involves writing to a storage location by one process and the direct or indirect reading of the storage location by another process. Covert storage channels typically involve a resource (for example, sectors on a disk) that is shared by two subjects at different security levels.

273

19. Why should user IDs be included in data captured by auditing procedures?

  A. They show what files were attacked.

  B. They establish individual accountability.

  C. They are needed to detect a denial-of-service attack.

  D. They activate corrective measures.

19. B. A CAPTCHA is a skewed representation of characters a person must enter to prove that the subject is a human and not an automated tool, such as a software robot. It is the graphical representation of data.

274

13. What type of exploited vulnerability allows more input than the program has allocated space to store it?

A. Symbolic links

B. File descriptors

C. Kernel flaws

D. Buffer overflows

Extended Questions:

CORRECT D. Poor programming practices allow more input than the software has allocated space to store it. This overwrites data or program memory after the end of the allocated buffer, and sometimes it allows the attacker to inject program code and then cause the processor to execute it in what is called a buffer overflow. This gives the attacker the same level of access as that held by the software that was successfully attacked. If the program was run as an administrative user or by the system itself, this can mean complete access to the system. Good programming practice, automated source code scanners, enhanced programming libraries, and strongly typed languages that disallow buffer overflows are all ways of reducing this type of vulnerability.

WRONG A is incorrect because a symbolic link is a stub file that redirects access to system files or data to another place. If an attacker can compromise the symbolic link, then the attacker may be able to gain unauthorized access. (Symbolic links are used in Unix and Linux type systems.) This may allow the attacker to damage important data and/or gain privileged access to the system. A historical example of this was to use a symbolic link to cause a program to delete a password database, or replace a line in the password database with characters that, in essence, created an unpassworded root-equivalent account. Programs, and especially scripts, must be written to assure that the full path to the file cannot be circumvented.

WRONG B is incorrect because file descriptors are exploited if a program makes unsafe use of a file descriptor and an attacker is able to cause unexpected input to be provided to the program, or cause output to go to an unexpected place with the privileges of the executing program. File descriptors are numbers many operating systems use to represent open files in a process. Certain file descriptor numbers are universal, meaning the same thing to all programs. Good programming practices, automated source code scanners, and application security testing are all ways of reducing file descriptor attacks.

WRONG C is incorrect because kernel flaws are problems that occur below the level of the user interface, deep inside the operating system. Flaws in the kernel that can be reached by an attacker, if exploitable, give the attacker the most powerful level of control over the system. It is important to ensure that security patches to operating systems—after sufficient testing—are promptly deployed in the environment to keep the window of vulnerability as small as possible.

275

object reuse

object reuse Reassigning to a subject media that previously contained information. Object reuse is a security concern because if insufficient measures were taken to erase the information on the media, the information may be disclosed to unauthorized personnel.

276

Denial-of-service (DoS) attack

An attacker sends multiple service requests to the victim’s computer until they eventually overwhelm the system, causing it to freeze, reboot, and ultimately not be able to carry out regular tasks.

277

automated information system (AIS)

automated information system (AIS) A computer system that is used to process and transmit data. It is a collection of hardware, software, and firmware that works together to accept, compute, communicate, store, process, transmit, and control data-processing functions.

278

B. When forensics teams are deployed to investigate a potential crime, they should be properly equipped with all of the tools and supplies needed. The following are some of the common items in the forensics field kits:

  • Documentation tools—Tags, labels, and timelined forms
  • Disassembly and removal tools—Antistatic bands, pliers, tweezers, screwdrivers, wire cutters, and so on
  • Package and transport supplies—Antistatic bags, evidence bags and tape, cable ties, and others

279

Sets initial passwords for users

New accounts must be protected from attackers who might know patterns used for passwords, or might find accounts that have been newly created without any passwords, and take over those accounts before the authorized user accesses the account and changes the password. The security administrator operates automated new password generators or manually sets new passwords, and then distributes them to the authorized user so attackers cannot guess the initial or default passwords on new accounts, and so new accounts are never left unprotected.

280

Single Points of Failure

Don’t put all your eggs in one basket, or all your electrons in one device.

A single point of failure poses a lot of potential risk to a network, because if the device fails, a segment or even the entire network is negatively affected. Devices that could represent single points of failure are firewalls, routers, network access servers, T1 lines, switches, bridges, hubs, and authentication servers—to name a few. The best defenses against being vulnerable to these single points of failure are proper maintenance, regular backups, redundancy, and fault tolerance.

281

2. Which of the following describes why operations security is important?

  A. An environment continually changes and has the potential of lowering its level of protection.

  B. It helps an environment be functionally sound and productive.

  C. It ensures there will be no unauthorized access to the facility or its resources.

  D. It continually raises a company’s level of protection.

2. D. The attackers are the entities that have exploited a vulnerability; thus, they are the threat agent.

282

discretionary access control (DAC)

discretionary access control (DAC) An access control model and policy that restricts access to objects based on the identity of the subjects and the groups to which those subjects belong. The data owner has the discretion of allowing or denying others access to the resources it owns.

283

2. A change management process should include a number of procedures. Which of the following incorrectly describes a characteristic or component of a change control policy?

A. Changes that are unanimously approved by the change control committee must be tested to uncover any unforeseen results.

B. Changes approved by the change control committee should be entered into a change log.

C. A schedule that outlines the projected phases of the change should be developed.

D. An individual or group should be responsible for approving proposed changes.

Extended Questions:

CORRECT A. A well-structured change management process should be put into place to aid staff members through many different types of changes to the environment. This process should be laid out in the change control policy. Although the types of changes vary, a standard list of procedures can help keep the process under control and ensure it is carried out in a predictable manner. All changes approved by the change control committee must be fully tested to uncover any unforeseen results. Depending on the severity of the change and the company’s organization, the change and implementation may need to be presented to a change control committee. This helps show different sides to the purpose and outcome of the change and the possible ramifications.

WRONG B is incorrect because it is true that changes approved by the change control committee should be entered into a change log. The log should be updated as the process continues toward completion. It is important to track and document all changes that are approved and implemented.

WRONG C is incorrect because once a change is fully tested and approved, a schedule should be developed that outlines the projected phases of the change being implemented and the necessary milestones. These steps should be fully documented, and progress should be monitored.

WRONG D is incorrect because requests should be presented to an individual or group that is responsible for approving changes and overseeing the activities of changes that take place within an environment.

284

Grid computing

Grid computing is another load-balanced parallel means of massive computation, similar to clusters, but implemented with loosely coupled systems that may join and leave the grid randomly. Most computers have extra CPU processing power that is not being used many times throughout the day. So some smart people thought that was wasteful and came up with a way to use all of this extra processing power. Just like the power grid provides electricity to entities on an as-needed basis (if you pay your bill), computers can volunteer to allow their extra processing power to be available to different groups for different projects. The first project to use grid computing was SETI (Search for Extraterrestrial Intelligence), where people allowed their systems to participate in scanning the universe looking for aliens who are trying to talk to us.

285

cost/benefit analysis

cost/benefit analysis An assessment that is performed to ensure that the cost of a safeguard does not outweigh the benefit of the safeguard. Spending more to protect an asset than the asset is actually worth does not make good business sense. All possible safeguards must be evaluated to ensure that the most security-effective and cost-effective choice is made.

286

System Controls

System controls are also part of operations security. Within the operating system itself, certain controls must be in place to ensure that instructions are being executed in the correct security context. The system has mechanisms that restrict the execution of certain types of instructions so they can take place only when the operating system is in a privileged or supervisor state. This protects the overall security and state of the system and helps ensure it runs in a stable and predictable manner.

287

handshaking procedure

handshaking procedure A dialog between two entities for the purpose of identifying and authenticating the entities to one another. The dialog can take place between two computers or two applications residing on different computers. It is an activity that usually takes place within a protocol.

288

security evaluation

security evaluation Assesses the degree of trust and assurance that can be placed in systems for the secure handling of sensitive information.

289

Creates and maintains user profiles and implements and maintains access control mechanisms

The security administrator puts into practice the security policies of least privilege and oversees accounts that exist, along with the permissions and rights they are assigned.

290

92. B. The following are rules for object organization within a database based on the X.500 standard:

  • The directory has a tree structure to organize the entries using a parent-child configuration.
  • Each entry has a unique name.
  • The attributes used in the directory are dictated by the defined schema.
  • The unique identifiers are called distinguished names.

291

About the Developmental Editor

Crystal Bedell is the principal of Bedell Communications, a full-service copywriting and editing firm specializing in technology and B2B communications. She has more than 15 years of combined editing, writing, and marketing experience, including eight years at TechTarget, where she developed Web content for IT professionals. Having worked as both a member of the press and in marketing, Crystal has unique insights into the information needs of IT professionals as well as an understanding of their work environment and the constraints of the typical IT decision maker. She knows how to speak their language and distill marketing language into plain English.

292

Service level agreements (SLAs)

help service providers, whether they are an internal IT operation or an outsourcer, decide what type of availability technology is appropriate. From this determination, the price of a service or the budget of the IT operation can be set. The process of developing an SLA with a business is also beneficial to the business. While some businesses have performed this type of introspection on their own, many have not, and being forced to go through the exercise as part of budgeting for their internal IT operations or external sourcing helps the business understand the real value of its information.

293

Carries out security assessments

As a service to the business that the security administrator is working to secure, a security assessment leverages the knowledge and experience of the security administrator to identify vulnerabilities in the systems, networks, software, and in-house developed products used by a business. These security assessments enable the business to understand the risks it faces and to make sensible business decisions about products and services it considers purchasing, and risk mitigation strategies it chooses to fund versus risks it chooses to accept, transfer (by buying insurance), or avoid (by not doing something it had earlier considered doing but that isn’t worth the risk or risk mitigation cost).

294

Backdoors

Chapter 4 discussed backdoors and some of the potential damage that can be caused by them. It also looked at how backdoors are inserted into the code so a developer can access the software at a later time, bypassing the usual security authentication and authorization steps. Now we will look at how and why attackers install backdoors on victims’ computers.

295

6. Which of the following correctly describes Direct Access and Sequential Access storage devices?

A. Any point on a Direct Access Storage Device may be promptly reached, whereas every point in between the current position and the desired position of a Sequential Access Storage Device must be traversed in order to reach the desired position.

B. RAIT is an example of a Direct Access Storage Device, while RAID is an example of a Sequential Access Storage Device.

C. MAID is a Direct Access Storage Device, while RAID is an example of a Sequential Access Storage Device.

D. As an example of Sequential Access Storage, tape drives are faster than Direct Access Storage Devices.

Extended Questions:

CORRECT A. Direct Access Storage Device (DASD) is a general term for magnetic disk storage devices, which historically have been used in mainframe and minicomputer (mid-range computer) environments. A redundant array of independent disks (RAID) is a type of DASD. The key distinction between Direct Access and Sequential Access storage devices is that any point on a Direct Access Storage Device may be promptly reached, whereas every point in between the current position and the desired position of a Sequential Access Storage Device must be traversed in order to reach the desired position. Tape drives are Sequential Access Storage Devices. Tape storage is the lowest-cost option for very large amounts of data but is very slow compared to disk storage.

WRONG B is incorrect because RAIT stands for redundant array of independent tapes. RAIT uses tape drives, which are Sequential Access Storage Devices. In RAIT, data are striped in parallel to multiple tape drives, with or without a redundant parity drive. This provides the high capacity at low cost typical of tape storage, with higher than usual tape data transfer rates, and optional data integrity. RAID, or redundant array of independent disks, is a type of Direct Access Storage Device. RAID combines several physical disks and aggregates them into logical arrays. When data is saved, the information is written across all drives. A RAID appears as a single drive to applications and other devices.

WRONG C is incorrect because both MAID, a massive array of inactive disks, and RAID, a redundant array of independent disks, are examples of Direct Access Storage Devices. Any point on these magnetic disk storage devices can be reached without traversing every point between the current and desired positions. This makes Direct Access Storage Devices faster than Sequential Access Storage Devices.

WRONG D is incorrect because Sequential Access Storage Devices are slower than Direct Access Storage Devices. Tape drives are an example of Sequential Access Storage Device technology.

296

A. Access to internal ports is not a countermeasure. Several countermeasures should be put in place to reduce this threat:

  • Disable unnecessary ports and services.
  • Block access at the perimeter network using firewalls, routers, and proxy servers.
  • Use an IDS to identify this type of activity.
  • Use TCP wrappers on vulnerable services that have to be available.
  • Remove as many banners as possible within operating systems and applications.
  • Upgrade or update to more secure operating systems, applications, and protocols.

297

Mail bombing

This is an attack used to overwhelm mail servers and clients with unrequested emails. Using e-mail filtering and properly configuring e-mail relay functionality on mail servers can be used to protect against this type of DoS attack.

298

Remote Access Security

I have my can that is connected to another can with a string. Can you put the other can up to my computer monitor? I have work to do.

Remote access is a major component of normal operations, and a great enabler of organizational resilience in the face of certain types of disasters. If a regional disaster makes it impractical for large numbers of employees to commute to their usual work site, but the data center—or a remote backup data center—remains operational, remote access to computer resources can allow many functions of a company to continue almost as usual. Remote access can also be a way to reduce normal operational costs by reducing the amount of office space that must be owned or rented, furnished, cleaned, cooled and heated, and provided with parking, since employees will instead be working from home. Remote access may also be the only way to enable a mobile workforce, such as traveling salespeople, who need access to company information while in several different cities each week to meet with current and potential customers.

299

Do too many users have rights and privileges to sensitive or restricted data or resources?

• Do too many users have rights and privileges to sensitive or restricted data or resources? The answer would indicate whether access rights to the data and resources need to be reevaluated, whether the number of individuals accessing them needs to be reduced, and/or whether the extent of their access rights should be modified.

300

20. Which of the following controls requires separate entities, operating together, to complete a task?

  A. Least privilege

  B. Data hiding

  C. Dual control

  D. Administrative

20. B. The CPO is a newer position, created mainly because of the increasing demands on organizations to protect a long laundry list of different types of data. This role is responsible for ensuring that customer, company, and employee data are secure and kept secret, which keeps the company out of criminal and civil courts and hopefully out of the headlines.

301

maintenance hook

maintenance hook Instructions within a program’s code that enable the developer or maintainer to enter the program without having to go through the usual access control and authentication processes. Maintenance hooks should be removed from the code before it is released to production; otherwise, they can cause serious security risks. Also called trapdoor or backdoor.

302

Wardialing

This is a brute force attack in which an attacker has a program that systematically dials a large bank of phone numbers with the goal of finding ones that belong to modems instead of telephones. These modems can provide easy access into an environment. The countermeasures are to not publicize these telephone numbers and to implement tight access control for modems and modem pools.

303

16. What is the purpose of TCP wrappers?

  A. To monitor requests for certain ports and control access to sensitive files

  B. To monitor requests for certain services and control access to password files

  C. To monitor requests for certain services and control access to those services

  D. To monitor requests to system files and ensure they are not modified

16. D. A maskable interrupt is assigned to an event that may not be overly important, and the programmer can indicate that if that interrupt calls, the program does not stop what it is doing. This means the interrupt is ignored. Nonmaskable interrupts can never be overridden by an application because the event that has this type of interrupt assigned to it is critical.

304

10. If sensitive data are stored on a CD-ROM and are no longer needed, which would be the proper way of disposing of the data?

  A. Degaussing

  B. Erasing

  C. Purging

  D. Physical destruction

10. D. Regression testing should take place after a change to a system takes place, retesting to ensure functionality, performance, and protection.

305

About the Download

This eBook comes with free downloads, including Total Seminars’ Total Tester Software, with over 1,400 practice questions covering all ten CISSP domains, and a sample cryptography video presented by Shon Harris. The Total Tester software can be installed on any Windows XP/Vista/7 computer and must be installed to access the Total Tester practice exams. See below for more information on the Total Tester and the number of questions in the test engine. All these features can be downloaded using the links in this appendix.

Downloading the Total Tester

306

Quick Tips

  • Facilities that house systems that process sensitive information should have physical access controls to limit access to authorized personnel only.
  • Data should be classified, and the necessary technical controls should be put into place to protect its integrity, confidentiality, and availability.
  • Hacker tools are becoming increasingly more sophisticated while requiring increasingly less knowledge by the attacker about how they work.
  • Quality assurance involves the verification that supporting documentation requirements are met.
  • Quality control ensures that an asset is operating within accepted standards.
  • System and audit logs should be monitored and protected from unauthorized modification.
  • Repetitive errors can indicate lack of training or issues resulting from a poorly designed system.
  • Sensitive data should not be printed and left at stand-alone printers or fax devices.
  • Users should have the necessary security level to access data and resources, but must also have a need to know.
  • Clipping levels should be implemented to establish a baseline of user activity and acceptable errors.
  • Separation of responsibilities and duties should be in place so that if fraud takes place, it requires collusion.
  • Sensitive information should contain the correct markings and labels to indicate the corresponding sensitivity level.
  • Contract and temporary staff members should have more restrictive controls put upon their accounts.
  • Access to resources should be limited to authorized personnel, applications, and services and should be audited for compliance to stated policies.
  • Change control and configuration management should be put in place so changes are approved, documented, tested, and properly implemented.
  • Activities that involve change management include requesting a change, approving a change, documenting a change, testing a change, implementing a change, and reporting to management.
  • Systems should not allow their bootup sequences to be altered in a way that could bypass operating system security mechanisms.
  • Potential employees should have background investigations, references, experience, and education claims checked out.
  • Proper fault-tolerant mechanisms should be put in place to counter equipment failure.
  • Antivirus and IDS signatures should be updated on a continual basis.
  • System, network, policy, and procedure changes should be documented and communicated.
  • When media is reused, it should contain no residual data.
  • Media holding sensitive data must be properly purged, which can be accomplished through zeroization, degaussing, or media destruction.
  • Life-cycle assurance involves protecting a system from inception to development to operation to removal.
  • The key aspects of operations security include resource protection, change control, hardware and software controls, trusted system recovery, separation of duties, and least privilege.
  • Least privilege ensures that users, administrators, and others accessing a system have access only to the objects they absolutely require to complete their job.
  • Vulnerability assessments should be done on a regular basis to identify new vulnerabilities.
  • The operations department is responsible for any unusual or unexplained occurrences, unscheduled initial program loads, and deviations from standards.
  • Standards need to be established that indicate the proper startup and shutdown sequence, error handling, and restoration procedures.
  • A teardrop attack involves sending malformed fragmented packets to a vulnerable system.
  • Improper mail relay configurations allow for mail servers to be used to forward spam messages.
  • Phishing involves an attacker sending false messages to a victim in the hopes that the victim will provide personal information that can be used to steal their identity.
  • A browsing attack occurs when an attacker looks for sensitive information without knowing what format it is in.
  • A fax encryptor encrypts all fax data leaving a fax server.
  • A system can fail in one of the following manners: system reboot, emergency system restart, and system cold start.
  • The main goal of operations security is to protect resources.
  • Operational threats include disclosure, theft, corruption, interruption, and destruction.
  • Operations security involves balancing the necessary level of security with ease of use, compliance, and cost constraints.

307

fax servers

Some companies use fax servers, which are systems that manage incoming and outgoing faxed documents. When a fax is received by the fax server, the fax server properly routes it to the individual it is addressed to so it is kept in electronic form rather than being printed. Typically, the received fax is routed to the recipient’s electronic mailbox.

308

Output should not be able to be rerouted

Diagnostic output from a system can contain sensitive information. The diagnostic log files, including console output, must be protected by access controls from being read by anyone other than authorized administrators. Unauthorized users must not be able to redirect the destination of diagnostic logs and console output.

309

Writing actions to system logs should not be able to be bypassed

Through separation of duties and access controls, system logs and system state files must be preserved against attempts by users/attackers to hide their actions or change the state to which the system will next restart. If any system configuration file can be changed by an unauthorized user, and the user can then find a way to cause the system to restart, the new—possibly insecure—configuration will take effect.

310

countermeasure

countermeasure A control, method, technique, or procedure that is put into place to prevent a threat agent from exploiting a vulnerability. A countermeasure is put into place to mitigate risk. Also called a safeguard or control.

311

LIMITATION OF LIABILITY:

LIMITATION OF LIABILITY: NEITHER McGRAW-HILL, ITS LICENSORS NOR THE AUTHORS SHALL BE LIABLE FOR ANY INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES, SUCH AS BUT NOT LIMITED TO, LOSS OF ANTICIPATED PROFITS OR BENEFITS, RESULTING FROM THE USE OR INABILITY TO USE THE PRODUCT EVEN IF ANY OF THEM HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION OF LIABILITY SHALL APPLY TO ANY CLAIM OR CAUSE WHATSOEVER WHETHER SUCH CLAIM OR CAUSE ARISES IN CONTRACT, TORT, OR OTHERWISE. Some states do not allow the exclusion or limitation of indirect, special or consequential damages, so the above limitation may not apply to you.

312

access control list (ACL)

access control list (ACL) A list of subjects that are authorized to access a particular object. Typically, the types of access are read, write, execute, append, modify, delete, and create.

313

need to know

need to know A security principle stating that users should have access only to the information and resources necessary to complete their tasks that fulfill their roles within an organization. Need to know is commonly used in access control criteria by operating systems and applications.

314

21. Brian, a security administrator, is responding to a virus infection. The antivirus application reports that a file has been infected with a dangerous virus and disinfecting it could damage the file. What course of action should Brian take?

A. Replace the file with the file saved from the day before.

B. Disinfect the file and contact the vendor.

C. Restore an uninfected version of the patched file from backup media.

D. Back up the data and disinfect the file.

Extended Questions:

CORRECT C. The best course of action is to install an uninfected version of a patched file from backup media. Attempts to disinfect the file could corrupt it, and it is important to restore a file that is known to be "clean."

WRONG A is incorrect because the previous day’s file could also be infected. It is best to replace the file entirely with a freshly installed and patched version.

WRONG B is incorrect because disinfecting the file could cause damage, as stated in the question. In addition, the vendor of the application will not necessarily be useful in this situation. It is easier to restore a clean version of the file and move on with production.

WRONG D is incorrect because backing up the file will also back up the virus, and as the question stated, disinfecting the file will cause damage and potential data loss.

315

Atoms and Data

A device that performs degaussing generates a coercive magnetic force that reduces the magnetic flux density of the storage media to zero. This magnetic force is what properly erases data from media. Data are stored on magnetic media by the representation of the polarization of the atoms. Degaussing changes this polarization (magnetic alignment) by using a type of large magnet to bring it back to its original flux (magnetic alignment).

316

contingency plan

contingency plan A plan put in place before any potential emergencies, with the mission of dealing with possible future emergencies. It pertains to training personnel, performing backups, preparing critical facilities, and recovering from an emergency or disaster so that business operations can continue.

317

Clustering

Okay, everyone gather over here and perform the same tasks.

Clustering is a fault-tolerant server technology that is similar to redundant servers, except each server takes part in processing services that are requested. A server cluster is a group of servers that are viewed logically as one server to users and can be managed as a single logical system. Clustering provides for availability and scalability. It groups physically different systems and combines them logically, which provides immunity to faults and improves performance. Clusters work as an intelligent unit to balance traffic, and users who access the cluster do not know they may be accessing different systems at different times. To the users, all servers within the cluster are seen as one unit. Clusters may also be referred to as server farms.

318

cryptosystem

cryptosystem The hardware or software implementation of cryptography.

319

Testing Oneself

Some of the same tactics an attacker may use when wardialing may be useful to the system administrator, such as wardialing at night to reduce disruption to the business. Be aware, when performing wardialing proactively, that dialing at night may also miss some unauthorized modems that are attached to systems that are turned off by their users at the end of the day. Wardialers can be configured to avoid certain numbers or blocks of numbers, so the system administrator can avoid dialing numbers known to be voice-only, such as help desks. This can also be done on more advanced PBXs, with any number assigned to a digital voice device that is configured to not support a modem.

320

19. The relay agent on a mail server plays a role in spam prevention. Which of the following incorrectly describes mail relays?

A. Antispam features on mail servers are actually antirelaying features.

B. Relays should be configured "wide open" to receive any e-mail message.

C. Relay agents are used to send messages from one mail server to another.

D. If a relay is configured "wide open," the mail server can be used to send spam.

Extended Questions:

CORRECT B. Most companies have their public mail servers in their DMZ and may have one or more servers within their LAN. The mail servers in the DMZ are in this protected space because they are directly connected to the Internet. These servers should be tightly locked down and their relaying mechanisms should be correctly configured. If relays are configured "wide open" on a mail server, the mail server can be used to receive any mail message and send it on to the intended recipients, thereby contributing to the distribution of spam. Therefore, mail relays should not be configured "wide open."

WRONG A is incorrect because it is true that antispam features are actually antirelaying features. It is important that mail servers have the proper antispam features enabled. Many companies also employ antivirus and content-filtering applications on their mail servers to try to stop the spread of malicious code, and not allow unacceptable messages through the e-mail gateway. It is important to filter both incoming and outgoing messages. This helps ensure that inside employees are not spreading viruses or sending out messages that are against company policy.

WRONG C is incorrect because it is true that mail servers use a relay agent to send a message from one mail server to another. This relay agent needs to be properly configured so that a company’s mail server is not used by another for spamming activity. Spamming usually is illegal, so the people doing the spamming do not want the traffic to seem as though it originated from their equipment. They will find mail servers on the Internet or within company DMZs that have loosely configured relaying mechanisms and use these computers to send their spam.

WRONG D is incorrect because it is true that if a relay is configured "wide open" the mail server can be used to send spam—and any other mail message it receives. This means that the server can be used to distribute advertisements for other companies, spam messages, and pornographic material.

321

10. RAID systems use a number of techniques to provide redundancy and performance. Which of the following activities divides and writes data over several drives?

A. Parity

B. Mirroring

C. Striping

D. Hot-swapping

Extended Questions:

CORRECT C. Redundant array of inexpensive disks (RAID) is a technology used for redundancy and/or performance improvement. It combines several physical disks and aggregates them into logical arrays. When data is saved, the information is written across all drives. A RAID appears as a single drive to applications and other devices. When striping is used, data is written across all drives. This activity divides and writes the data over several drives. Both write and read performance are increased dramatically because more than one head is reading or writing data at the same time.

WRONG A is incorrect because parity is used to rebuild lost or corrupted data. Various levels of RAID dictate the type of activity that will take place within the RAID system. Some levels deal only with performance issues, while other levels deal with performance and fault tolerance. If fault tolerance is one of the services a RAID level provides, parity is involved. If a drive fails, the parity is basically instructions that tell the RAID system how to rebuild the lost data on the new hard drive. Parity is used to rebuild a new drive so that all the information is restored.

WRONG B is incorrect because mirroring occurs when data is written to two drives at once. If one drive fails, the other drive has the exact same data available. Mirroring provides redundancy. Mirroring occurs at Level 1 of RAID systems, and with striping in Level 10.

WRONG D is incorrect because hot-swappable refers to a type of disk that is in most RAID systems. RAID systems with hot-swapping disks are able to replace drives while the system is running. When a drive is swapped out, or added, the parity data is used to rebuild the data on the new disk that was just added.

322

declassification

declassification An administrative decision or procedure to remove or reduce the security classification of information.

323

intrusion detection system (IDS)

intrusion detection system (IDS) Software employed to monitor and detect possible attacks and behaviors that vary from the normal and expected activity. The IDS can be network based, which monitors network traffic, or host based, which monitors activities of a specific system and protects system files and control mechanisms.

324

exposure factor

exposure factor The percentage of loss a realized threat could have on a certain asset.

325

sensitivity label

sensitivity label A piece of information that represents the security level of an object. Sensitivity labels are used by the TCB as the basis for mandatory access control (MAC) decisions.

326

Security and Network Personnel

The security administrator should not report to the network administrator, because their responsibilities have different focuses. The network administrator is under pressure to ensure high availability and performance of the network and resources and to provide the users with the functionality they request. But many times this focus on performance and user functionality comes at the cost of security. Security mechanisms commonly decrease performance in either processing or network transmission because there is more involved: content filtering, virus scanning, intrusion detection and prevention, anomaly detection, and so on. Since these are not the areas of focus and responsibility of many network administrators, a conflict of interest could arise. The security administrator should be within a different chain of command from that of the network personnel to ensure that security is not ignored or assigned a lower priority.

327

compartment

compartment A class of information that has need-to-know access controls beyond those normally provided for access to confidential, secret, or top-secret information. A compartment is the same thing as a category within a security label. Just because a subject has the proper classification, that does not mean it has a need to know. The category, or compartment, of the security label enforces the subject’s need to know.

328

Slamming and cramming

Slamming is when a user’s service provider has been changed without that user’s consent. Cramming is adding on charges that are bogus in nature that the user did not request. Properly monitoring charges on bills is really the only countermeasure to these types of attacks.

329

configuration management

configuration management The identification, control, accounting, and documentation of all changes that take place to system hardware, software, firmware, supporting documentation, and test results throughout the lifespan of the system.