CISSP* CBK (ISC) GUIDE TO THE. OFFICIAL (ISCf. \Xjfl^J Taylor &. Francis Group ' Boca Raton London New York. CRC Press THIRD EDITION

Transcription

1 CISSP, OFFICIAL (ISCf GUIDE TO THE CISSP* CBK THIRD EDITION Edited by Harold F.Tipton Steven Hernandez CISSPISSAP, ISSMP CAP, SSCP, CSS LP (ISC) CRC Press \Xjfl^J Taylor &. Francis Group ' Boca Raton London New York CRC Press is an imprint of the Taylor & Francis Group, an informa business AN AUERBACH BOOK

2 Foreword Introduction Editors Contributors xv xviii xxx xxxiv DOMAIN 7 ACCESS CONTROL gjv»" life Key Access Control Concepts 4 ACCESS CONTROL PRINCIPLES 17 TYPES & CATEGORIES OFACCESS CONTROLS 44 ACCESS CONTROL TYPES 53 ACCESS CONTROL TECHNIQUES 81 IDENTIFICATION AND AUTHENTICATION 94 DECENTRALIZED/DISTRIBUTEDACCESS CONTROL TECHNIQUES 149 LOGGING AND MONITORING 175 Access Control Attacks 194 UNDERSTANDING THREATS 194 THREAT MODELING 227 ASSET VALUATION 230 ACCESS AGGREGATION 234 V

3 Official (ISC)2 Guide to the CiSSP CBK: Third Edition Assess Effectiveness of Access Controls 235 USER ENTITLEMENT 252 ACCESS REVIEW & AUDIT 253 Identity and Access Provisioning Lifecycle 256 DOMAIN 2 ^ g^m^^tbs^: TELECOMMUNICATIONS & NETWORK SECURlH Secure Network Architecture and Design 271 OSI and TCP/IP 273 IP NETWORKING 288 IMPLICATIONS OF MULTILAYER PROTOCOLS 312 Securing Network Components 316 HARDWARE 321 TRANSMISSION MEDIA 328 NETWORKACCESS CONTROL DEVICES 347 ENDPOINT SECURITY 354 Secure Communication Channels 355 VOICE 364 MULTIMEDIA COLLABORATION 371 REMOTEACCESS 381 DATA COMMUNICATIONS 388 Network Attacks 416 DOMAIN 3 INFORMATION SECURITY GOVERNANCE & RISK MANAGEMENT & Understand and Align Security Function 467 Understand and Apply Security Governance 470 ORGANIZATIONAL PROCESSES 473 SECURITY ROLES AND RESPONSIBILITIES 475 VI

4 Contents LEGISLATIVE AND REGULATORY COMPLIANCE 482 PRIVACY REQUIREMENTS COMPLIANCE 484 CONTROL FRAMEWORKS 485 DUE CARE 487 DUE DILIGENCE 488 Concepts of Confidentiality, Integrity and Availability 489 Develop and Implement Security Policy 492 SECURITY POLICIES 495 STANDARDS/BASELINES 500 PROCEDURES 503 GUIDELINES 504 DOCUMENTATION 505 Manage the Information Life Cycle 507 Manage ThirdParty Governance 5io Understand and Apply Risk Management Concepts 512 QUANTITATIVE RISKASSESSMENTS 527 IDENTIFY THREATS AND VULNERABILITIES 529 RISKASSESSMENT/ANALYSIS 532 RISKASSIGNMENT/ACCEPTANCE 538 COUNTERMEASURE SELECTION 541 TANGIBLE AND INTANGIBLEASSET VALUATION 543 Manage Personnel Security 547 EMPLOYMENTCANDIDATE SCREENING 548 EMPLOYMENTAGREEMENTS AND POLICIES 557 EMPLOYEE TERMINATION PROCESSES 562 VENDOR, CONSULTANTAND CONTRACTOR CONTROLS 564 Security Education, Training and Awareness 566 Manage the Security Function 574 BUDGET. 588 METRICS 590 RESOURCES 591 vii

5 Official (ISC)2 Guide to the OSSP CBK: Third Edition DEVELOP AND IMPLEMENT INFORMATION SECURITY STRATEGIES 593 EFFECTIVENESS OF THE SECURITY PROGRAM 596 DOMAIN 4 SOFTWARE DEVELOPMENT SECURITY ffpp ': III Security in the Software Development Life Cycle 614 DEVELOPMENT LIFE CYCLE 618 MATURITY MODELS 626 OPERATION AND MAINTENANCE 629 CHANGE MANAGEMENT 630 Environment and Security Controls 632 SECURITY OF THESOFTWARE ENVIRONMENT 676 SECURITY ISSUES OFPROGRAMMING LANGUAGES 681 SECURITY ISSUES IN SOURCE CODE 699 CONFIGURATION MANAGEMENT 747 Assess the Effectiveness of Software Security 748 DOMAIN 5 CRYPTOGRAPHY illfe The Application and Use of Cryptography 764 DATA AT REST 771 DATA IN TRANSIT 771 THE CRYPTOGRAPHICLIFECYCLE 773 ENCRYPTION CONCEPTS 778 SYMMETRIC CRYPTOGRAPHY 801 ASYMMETRIC CRYPTOGRAPHY 822 HYBRID CRYPTOGRAPHY 829 MESSAGE DIGESTS 831 HASHING 832 Key Management Processes 838 CREATION AND DISTRIBUTION OF KEYS 848 VIII

6 Contents KEY STORAGE AND DESTRUCTION 855 KEYRECOVERY 860 KEY ESCROW 860 Digital Signatures 862 NonRepudiation 865 Methods of Cryptanalytic Attacks 866 CHOSEN PLAINTEXT 866 SOCIAL ENGINEERING FOR KEY DISCOVERY 866 BRUTE FORCE..866 CIPHERTEXTONLY ATTACK 868 KNOW PLAINTEXT 869 FREQUENCYANALYSIS 869 CHOSEN CIPHERTEXT 869 IMPLEMENTATION ATTACKS 871 NETWORK SECURITY AND CRYPTOGRAPHY 873 APPLICATION SECURITY AND CRYPTOGRAPHY 876 PUBLIC KEY INFRASTRUCTURE (PKI) 879 CERTIFICATE RELATED ISSUES 882 INFORMATION HIDING ALTERNATIVES 885 Fundamental Concepts of Security Models 902 Information Systems Security Evaluation Models 945 PRODUCT EVALUATION MODELS 948 INDUSTRY AND INTERNATIONAL SECURITY IMPLEMENTATION GUIDELINES 956 Security Capabilities of Information Systems 963 VULNERABILITIES OF SECURITY ARCHITECTURES 970 SYSTEM 970 TECHNOLOGYAND PROCESS INTEGRATION 974 ix

7 Official (ISC)2 Guide to the CISSP CBK: Third Edition Software and System Vulnerabilities and Threats 979 WEBBASED 979 CLIENTBASED VULNERABILITIES 983 SERVERBASED VULNERABILITIES 986 DATABASE SECURITY 989 DISTRIBUTED SYSTEMS 992 Countermeasure Principles 999 Security Operations Concepts 1014 NEED TOKNOW/LEASTPRIVILEGE 1017 SEPARATION OF DUTIES AND RESPONSIBILITIES 1021 MONITOR SPECIAL PRIVILEGES 1026 JOB ROTATION 1027 MARKING, HANDLING, STORING AND DESTROYING OF SENSITIVE INFORMATION 1027 RECORD RETENTION 1031 Employ Resource Protection 1032 MEDIA MANAGEMENT 1035 ASSETMANAGEMENT 1041 Manage Incident Response 1043 DETECTION 1047 RESPONSE 1051 REPORTING 1052 RECOVERY 1052 REMEDIATION AND REVIEW 1053 X

8 Contents DOMAIN 8 BUSINESS CONTINUITY & DISASTER RECOVERY PLANNING IlllliS' wat Jptff^ MiStflli'' wafer '' Wmi fill? Preventative Measure against Attacks 1056 Patch and Vulnerability Management 1058 Change and Configuration Management 1063 System Resilience/Fault Tolerance Requirements 1068 Business Continuity Requirements i092 DEVELOPAND DOCUMENTPROJECTSCOPE AND PLAN 1095 Conduct Business Impact Analysts 1108 IDENTIFYAND PRIORITIZE CRITICAL ORGANIZATION FUNCTIONS 1108 DETERMINE MAXIMUM TOLERABLE DOWNTIME AND OTHER CRITERIA 1110 ASSESS EXPOSURE TO OUTAGES 1111 DEFINE RECOVERY OBJECTIVES 1115 Develop a Recovery Strategy 1117 IMPLEMENT A BACKUP STORAGE STRATEGY 1118 RECOVERY SITE STRATEGIES 1121 The Disaster Recovery Process 1127 RESPONSE 1129 PERSONNEL 1135 COMMUNICATIONS 1136 ASSESSMENT 1138 RESTORATION 1139 PROVIDE TRAINING 1141 Exercise, Assess and Maintain the Plan 1143

9 Official (ISC)2 Guide to the CISSP CBK: Third Edition ^^^KnjjLi^fc^J^^^ pvhh *rf1 Legal Issues Internationally 1168 COMPUTER CRIME 1176 LICENSING AND INTELLECTUAL PROPERTY 1180 IMPORT/EXPORT 1184 TRANSBORDER DATA FLOW 1184 PRIVACY 1184 Understand Professional Ethics 1193 (ISC)2 CODE OF PROFESSIONAL ETHICS 1208 SUPPORTORGANIZATION'S CODE OF ETHICS 1210 Understand and Support Investigations 1217 POLICY, ROLES AND RESPONSIBILITIES 1223 INCIDENT HANDLING AND RESPONSE 1225 EVIDENCE COLLECTION AND HANDLING 1232 REPORTING AND DOCUMENTING 1234 Understand Forensic Procedures 1235 MEDIA ANALYSIS 1236 NETWORKANALYSIS 1236 SOFTWAREANALYSIS 1237 HARDWARE/EMBEDDED DEVICEANALYSIS 1238 Understand Compliance Requirements and Procedures 1240 REGULATORY ENVIRONMENT 1240 AUDITS 1240 REPORTING 1241 Contractual Agreements and Procurement Processes 1242 xii

10 Contents DOMAIN 10 PHYSICAL (ENVIRONMENTAL) SECURITY Understand Site and Facility Design Considerations 1256 Support the Implementation and Operation of Perimeter Security 1275 Support the Implementation of Internal Security 1308 Support the Implementation and Operation of Facilities Security 1331 COMMUNICATIONS AND SERVER ROOMS 1337 RESTRICTED AND WORK AREA SECURITY 1339 DATA CENTER SECURITY 1340 UTILITIESAND HVAC CONSIDERATIONS 1343 WATER ISSUES 1347 FIRE PREVENTION, DETECTION AND SUPPRESSION 1347 Support the Protection and Securing of Equipment 1351 Personnel Privacy and Safety 1357 DOMAIN 1 ACCESS CONTROL 1371 DOMAIN 2 TELECOMMUNICATIONS AND NETWORK SECURITY 1379 DOMAIN 3 INFORMATION SECURITY GOVERNANCE AND RISK 1387 DOMAIN 4 SOFTWARE DEVELOPMENTSECURITY 1395 DOMAINS CRYPTOGRAPHY 1406 DOMAIN 6 DOMAIN 7 DOMAIN 8 SECURITY ARCHITECTUREAND DESIGN 1412 SECURITY OPERATIONS 1422 BUSINESS CONTINUITY& DISASTER RECOVERY PLANNING 1431 DOMAIN 9 LEGAL, REGULATIONS, INVESTIGATIONS, AND COMPLIANCE 1439 DOMAIN 10 PHYSICAL (ENVIRONMENTAL) SECURITY Index 1452 xiii