Official (ISC)2 Guide to the CISSP CBK, Second Edition ((ISC)2 Press)

AU8231_C000.fm Page i Thursday, October 19, 2006 6:55 AM Half OFFICIAL Title Page (ISC) GUIDE TO THE 2 ® CISSP CBK ...

Author: Harold F. Tipton

118 downloads 975 Views 14MB Size Report

This content was uploaded by our users and we assume good faith they have the permission to share this book. If you own the copyright to this book and it is wrongfully on our website, we offer a simple DMCA procedure to remove your content from our site. Start by pressing the button below!

Report copyright / DMCA form

DOWNLOAD PDF

AU8231_C000.fm Page i Thursday, October 19, 2006 6:55 AM

Half OFFICIAL Title Page

(ISC) GUIDE TO THE 2

®

CISSP CBK ®

®

AU8231_C000.fm Page ii Thursday, October 19, 2006 6:55 AM

OTHER BOOKS IN THE (ISC)2® PRESS SERIES

Building and Implementing a Security Certification and Accreditation Program: Official (ISC)2® Guide to the CAPcm CBK® Patrick D. Howard ISBN: 0-8493-2062-3 Official (ISC)2® Guide to the SSCP® CBK® Diana-Lynn Contesti, Douglas Andre, Eric Waxvik, Paul A. Henry, and Bonnie A. Goins ISBN: 0-8493-2774-1 Official (ISC)2® Guide to the CISSP®-ISSEP® CBK® Susan Hansche ISBN: 0-8493-2341-X Official (ISC)2® Guide to the CISSP® CBK® Harold F. Tipton and Kevin Henry, Editors ISBN: 0-8493-8231-9

AU8231_C000.fm Page iii Thursday, October 19, 2006 6:55 AM

OFFICIAL Title Page

(ISC) GUIDE TO THE 2

®

CISSP CBK ®

®

Edited by Harold F. Tipton, CISSP-ISSAP, ISSMP, and Kevin Henry, CISSP-ISSEP, ISSMP, CAP, SSCP

Boca Raton New York

Auerbach Publications is an imprint of the Taylor & Francis Group, an informa business

AU8231_C000.fm Page iv Thursday, October 19, 2006 6:55 AM

This edition published in the Taylor & Francis e-Library, 2008. “To purchase your own copy of this or any of Taylor & Francis or Routledge’s collection of thousands of eBooks please go to www.eBookstore.tandf.co.uk.” Glossary © 2007 by Taylor & Francis Group, LLC.

Auerbach Publications Taylor & Francis Group 6000 Broken Sound Parkway NW, Suite 300 Boca Raton, FL 33487-2742 © 2007 by (ISC)2® Auerbach is an imprint of Taylor & Francis Group, an Informa business ISBN 0-203-88893-6 Master e-book ISBN

International Standard Book Number-10: 0-8493-8231-9 (Hardcover) International Standard Book Number-13: 978-0-8493-8231-4 (Hardcover) This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted with permission, and sources are indicated. A wide variety of references are listed. Reasonable eﬀorts have been made to publish reliable data and information, but the author and the publisher cannot assume responsibility for the validity of all materials or for the consequences of their use. No part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microﬁlming, and recording, or in any information storage or retrieval system, without written permission from the publishers. For permission to photocopy or use material electronically from this work, please access www. copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC) 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-proﬁt organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged. Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identiﬁcation and explanation without intent to infringe. Library of Congress Cataloging-in-Publication Data Tipton, Harold F. Oﬃcial (ISC) 2® guide to the CISSP® CBK® : (ISC)2® Press / Harold F. Tipton, Kevin Henry. p. cm. Includes bibliographical references and index. ISBN 0-8493-8231-9 (alk. paper) 1. Electronic data processing personnel--Certiﬁcation. 2. Computer networks--Examinations--Study guides. I. Henry, Kevin. II. Title. QA76.3.T565 2006 004.6--dc22 Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the Auerbach Web site at http://www.auerbach-publications.com

2006043032

AU8231_C000.fm Page v Thursday, October 19, 2006 6:55 AM

Foreword to CBK® Study Guide As the networked world continues to shape and impact every aspect of our lives, threats to the global network infrastructure continue to rise in parallel. That’s why there has never been a greater urgency for a global standard of excellence for those who protect the networked world. That has been the mission of the International Information Systems Security Certification Consortium (ISC)2® from its inception. Formed in 1989 by multiple professional associations to develop an accepted industry standard for the practice of information security, (ISC)2 created the information security industry’s first and only CBK®, a global compendium of industry best practices. Continually updated to incorporate rapidly changing technologies and threats, the CBK continues to serve as the basis for (ISC)2’s education and certification programs. To date, (ISC)2 has certified more than 40,000 security professionals and practitioners in over 100 countries and continues to meet the growing demand for information security accreditation. Just as technology and its impact on society have dramatically changed since (ISC)2 was first envisioned, so has the role of information security professionals. The need for highly qualified information security professionals to protect information assets has now been accepted by organizations worldwide both private and public. In recent years, the rise of the Chief Information Security Officer position has been a watershed event in the influence and significance of the information security professional in maintaining effective IT governance and risk management. Results from the 2005 Global Information Security Workforce Study, conducted by global analyst firm IDC and sponsored by (ISC)2, revealed that ultimate responsibility for information security moved up the management hierarchy, with more respondents identifying the board of directors and CEO, or a CISO/CSO as being accountable for their company’s information security. The study also showed that nearly 75 percent of all respondents believed their influence with executives and the board of directors would v

AU8231_C000.fm Page vi Thursday, October 19, 2006 6:55 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® increase in the coming year. These findings bode well for the profession and for effectively securing infrastructure. (ISC)2 is continuing to do its part to assist all those who choose this profession and proliferate standards for professionalism, whether by creating the first information security career guide for high school and college students to meet the growing demand for new talented entries into the field, establishing Affiliated Local Interest Groups to meet the peer networking and professional growth needs of (ISC)2 members and other information security professionals worldwide, working with top organizations such as Microsoft to require certifications of security partners, or organizing seminars around the world with the most respected thought leaders in the industry. With the ever-growing importance to organizations and society-at-large, (ISC)2 remains committed to ensuring the highest standards of information security are maintained by certified professionals worldwide. Its Certified Information Systems Security Professional (CISSP) certification, considered the Gold Standard in the information security industry, continues to be an invaluable tool in independently validating a candidate’s expertise in developing information security policies, standards and procedures as well as managing implementation across the enterprise. In addition to passing the six-hour CISSP exam, applicants must be endorsed by an existing (ISC)2 credential-holder, demonstrate sufficient professional experience in one or more of the CBK domains, and subscribe to the (ISC)2 Code of Ethics. The Code of Ethics describes the professional behavior expected of the CISSP. A major factor that sets the CISSP apart from other security certifications is the breadth of knowledge and the experience necessary to pass the exam. CISSP candidates can’t be overly specialized in just one domain — they must know and understand the full spectrum of the CBK to become certified. In order to maintain their certification, holders of the CISSP are required to earn 120 Continuing Professional Education (CPE) credits every three years. CPE credits are earned through activities related to the information security profession including, but not limited to, the following: • • • • • • • •

vi

Attending educational courses or seminars Attending security conferences Being a member of an association chapter and attending meetings Listening to vendor presentations Completing university/college courses Providing security training Publishing security articles or books Serving on industry boards

AU8231_C000.fm Page vii Thursday, October 19, 2006 6:55 AM

Foreword to CBK® Study Guide • Self-study • Completing volunteer work, including serving on (ISC)2 volunteer committees Re-certification is required for information security professionals to maintain their CISSP title. In addition, the CISSP was the first information security credential to be accredited by ANSI (American National Standards Institute) under ISO/IEC Standard 17024. ISO/IEC 17024 establishes a global benchmark for certification of personnel and is becoming increasingly important to organizations for ensuring competency in different professions. This is the only document that addresses all of the topics and sub-topics contained in the CISSP CBK. The authors and editors of this comprehensive textbook have provided an extensive supplement to the official CISSP CBK Review Seminars, which are designed to help candidates study for CISSP certification. The Official (ISC)2® Guide to the CISSP® CBK® is ideal not only for information security professionals attempting to achieve CISSP certification but also for those who are trying to decide which, if any, certification to pursue. Executives and organizational managers who want a more complete understanding of all the elements that are required in effectively protecting their enterprise will also find this guide extremely useful. Sincerely,

Tony Baratta, CISSP-ISSAP, ISSMP, SSCP Director of Professional Programs (ISC)2®

vii

AU8231_C000.fm Page viii Thursday, October 19, 2006 6:55 AM

AU8231_C000.fm Page ix Thursday, October 19, 2006 6:55 AM

About the Editors Harold F. Tipton, CISSP-ISSAP, ISSMP, currently an independent consultant and past president of the International Information System Security Certification Consortium, was director of computer security for Rockwell International Corporation for 15 years. He initiated the Rockwell computer and data security program in 1977, and then continued to administer, develop, enhance, and expand the program to accommodate the control needs produced by technological advances until his retirement from Rockwell in 1994. He has been a member of the Information Systems Security Association (ISSA) since 1982, was president of the Los Angeles chapter in 1984, and president of the national organization of ISSA from 1987 to 1989. He was added to the ISSA Hall of Fame and the ISSA Honor Role in 2000. He received the Computer Security Institute Lifetime Achievement Award in 1994 and the (ISC)2 Hal Tipton Award in 2001. He was a member of the National Institute of Standards and Technology (NIST) Computer and Telecommunications Security Council and the National Research Council Secure Systems Study Committee (for the National Academy of Science). He has a B.S. in engineering from the U.S. Naval Academy, an M.A. in personnel administration from George Washington University, and a certificate in computer science from the University of California at Irvine. He has published several papers on information security issues in Information Security Management Handbook, Data Security Management, Information Systems Security, and the National Academy of Sciences report, Computers at Risk. He has been a speaker at all of the major information security conferences, including Computer Security Institute, the ISSA Annual Working Conference, the Computer Security Workshop, MIS conferences, AIS Security for Space Operations, DOE Computer Security Conference, National Computer Security Conference, IIA Security Conference, EDPAA, UCCEL Security and Audit Users Conference, and Industrial Security Awareness Conference. He has conducted and participated in information security seminars for (ISC)2, Frost & Sullivan, UCI, CSULB, system exchange seminars, and the Institute for International Research. He is currently serving as editor of Data Security Management and Information Security Management Handbook.

ix

AU8231_C000.fm Page x Thursday, October 19, 2006 6:55 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Kevin Henry, CISSP-ISSEP, ISSMP, CAP, SSCP, is a well-known speaker and consultant in the field of information security and business continuity planning. Kevin provides educational and consulting services to organizations throughout the world and is an official instructor for (ISC)2, the world’s leading certification body in information security. He is responsible for course development and delivery for several (ISC)2 programs. Kevin has a broad range of experience in both technology and management of information technology and information security programs. He has worked for clients ranging from the largest telecommunications firms in the world to governments, military, and small home-based operations. Kevin is a highly respected presenter at conferences, seminars, and educational programs worldwide. With over 20 years in telecommunications and government experience, he brings a relevant and interesting approach to information security and provides practical and meaningful solutions to the information security challenges, threats, and regulations we face today.

x

AU8231_C000.fm Page xi Thursday, October 19, 2006 6:55 AM

Contributors Alec Bass, CISSP, is a senior security specialist in the Boston area. During his 25-year career, Alec has developed solutions that significantly reduce risk to the digital assets of high-profile manufacturing, communications, home entertainment, financial, research, and federal organizations. He has helped enterprises enhance their network’s security posture, performed penetration testing, and administered client firewalls for an application service provider. Before devoting his career to information security, Alec supported the IT infrastructure for a multinational Fortune 200 company and fixed operating system bugs for a leading computer firm. Peter Berlich, CISSP-ISSMP, is working as an IT security manager on a large outsourcing account at IBM Integrated Technology Services, coming from a progression of IT security- and compliance-related roles in IBM. Before joining IBM, he was global Information security manager at ABB, after a succession of technical and project management roles with a focus on network security management. Peter is a member of the (ISC)2 European Advisory Board and the Information Security Forum (ISF) Council. He is the author of various articles on the subject of security and privacy management in publications such as Infosecurity Today. With a degree in physics, his personal motto is to give clarity and empowerment. Todd Fitzgerald, CISSP, CISA, CISM, is the director of information systems security and a systems security officer for United Government Services, LLC (UGS), Milwaukee, WI. Todd has authored articles on information security for publications such as Information Security Magazine, The Information Security Handbook, The HIPAA Program Reference Book, and Managing an Information Security and Privacy Awareness and Training Program. Todd, a member of the editorial board for Information Systems Security: (The ISC)2 Journal, is frequently called upon to present at national and local conferences, and has received several security industry leadership awards. Todd holds a B.S. in business administration from the University of Wisconsin–LaCrosse and an M.B.A. from Oklahoma State University. xi

AU8231_C000.fm Page xii Thursday, October 19, 2006 6:55 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Bonnie Goins, CISSP, with over 17 years of experience in management consulting, information technology, and security, is a recognized subject matter expert in information security management. Her security and business expertise has been put to use by many organizations to enhance or develop world-class operations. Bonnie holds an M.S. in information systems and a bachelor’s degree in psychology, as well as the following certifications: BS 7799 lead auditor, Certified Information Systems Security Professional (CISSP), National Security Agency information assurance methodology (NSA IAM) certified assessor, global information assurance certification (GIAC), certified information security manager (CISM), and Internet security specialist (ISS). Paul Hansford, CISSP, Dip.Infosec, CISMP, FBCS, FCIPD, CLAS, is a principal consultant with Insight Consulting, part of Siemens Communications. He has worked in risk analysis and management policy development, system accreditation, security training, competency, and certification issues. In 2001, he established the U.K. Government’s Infosec Training Paths and Competencies scheme and, between 2004 and 2006, delivered the Infosec syllabus at the U.K. National School of Government. Paul is a member of the (ISC)2 European Advisory Board and the CBK Committee, and in 2005 was involved in the development of the new U.K. Institute for Information Security Professionals (IISP). Kevin Henry, CISSP-ISSEP, ISSMP, CAP, SSCP, is a well-known speaker and consultant in the field of information security and business continuity planning. He provides educational and consulting services to organizations throughout the world and is an official instructor for (ISC)2, the world’s leading certification body in information security. He is responsible for course development and delivery for several (ISC)2 programs. Kevin has a broad range of experience in both technology and management of information technology and information security programs. He has worked for clients ranging from the largest telecommunications firms in the world to governments, military, and small home-based operations. He is a highly respected presenter at conferences, seminars, and educational programs worldwide. With over 20 years of telecommunications and government experience, he brings a relevant and interesting approach to information security and provides practical and meaningful solutions to the information security challenges, threats, and regulations we face today. Rebecca Herold, CISSP, CISM, CISA, FLMI, is an information privacy, security, and compliance consultant, author, and instructor with over 16 years of experience assisting organizations of all sizes in all industries throughout the world. Rebecca has written numerous books, including Managing an Information Security and Privacy Awareness and Training Program (Auerxii

AU8231_C000.fm Page xiii Thursday, October 19, 2006 6:55 AM

Contributors bach Publications) and The Privacy Management Toolkit (Information Shield), along with dozens of book chapters and hundreds of published articles. Rebecca speaks often at conferences, and develops and teaches workshops for the Computer Security Institute. Rebecca is resident editor for the IT Compliance Community and also an adjunct professor for the Norwich University Master of Science in Information Assurance (MSIA) program. Rebecca has a B.S. in math and computer science and an M.A. in computer science and education. Carl B. Jackson, CISSP, is the Business Continuity Program Director for Pacific Life Insurance Company in Newport Beach, California. He brings more than 30 years of experience in the areas of continuity planning, information security, and information technology internal control and quality assurance reviews and audits. He has also served with various consultancies specializing in Business Continuity Planning and Information Security where his responsibilities included development and oversight of continuity methodologies, project management, tools acquisition, and ongoing testing/maintenance/training/measurement of the enterprisewide business continuity planning. Carl recently served as Chairman of the Information Systems Security Association (ISSA) International Board of Directors. Previously, he was a founding board member and past-president of the ISSA as well as serving as a founding board member of the Houston, Texas, chapter of the Association of Contingency Planners (ACP). He is a past member and past Emeritus member of the Computer Security Institute (CSI) Advisory Council and is the recipient of the 1997 CSI Lifetime Achievement Award. He has also served on the editorial and advisory boards of both the Contingency Planning Management (CPM) magazine and Datapro Reports on Information Security. William Lipiczky has practiced in the information technology and security arena for over two decades, beginning his career as a mainframe operator. As information technology and security evolved, he evolved as well. His experience includes networking numerous operating systems (UNIX, NetWare, and Windows) and networking hardware platforms. He currently is a principal in a security consulting and management firm, as well as a lead CISSP instructor for the International Information System Security Certification Consortium. Sean M. Price, CISSP, is an independent information security consultant located in the Washington, D.C. area. He provides security consulting and engineering support for commercial and government entities. His experience includes nine years as an electronics technician in metrology for the U.S. Air Force. He has completed a B.S. in accounting and an M.S. in computer information systems. Sean is continually immersed in research and development activities for secure systems. xiii

AU8231_C000.fm Page xiv Thursday, October 19, 2006 6:55 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Marcus K. Rogers, Ph.D., CISSP, CCCI, is the chair of the Cyber Forensics Program in the Department of Computer and Information Technology at Purdue University. He is an associate professor and research faculty at CERIAS. Dr. Rogers was a senior instructor for (ISC)2, is a member of the quality assurance board for the SCCP designation, and member of the international CBK committee. He is a former police detective who worked in the area of fraud and computer crime investigations, and he sits on the editorial board for several professional journals and is a member of various national and international committees. Robert M. Slade, CISSP, is an information security and management consultant from Vancouver, Canada. His research into computer viral programs started when they first appeared as a major problem “in the wild”; he is best known for a series of review and tutorial articles that were eventually published as Robert Slade’s Guide to Computer Viruses. As an outgrowth of the virus research, he prepared the world’s first course on forensic programming, which became the first book on software forensics. As a senior instructor for (ISC)2, he is currently working on a glossary of security terms, as well as references for CISSP candidate students. James S. Tiller, CISSP, CISA, is an accomplished executive with over 14 years of information security and information technology experience and leadership. He has provided comprehensive, forward-thinking solutions encompassing a broad spectrum of challenges and industries. Jim has spent much of his career assisting organizations throughout North America, Europe, and most recently Asia, in meeting their security goals and objectives. He is the author of The Ethical Hack: Framework for Business Value Penetration Testing and A Technical Guide to IPsec Virtual Private Networks. Jim has been a contributing author to the Information Security Management Handbook for the last five years, in addition to several other publications. Also, he is the managing editor of the Information System Security journal. Currently, Jim is the managing vice president of security services for INS.

xiv

AU8231_C000.fm Page xv Thursday, October 19, 2006 6:55 AM

Introduction to the (ISC)2® CISSP® CBK® Textbook The Official (ISC)2® Guide to the CISSP® CBK® is an important milestone in the history of (ISC)2. Since its days as a small volunteer organization in 1989 to today’s position as a leader in the field of information security, (ISC)2 recognizes, educates, and supports the critical role that information security professionals play in the stability of the global infrastructure. Current industry changes have caused information security professionals to reflect on the key role that each individual plays in designing, developing, implementing, and maintaining a strong information security program and aligning personal objectives with the requirements of business, organizations, society, governments, and the military. To write this valuable reference, skilled authors, who are experts in their fields, were chosen to contribute the various chapters and share their passion for their areas of expertise. This book was written as an authoritative reference that can be used not only for gaining better understanding of the CISSP CBK, (ISC)2’s global compendium of information security best practices, but as a reference book that will hold a prominent position on every CISSP’s bookshelf to be turned to repeatedly for insight into the vast field of information security. The (ISC)2 CISSP CBK is a taxonomy — a collection of topics relevant to information security professionals around the world. The CISSP CBK establishes a common framework of information security terms and principles that allows information security professionals worldwide to discuss, debate, and resolve matters pertaining to the profession with a common understanding. Understanding the CBK allows intelligent discussion with peers on information security issues. The CISSP CBK is continuously evolving. Every year the (ISC)2 CBK committee reviews the content of the CBK and updates it with a consensus of xv

AU8231_C000.fm Page xvi Thursday, October 19, 2006 6:55 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® best practices from an in-depth job analysis survey of CISSPs around the world. These best practices may address implementing new technologies, dealing with new threats, incorporating new security tools, and, of course, managing the human factor of security. (ISC)2 strives to represent changes and trends in the industry through our award-winning CISSP CBK Review Seminars and other educational materials. One of the most obvious changes in this book is the streamlining of the domains of the CISSP. While the number of domains still stands at 10, the content in some of the domains has been shifted to other domains to allow for a more appropriate placement in the flow of material. Some of the domain titles have also been revised to reflect changing terminology and emphasis in the security professional’s day-to-day world. The following revised ten domains of the CISSP CBK with brief descriptions, are in the order recommended for (ISC)2 review seminar instructors and are in the order you will find them in this book: • Information Security and Risk Management Addresses the framework and policies, concepts, principles, structures, and standards used to establish criteria for the protection of information assets, to inculcate holistically the criteria, and to assess the effectiveness of that protection. It includes issues of governance, organizational behavior, ethics, and security awareness. This domain also addresses risk assessment and risk management. • Access Control The collection of mechanisms and procedures that permits managers of a system to exercise a directing or restraining influence over the behavior, use, and content of a system. Access control permits management to specify what users or processes can do, which resources they can access, and what operations they can perform on a system. • Cryptography Addresses the principles, means, and methods of disguising information to ensure its integrity, confidentiality, and authenticity in transit and in storage. • Physical (Environmental) Security Addresses the common physical and procedural risks that may exist in the environment in which an information system is managed. This domain also addresses physical and procedural defensive and recovery strategies, countermeasures, and resources available to the information security professional. These resources include staff, the configuration of the physical environment, security policies and procedures, and an array of physical security tools. xvi

AU8231_C000.fm Page xvii Thursday, October 19, 2006 6:55 AM

Introduction to the (ISC)2® CISSP® CBK® Textbook • Security Architecture and Design Addresses the high level and detailed processes, concepts, principles, structures, and standards used to define, design, implement, monitor, and secure/assure operating systems, applications, equipment, and networks. It addresses the technical security policies of the organization, as well as the implementation and enforcement of those policies. Security Architecture and Design must clearly address the design, implementation and operation of those controls used to enforce various levels of confidentiality, integrity, and availability to ensure effective operation and compliance (with governance and other drivers). • Business Continuity and Disaster Recovery Planning Addresses the preparation, processes, and practices required to ensure the preservation of the business in the face of major disruptions to normal business operations. BCP and DRP involve the identification, selection, implementation, testing, and updating of processes and specific actions necessary to prudently protect critical business processes from the effects of major system and network disruptions and to ensure the timely restoration of business operations if significant disruptions occur. • Telecommunications and Network Security Encompasses the structures, transmission methods, transport formats, and security measures used to provide integrity, availability, authentication, and confidentiality for transmissions over private and public communications networks and media. • Application Security Refers to the controls that are included within and applied to system and application software. Application software includes agents, applets, operating systems, databases, data warehouses, knowledge-based systems, etc. These may be used in distributed or centralized environment. • Operations Security Addresses the protection and control of data processing resources in both centralized (data center) and distributed (client/server, etc.) environments. Although Operations Security involves the confidentiality and integrity of information and processes, a major focus is on ensuring the availability of systems for business units and their end users. • Legal, Regulations, Compliance and Investigations Addresses general computer crime legislation and regulations, the investigative measures and techniques that can be used to determine if an incident has occurred, and the gathering, analysis, and management of evidence if it exists. The focus is on concepts and international generally accepted methods, processes, and procedures. xvii

AU8231_C000.fm Page xviii Thursday, October 19, 2006 6:55 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® This textbook has been developed to help information security professionals who want to better understand the knowledge requirements of their profession and have that knowledge validated by the CISSP certification. Since few practitioners have significant work experience in all 10 domains, the authors highly recommend that they attend a CBK Review Seminar to identify those areas where more concentrated study is necessary, then read the sections on the selected domains in-depth in this book where they feel they are most deficient. Another way to utilize this book is to test yourself first on the 200 CISSP exam sample questions dispersed throughout following each domain chapter. When you find you don’t know the answer to a domain question, simply read the preceding chapter. Although this book includes a broad range of important material, the information security field is so wide that professionals are advised to review other references as well. A list of (ISC)2 recommended reading can be found at https://www.isc2.org/cgi-bin/content.cgi?category=698. We would like to thank the authors who contributed to this book and the efforts of the many people who made an undertaking such as this successful. We trust that you will find this to be a valuable reference that will lead you to a greater appreciation of the important field of information security.

xviii

AU8231_bookTOC.fm Page xix Monday, October 23, 2006 12:52 PM

Contents Domain 1 Information Security and Risk Management............................................ 1 Todd Fitzgerald, CISSP, Bonnie Goins, CISSP, and Rebecca Herold, CISSP Introduction.................................................................................................... 1 CISSP Expectations ................................................................................... 2 The Business Case for Information Security Management ...................... 4 Core Information Security Principles: Confidentiality, Availability, Integrity (CIA).................................................................... 5 Confidentiality....................................................................................... 5 Integrity ................................................................................................. 6 Availability............................................................................................. 6 Security Management Practice................................................................ 7 Information Security Management Governance ........................................ 7 Security Governance Defined .................................................................. 8 Security Policies, Procedures, Standards, Guidelines, and Baselines .................................................................................................. 9 Security Policy Best Practices .......................................................... 10 Types of Security Policies ................................................................. 12 Standards............................................................................................. 13 Procedures .......................................................................................... 14 Baselines.............................................................................................. 15 Guidelines............................................................................................ 16 Combination of Policies, Standards, Baselines, Procedures, and Guidelines .................................................................................. 16 Policy Analogy .................................................................................... 16 Audit Frameworks for Compliance ....................................................... 17 COSO .................................................................................................... 17 ITIL........................................................................................................ 18 COBIT ................................................................................................... 18 ISO 17799/BS 7799............................................................................... 18 Organizational Behavior ............................................................................. 19 Organizational Structure Evolution ...................................................... 20 Today’s Security Organizational Structure..................................... 21 Best Practices .......................................................................................... 22 xix

AU8231_bookTOC.fm Page xx Monday, October 23, 2006 12:52 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Job Rotation ........................................................................................ 23 Separation of Duties ........................................................................... 23 Least Privilege (Need to Know) ........................................................ 25 Mandatory Vacations ......................................................................... 25 Job Position Sensitivity...................................................................... 25 Responsibilities of the Information Security Officer .......................... 26 Communicate Risks to Executive Management .............................. 26 Budget for Information Security Activities...................................... 27 Ensure Development of Policies, Procedures, Baselines, Standards, and Guidelines............................................................... 28 Develop and Provide Security Awareness Program....................... 28 Understand Business Objectives...................................................... 28 Maintain Awareness of Emerging Threats and Vulnerabilities..... 29 Evaluate Security Incidents and Response...................................... 29 Develop Security Compliance Program ........................................... 29 Establish Security Metrics................................................................. 29 Participate in Management Meetings............................................... 30 Ensure Compliance with Government Regulations........................ 30 Assist Internal and External Auditors .............................................. 30 Stay Abreast of Emerging Technologies .......................................... 30 Reporting Model ...................................................................................... 31 Business Relationships ...................................................................... 31 Reporting to the CEO ......................................................................... 31 Reporting to the Information Technology (IT) Department ......... 32 Reporting to Corporate Security ...................................................... 32 Reporting to the Administrative Services Department.................. 33 Reporting to the Insurance and Risk Management Department ....................................................................................... 33 Reporting to the Internal Audit Department ................................... 33 Reporting to the Legal Department.................................................. 34 Determining the Best Fit .................................................................... 34 Enterprisewide Security Oversight Committee................................... 34 Vision Statement................................................................................. 34 Mission Statement .............................................................................. 35 Security Planning..................................................................................... 42 Strategic Planning ............................................................................... 43 Tactical Planning ................................................................................ 43 Operational and Project Planning .................................................... 43 Personnel Security .................................................................................. 44 Hiring Practices................................................................................... 44 Security Awareness, Training, and Education ......................................... 51 Why Conduct Formal Security Awareness Training? ......................... 51 Training Topics ................................................................................... 52 What Might a Course in Security Awareness Look Like?............... 52 Awareness Activities and Methods....................................................... 54 xx

AU8231_bookTOC.fm Page xxi Monday, October 23, 2006 12:52 PM

Contents Job Training ............................................................................................. 55 Professional Education........................................................................... 56 Performance Metrics .............................................................................. 56 Risk Management......................................................................................... 56 Risk Management Concepts................................................................... 57 Qualitative Risk Assessments ........................................................... 58 Quantitative Risk Assessments ........................................................ 60 Selecting Tools and Techniques for Risk Assessment .................. 62 Risk Assessment Methodologies ...................................................... 62 Risk Management Principles ................................................................. 64 Risk Avoidance ................................................................................... 64 Risk Transfer ....................................................................................... 64 Risk Mitigation .................................................................................... 65 Risk Acceptance ................................................................................. 65 Who Owns the Risk?........................................................................... 66 Risk Assessment...................................................................................... 66 Identify Vulnerabilities ...................................................................... 66 Identify Threats .................................................................................. 67 Determination of Likelihood ............................................................. 67 Determination of Impact.................................................................... 68 Determination of Risk ........................................................................ 68 Reporting Findings ............................................................................. 69 Countermeasure Selection ................................................................ 69 Information Valuation ........................................................................ 70 Ethics............................................................................................................. 71 Regulatory Requirements for Ethics Programs................................... 73 Example Topics in Computer Ethics .................................................... 74 Computers in the Workplace ............................................................ 74 Computer Crime ................................................................................. 74 Privacy and Anonymity ..................................................................... 75 Intellectual Property .......................................................................... 75 Professional Responsibility and Globalization ............................... 75 Common Computer Ethics Fallacies..................................................... 75 The Computer Game Fallacy............................................................. 76 The Law-Abiding Citizen Fallacy....................................................... 76 The Shatterproof Fallacy ................................................................... 76 The Candy-from-a-Baby Fallacy ........................................................ 77 The Hacker’s Fallacy .......................................................................... 77 The Free Information Fallacy ............................................................ 77 Hacking and Hacktivism......................................................................... 77 The Hacker Ethic ................................................................................ 78 Ethics Codes of Conduct and Resources ............................................. 78 The Code of Fair Information Practices........................................... 78 xxi

AU8231_bookTOC.fm Page xxii Monday, October 23, 2006 12:52 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Internet Activities Board (IAB) (now the Internet Architecture Board) and RFC 1087 ................................................ 79 Computer Ethics Institute (CEI)........................................................ 79 National Conference on Computing and Values ............................. 80 The Working Group on Computer Ethics ........................................ 80 National Computer Ethics and Responsibilities Campaign (NCERC)............................................................................................. 80 (ISC)2 Code of Ethics .......................................................................... 81 Organizational Ethics Plan of Action .................................................... 82 How a Code of Ethics Applies to CISSPs............................................... 84 References..................................................................................................... 87 Other References ......................................................................................... 87 Sample Questions ........................................................................................ 88 Domain 2 Access Control.......................................................................................... 93 James S. Tiller, CISSP Introduction.................................................................................................. 93 CISSP® Expectations................................................................................ 93 Confidentiality, Integrity, and Availability ........................................... 93 Definitions and Key Concepts .................................................................... 94 Determining Users................................................................................... 95 Defining Resources.................................................................................. 96 Specifying Use.......................................................................................... 97 Accountability.......................................................................................... 97 Access Control Principles ...................................................................... 98 Separation of Duties ........................................................................... 98 Least Privilege ................................................................................... 101 Information Classification .................................................................... 101 Data Classification Benefits ............................................................. 102 Establishing a Data Classification Program................................... 103 Labeling and Marking ....................................................................... 107 Data Classification Assurance......................................................... 107 Summary ............................................................................................ 108 Access Control Categories and Types .................................................... 108 Control Categories ................................................................................ 108 Preventative ...................................................................................... 108 Deterrent............................................................................................ 109 Detective ............................................................................................ 109 Corrective .......................................................................................... 110 Recovery ............................................................................................ 111 Compensating ................................................................................... 111 Types of Controls .................................................................................. 112 Administrative................................................................................... 113 xxii

AU8231_bookTOC.fm Page xxiii Monday, October 23, 2006 12:52 PM

Contents Physical.............................................................................................. 124 Technical ........................................................................................... 125 Access Control Threats ............................................................................ 130 Denial of Service.................................................................................... 130 Buffer Overflows.................................................................................... 131 Mobile Code ........................................................................................... 132 Malicious Software................................................................................ 133 Password Crackers ............................................................................... 134 Spoofing/Masquerading ....................................................................... 136 Sniffers, Eavesdropping, and Tapping................................................ 137 Emanations ............................................................................................ 138 Shoulder Surfing.................................................................................... 139 Object Reuse.......................................................................................... 139 Data Remanence.................................................................................... 140 Unauthorized Targeted Data Mining .................................................. 142 Dumpster Diving.................................................................................... 143 Backdoor/Trapdoor.............................................................................. 144 Theft........................................................................................................ 144 Social Engineering................................................................................. 145 E-mail Social Engineering ................................................................ 145 Help Desk Fraud................................................................................ 146 Access to Systems ..................................................................................... 147 Identification and Authentication ....................................................... 147 Types of Identification ..................................................................... 148 Types of Authentication .................................................................. 149 Authentication Method Summary .................................................. 167 Identity and Access Management ....................................................... 169 Identity Management............................................................................ 170 Identity Management Challenges ................................................... 172 Identity Management Technologies............................................... 173 Access Control Technologies .............................................................. 179 Single Sign-On.................................................................................... 179 Kerberos ............................................................................................ 181 Secure European System for Applications in a Multi-Vendor Environment (SESAME) ................................................................. 184 Security Domain ............................................................................... 185 Section Summary.............................................................................. 186 Access to Data............................................................................................ 186 Discretionary and Mandatory Access Control .................................. 186 Access Control Lists ........................................................................ 188 Access Control Matrix ..................................................................... 188 Rule-Based Access Control ............................................................. 188 Role-Based Access Control ............................................................. 189 Content-Dependent Access Control............................................... 191 Constrained User Interface ............................................................. 191 xxiii

AU8231_bookTOC.fm Page xxiv Monday, October 23, 2006 12:52 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Capability Tables .............................................................................. 191 Temporal (Time-Based) Isolation................................................... 192 Centralized Access Control ............................................................. 192 Decentralized Access Control ......................................................... 192 Section Summary .............................................................................. 192 Intrusion Detection and Prevention Systems......................................... 194 Intrusion Detection Systems................................................................ 195 Network Intrusion Detection System ............................................. 196 Host-Based Intrusion Detection System ........................................ 197 Analysis Engine Methods ..................................................................... 198 Pattern/Stateful Matching Engine ................................................... 199 Anomaly-Based Engine..................................................................... 200 Intrusion Responses ............................................................................. 201 Alarms and Signals ........................................................................... 203 IDS Management .................................................................................... 204 Access Control Assurance ........................................................................ 205 Audit Trail Monitoring .......................................................................... 205 Audit Event Types ............................................................................ 205 Auditing Issues and Concerns......................................................... 206 Information Security Activities............................................................ 207 Penetration Testing .......................................................................... 208 Types of Testing ............................................................................... 213 Summary ............................................................................................ 215 References................................................................................................... 215 Sample Questions ...................................................................................... 215 Domain 3 Cryptography ......................................................................................... 219 Kevin Henry, CISSP Introduction................................................................................................ 219 CISSP Expectations................................................................................ 219 Core Information Security Principles: Confidentiality, Integrity, and Availability.................................................................................... 219 Key Concepts and Definitions .................................................................. 220 The History of Cryptography............................................................... 222 The Early (Manual) Era .................................................................... 222 The Mechanical Era .......................................................................... 222 The Modern Era ................................................................................ 223 Emerging Technology ........................................................................... 223 Quantum Cryptography ................................................................... 223 Protecting Information ......................................................................... 225 Data Storage ...................................................................................... 225 Data Transmission............................................................................ 225 Uses of Cryptography ........................................................................... 226 xxiv

AU8231_bookTOC.fm Page xxv Monday, October 23, 2006 12:52 PM

Contents Availability......................................................................................... 226 Confidentiality................................................................................... 226 Integrity ............................................................................................. 226 Additional Features of Cryptographic Systems ................................ 226 Nonrepudiation................................................................................. 227 Authentication .................................................................................. 227 Access Control.................................................................................. 227 Methods of Cryptography.................................................................... 227 Stream-Based Ciphers...................................................................... 227 Block Ciphers.................................................................................... 229 Encryption Systems................................................................................... 229 Substitution Ciphers............................................................................. 229 Playfair Cipher .................................................................................. 229 Transposition Ciphers ..................................................................... 230 Monoalphabetic and Polyalphabetic Ciphers .............................. 231 Modular Mathematics and the Running Key Cipher.................... 233 One-Time Pads.................................................................................. 234 Steganography .................................................................................. 235 Watermarking.................................................................................... 235 Code Words....................................................................................... 235 Symmetric Ciphers........................................................................... 236 Examples of Symmetric Algorithms ............................................... 237 Advantages and Disadvantages of Symmetric Algorithms ......... 252 Asymmetric Algorithms ....................................................................... 253 Confidential Messages ..................................................................... 253 Open Message................................................................................... 254 Confidential Messages with Proof of Origin.................................. 254 RSA ..................................................................................................... 254 Diffie–Hellmann Algorithm .............................................................. 257 El Gamal ............................................................................................. 258 Elliptic Curve Cryptography ........................................................... 258 Advantages and Disadvantages of Asymmetric Key Algorithms....................................................................................... 258 Hybrid Cryptography....................................................................... 259 Message Integrity Controls....................................................................... 260 Checksums ............................................................................................. 260 Hash Function........................................................................................ 260 Simple Hash Functions .................................................................... 261 MD5 Message Digest Algorithm...................................................... 261 Secure Hash Algorithm (SHA) and SHA-1 ...................................... 262 HAVAL................................................................................................ 262 RIPEMD-160 ....................................................................................... 262 Attacks on Hashing Algorithms and Message Authentication Codes .................................................................... 263 Message Authentication Code (MAC) ................................................ 264 xxv

AU8231_bookTOC.fm Page xxvi Monday, October 23, 2006 12:52 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® HMAC.................................................................................................. 264 Digital Signatures ....................................................................................... 265 Digital Signature Standard (DSS)......................................................... 265 Uses of Digital Signatures..................................................................... 266 Encryption Management ........................................................................... 266 Key Management ................................................................................... 266 Key Recovery .................................................................................... 267 Key Distribution Centers ................................................................. 268 Standards for Financial Institutions.................................................... 268 Public Key Infrastructure (PKI) ........................................................... 269 Revocation of a Certificate .............................................................. 271 Cross-Certification............................................................................ 271 Legal Issues Surrounding Cryptography ............................................ 271 Cryptanalysis and Attacks ........................................................................ 271 Ciphertext-Only Attack ......................................................................... 271 Known Plaintext Attack ........................................................................ 271 Chosen Plaintext Attack ....................................................................... 272 Chosen Ciphertext Attack .................................................................... 272 Social Engineering ................................................................................. 272 Brute Force............................................................................................. 272 Differential Power Analysis .................................................................. 273 Frequency Analysis ............................................................................... 273 Birthday Attack...................................................................................... 273 Dictionary Attack................................................................................... 273 Replay Attack ......................................................................................... 273 Factoring Attacks .................................................................................. 273 Reverse Engineering ............................................................................. 273 Attacking the Random Number Generators....................................... 274 Temporary Files..................................................................................... 274 Encryption Usage ....................................................................................... 274 E-mail Security Using Cryptography ................................................... 274 Protocols and Standards ...................................................................... 275 Pretty Good Privacy (PGP)................................................................... 275 Secure/Multipurpose Internet Mail Extension (S/MIME) ................. 275 Internet and Network Security ............................................................ 275 IPSec ................................................................................................... 275 SSL/TLS .............................................................................................. 276 References................................................................................................... 276 Sample Questions ...................................................................................... 277 Domain 4 Physical (Environmental) Security........................................................ 281 Paul Hansford, CISSP Introduction................................................................................................ 281 xxvi

AU8231_bookTOC.fm Page xxvii Monday, October 23, 2006 12:52 PM

Contents CISSP Expectations ............................................................................... 282 Physical (Environmental) Security Challenges...................................... 282 Threats and Vulnerabilities ................................................................. 283 Threat Types..................................................................................... 283 Vulnerabilities................................................................................... 285 Site Location............................................................................................... 285 Site Fabric and Infrastructure ............................................................. 285 The Layered Defense Model..................................................................... 286 Physical Considerations....................................................................... 287 Working with Others to Achieve Physical and Procedural Security............................................................................................ 287 Physical and Procedural Security Methods, Tools, and Techniques...................................................................................... 288 Procedural Controls......................................................................... 288 Infrastructure Support Systems .......................................................... 290 Fire Prevention, Detection, and Suppression ............................... 290 Boundary Protection........................................................................ 292 Building Entry Points............................................................................ 293 Keys and Locking Systems .............................................................. 293 Walls, Doors, and Windows ............................................................ 295 Access Controls ................................................................................ 296 Closed-Circuit Television (CCTV) .................................................. 296 Intrusion Detection Systems ........................................................... 298 Portable Device Security ................................................................. 299 Asset and Risk Registers ................................................................. 299 Information Protection and Management Services............................... 300 Managed Services ................................................................................. 300 Audits, Drills, Exercises, and Testing ................................................. 300 Vulnerability and Penetration Tests................................................... 301 Maintenance and Service Issues ......................................................... 301 Education, Training, and Awareness .................................................. 301 Summary ..................................................................................................... 302 References .................................................................................................. 302 Sample Questions ...................................................................................... 303 Domain 5 Security Architecture and Design ......................................................... 307 William Lipiczky, CISSP Introduction................................................................................................ 307 CISSP® Expectations.............................................................................. 307 Security Architecture and Design Components and Principles .......... 308 Security Frameworks: ISO/IEC 17799:2005, BS 7799:2, ISO 270001................................................................................................... 308 Design Principles................................................................................... 309 xxvii

AU8231_bookTOC.fm Page xxviii Monday, October 23, 2006 12:52 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Diskless Workstations, Thin Clients, and Thin Processing ......... 309 Operating System Protection .......................................................... 310 Hardware ................................................................................................ 311 Personal Digital Assistants (PDAs) and Smart Phones................ 314 Central Processing Unit (CPU)........................................................ 315 Storage ............................................................................................... 316 Input/Output Devices ....................................................................... 318 Communications Devices ................................................................ 319 Networks and Partitioning............................................................... 319 Software .................................................................................................. 320 Operating Systems............................................................................ 320 Application Programs ...................................................................... 321 Processes and Threads.................................................................... 322 Firmware................................................................................................. 323 Trusted Computer Base (TCB) ............................................................ 323 Reference Monitor................................................................................. 324 Security Models and Architecture Theory ............................................. 324 Lattice Models ....................................................................................... 324 State Machine Models........................................................................... 325 Research Models ................................................................................... 325 Noninterference Models .................................................................. 325 Information Flow Models ................................................................. 325 Bell–LaPadula Confidentiality Model.................................................. 325 Biba Integrity Model.............................................................................. 326 Clark–Wilson Integrity Model .............................................................. 326 Access Control Matrix and Information Flow Models ...................... 327 Information Flow Models ................................................................. 328 Graham–Denning Model .................................................................. 328 Harrison–Ruzzo–Ullman Model....................................................... 328 Brewer–Nash (Chinese Wall) .......................................................... 328 Security Product Evaluation Methods and Criteria............................... 329 Rainbow Series ...................................................................................... 329 Trusted Computer Security Evaluation Criteria (TCSEC) ........... 329 Information Technology Security Evaluation Criteria (ITSEC)........ 330 Common Criteria ................................................................................... 331 Software Engineering Institute’s Capability Maturity Model Integration (SEI-CMMI) ....................................................................... 331 Certification and Accreditation ........................................................... 332 Sample Questions ...................................................................................... 332 Domain 6 Business Continuity and Disaster Recovery Planning......................... 337 Carl B. Jackson, CISSP Introduction................................................................................................ 337 xxviii

AU8231_bookTOC.fm Page xxix Monday, October 23, 2006 12:52 PM

Contents CISSP Expectations ............................................................................... 338 Core Information Security Principles: Availability, Integrity, Confidentiality (AIC)........................................................................... 339 Why Continuity Planning?.................................................................... 339 Reality of Terrorist Attack............................................................... 339 Natural Disasters .............................................................................. 340 Internal and External Audit Oversight........................................... 340 Legislative and Regulatory Requirements .................................... 340 Industry and Professional Standards ................................................. 341 NFPA 1600.......................................................................................... 341 ISO 17799 ........................................................................................... 341 Defense Security Service (DSS)....................................................... 341 National Institute of Standards and Technology (NIST) ............. 341 Good Business Practice or the Standard of Due Care ................. 341 Enterprise Continuity Planning and Its Relationship to Business Continuity and Disaster Recovery Planning ................... 341 Revenue Loss .................................................................................... 342 Extra Expense ................................................................................... 343 Compromised Customer Service.................................................... 343 Embarrassment or Loss of Confidence Impact ............................ 343 Hidden Benefits of Continuity Planning......................................... 343 Organization of the BCP/DRP Domain Chapter ..................................... 344 Project Initiation Phase ........................................................................ 344 Current State Assessment Phase ........................................................ 345 Design and Development Phase.......................................................... 345 Implementation Phase.......................................................................... 345 Management Phase ............................................................................... 346 Project Initiation Phase Description................................................... 346 Project Scope Development and Planning .................................... 346 Executive Management Support..................................................... 348 BCP Project Scope and Authorization ........................................... 348 Executive Management Leadership and Awareness.................... 350 Continuity Planning Project Team Organization and Management.................................................................................... 351 Disaster or Disruption Avoidance and Mitigation........................ 353 Project Initiation Phase Activities and Tasks Work Plan ............ 354 Current State Assessment Phase Description................................... 354 Understanding Enterprise Strategy, Goals, and Objectives........ 354 Enterprise Business Processes Analysis ....................................... 355 People and Organizations ............................................................... 355 Time Dependencies.......................................................................... 355 Motivation, Risks, and Control Objectives.................................... 355 Budgets .............................................................................................. 355 Technical Issues and Constraints .................................................. 356 Continuity Planning Process Support Assessment........................... 356 xxix

AU8231_bookTOC.fm Page xxx Monday, October 23, 2006 12:52 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Threat Assessment ........................................................................... 356 Risk Management.............................................................................. 358 Business Impact Assessment (BIA) ................................................ 359 Benchmarking and Peer Review ..................................................... 362 Sample Current State Assessment Phase Activities and Tasks Work Plan ............................................................................. 363 Development Phase Description ......................................................... 363 Recovery Strategy Development .................................................... 363 Work Plan Development .................................................................. 366 Develop and Design Recovery Strategies ...................................... 366 Data and Software Backup Approaches......................................... 369 DRP Recovery Strategies for IT....................................................... 370 BCP Recovery Strategies for Enterprise Business Processes ..... 371 Developing Continuity Plan Documents and Infrastructure Strategies ......................................................................................... 373 Developing Testing/Maintenance/Training Strategies................. 373 Plan Development Phase Description............................................ 374 Building Continuity Plans ................................................................ 375 Contrasting Crisis Management and Continuity Planning Approaches ..................................................................................... 379 Building Crisis Management Plans ................................................. 379 Testing/Maintenance/Training Development Phase Description...................................................................................... 381 Developing Continuity and Crisis Management Process Training and Awareness Strategies.............................................. 386 Sample Phase Activities and Tasks Work Plan ............................. 386 Implementation Phase Description..................................................... 386 Analyze CPPT Implementation Work Plans................................... 386 Program Short- and Long-Term Testing ........................................ 388 Continuity Plan Testing (Exercise) Procedure Deployment ....... 388 Program Training, Awareness, and Education.............................. 391 Emergency Operations Center (EOC) ............................................ 392 Management Phase Description.......................................................... 392 Program Oversight ........................................................................... 392 Continuity Planning Manager Roles and Responsibilities........... 392 Terminology................................................................................................ 395 References................................................................................................... 398 Sample Questions ...................................................................................... 398 Appendix A: Addressing Legislative Compliance within Business Continuity Plans....................................................................................... 401 Rebecca Herold, CISSP HIPAA ...................................................................................................... 401 xxx

AU8231_bookTOC.fm Page xxxi Monday, October 23, 2006 12:52 PM

Contents GLB.......................................................................................................... 402 Patriot Act .............................................................................................. 402 Other Issues ........................................................................................... 404 OCC Banking Circular 177 ............................................................... 404 Domain 7 Telecommunications and Network Security......................................... 407 Alec Bass, CISSP and Peter Berlich, CISSP-ISSMP Introduction................................................................................................ 407 CISSP® Expectations.............................................................................. 408 Basic Concepts........................................................................................... 408 Network Models .................................................................................... 408 OSI Reference Model ........................................................................ 409 TCP/IP Model .................................................................................... 413 Network Security Architecture ........................................................... 414 The Role of the Network in IT Security.......................................... 414 Network Security Objectives and Attack Modes.......................... 416 Methodology of an Attack ............................................................... 419 Network Security Tools ................................................................... 421 Layer 1: Physical Layer ............................................................................. 423 Concepts and Architecture.................................................................. 423 Communication Technology........................................................... 423 Network Topology............................................................................ 424 Technology and Implementation ........................................................ 427 Cable .................................................................................................. 427 Twisted Pair ...................................................................................... 428 Coaxial Cable..................................................................................... 429 Fiber Optics....................................................................................... 429 Patch Panels...................................................................................... 430 Modems ............................................................................................. 430 Wireless Transmission Technologies ............................................ 431 Layer 2: Data-Link Layer ........................................................................... 433 Concepts and Architecture.................................................................. 433 Architecture ...................................................................................... 433 Transmission Technologies ............................................................ 434 Technology and Implementation ........................................................ 441 Ethernet ............................................................................................. 441 Wireless Local Area Networks ........................................................ 445 Address Resolution Protocol (ARP)............................................... 450 Point-to-Point Protocol (PPP) ......................................................... 450 Layer 3: Network Layer ............................................................................. 450 Concepts and Architecture.................................................................. 450 Local Area Network (LAN) .............................................................. 450 xxxi

AU8231_bookTOC.fm Page xxxii Monday, October 23, 2006 12:52 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Wide Area Network (WAN) Technologies ..................................... 452 Metropolitan Area Network (MAN) ................................................ 462 Global Area Network (GAN) ............................................................ 463 Technology and Implementation ........................................................ 464 Routers............................................................................................... 464 Firewalls ............................................................................................. 464 End Systems ...................................................................................... 468 Internet Protocol (IP) ....................................................................... 471 Virtual Private Network (VPN)........................................................ 475 Tunneling ........................................................................................... 479 Dynamic Host Configuration Protocol (DHCP) ............................. 479 Internet Control Message Protocol (ICMP) ................................... 480 Internet Group Management Protocol (IGMP).............................. 481 Layer 4: Transport Layer .......................................................................... 482 Concepts and Architecture .................................................................. 482 Transmission Control Protocol (TCP) ........................................... 483 User Datagram Protocol (UDP)....................................................... 484 Technology and Implementation ........................................................ 484 Scanning Techniques ....................................................................... 484 Denial of Service ............................................................................... 486 Layer 5: Session Layer............................................................................... 486 Concepts and Architecture .................................................................. 486 Technology and Implementation ........................................................ 486 Remote Procedure Calls .................................................................. 486 Directory Services ............................................................................ 487 Access Services................................................................................. 493 Layer 6: Presentation Layer...................................................................... 495 Concepts and Architecture .................................................................. 495 Technology and Implementation ........................................................ 496 Transport Layer Security (TLS) ...................................................... 496 Layer 7: Application Layer........................................................................ 497 Concepts and Architecture .................................................................. 497 Technology and Implementation ........................................................ 497 Asynchronous Messaging (E-mail and News) ............................... 497 Instant Messaging ............................................................................. 502 Data Exchange (World Wide Web) ................................................. 506 Peer-to-Peer Applications and Protocols....................................... 512 Administrative Services ................................................................... 512 Remote-Access Services .................................................................. 514 Information Services ........................................................................ 517 Voice-over-IP (VoIP) ......................................................................... 518 General References .................................................................................... 520 Sample Questions ...................................................................................... 521 Endnotes ..................................................................................................... 525 xxxii

AU8231_bookTOC.fm Page xxxiii Monday, October 23, 2006 12:52 PM

Contents Domain 8 Application Security .............................................................................. 537 Robert M. Slade, CISSP Domain Description and Introduction .................................................... 537 Current Threats and Levels ................................................................. 537 Application Development Security Outline ....................................... 538 Expectation of the CISSP in This Domain........................................... 539 Applications Development and Programming Concepts and Protection................................................................................................. 540 Current Software Environment ........................................................... 541 Open Source .......................................................................................... 542 Full Disclosure .................................................................................. 543 Programming ......................................................................................... 543 Process and Elements...................................................................... 544 The Programming Procedure ......................................................... 545 The Software Environment .................................................................. 547 Threats in the Software Environment ................................................ 549 Buffer Overflow................................................................................. 549 Citizen Programmers ....................................................................... 550 Covert Channel ................................................................................. 550 Malicious Software (Malware) ........................................................ 551 Malformed Input Attacks................................................................. 551 Memory Reuse (Object Reuse) ....................................................... 551 Executable Content/Mobile Code................................................... 551 Social Engineering ............................................................................ 552 Time of Check/Time of Use (TOC/TOU) ........................................ 553 Trapdoor/Backdoor ......................................................................... 553 Application Development Security Protections and Controls ........ 554 System Life Cycle and Systems Development .............................. 554 Systems Development Life Cycle (SDLC) ...................................... 555 Software Development Methods .................................................... 561 Java Security ..................................................................................... 564 Object-Oriented Technology and Programming .......................... 566 Object-Oriented Security................................................................. 568 Distributed Object-Oriented Systems............................................ 569 Software Protection Mechanisms ....................................................... 571 Security Kernels................................................................................ 571 Processor Privilege States............................................................... 571 Security Controls for Buffer Overflows ......................................... 573 Controls for Incomplete Parameter Check and Enforcement..... 573 Memory Protection .......................................................................... 574 Covert Channel Controls ................................................................. 575 Cryptography.................................................................................... 575 Password Protection Techniques .................................................. 575 xxxiii

AU8231_bookTOC.fm Page xxxiv Monday, October 23, 2006 12:52 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Inadequate Granularity of Controls................................................ 576 Control and Separation of Environments ...................................... 576 Time of Check/Time of Use (TOC/TOU) ........................................ 577 Social Engineering ............................................................................ 577 Backup Controls ............................................................................... 577 Software Forensics ........................................................................... 578 Mobile Code Controls ...................................................................... 580 Programming Language Support .................................................... 582 Audit and Assurance Mechanisms .......................................................... 582 Information Integrity............................................................................. 583 Information Accuracy ........................................................................... 583 Information Auditing............................................................................. 583 Certification and Accreditation ........................................................... 584 Information Protection Management.................................................. 584 Change Management............................................................................. 585 Configuration Management.................................................................. 586 Malicious Software (Malware).................................................................. 586 Malware Types....................................................................................... 589 Viruses ............................................................................................... 589 Worms ................................................................................................ 592 Hoaxes................................................................................................ 593 Trojans ............................................................................................... 593 Remote-Access Trojans (RATs) ...................................................... 595 DDoS Zombies ................................................................................... 596 Logic Bombs ...................................................................................... 596 Spyware and Adware........................................................................ 597 Pranks................................................................................................. 597 Malware Protection............................................................................... 598 Scanners............................................................................................. 599 Activity Monitors .............................................................................. 599 Change Detection.............................................................................. 599 Antimalware Policies........................................................................ 600 Malware Assurance ............................................................................... 601 The Database and Data Warehousing Environment.............................. 602 DBMS Architecture................................................................................ 602 Hierarchical Database Management Model................................... 604 Network Database Management Model ......................................... 605 Relational Database Management Model ...................................... 605 Object-Oriented Database Model ................................................... 609 Database Interface Languages ............................................................. 609 Open Database Connectivity (ODBC) ............................................ 609 Java Database Connectivity (JDBC) ............................................... 610 eXtensible Markup Language (XML) .............................................. 610 Object Linking and Embedding Database (OLE DB) .................... 611 Accessing Databases through the Internet ................................... 612 xxxiv

AU8231_bookTOC.fm Page xxxv Monday, October 23, 2006 12:52 PM

Contents Data Warehousing................................................................................. 613 Metadata ............................................................................................ 614 Online Analytical Processing (OLAP) ............................................ 616 Data Mining ....................................................................................... 616 Database Vulnerabilities and Threats ................................................ 617 DBMS Controls ...................................................................................... 620 Lock Controls.................................................................................... 621 Other DBMS Access Controls ......................................................... 622 View-Based Access Controls........................................................... 622 Grant and Revoke Access Controls................................................ 622 Security for Object-Oriented (OO) Databases .............................. 623 Metadata Controls............................................................................ 623 Data Contamination Controls ......................................................... 623 Online Transaction Processing (OLTP)......................................... 623 Knowledge Management ...................................................................... 624 Web Application Environment................................................................. 626 Web Application Threats and Protection .......................................... 627 Summary ..................................................................................................... 628 References .................................................................................................. 629 Sample Questions ...................................................................................... 629 Domain 9 Operations Security ............................................................................... 633 Sean M. Price, CISSP Introduction................................................................................................ 633 Privileged Entity Controls......................................................................... 633 Operators ............................................................................................... 633 Ordinary Users ...................................................................................... 634 System Administrators......................................................................... 635 Security Administrators ....................................................................... 637 File Sensitivity Labels ...................................................................... 637 System Security Characteristics..................................................... 637 Clearances ......................................................................................... 637 Passwords ......................................................................................... 637 Account Characteristics .................................................................. 638 Security Profiles................................................................................ 638 Audit Data Analysis and Management ........................................... 639 System Accounts................................................................................... 640 Account Management........................................................................... 640 Resource Protection.................................................................................. 642 Facilities ................................................................................................. 642 Hardware................................................................................................ 642 Software.................................................................................................. 644 Documentation ...................................................................................... 644 xxxv

AU8231_bookTOC.fm Page xxxvi Monday, October 23, 2006 12:52 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Threats to Operations .......................................................................... 645 Disclosure .......................................................................................... 645 Destruction ........................................................................................ 645 Interruption and Nonavailability .................................................... 645 Corruption and Modification........................................................... 645 Theft ................................................................................................... 645 Espionage........................................................................................... 646 Hackers and Crackers ...................................................................... 646 Malicious Code.................................................................................. 646 Control Types ........................................................................................ 646 Preventative Controls ...................................................................... 646 Detective Controls ............................................................................ 646 Corrective Controls .......................................................................... 647 Directive Controls............................................................................. 647 Recovery Controls ............................................................................ 647 Deterrent Controls............................................................................ 647 Compensating Controls ................................................................... 647 Control Methods.................................................................................... 648 Separation of Responsibilities ........................................................ 648 Least Privilege ................................................................................... 648 Job Rotation ...................................................................................... 648 Need to Know .................................................................................... 648 Security Audits and Reviews........................................................... 649 Supervision........................................................................................ 649 Input/Output Controls ..................................................................... 650 Antivirus Management ..................................................................... 650 Media Types and Protection Methods ............................................... 650 Object Reuse .......................................................................................... 651 Sensitive Media Handling ..................................................................... 653 Marking .............................................................................................. 653 Handling ............................................................................................. 653 Storing ................................................................................................ 653 Destruction ........................................................................................ 653 Declassification ................................................................................. 654 Misuse Prevention................................................................................. 654 Record Retention................................................................................... 655 Continuity of Operations .......................................................................... 655 Fault Tolerance ................................................................................. 656 Data Protection...................................................................................... 657 Software .................................................................................................. 659 Hardware ................................................................................................ 660 Communications.................................................................................... 660 Facilities.................................................................................................. 661 Problem Management........................................................................... 663 System Component Failure.............................................................. 664 xxxvi

AU8231_bookTOC.fm Page xxxvii Monday, October 23, 2006 12:52 PM

Contents Power Failure .................................................................................... 664 Telecommunications Failure........................................................... 664 Physical Break-In .............................................................................. 664 Tampering ......................................................................................... 664 Production Delay.............................................................................. 665 Input/Output Errors ......................................................................... 665 System Recovery................................................................................... 667 Intrusion Detection System ................................................................. 668 Vulnerability Scanning ......................................................................... 668 Business Continuity Planning.............................................................. 669 Change Control Management................................................................... 669 Configuration Management ................................................................. 670 Production Software ............................................................................. 671 Software Access Control ...................................................................... 671 Change Control Process....................................................................... 672 Requests ............................................................................................ 672 Impact Assessment .......................................................................... 672 Approval/Disapproval...................................................................... 672 Build and Test................................................................................... 672 Notification........................................................................................ 673 Implementation................................................................................. 673 Validation .......................................................................................... 673 Documentation ................................................................................. 673 Library Maintenance............................................................................. 673 Patch Management ............................................................................... 673 Summary ..................................................................................................... 677 References .................................................................................................. 677 Sample Questions ...................................................................................... 678 Domain 10 Legal, Regulations, Compliance and Investigations ............................ 683 Marcus K. Rogers, Ph.D., CISSP Introduction................................................................................................ 683 CISSP® Expectations.............................................................................. 684 Major Legal Systems.................................................................................. 685 Common Law ......................................................................................... 686 Criminal Law ..................................................................................... 687 Tort Law............................................................................................. 687 Administrative Law .......................................................................... 687 Civil Law ................................................................................................. 688 Customary Law ................................................................................. 688 Religious Law......................................................................................... 689 Mixed Law .............................................................................................. 689 Information Technology Laws and Regulations .................................... 690 xxxvii

AU8231_bookTOC.fm Page xxxviii Monday, October 23, 2006 12:52 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Intellectual Property Laws ................................................................... 690 Patent ................................................................................................. 690 Trademark ......................................................................................... 690 Copyright ........................................................................................... 691 Trade Secret ...................................................................................... 691 Licensing Issues ................................................................................ 691 Privacy .................................................................................................... 692 Liability ................................................................................................... 694 Computer Crime .................................................................................... 695 International Cooperation ............................................................... 697 Incident Response...................................................................................... 698 Response Capability ............................................................................. 699 Incident Response and Handling......................................................... 700 Triage ................................................................................................. 700 Investigative Phase........................................................................... 701 Containment ...................................................................................... 701 Analysis and Tracking ...................................................................... 702 Recovery Phase ..................................................................................... 703 Recovery and Repair ........................................................................ 704 Debriefing/Feedback ............................................................................. 704 Computer Forensics .................................................................................. 705 Crime Scene............................................................................................ 707 Digital/Electronic Evidence.................................................................. 708 General Guidelines ................................................................................ 709 Conclusions ................................................................................................ 710 References................................................................................................... 712 Sample Questions ...................................................................................... 715 Appendix A Answers to Sample Questions ............................................................... 719 Domain 1: Information Security and Risk Management ........................ 719 Domain 2: Access Control......................................................................... 724 Domain 3: Cryptography ........................................................................... 728 Domain 4: Physical (Environmental) Security ....................................... 731 Domain 5: Security Architecture and Design ......................................... 734 Domain 6: Business Continuity and Disaster Recovery Planning .................................................................................................... 737 Domain 7: Telecommunications and Network Security........................ 740 Domain 8: Application Security................................................................ 746 Domain 9: Operations Security ................................................................ 748 Domain 10: Legal, Regulations, Compliance and Investigation............ 752 xxxviii

AU8231_bookTOC.fm Page xxxix Monday, October 23, 2006 12:52 PM

Contents Appendix B Certified Information Systems Security Professional (CISSP®) Candidate Information Bulletin ............................................................ 757 1 — Information Security and Risk Management .................................. 758 Overview ................................................................................................ 758 Key Areas of Knowledge....................................................................... 759 2 — Access Control ................................................................................... 759 Overview ................................................................................................ 759 Key Areas of Knowledge....................................................................... 760 3 — Cryptography ..................................................................................... 760 Overview ................................................................................................ 760 Key Areas of Knowledge....................................................................... 760 4 — Physical (Environmental) Security.................................................. 760 Overview ................................................................................................ 760 Key Areas of Knowledge....................................................................... 761 5 — Security Architecture and Design.................................................... 761 Overview ................................................................................................ 761 Key Areas of Knowledge....................................................................... 761 6 — Business Continuity and Disaster Recovery Planning .................. 762 Overview ................................................................................................ 762 Key Areas of Knowledge....................................................................... 762 7 — Telecommunications and Network Security .................................. 763 Overview ................................................................................................ 763 Key Areas of Knowledge....................................................................... 763 8 — Application Security .......................................................................... 764 Overview ................................................................................................ 764 Key Areas of Knowledge....................................................................... 764 9 — Operations Security........................................................................... 764 Overview ................................................................................................ 764 Key Areas of Knowledge....................................................................... 764 10 — Legal, Regulations, Compliance and Investigations .................... 765 Overview ................................................................................................ 765 Key Areas of Knowledge....................................................................... 765 References .................................................................................................. 766 General Examination Information............................................................ 770 Appendix C Glossary .................................................................................................. 775 Index ..................................................................................................... 1023

xxxix

AU8231_bookTOC.fm Page xl Monday, October 23, 2006 12:52 PM

AU8231_C001.fm Page 1 Thursday, October 19, 2006 7:00 AM

Domain 1

Information Security and Risk Management Todd Fitzgerald, CISSP, Bonnie Goins, CISSP, and Rebecca Herold, CISSP

Introduction The information security and risk management domain of the Certified Information Systems Security Professional (CISSP)® Common Body of Knowledge (CBK)® addresses the framework and policies, concepts, principles, structures, and standards used to establish criteria for the protection of information assets, to inculcate holistically the criteria, and to assess the effectiveness of that protection. It includes issues of governance, organizational behavior, and security awareness. Information security management establishes the foundation for a comprehensive security program to ensure the protection of an organization’s information assets. Today’s environment of highly interconnected, interdependent systems necessitates the requirement to understand the linkage between information technology and meeting the business objectives set forth by management. Information security management communicates the risks accepted by the organization due to the currently implemented security controls, and continually works to cost effectively enhance the controls to minimize the risk to the company. Security management encompasses the administrative, technical, and physical controls necessary to adequately protect the confidentiality, integrity, and availability of the information assets. The controls are manifested through the implementation of policies, procedures, standards, baselines, and guidelines. Management practices utilized to reduce the risk of loss of data, unavailability and inaccessibility of information, intentional and unintentional data destruction or modification, loss of company reputation, and disclosure of information include such tools as risk assessment, risk analysis, 1

AU8231_C001.fm Page 2 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® data classification, and security awareness training. Information assets are classified, and through risk analysis, the threats and vulnerabilities related to these assets are identified, along with the appropriate safeguards that can limit the risk of compromise of the asset. Risk management minimizes loss to information assets through identification, measurement, and control, and minimizes loss due to events. It encompasses the overall security review, risk analysis, selection and evaluation of safeguards, cost–benefit analysis, management decision, safeguard implementation, and ongoing effectiveness review. Risk management provides the mechanism to the organization to ensure that executive management knows current risks, and decisions are made to accept the risks or implement safeguards to minimize the risks and accept the lower residual risks. Security management is concerned with regulator y, customer, employee, and business partner requirements for management of the data as it flows between these parties to support the processing and business use of the information. Confidentiality, integrity, and the availability of the information must be maintained throughout the process. CISSP Expectations The Certified Information Systems Security Professional (CISSP) is expected to fully understand: • The planning, organization, and roles of individuals in identifying and securing an organization’s information assets • The development of effective employment agreements; employee hiring practices, including background checks and job descriptions; security clearances; separation of duties and responsibilities; job rotation; and hiring and termination practices • The development and use of policies stating management’s views and positions on particular topics and the use of guidelines, standards, baselines, and procedures to support those policies. • The differences between policies, standards, baselines, and procedures in terms of their application to security administration • The importance of security awareness training to make employees aware of the need for information security, its significance, and the specific security-related requirements relative to the employees’ position • The importance of data classification, including sensitive, confidential, proprietary, private, and critical information • The application of security policies, standards, baselines, and procedures to ensure the privacy, confidentiality, integrity, and availability of information 2

AU8231_C001.fm Page 3 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management • The importance of risk management practices and tools to identify, rate, and reduce the risk to specific information assets • Asset identification and evaluation • Threat identification and assessment • Vulnerability and exposures’ identification and assessment • Calculation of single occurrence loss (single loss expectancy) and annual loss expectancy • Safeguards and countermeasure identification and evaluation, including risk management practices and tools to identify, rate, and reduce the risk to specific information assets • Calculation of the resulting annual loss expectancy and residual risk • Communication of the residual risk to be assigned (i.e., insured against) or accepted by management • The regulatory and ethical requirements to protect individuals from substantial harm, embarrassment, or inconvenience, due to the inappropriate collection, storage, or dissemination of personal information • The principles and controls that protect data against compromise or inadvertent disclosure • The principles and controls that ensure the logical correctness of an information system; the consistency of data structures; and the accuracy, precision, and completeness of the data stored • The principles and controls that ensure that a computer resource will be available to authorized users when they need it • The purpose of and process used for reviewing system records, event logs, and activities; understands the purpose and processes used to review system records, event logs, and activities • The importance of managing change and the change control process, and certification and accreditation • The application of commonly accepted best practices for system security administration, including the concepts of least privilege, separation of duties, job rotation, monitoring, and incident response Internal control standards reduce risk. Internal control standards are required to satisfy obligations with respect to the law, safeguard the organization’s assets, and account for the accurate revenue and expense tracking. There are three categories of internal control standards: general standards, specific standards, and audit resolution standards: • General standards must provide reasonable assurance, support the internal controls, provide for competent personnel, and assist in establishing control objectives and techniques • Specific standards must be documented, clear, and available to the personnel. They allow for the prompt recording of transactions and the prompt execution of authorized transactions. Specific 3

AU8231_C001.fm Page 4 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® standards establish separation of duties, qualified supervision, and accountability. • Audit resolution standards require that the manager promptly resolve audit findings. Managers must evaluate, determine the corrective action required, and take that action. The Business Case for Information Security Management Information security practices protect the assets of the organization through the implementation of managerial, technical, and operational controls. Information assets must be managed appropriately to reduce the risk of financial loss — just as financial assets are managed through finance departments and human assets (people) are managed and cared for by the human resources department and associated code of conduct and employment policies and practices. Failure to protect the information assets from loss, destruction, or unexpected alteration can result in significant losses of productivity, reputation, or finances. Information is an asset that must be protected, as well as the software and hardware, which support the storage and retrieval of the information. Security management ensures that the appropriate policies, procedures, standards, and guidelines are implemented to provide the proper balance of security controls with business operations. Security exists to support the vision, mission, and business objectives of the organization. Effective security management requires judgment based upon the risk tolerance of the organization, the costs to implement the security controls, and the benefit to the business. Although attaining 100 percent security of access to the information systems may appear to be an admirable goal, in practice this would be unrealistic. Even if this goal were able to be attained through the training of all users with access to the systems, timely installation of software patches, rigorous internal controls, realtime monitoring and response to intrusions, and a budget that would support each of these activities, on “day 2,” when a new vulnerability or exploit was known or a new user was added to the system, risks would again be introduced. Furthermore, the cost of providing this level of security would be excessive for most organizations, as these dollars would most likely come at the expense of other new product initiatives, decreased customer service expenditures, or decreased profits for the organization. Because most organizations are in a competitive environment that requires continuous product innovation and reduction of administrative costs, funding information security at the 100 percent level would be cost prohibitive. Therefore, effective security management requires understanding the business objectives of the organization, the management’s tolerance for risk, the costs of the various security alternatives, and subsequently utilizing judgment to match the appropriate security controls to the business initiatives. 4

AU8231_C001.fm Page 5 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management The security professionals leading the information security program are relied upon for their knowledge of the managerial, operational, and technical safeguards that can be implemented to reduce the risks of loss, waste, reputation, and business disruption. Senior management ultimately makes the final decision on the level of security expenditures and the risk they are willing to take. Security professionals should view their role as risk advisors to the organization, as they are not the decision makers. There may be situations where the risk is viewed as an infrequent occurrence and very unlikely to happen, and therefore, management is willing to take the risk due to reasons that the security professional may not know. For example, the decision to accept operating in a regional office without a sprinkler system may be appropriate if the company has been operating in that office for ten years without a fire and management has undisclosed plans to relocate the office within the next six months. Or, the company may be under intense pressure by Wall Street to make the quarterly forecasts, which will affect their ability to provide longer-term investments. Alternatively, there may be government mandates to comply with new regulations or audit findings that have a higher priority. Senior management must weigh all of the risks to the business, and security represents one of those risks that must be considered. This is why the security professional must exercise good judgment in communicating the risks and possible security solutions. There will always be residual risk that is accepted by the organization, and effective security management will minimize this risk to a level that is not “betting the business,” while simultaneously contributing to the organizational mission and the bottom line. Core Information Security Principles: Confidentiality, Availability, Integrity (CIA) The information security program must ensure that the core concepts of availability, integrity, and confidentiality are understood and supported through the implementation of security controls designed to mitigate or reduce the risks of loss, disruption, or corruption of information. Confidentiality. Confidentiality is the principle that only authorized individuals, processes, or systems should have access to information on a need-to-know basis. In recent years, much press has been dedicated to the privacy of information and the need to protect it from individuals, who may be able to commit crimes by viewing the information. Identity theft is the act of assuming one’s identity through knowledge of confidential information obtained from various sources. Information must be classified to determine the level of confidentiality required, or who should have access to the information (public, internal use only, or confidential). Identification, authentication, and authorization through access controls are prac5

AU8231_C001.fm Page 6 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® tices that support maintaining the confidentiality of information. Encrypting information also supports confidentiality by limiting the usability of the information in the event it is viewed while still encrypted. Unauthorized users should be prevented access to the information, and monitoring controls should be implemented to detect and respond per organizational policies to unauthorized attempts. Authorized users of information also represent a risk, as they may have ill intentions by accessing the information for personal knowledge, personal monetary gain, or to support improper disclosures. Integrity. Integrity is the principle that information should be protected from intentional, unauthorized, or accidental changes. Information stored within the files, databases, systems, and networks must be able to be relied upon to accurately process transactions and provide accurate information for business decision making. Controls are put in place to ensure that information is modified through the accepted practices. Management controls such as the segregation of duties, specification of the systems development life cycle with approval checkpoints, and implementation of testing practices assist in providing information integrity. Well-formed transactions and security of the update programs provide consistent methods of applying changes to systems. Limiting update access to those individuals with a need to access limits the exposure to intentional and unintentional modification. Availability. Availability is the principle that information is accessible by users when needed. The two primary areas affecting the availability of systems are (1) denial of services due to a lack of adequate security controls and (2) loss of service due to a disaster, such as an earthquake, tornado, blackout, hurricane, fire, flood, and so forth. In either case, the end user does not have access to information needed to perform his or her job duties. The criticality of the system to the user and its importance to the survival of the organization will determine how significant the impact of the extended downtime becomes.

A lack of security controls increases the risk of viruses, destruction of data, external penetrations, or denial-of-service (DOS) attacks. DOS attacks prevent the system from being used by normal users by sending large amounts of traffic or exploit code to a particular device to cause a system the inability to respond to access requests. Without the proper virus protection controls, viruses or worms can swamp a network with traffic, thus slowing the response time and making the system inaccessible. Business continuity planning ensures that the department can function without the computer system within a defined period using alternate processes. Disaster recovery planning ensures the recovery of the information technology processing capability at a permanent site to an acceptable operational state. These work together to recover from system unavailability. 6

AU8231_C001.fm Page 7 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management

Assess Risk & Determine Needs

Central Management

Implement Policies & Controls

Monitor & Evaluate

Promote Awareness

Figure 1.1. Security management relationships.

When considering the design and implementation of an application or management process, evaluation of the impact to confidentiality, integrity, and availability should be understood. Will it enhance any of these core security principles? Different security controls apply to different core security principles. For example, selection of a backup tape procedure, software, and hardware to perform backups would be most oriented toward the availability aspect of information security, whereas the selection of a security token utilizing strong, two-factor authentication would be most related to the enhancement of the confidentiality of information through the improvement of the authentication function. Security Management Practice Security management is the glue that ensures the risks are identified and an adequate control environment is established to mitigate the risks. Security management ensures the interrelationships among assessing risk, implementing policies and controls in response to the risks, promoting awareness of the expectations, monitoring the effectiveness of the controls, and using this knowledge as input to the next risk assessment. These relationships are shown in Figure 1.1. Information Security Management Governance The increased corporate governance requirements have caused companies to examine their internal control structures more closely to ensure that controls are in place and operating effectively. Organizations are 7

AU8231_C001.fm Page 8 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® increasingly competing in the global marketplace, which is governed by multiple laws and supported by various best practices (i.e., ITIL, ISO 17799, COSO, COBIT). Appropriate information technology investment decisions must be made that are in alignment with the mission of the business. Information technology is no longer a back-office accounting function in most businesses, but rather is a core operational necessity to the business, which must have the proper visibility to the board of directors and management attention of the program. This dependence on information technology mandates ensuring the proper alignment and understanding of the risk to the business. Substantial investments are made in these technologies (which must be appropriately managed), company reputations are at risk for insecure systems, and the trust in the systems needs to be demonstrated to all parties involved, including the shareholders, employees, business partners, and consumers. Information security governance provides the mechanisms for the board of directors and management to have the proper oversight to manage the risk to the enterprise to an acceptable level. Security Governance Defined Although there is no universally accepted definition for security governance at this juncture, the intent of the governance is to guarantee that the appropriate information security activities are being performed to ensure that the risks are appropriately reduced, the information security investments are appropriately directed, and the executive management has visibility into the program and is asking the appropriate questions to determine the effectiveness of the program. The IT Governance Institute (ITGI) defines IT governance as “a structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes.” The ITGI proposes that information security governance should be considered part of IT governance, and that the board of directors become informed about information security, set direction to drive policy and strategy, provide resources to security efforts, assign management responsibilities, set priorities, support changes required, define cultural values related to risk assessment, obtain assurance from internal or external auditors, and insist that security investments are made measurable and reported on for program effectiveness. Additionally, the ITGI suggests that management write security policies with business input and ensure that roles and responsibilities are defined and clearly understood, threats and vulnerabilities are identified, security infrastructures are implemented, control frameworks (standards, measures, practices, and procedures) are implemented after policy approved by the governing body, priorities are implemented in a timely manner, breaches are monitored, periodic reviews and tests are conducted, awareness education is viewed as critical and 8

AU8231_C001.fm Page 9 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management delivered, and security is built into the systems development life cycle. These concepts are further delineated in this section. Security Policies, Procedures, Standards, Guidelines, and Baselines Imagine the day-to-day operation of an organization without any policies. Individuals would have to make decisions about what is right or wrong for the company based upon their personal values or their own past experience. This could potentially consist of as many values as there are people in the organization. Management would also be failing to demonstrate due diligence by not putting practices in place to protect the investors and manage the employees of the organization. Policies establish the glue that ensures everyone has a common set of expectations and communicates management’s goals and objectives. Procedures, standards, guidelines, and baselines (illustrated in Figure 1.2) are different components that support the implementation of the security policy. A policy without mechanisms for its implementation is analogous to an organization having a business strategy without action plans to execute the strategy. In this situation, there would be limited chance of success, as expectations to achieve the higher-level business strategy would not be clear to the workforce. Similarly, policies communicate management’s expectations, which are fulfilled through the execution of procedures and adherence to standards, baselines, and guidelines.

Figure 1.2. Relationships among policies, standards, procedures, baselines, and guidelines. 9

AU8231_C001.fm Page 10 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Security officers and their teams have typically been charged with the responsibility of creating the security policies. The policies must be written and communicated at a level that is understood by the end users of the organization, if there is to be any chance of compliance. If the policies are poorly written, or written at too high of an education level (common industry practice is to focus the content for general users at the sixth- to eighthgrade reading level), they will not be understood. Although security officers may be charged with the development of the policies, the effort is typically collaborative to ensure that the business issues are addressed. Utilization of an executive oversight committee or a subgroup of that committee, depending upon the policy being drafted, is an approach that considers the business impacts of security policy decisions. Developing the policies solely within the IT department and then distributing them without business input is likely to miss important business considerations. As always, deciding on the appropriate security controls is a decision of risk by the organization, which ultimately should be decided by the business leaders. The organization is also more likely to accept security policies that have been approved and endorsed by the business leaders versus the security officer or the IT department. Once these different documents have been created, the basis for ensuring compliance is established. These deliverables form the basis for organizational compliance with the security policies. The most current version of the documents needs to be readily accessible by those that are expected to follow them. Many organizations have placed these documents electronically on their intranets or shared file folders to facilitate their communication. Such placement of these documents plus checklists, forms, and sample documents can save time for the individual and be an added value provided by the security department. Policies define what the organization needs to accomplish at a high level and serves as management’s intentions to control the operation of the organization to meet business objectives. The why should be stated in the form of a policy summary statement or purpose. If end users understand the why, they are more apt to follow the policy. As children, we were told what to do by our parents and we just did it. As we grew older, we challenged those beliefs (as four- and five-year-olds and again as teenagers) and needed to understand the reasoning. The rules had to make sense to us. Today’s organizations are no different; people need to understand the why before they can really commit. Security Policy Best Practices. Someone once said, “Writing security policies is like making sausage, you don’t want to know what goes into it, but what comes out is pretty good.” Writing policies does not have to be a

10

AU8231_C001.fm Page 11 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management mystery, and there are several guidelines for creating good security policies practiced in the industry: • Clearly define policy creation practice. A clearly defined process for initiating, creating, reviewing, recommending, approving, and distributing the policies communicates the responsibilities of all parties and the time expectations of their participation. This can be accomplished by process flows, swim lanes, flowcharts, or written documentation. • Write policies that will survive at least two or three years. Policies are high-level statements of the objectives of the organization. The underlying methods and technologies to implement the controls to support the policies may change. By including these in the other related documents (procedures, standards, guidelines, and baselines), the policy statements will need less frequent change. This avoids frequent updates and subsequent distribution to the organization. • Use directive wording. Policies represent expectations to be complied with. As such, statements including such words as must, will, and shall communicate this requirement versus using weaker directives such as should, may, or can. This latter type of language is better reserved for guidelines or areas where there are options. • Avoid technical implementation details. Policies should be written to be technology independent, as the implemented technology may change over time. • Keep length to a minimum. Policies published online should be limited in length to two or three pages maximum per policy. The intent for the policies is for the end user to understand, and not to create long documents for the sake of documentation. • Provide navigation from the policy to the supporting documents. If the implementation of the policy is placed online, then hyperlinking the procedures, standards, guidelines, and baselines can be an effective method to ensure that the appropriate procedures are followed. Some of the internal security procedures would not be appropriate for general knowledge, such as the procedure for monitoring intrusions or reviewing log files, and these need to be accessible by the security department and properly secured from general distribution. • Thoroughly review before publishing. Proofreading of policies by multiple individuals allows errors to be caught that may not be readily seen by the author. • Conduct management review and sign-off. Senior management must endorse the policies if they are to be effectively accepted by all management levels, and subsequently the end users of the organization. • Avoid techno-speak. Policies are oriented to communicate to nontechnical users. Technical jargon is acceptable in technical documentation, but not in high-level security policies.

11

AU8231_C001.fm Page 12 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® • Review incidents and adjust policies. Review of the security incidents that have occurred may indicate the need for a new policy, a revision to an existing policy, or the need to redistribute the current policy to reinforce compliance. • Periodically review policies. A formalized review process provides a mechanism to ensure that the security policies are still in alignment with the business objectives. • Develop sanctions for noncompliance. Effective policies have consistent sanctions as deterrents and enable action when the policies are not followed. These sanctions may include “disciplinary action up to and including termination.” Stronger language can also be added to warn of prosecution for serious offenses. Policies provide the foundation for a comprehensive and effective security program. The company is protected from surprises that may occur and gives the necessary authority to the security activities of the organization. By communicating the company policies as directives, accountability and personal responsibility for adhering to the security practices are established. The policies are utilized in determining or interpreting any conflicts that may arise. The policies also define the elements, scope, and functions of the security management. Types of Security Policies. Security policies may consist of different

types, depending upon the specific need for the policy. The different security policies work together to meet the objectives of a comprehensive security program. Different policy types include: • Organizational or program policy: This policy is issued by a senior management individual, who creates the authority and scope for the security program. The purpose of the program is described, and the assigned responsibility is defined for carrying out the information security mission. The goals of confidentiality, integrity, and availability are addressed in the policy. Specific areas of security focus may be stressed, such as the protection of confidential information for a credit card company or health insurance company, or the availability focus for a company maintaining mission-critical, high-availability systems. The policy should be clear as to the facilities, hardware, software, information, and personnel that are in scope for the security program. In most cases, the scope will be the entire organization. In larger organizations, however, the security program may be limited in scope to a division or geographic location. The organization policy sets out the high-level authority to define the appropriate sanctions for failure to comply with the policy. • Functional, issue-specific policies: While the organizational security policies are broad in scope, the functional or issue-specific policies address areas of particular security concern requiring clarification. 12

AU8231_C001.fm Page 13 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management The issue-specific policies may be focused on the different domains of security and address areas such as access control, contingency planning, segregation of duties, principles, and so forth. They may also address specific technical areas of existing and emerging technologies, such as use of the Internet, e-mail and corporate communication systems, wireless access, or remote system access. For example, an acceptable use policy may define the responsibilities of the end user for using the corporate computer systems for business purposes only, or may allow the person some incidental personal use, provided the restriction of ensuring that usage is free from viruses, spyware, the downloading of inappropriate pictures or software, or the sending of chain letters through e-mail. These policies will depend upon the business needs and the tolerance for risk. They contain the statement of the issue, the statement of the organization’s position on the issue, the applicability of the issue, compliance requirements, and sanctions for not following the policy. • System-specific policies: Areas where it is desired to have clearer direction or greater control for a specific technical or operational area may have more detailed policies. These policies may be targeted for a specific application or platform. For example, a systemspecific policy may address which departments are permitted to input or modify information in the check-writing application for the disbursement of accounts payable payments. • The more detailed and issue specific the written policy is, the higher the likelihood is that the policy will require more frequent changes. Typically, high-level organizational security policies will survive for several years, while those focused on the use of technology will change much more frequently as technology matures and new technology is added to the environment. Even if an organization is not currently utilizing a technology, policies can explicitly strengthen the message that the technology is not to be used and is prohibited. For example, a policy regarding removable media such as USB drives or one regarding the use of wireless devices or camera phones in the workplace would reinforce management’s intentions around the acceptance or nonacceptance of these devices. Standards. Whereas policies define what an organization needs, standards take this a step further and define the requirements. Standards provide the agreements that provide interoperability within the organization through the use of common protocols.

Standards are the hardware and software security mechanisms selected as the organization’s method of controlling security risks. Standards are prevalent in many facets of our daily lives, such as the size of the tires on automobiles, specifications of the height, color, and format of the STOP sign, 13

AU8231_C001.fm Page 14 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® and the RJ11 plug on the end of the phone jack cable. Standards provide consistency in implementation as well as permit interoperability with reduced confusion. There are many security standards that could be chosen to implement a particular solution. For example, when selecting a control for remoteaccess identification and authentication, an organization could decide to utilize log-in IDs and passwords, strong authentication through a security token over dial-up, or a virtual private network (VPN) solution over the Internet. Standards simplify the operation of the security controls within the company and increase efficiency. It is more costly to support multiple software packages that do essentially the same activity. Imagine if each user was told to go to the local computer store and purchase the antivirus product that he or she liked best. Some users would ask the salesperson’s opinion, some would buy the least expensive, and others might get the most expensive, assuming this would provide the greatest protection. Without a consistent standard for antivirus products, the organization would be unsure as to the level of protection provided. Additionally, each of these different products would have different installation, update, and licensing considerations, contributing to complex management. It makes sense to have consistent products chosen for the organization versus leaving the product choice to every individual. Determination of which standards meet the organization’s needs must be driven by the security policies agreed upon by management. The standards provide the specification of the technology to effectively enable the organization to become successful in meeting the requirements of the policy. If, in the example of remote access, the organization was restricting information over the Internet or had many users in rural areas with limited Internet access, then the VPN standard over the Internet may not be a plausible solution. Conversely, for end users transmitting large amounts of information, the dial-up solution may be impractical. The policy defines the boundaries within which the standards must be supportive. Standards may also refer to those guidelines established by a standards organization and accepted by management. Standards creators include organizations such as the National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO), Institute of Electronics and Electrical Engineers (IEEE), American National Standards Institute (ANSI), National Security Agency (NSA), and others. Procedures. Procedures are step-by-step instructions in support of the policies, standards, guidelines, and baselines. The procedure indicates how the policy will be implemented and who does what to accomplish the tasks. The procedure provides clarity and a common understanding to the operation required to effectively support the policy on a consistent basis. Procedures are best developed when the input of each of the interfacing 14

AU8231_C001.fm Page 15 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management areas is included in their development. This reduces the risk that important steps, communication, or required deliverables are left out. Companies must be able to provide assurance that they have exercised due diligence in the support and enforcement of company policies. This means that the company has made an effort to be in compliance with the policies and has communicated the expectations to the workforce. Documenting procedures communicated to the users, business partners, and anyone utilizing the systems, as appropriate, minimizes the legal liability of the corporation. Creating documented procedures is more than an exercise for the sake of documentation. The process itself creates a common understanding among the developers of the procedure of the methods used to accomplish the task. Individuals from different organizational units may be very familiar with their work area, but not as familiar with the impact of a procedure on a department. This is the “beach ball effect,” where organizations sometimes appear as a large beach ball, and the individuals working in different departments can only see their side of the ball and may not understand the other parts of the organization. The exercise of writing down a single, consistent procedure has the added effect of establishing agreement among the parties. Many times at the beginning of the process, individuals will think they understand the process only to realize that people were really executing different, individual processes to accomplish the task. Consistent documentation of the procedures permits the ability to improve upon the procedures. Once everyone understands the initial procedure, enhancements can be applied and communicated to everyone. This provides a method to incorporate the best thinking on the single procedure versus having multiple procedures for the same operation with a mixture of good and bad practices. Baselines. Baselines provide descriptions of how to implement security

packages to ensure that these implementations are consistent throughout the organization. Different software packages, hardware platforms, and networks have different methods of ensuring security. There are many different options and settings that must be determined to provide the desired protection. An analysis of the available configuration settings and subsequent settings desired, forms the basis for future, consistent implementation of the standard. For example, turning off the Telnet service may be specified in the hardening baseline document for the network servers. A procedure for exceptions to the baseline would need to be followed in the event that the baseline could not be adhered to for a particular device, along with the business justification. The baselines are the specific rules necessary to implement the security controls in support of the policy and standards that have been developed. 15

AU8231_C001.fm Page 16 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Testing of the implemented security controls on a periodic basis ensures that the baselines are implemented according to the documented baselines. The baselines themselves should be reviewed periodically to make sure that they are sufficient to address emerging threats and vulnerabilities. In large environments with multiple individuals performing systems administration and responding to urgent requests, there is an increased risk that one of the baseline configurations may not be implemented properly. Internal testing identifies these vulnerabilities and provides a mechanism to review why the control was or was not properly implemented. Failures in training, adherence to baselines and associated procedures, change control, documentation, or skills of the individual performing the changes may be identified through the testing. Guidelines. Guidelines are discretionary or optional controls used to enable individuals to make judgments with respect to security actions. A good exercise is to replace the word guideline with the word optional. If by doing so the statements contained in the “optional” are what is desired to happen at the user’s discretion, then it is an appropriate guideline. If, on the other hand, the statements are considered to be required to adequately protect the security of the organization, then this should be defined as part of a policy, standard, or baseline.

Guidelines are also those recommendations, best practices, and templates provided by other organizations such as the Control Objectives for Information and related Technology (COBIT), the Capability Maturity Model (CMM), ISO 17799, and British Standard 7799, security configuration recommendations such as those from the National Institute of Standards and Technology (NIST) or the National Security Agency (NSA), organizational guidelines, or other governmental guidelines. Combination of Policies, Standards, Baselines, Procedures, and Guidelines. Each of these documents is closely related to the others and may be

developed as the result of new regulations, external industry standards, new threats and vulnerabilities, emerging technologies, upgraded hardware and software platforms, or risk assessment changes. Sometimes these different areas are combined into single documents for ease of management of all the documents. Keeping policies separate from the implementation components (standards, baselines, and procedures) increases the flexibility and reduces the cost of maintenance, as the policies typically change less frequently than the supporting processes to achieve compliance with the policy. Policy Analogy. A useful analogy to remember the differences between policies, standards, guidelines, and procedures is to think of a company that builds cabinets and has a “hammer” policy. The different components may be as follows: 16

AU8231_C001.fm Page 17 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management • Policy: “All boards must be nailed together using company-issued hammers to ensure end-product consistency and worker safety.” Notice the flexibility provided to permit the company to define the hammer type with changes in technology or safety issues. The purpose is also communicated to the employees. • Standard: “Eleven-inch fiberglass hammers will be used. Only hardened-steel nails will be used with the hammers. Automatic hammers are to be used for repetitive jobs that are >1 hour.” Technical specifics are provided to clarify the expectations that make sense for the current environment and represent management’s decision. • Guideline: “To avoid splitting the wood, a pilot hole should be drilled first.” The guideline is a suggestion and may not apply in all cases or with all types of wood. This does not represent a requirement, but rather a suggested practice. • Procedure: “(1) Position nail in upright position on board. (2) Strike nail with full swing of hammer. (3) Repeat until nail is flush with board. (4) If thumb is caught between nail and board, see Nail FirstAid Procedure.” The procedure indicates the process of using the hammer and the nail to clarify what is expected to be successful. Following this procedure, with the appropriate standard hammers, and practicing guidelines where appropriate, will fulfill the policy. Audit Frameworks for Compliance Multiple frameworks have been created to support the auditing of the implemented security controls. These resources are valuable to assist in the design of a security program, as they define the necessary controls to provide secure information systems. The following frameworks have each gained a degree of acceptance within the auditing or information security community and add value to the information security investment delivery. Although the origins of several frameworks/best practices were not specifically designed to support information security, many of the processes within these practices support different aspects of confidentiality, integrity, and availability. COSO. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, which studied factors that lead to fraudulent financial reporting and produced recommendations for public companies, their auditors, the Securities Exchange Commission, and other regulators. COSO identifies five areas of internal control necessary to meet the financial reporting and disclosure objectives. These include (1) control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring. The COSO internal control model has been adopted as a framework by some organizations working toward Sarbanes–Oxley Section 404 compliance. 17

AU8231_C001.fm Page 18 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® ITIL. The IT Infrastructure Library (ITIL) is a set of 34 books published by the British government’s Stationary Office between 1989 and 1992 to improve IT service management. The framework contains a set of best practices for IT core operational processes such as change, release and configuration management, incident and problem management, capacity and availability management, and IT financial management. ITIL’s primary contribution is showing how the controls can be implemented for the service management IT processes. These practices are useful as a starting point for tailoring to the specific needs of the organization, and the success of the practices depend upon the degree to which they are kept up to date and implemented on a daily basis. Achievement of these standards is an ongoing process, whereby the implementations need to be planned, supported by management, prioritized, and implemented in a phased approach. COBIT. Control Objectives for Information and related Technology (COBIT) is published by the IT Governance Institute and contains a set of 34 high-level processes, one for each of the IT processes, such as define a strategic IT plan, define the information architecture, manage the configuration, manage facilities, and ensure systems security. A total of 214 control objectives are provided to support these processes. Ensure systems security has further been broken down into control objectives, such as manage security measures, identification, authentication and access, user account management, data classification, firewall architectures, and so forth. The COBIT framework examines the effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability aspects of the high-level control objectives. The model defines four domains for governance: planning and organization, acquisition and implementation, delivery and support, and monitoring. Processes and IT activities and tasks are then defined within these domains. The framework provides an overall structure for information technology control and includes control objectives that can be utilized to determine effective security control objectives that are driven from the business needs. ISO 17799/BS 7799. The BS 7799/ISO 17799 standards can be used as a basis for developing security standards and security management practices within an organization. The U.K. Department of Trade and Industry (DTI) Code of Practice (CoP) for information security, which was developed from support of industry in 1993, became British Standard 7799 in 1995. BS 7799 was subsequently revised in 1999 to add certification and accreditation components, which became Part 2 of BS 7799. Part 1 of BS 7799 became ISO 17799 and was published as ISO 17799:2000, as the first international information security management standard by the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC). 18

AU8231_C001.fm Page 19 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management The ISO 17799 standard was modified in June 2005 as ISO/IEC 17799:2005 and contains 134 detailed information security controls based upon the following 11 areas: • • • • • • • • • • •

Information security policy Organizing information security Asset management Human resources security Physical and environmental security Communications and operations management Access control Information systems acquisition, development, and maintenance Information security incident management Business continuity management Compliance

The ISO standards are grouped together by topic areas and the ISO/IEC27000 series has been designated as the information security management series. For example, the 27002 Code of Practice will replace the current ISO/IEC 17799:2005, “Information Technology — Security Techniques — Code of Practice for Information Security Management.” This is consistent with how ISO has named other topic areas, such as the ISO 9000 series for quality management. ISO/IEC 27001:2005 was released in October 2005 and specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented information security management system, taking into consideration the company’s business risks. This management standard was based on BS 7799, Part 2 and provides information on building information security management systems and guidelines for auditing the system. Organizational Behavior Organizations exist as a system of coordinated activities to accomplish organizational objectives. The larger the organization, the greater the need for formalized mechanisms to ensure the stability of the operations. Formalized, written policies, standards, procedures, and guidelines are created to provide for the long-term stability of the organization, regardless of the incumbent occupying the position. Over time, those in leadership positions will change, as well as those individuals within the workforce being managed. Organizational business processes are rationalized and logically grouped to efficiently and effectively perform the necessary work. Mergers and acquisitions frequently change the dynamics of the current operating organization, providing new opportunities to achieve synergies. 19

AU8231_C001.fm Page 20 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Work is typically broken down into subtasks, which are then assigned to an individual through specialization. When these tasks, such as systems security, database administration, or systems administration activities, are grouped together, one or more individuals that can focus on that particular skill set can perform them. This process of specialization creates greater efficiency within the organization, as it permits individuals to become very knowledgeable in a particular discipline and produce the results faster than if combined with other responsibilities. Organizations are also managed in a hierarchical manner, with the lower levels of the organization having more defined, repetitive tasks with less discretion over the resource allocation of human and physical assets. In the higher levels of the organization, through the definition of the chain of command, there are higher levels of authority and greater capability to reassign resources as necessary to accomplish higher-priority tasks. Organizational Structure Evolution The security organization has evolved over the past several decades with several names, for example, data security, systems security, security administration, information security, and information protection. These naming conventions are reflective of the emerging scope expansion of the information security departments. Earlier naming conventions, such as data security, indicated the primary focus of the information security profession, which was to protect the information that was primarily contacted within the mainframe, data-center era. As the technology evolved into distributed computing and the information has progressively moved outward from the data-center “glass house” protections, the scope of information security has increased to include these platforms. The focus in the 1970s was on the security between computers and the mainframe infrastructure, which evolved into data security and information security in the 1980s, which recognized the importance of protecting the access and integrity of the information contained within the systems. In the 1990s, as information technology was viewed as more fundamental to business success than ever before, and consumers became more aware of privacy issues regarding the protection and use of their information, the concepts of enterprise security protection emerged. With whatever naming convention is used within the organization, the primary focus of the information security organization is to ensure the confidentiality, availability, and integrity of the information. The size of the organization and the types of individuals necessary to staff the organization will depend upon the size of the overall organization, geographic dispersion, centralized or decentralized systems processing, the risk profile of the company, and the budget available for security. Each organization will be slightly different, as they operate within different industries with different threat profiles. Some organizations may be unwilling to take even the 20

AU8231_C001.fm Page 21 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management slightest risk if the information that needs to be protected, if disclosed, would be devastating to the long-term viability of the business. Organizations such as the defense industry, financial institutions, and technical research facilities needing to protect trade secrets may fall into this category. Until recently, the healthcare and insurance industries have spent a small portion of the available funds on information security, as the primary expenditures were allocated to helping patients and providing systems that increased care versus protecting the information. In fact, in some hospital environments, making information “harder to retrieve quickly” was viewed as detrimental to effective, timely care. In the early-centralized mainframe computing environments, a data security officer, who was primarily responsible for account and password administration, granting access privileges to files, and possibly the disaster recovery function, administered the security function. The assets that the security officer were protecting were primarily IT assets contained in the mainframe computer systems, and did not include hard-copy documents, people, facilities, and other company assets. The responsibility for the position resided within the IT department, and as such, the focus was on IT assets and limited in scope. The security officer was typically trained in how to work with security mechanisms such as RACF, ACF2, TopSecret in CICS/MVS environments, reflecting a narrow and well-defined scope of the responsibilities. As distributed, decentralized computing environments evolved to include internetworking between local area networks (LANs) and wide area networks (WANs), e-mail systems, data warehouses, and remote-access capabilities, the scope of the responsibilities became larger, making it more difficult to sustain these skills within one individual. Complicating the environment further was the integration of multiple disparate software applications and multiple-vendor database management system environments, such as the DB2 database management system, Oracle, Teradata, and Structure Query Language (SQL) Server running on different operating systems such as MVS, Windows, or multiple flavors of UNIX. In addition, each application has individual user access security controls that need to be managed. It would not be realistic to concentrate the technical capability for each of these platforms within one individual, or a small set of individuals trained on all of the platforms. Hence, this provided the impetus for specialization of these skills to ensure that the appropriate training and expertise were present to adequately protect the environment. Hence, firewall/router administrators need the appropriate technical training for the devices they are supporting, while a different individual or group may need to work with the Oracle database administrators to provide appropriate database management system (DBMS) access controls and logging and monitoring capabilities. Today’s Security Organizational Structure. There is no “one size fits all” for the information security department or the scope of the responsibili21

AU8231_C001.fm Page 22 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® ties. The location of where the security organization should report has also been evolving. In many organizations, the information security officer (ISSO) or chief information security officer (CISO) still reports to the chief information officer (CIO) or the individual responsible for the information technology activities of the organization. This is due to the fact that many organizations still view the information security function as an information technology problem and not a core business issue. Alternatively, the rationale for this may be due to the necessity to communicate in a technical language, which is understood by information technology professionals and is not typically well understood by the business. Regardless of the rationale for the placement, placing the individual responsible for information security within the information technology organization could represent a conflict of interest, as the IT department is motivated to deliver projects on time, within budget, and of high quality. Shortcuts may be taken on the security requirements to meet these constraints if the security function is reporting to the individual making these decisions. The benefit of having the security function report to the CIO is that the security department is more likely to be engaged in the activities of the IT department and aware of the upcoming initiatives and security challenges. A growing trend is for the security function to be treated as a risk management function and, as such, be located outside of the IT organization. This provides a greater degree of independence as well as the focus on risk management versus management of user IDs, password resets, and access authorization. Having the reporting relationship outside of the IT organization also introduces a different set of checks and balances on the security activities that are expected to be performed. The security function may report to the chief operating officer, chief executive officer, general counsel, internal audit, legal, compliance, administrative services, or some other function outside of information technology. The function should report as high in the organization as possible, preferably to an executivelevel individual. This ensures that the proper message is conveyed to senior management, the company employees view the appropriate authority of the department, and funding decisions can be made while considering the needs across the company. Best Practices Most individuals within an organization come to work every day to perform their jobs to the best of their ability. Most individuals have the appropriate intentions and seek out information on the best ways to perform their jobs, the training required, and what the expectations of their jobs are. The media places much attention on the external threat by hackers; however, there is also the threat internally of erroneous or fraudulent transactions, which could cause information assets to be damaged or 22

AU8231_C001.fm Page 23 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management destroyed. Job controls such as the segregation of duties, job description documentation, mandatory vacations, job and shift rotation, and need to know (least privilege) are implemented to minimize the risk of loss. Individuals must be qualified with the appropriate level of training, with the job responsibilities clearly defined so that the interaction among departments can properly function. Job Rotation. Job rotations reduce the risk of collusion of activities between individuals. Companies with individuals working with sensitive information or systems where there may be the opportunity for personal gain through collusion can benefit by integrating a job rotation with a segregation of duties. Rotating the position may uncover activities that the individual is performing outside of the normal operating procedures, highlighting errors or fraudulent behavior. It may be difficult to implement in small organizations due to the particular skill set required for the replaced position, and thus security controls and supervisory control will need to be relied upon. Rotating individuals in and out of jobs provides the ability to give backup coverage, succession planning, and job enrichment opportunities for those involved. Separation of Duties. One individual should not have the capability to execute all of the steps of a particular process. This is especially important in the information systems departments, where individuals typically have greater access and capability to modify, delete, or add data to the system. Failure to separate the duties could result in individuals embezzling money from the company without the involvement of others. Duties are typically subdivided or split between different individuals or organizational groups to achieve separation. This separation reduces the chances of errors or fraudulent acts, as each group serves as a balancing check on the others. Management is responsible for ensuring that the duties are well defined and separated within their business processes. Failure to do so can result in unintended consequences; for example:

• An individual in the finance department with the ability to add vendors to the vendor database, issue purchase orders, record receipt of shipment, and authorize payment could issue payments to made-up vendors without detection. • An individual in the payroll department with the ability to authorize, process, and review payroll transactions could increase the salaries of coworkers without detection. • A computer programmer with the ability to change production code could change the code to move money to a personal bank account and then conceal his or her actions by replacing the production code. • A programmer with the authority to write the code, move it to production, and run the production job, skipping internal systems 23

AU8231_C001.fm Page 24 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® development procedures, could implement erroneous code either inadvertently or deliberately. Some organizations utilize a two-dimensional segregation of duties matrix to determine what positions should be separated within a department. Each position is written along the axes of the matrix, with an x placed where the two responsibilities should not reside with the same individual. This x indicates where the job duties should be subdivided among different individuals. It is critical to separate the duties between the IS department and the business units, as well as between those areas within the IS organization. For example, the management of the user departments is responsible for providing the authorization of systems access for the access rights of their employees. The information systems department, more specifically the area responsible for security administration, is responsible for granting the access. On a periodic basis, this access is also reviewed and confirmed by the business management. Within the IT department, the security administrator would be separated from the business analyst, computer programmer, computer operator, and so forth. These duties, which should not be combined within one person or group, are referred to as incompatible duties. Incompatible duties may vary from one organization to another. However, the same individual should not typically perform the following functions: • • • • • • • • •

Systems administration Network management Data entry Computer operations Security administration Systems development and maintenance Security auditing Information systems management Change management

In smaller organizations, it may be difficult to separate the activities, as there may be limited staff available to perform these functions. These organizations may have to rely on compensating controls, such as supervisory review, to mitigate the risk. Audit logging and after-the-fact review by a third party can also provide an effective control in lieu of the ability to separate the job functions. Larger organizations need to ensure that appropriate separation and supervisory review and development of formalized operational procedures are in place. The separated functions should be documented fully and communicated to the staff to ensure that only the assigned individuals will execute tasks associated with these functions. These actions can help prevent or detect erroneous work performed by the user. Larger-dollar-amount transactions should have more extensive 24

AU8231_C001.fm Page 25 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management supervisory review controls (i.e., director/vice president/president formal sign-off) before processing is permitted. Individuals in the information systems department must be prohibited from entering data into the systems, data entry personnel must not be the same individuals verifying the data, and reconciliation of the information should not be performed by the individual entering the information. Separation of these duties introduces checks and balances on the transactions. As new applications are developed, mergers and acquisitions occur, and systems are replaced, care must be taken to ensure that the segregation of duties is maintained. Periodic management review ensures that the transaction processing environment continues to operate with the designed separation principles. Least Privilege (Need to Know). Least privilege refers to granting users only the accesses that are required to perform their job functions. Some employees will require greater access than others based upon their job functions. For example, an individual performing data entry on a mainframe system may have no need for Internet access or the ability to run off reports of the information that they are entering into the system. Conversely, a supervisor may have the need to run reports, but should not be provided the capability to change information in the database. Well-formed transactions ensure that the users update the information in systems consistently and through the developed procedures. Information is typically logged from the well-formed transactions, which can serve as a preventive control (because the user knows the information is being logged) and a detective control (to discover how information was modified after the fact). Security controls around these transactions are necessary to ensure that only authorized changes are made to the programs applying the transaction. Access privileges need to be defined at the appropriate level that provides a balance between supporting the business operational flexibility and adequate security. Defining these parameters requires the input of the business application owner to be effective. Mandatory Vacations. Requiring mandatory vacations of a specified consecutive-day period provides similar benefits as the job rotations. If work is reassigned during the vacation period, irregularities may surface through the transaction flow, communications with outside individuals, or requests to process information without following normal procedures. Some organizations remove access to the remote systems during this period as well to ensure that the employee that is temporarily replaced is not performing work. Job Position Sensitivity. The access and duties of an individual for a particular department should be assessed to determine the sensitivity of the job position. The degree of harm that the individual can cause through 25

AU8231_C001.fm Page 26 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® misuse of the computer system, through disclosing information, disrupting data processing, sharing internal secrets, modifying crucial information, or committing computer fraud, should be input to the classification. Rolebased access establishes roles for a job or class of jobs, indicating the type of information the individual is permitted to access. Job sensitivity may also be used to require more stringent policies related to mandatory vacations, job rotations, and access control policies. Excess controls for the sensitivity level of the position waste resources through the added expense, while fewer controls cause unacceptable risks. Responsibilities of the Information Security Officer The information security officer is responsible for ensuring the protection of all of the business information assets from intentional and unintentional loss, disclosure, alteration, destruction, and unavailability. The security officer typically does not have the resources available to perform all of these functions and must depend upon other individuals within the organization to implement and execute the policies, procedures, standards, and guidelines to ensure the protection of information. In this capacity, the information security officer acts as the facilitator of information security for the organization. Communicate Risks to Executive Management. The information security officer is responsible for understanding the business objectives of the organization, ensuring that a risk assessment is performed, taking into consideration the threats and vulnerabilities impacting the particular organization, and subsequently communicating the risks to executive management. The makeup of the executive management team will vary based on type of industry or government entity, but typically includes individuals with C-level titles, such as the chief executive officer (CEO), chief operating officer (COO), chief financial officer (CFO), and chief information officer (CIO). The executive team also includes the first level reporting to the CEO, such as the VP of sales and marketing, VP of administration, general counsel, and the VP of human resources.

The executive team is interested in maintaining the appropriate balance between acceptable risk and ensuring that business operations are meeting the mission of the organization. In this context, executive management is not concerned with the technical details of the implementations, but rather with what is the cost/benefit of the solution and what is the residual risk that will remain after the safeguards are implemented. For example, the configuration parameters of installing a particular vendor’s router are not as important as: (1) What is the real perceived threat (problem to be solved)? (2) What is the risk (impact and probability) to our business operations? (3) What is the cost of the safeguard? (4) What will be the residual risk (risk remaining after the safeguard is properly implemented and sus26

AU8231_C001.fm Page 27 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management tained)? (5) How long will the project take? Each of these must be evaluated along with the other items competing for resources (time, money, people, and systems). The security officer has a responsibility to ensure that the information presented to executive management is based upon a real business need and the facts are represented clearly. Ultimately, it is the executive management of the organization that is responsible for information security. Presentations should be geared at a high level to convey the purpose of the technical safeguard, and not be a rigorous detailed presentation of the underlying technology unless requested. Budget for Information Security Activities. The information security officer prepares a budget to manage the information security program and ensures that security is included in the various other departmental budgets, such as the help desk, applications development, and the computing infrastructure. Security is much less expensive when it is built in to the application design versus added as an afterthought. Estimates range widely over the costs of adding security later in the life cycle; however, it is generally believed that it is at least a factor of 10 times to add security in the implementation phase versus addressing it early in the analysis phases. The security officer must work with the application development managers to ensure that security is considered in the project cost during each phase of development (analysis, design, development, testing, implementation, and postimplementation). Systems security certification, or minimally holding walk-throughs to review the security, ensures that the deliverables are met.

In addition to ensuring that new project development activities appropriately address security, ongoing functions such as security administration, intrusion detection, incident handling, policy development, standards compliance, support of external auditors, and evaluations of emerging technology need to be appropriately funded. The security officer will rarely receive all the funding necessary to complete all of the projects for which he and his team have envisioned, and must usually plan these activities over a multiyear period. The budgeting process requires examination of the current risks and ensuring that activities with the largest cost/benefit to the organization are implemented. Projects greater than 12 to 18 months are generally considered to be long term and strategic in nature and typically require more funding and resources or are more complex in their implementation. In the event these efforts require a longer timeframe, pilot projects to demonstrate near-term results on a smaller scale are preferable. Organizations lose patience with funding long-term efforts, as the initial management supporters may change, as well as some of the team members implementing the change. The longer the payback period, the higher the rate of return (ROR) expected by executive manage27

AU8231_C001.fm Page 28 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® ment. This is due primarily to the higher risk level associated with longerterm efforts. The number of staff, level of security protection required, tasks to be performed, regulations to be met, staff qualification level, training required, and degree of metrics tracking will also be parameters that drive the amount of funding required. For example, if the organization is requested through government regulation to increase the number of individuals with security certifications, whether individual product vendor or industry standard certifications such as the CISSP, then the organization may feel an obligation to fund training seminars to prepare the individuals, and this will need to be factored into the budget process. This may also be utilized to attract and retain security professionals to the organization through increased learning opportunities. As another example, the time required in complying with government mandates and laws may necessitate increased staffing to provide the appropriate ongoing tracking and responses to audit issues. Ensure Development of Policies, Procedures, Baselines, Standards, and Guidelines. The security officer and his team are responsible for ensuring

that the security policies, procedures, baselines, standards, and guidelines are written to address the information security needs of the organization. However, this does not mean that the security department must write all the policies by themselves. Nor should the policies be written solely by the security department without the input and participation of the other departments within the organization, such as legal, human resources, information technology, compliance, physical security, the business units, and others that have to implement the policies. Develop and Provide Security Awareness Program. The security officer provides the leadership for the information security awareness program by ensuring that the programs are delivered in a meaningful, understandable way to the intended audience. The program should be developed to grab the attention of the participant to convey general awareness of the security issues and what reporting actions are expected when the end user notices security violations. Without promoting awareness, the policies remain as shelf-ware with less assurance that they will actually be practiced within the company. Understand Business Objectives. Central to the security officer’s success within the organization is to understand the vision, mission, objectives/goals, and plans of the organization. This understanding increases the chances of success, as security can be introduced at the correct times during the project life cycle and can enable the organization to carry out the mission. The security officer needs to understand the competitive pressures facing the organization, the strengths, weaknesses, threats, and 28

AU8231_C001.fm Page 29 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management opportunities, and the regulatory environment within which the organization operates. This increases the likelihood that the appropriate security controls will be applied to those areas with the greatest risk, thus resulting in an optimal allocation of the scarce security funding. Maintain Awareness of Emerging Threats and Vulnerabilities. The threat environment is constantly changing and, as such, it is incumbent upon the security officer to keep up with the changes. It is difficult for any organization to anticipate new threats, some of which come from the external environment and some from new technological changes. Prior to the September 11, 2001, terrorist attack in the United States, few individuals perceived that sort of attack as very likely. However, since then, many organizations have revisited their access control policies, physical security, and business continuity plans. New technologies, such as wireless and low-cost removable media (writeable CDs/DVDs and USB drives), have created new threats to confidentiality and disclosure of information, which need to be addressed. Although the organization tries to write policies to last for two or three years without change, depending upon the industry and the rate of change, these may need to be revisited more frequently. Evaluate Security Incidents and Response. Computer incident response teams (CIRTs) are groups of individuals with the necessary skills, including management, technical staff, infrastructure, and communications staff, for evaluating the incident, evaluating the damage caused by the incident, and providing the correct response to repair the system and collect evidence for potential prosecution or sanctions. CIRTs are activated depending upon the nature of the incident and the culture of the organization. Security incidents need to be investigated and followed up promptly, as this is a key mechanism in ensuring compliance with the security policies. Sanctions of employees with the appropriate disciplinary action, up to and including termination, must be specified and employed for the policies to be effective. The security officer and the security department ensure that these incidents are followed up in a timely manner. Develop Security Compliance Program. Compliance is the process of ensuring that security policies are adhered to. A policy and procedure regarding the hardening of the company’s firewalls are not very useful if the activity is not being performed. Periodic compliance, whether though internal or external inspection, ensures that the procedures, checklists, and baselines are documented and followed in practice. Compliance of the end users is also necessary to ensure that end users and technical staff are trained and have read the security policies. Establish Security Metrics. Measurements are collected to provide information on long-term trends and the day-to-day workload and to demonstrate the effect of noncompliance. Measurement of processes provides 29

AU8231_C001.fm Page 30 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® the ability to improve the process. For example, measuring the number of tickets for password resets can be translated into workload hours and may provide justification for the implementation of new technologies for the end user to self-administer the reset process. Or, capturing the viruses found or reported may indicate a need for further education or improvement of the antivirus management process. Many decisions need to be made when collecting metrics, such as who will collect the metrics, what statistics will be collected, when they will be collected, and what are the thresholds where variations are out of bounds and should be acted upon. Participate in Management Meetings. Security officers must be involved in the management teams and planning meetings of the organization to be fully effective. Project directions and decisions are made during these meetings, as well as the establishment of buy-in for the security initiatives. These meetings will include board of director meetings (periodic updates), IT steering committees, manager meetings, and departmental meetings. Ensure Compliance with Government Regulations. G o v e r n m e n t s a re continuously passing new laws, rules, and regulations, with which the enterprise must be in compliance. Although many of the laws are overlapping in the security requirements, frequently the new laws provide a more stringent requirement on a particular aspect of information security. Timeframes to be in compliance with the law may not always come at the best time for the organization, nor may they line up with the budget funding cycles. The security officer must stay abreast of emerging regulatory developments to enable response in a timely manner. Assist Internal and External Auditors. Auditors provide an essential role for information security by providing an independent view of the design, effectiveness, and implementation of the security control. The results of these audits generate findings that require corrective action plans to resolve the issue and mitigate the risk. Auditors request information prior to the start of the audit to facilitate the review. Some audits are performed at a high level without substantive testing, while others performing this testing pull samples to determine if the control was correctly executed. The security department cooperates with the internal and external auditors to ensure that the control environment is adequate and functional. Stay Abreast of Emerging Technologies. The security officer must stay abreast of emerging technologies to ensure that the appropriate solutions are in place for the company based upon its appetite for risk, culture, resources available, and desire to be an innovator, leader, or follower (mature product implementation) of security products and practices. Failure to do so could increase the costs to the organization by maintaining 30

AU8231_C001.fm Page 31 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management older, less effective products. Approaches to satisfying this requirement may range from active involvement in security industry associations to interaction with vendors to subscribing to industry research groups to reviewing printed material. Reporting Model The security officer and the information security organization should report as high in the organization as position to (1) maintain visibility of the importance of information security and (2) limit the distortion or inaccurate translation of messages that can occur due to hierarchical, deep organizations. The higher up in the organization, the greater the ability to gain other senior management’s attention to security and the greater the capability to compete for the appropriate budget and resources. Where the information security officer reports in the organization has been the subject of debate for several years and depends upon the culture of the organization. There is no one best model that fits all organizations, but rather pros and cons associated with each placement choice. Whatever the chosen reporting model, there should be an individual chosen with the responsibility for ensuring information security at the enterprisewide level to establish accountability for resolving security issues. The discussion in the next few sections should provide the perspective for making the appropriate choice for the target organization. Business Relationships. Wherever the information security officer reports, it is imperative that he or she establishes credible and good working relationships with executive management, middle management, and the end users that will be following the security policy. Information gathered and acted upon by executive management is obtained through their daily interactions with many individuals, not just executive management. Winning their support may be the result of influencing a respected individual within the organization, possibly several management layers below the executive. Similarly, the relationship between the senior executives and the information security officer is important if the security strategies are to carry through to implementation. Establishing a track record of delivery and demonstrating the value of the protection to the business will build this relationship. If done properly, the security function becomes viewed as an enabler of the business versus a control point, which slows innovation, provides roadblocks to implementation, and represents an overhead cost function. Reporting to an executive that understands the need for information security and is willing to work to obtain funding is preferable. Reporting to the CEO. Reporting directly to the CEO greatly reduces the message filtering of reporting further down the hierarchy and improves the communication, as well as demonstrating to the organization the importance of information security. Firms that have high security needs, such as 31

AU8231_C001.fm Page 32 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® credit card companies, technology companies, and companies whose revenue stream depends highly upon Internet Web site purchases, such as eBay or Amazon, might utilize such a model. The downside to this model is that the CEO may be preoccupied with many other business issues and may not have the interest, time, or enough technical understanding to devote to information security issues. Reporting to the Information Technology (IT) Department. In this model, the information security officer reports directly to the chief information officer (CIO), director of information systems, the vice president of systems, or whatever the title of the head of the IT department is. Most organizations are utilizing this relationship, as this was historically where the data security function was placed in many companies. This is due to the history of security being viewed as only an information technology problem, which it is not. The advantage of this model is that the individual to which the security officer is reporting has the understanding of the technical issues and typically has the clout with senior management to make the desired changes. It is also beneficial because the information security officer and his department must spend a good deal of time interacting with the rest of the information systems department, which builds the appropriate awareness of project activities and issues and builds business relationships. The downside of the reporting structure is the conflict of interest. When the CIO must make decisions with respect to time to market, resource allocations, cost minimization, application usability, and project priorities, the ability exists to slight the information security function. The typical CIO’s goals are more oriented toward delivery of application products to support the business in a timely manner. If the perception is that implementation of the security controls may take more time or money to implement, the security considerations may not be provided equal weight. Reporting to a lower level within the CIO organization should be avoided, as noted earlier; the more levels between the CEO and the information security officer, the more challenges that must be overcome. Levels further down in the organization also have their own domains of expertise that they are focusing on, such as computer operations, applications programming, or computing infrastructure. Reporting to Corporate Security. Corporate security is focused on the physical security of the enterprise, and most often the individuals in this environment have backgrounds as former police officers, military, or were associated in some other manner with the criminal justice system. This alternative may appear logical; however, the individuals from these organizations come from two different backgrounds. Physical security is focused on criminal justice, protection, and investigation services, while information security professionals usually have different training in business and information technology. The language of these disciplines intersects in 32

AU8231_C001.fm Page 33 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management some areas, but is vastly different in others. Another downside may be the association with the physical security group may evoke a police-type mentality, making it difficult to build business relationships with business users. Establishing relationships with the end users increases their willingness to listen and comply with the security controls, as well as to provide knowledge to the security department of potential violations. Reporting to the Administrative Services Department. The information security officer may report to the vice president of administrative services, which may also include the physical security, employee safety, and HR departments. As in reporting to the CIO, there is only one level between the CEO and the information security department. The model may also be viewed as an enterprise function due to the association with the human resources department. It is attractive because of the focus on security for all forms of information (paper, oral, electronic) versus residing in the technology department, where the focus may tend to be more on electronic information. The downside is that the leaders of this area may be limited in their knowledge of information technology and the ability to communicate with the CEO on technical issues. Reporting to the Insurance and Risk Management Department. Information-intensive organizations such as banks, stock brokerages, and research companies may benefit from this model. The chief risk officer is already concerned with the risks to the organization and the methods to control those risks through mitigation, acceptance, insurance, etc. The downside is that the risk officer may not be conversant in the information systems technology, and the strategic focus of this function may give less attention to day-to-day operational security projects. Reporting to the Internal Audit Department. This reporting relationship can create a conflict of interest, as the internal audit department is responsible for evaluating the effectiveness and implementation of the organization’s control structure, including those of the information security department. It would be difficult for the internal audit to provide an independent viewpoint, if the attainment of meeting the security department’s objectives is also viewed as part of its responsibility. The internal audit department may have adversarial relationships with other portions of the company due to the nature of its role (to uncover deficiencies in departmental processes), and through association, the security department may develop similar relationships. It is advisable that the security department establishes close working relationships with the internal audit department to facilitate the control environment. The internal audit manager most likely has a background in financial, operational, and general controls and may have difficulty understanding the technical activities of the information security department. On the positive side, both 33

AU8231_C001.fm Page 34 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® areas are focused on improving the controls of the company. The internal audit department does have a preferable reporting relationship for audit issues through a dotted-line relationship with the company’s audit committee on the board of directors. It is advisable for the information security function to have a path to report security issues to the board of directors as well, either in conjunction with the internal audit department or through its own. Reporting to the Legal Department. Attorneys are concerned with compliance with regulations, laws, and ethical standards, performing due diligence, and establishing policies and procedures that are consistent with many of the information security objectives. The company’s general counsel also typically has the respect or ear of the CEO. In regulated industries, this may be a very good fit. On the downside, due to the emphasis on compliance activities, the information security department may end up performing more compliance-checking activities (versus security consulting and support), which are typically the domain of internal audit. An advantage is that the distance between the CEO and the information security officer is one level. Determining the Best Fit. As indicated earlier, each organization must view the pros and cons of each of these types of relationships and develop the appropriate relationship based upon the company culture, type of industry, and what will provide the greatest benefit to the company. Conflicts of interest should be minimized, visibility increased, funding appropriately allocated, and communication effective when the optimal reporting relationship is decided for the placement of the information security department.

Enterprisewide Security Oversight Committee The enterprisewide security oversight committee, sometimes referred to as a security council, serves as an oversight committee to the information security program. The vision of the security council must be clearly defined and understood by all members of the council. Vision Statement. A clear security vision statement should exist that is in alignment with and supports the organizational vision. Typically, these statements draw upon the security concepts of confidentiality, integrity, and availability to support the business objectives. The vision statements are not technical and focus on the advantages to the business. People will be involved in the council from management and technical areas and have limited time to participate, so the vision statement must be something that is viewed as worthwhile to sustain their continued involvement. The vision statement is a high-level set of statements, brief, to the point, and achievable. 34

AU8231_C001.fm Page 35 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management

The Information Security Council provides management direction and a sounding board for the ACME Company’s information security efforts to ensure that these efforts are: • • • • •

Appropriately prioritized Supported by each organizational unit Appropriately funded Realistic given ACME’s information security needs Balance security needs to be made between cost, response time, ease of use, flexibility, and time to market

The Information Security Council takes an active role in enhancing our security profile and increasing the protection of our assets through: • • • • • • •

Approval of organizationwide information security initiatives Coordination of various workgroups so that security goals can be achieved Promoting awareness of initiatives within their organizations Discussion of security ideas, policies, and procedures and their impact on the organization Recommendation of policies to the ACME Company IT Steering Committee Increased understanding of the threats, vulnerabilities, and safeguards facing our organization Active participation in policy, procedure, and standard review

The ACME Company Information Technology Steering Committee suppor ts the Information Security Council by: • • • •

Developing the strategic vision for the deployment of Information Technology Establishing priorities, arranging resources in concert with the vision Approval of the recommended policies, standards, and guidelines Approving major capital expenditures

Figure 1.3. Sample Security Council mission statement. Mission Statement. Mission statements are objectives that support the overall vision. These become the road map to achieving the vision and help the council clearly view the purpose for its involvement. Some individuals may choose nomenclature such as goals, objectives, initiatives, etc. A sample mission statement is shown in Figure 1.3.

Effective mission statements do not need to be lengthy, as the primary concern is to communicate the goals so both technical and nontechnical individuals readily understand them. The primary mission of the security council will vary by organization, but can include statements that address the following. Security Program Oversight. By establishing this goal in the beginning, the members of the council begin to feel that they have some input and influence over the direction of the security program. This is key, as many security decisions will impact their areas of operation. This also is the beginning of management’s commitment at the committee level, as the 35

AU8231_C001.fm Page 36 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® deliverables produced through the information security program now become recommended or approved by the security council versus the information security department. DECIDE ON PROJECT INITIATIVES. Each organization has limited resources (time, money, people) to allocate across projects to advance the business. The primary objective of information security projects is to reduce the organizational business risk through the implementation of reasonable controls. The council should take an active role in understanding the initiatives and the resulting business impact. PRIORITIZE INFORMATION SECURITY EFFORTS. Once the security council understands the proposed project initiatives and the associated positive impact to the business, its members can be involved with the prioritization of the projects. This may be in the form of a formal annual process or through the discussion and expressed support for individual initiatives. REVIEW AND RECOMMEND SECURITY POLICIES. Review of the security policies should include a line-by-line review of the policies, a cursory review of the procedures to support the policies, and a review of the implementation and subsequent enforcement of the policies. Through this activity, three key concepts are implemented that are important to sustaining commitment: (1) understanding of the policy is enhanced, (2) practical ability of the organization to support the policy is discussed, and (3) buy-in is established to subsequent support of implementation activities. CHAMPION ORGANIZATIONAL SECURITY EFFORTS. Once the council understands and accepts the policies, it serves as the organizational champion behind the policies, because it was involved in the creation of the policies. Council members may have started by reviewing a draft of the policy created by the information systems security department, but the resulting product was only accomplished through their review, input, and participation in the process. Their involvement creates ownership of the deliverable and a desire to see the security policy or project succeed within the company. RECOMMEND AREAS REQUIRING INVESTMENT. Members of the council have the opportunity to provide input from the perspective of their individual business units. The council serves as a mechanism for establishing broad support for security investments from this perspective. Resources within any organization are limited and allocated to the business units with the greatest need and the greatest perceived return on investment. Establishing this support enhances the budgetary understanding of the other business managers, as well as the chief financial officer, which is often essential to obtain the appropriate funding.

A mission statement that incorporates the previous concepts will help focus the council and also provide the sustaining purpose for its involve36

AU8231_C001.fm Page 37 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management ment. The vision and mission statements should also be reviewed on an annual basis to ensure that the council is still functioning according to the values expressed in the mission statement, as well as to ensure that new and replacement members are in alignment with the objectives of the council. Oversight Committee Representation. The oversight committee is made up of representatives from multiple organizational units that are necessary to support the policies in the long term. The HR department is essential to provide knowledge of the existing code of conduct, employment and labor relations, termination and disciplinary action policies, and practices that are in place. The legal department is needed to ensure that the language of the policies states what is intended, and that applicable local, state, and federal laws are appropriately followed. The IT department provides technical input and information on current initiatives and the development of procedures and technical implementations to support the policies. The individual business unit representation is essential to understand how practical the policies may be in carrying out the mission of the business. Compliance department representation provides insight on ethics, contractual obligations, and investigations that may require policy creation. And finally, the security officer, who typically chairs the council, should represent the information security department and members of the security team for specialized technical expertise.

The oversight committee is a management committee and, as such, is populated primarily with management-level employees. It is difficult to obtain the time commitment required to review policies at a detailed level by senior management. Reviewing the policies at this level is a necessary step to achieve buy-in within management. However, it would not be a good use of the senior management level in the early stages of development. Line management is very focused on their individual areas and may not have the organizational perspective necessary (beyond their individual departments) to evaluate security policies and project initiatives. Middle management appears to be in the best position to appropriately evaluate what is best for the organization, as well as possessing the ability to influence senior and line management to accept the policies. Where middle management does not exist, it is appropriate to include line management, as they are typically filling both of these roles (middle and line functions) when operating in these positions. Many issues may be addressed in a single security council meeting, which necessitates having someone record the minutes of the meeting. The chairperson’s role in the meeting is to facilitate the discussion, ensure that all viewpoints are heard, and drive the discussions to decisions where necessary. It is difficult to perform that function at the same time as taking notes. Recording the meeting is also helpful to capture key points that may have been missed in the notes, so that accurate minutes can be produced. 37

AU8231_C001.fm Page 38 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® The relationship between the security department and the security oversight committee is a dotted-line relationship that may or may not be reflected on the organization chart. The value of the committee is in providing the business direction and increasing the awareness of the security activities that are impacting the organization on a continuous basis. How frequently the committee meets will depend upon the organizational culture (i.e., Are monthly or quarterly oversight meetings held on other initiatives?), the number of security initiatives, and the urgency of decisions that need the input of the business units. Roles and Responsibilities. Many different individuals within an organization contribute to successful information protection. Security is the responsibility of everyone within the company. Every end user is responsible for understanding the policies and procedures that are applicable to their particular job function and adhering to the security control expectations. Users must have knowledge of the responsibilities and be trained to a level that is adequate to reduce the risk of loss. Although the exact titles and scope of responsibility of the individuals may vary from organization to organization, the following roles support the implementation of security controls. An individual may be performing multiple roles when the processes are defined for the organization, depending upon the constraints and organizational structure. It is important to provide clear assignment and accountability to designated employees for the various security functions to ensure that the tasks are performed. Communication of the responsibilities for each function, through distribution of policies, job descriptions, training, and management direction, provides the foundation for execution of security controls by the workforce. END USER. The end user is responsible for protecting the information assets on a daily basis through adherence to the security policies that have been communicated. The end users represent many “windows” to the organization, and through their practices the security can be either strengthened through compliance or compromised through their actions. For example, downloading unauthorized software, opening attachments from unknown senders, or visiting malicious Web sites could introduce backdoors or Trojans into the environment. End users can also be the front-line eyes and ears of the organization and report security incidents for investigation. Creating this culture requires that this role and responsibility is clearly communicated and understood by all. EXECUTIVE MANAGEMENT. Executive management maintains the overall responsibility for protection of the information assets. The business operations are dependent upon information being available, accurate, and protected from individuals without a need to know. Financial losses can occur if the confidentiality, integrity, or availability of the information is compromised. They must be aware of the risks that they are accepting for the orga38

AU8231_C001.fm Page 39 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management nization, through either explicit decision making or failure to make decisions or understand the nature of the risks inherent in the existing operation of the information systems. SECURITY OFFICER. As noted in the governance sections, the security officer directs, coordinates, plans, and organizes information security activities throughout the organization. The security officer works with many different individuals, such as executive management, management of the business units, technical staff, business partners, and third parties such as auditors and external consultants. The security officer and his or her team are responsible for the design, implementation, management, and review of the organization’s security policies, standards, procedures, baselines, and guidelines. INFORMATION SYSTEMS SECURITY PROFESSIONAL. Development of the security policies and the supporting procedures, standards, baselines, and guidelines, and subsequent implementation and review are performed through these individuals. Guidance is provided for technical security issues, and emerging threats are considered for the adoption of new policies. Interpretation of government regulations and industry trends and determination of the placement of vendor solutions in the security architecture to advance the security of the organization are performed. DATA/INFORMATION/BUSINESS OWNERS. A business executive or manager is responsible for an information asset. These are the individuals that assign the appropriate classification to the asset and ensure that the business information is protected with the appropriate controls. Periodically, the data owners need to review the classification and access rights associated with the information asset. Depending upon the formalization of the process within the organization, the data owners or their delegates may be required to approve access to the information from other business units. Data owners also need to determine the criticality, sensitivity, retention, backups, and safeguards for the information. Data owners or their delegates are responsible for understanding the policies and procedures used to appropriately classify the information. DATA CUSTODIAN. A data custodian is an individual or function that takes care of the information on behalf of the data owner. These individuals ensure that the information is available to the end users and is backed up to enable recovery in the event of data loss or corruption. Information may be stored in files, databases, or systems whose technical infrastructure must be managed, typically by systems administrators or operations. INFORMATION SYSTEMS AUDITOR. IT auditors determine whether systems are in compliance with the security policies, procedures, standards, baselines, designs, architectures, management direction, and other requirements. The auditors provide independent assurance to management on the appro39

AU8231_C001.fm Page 40 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® priateness of the security objectives. The auditor examines the information systems and determines whether they are designed, configured, implemented, operated, and managed in a way that the organizational objectives are being achieved. The auditors provide top company management with an independent view of the controls that have been designed and their effectiveness. Samples are extracted to test the existence and effectiveness of the controls. BUSINESS CONTINUITY PLANNER. Business continuity planners develop contingency plans to prepare for the occurrence of a major threat with the ability to impact the company’s objectives negatively. Threats may include earthquakes, tornadoes, hurricanes, blackouts, changes in the economic/political climate, terrorist activities, fire, or other major actions potentially causing significant harm. The business continuity planner ensures that business processes can continue through the disaster and coordinates those activities with the information technology personnel responsible for disaster recovery on specific platforms. INFORMATION SYSTEMS/INFORMATION TECHNOLOGY PROFESSIONALS. These personnel are responsible for designing security controls into information systems, testing the controls, and implementing the systems in production environments through agreed upon operating policies and procedures. The information systems professionals work with the business owners and the security professionals to ensure that the designed solution provides security controls commensurate with the acceptable criticality, sensitivity, and availability requirements of the application. SECURITY ADMINISTRATOR. A security administrator manages the user access request process and ensures that privileges are provided to those individuals that have been authorized for access by the proper management. This individual has elevated privileges and creates and deletes accounts and access permissions. The security administrator also terminates access privileges when individuals leave their jobs or transfer to company divisions. The security administrator maintains records of approvals as part of the control environment and produces these records to the information systems auditor to demonstrate compliance with the policies. SYSTEMS ADMINISTRATOR. A systems administrator (sysadmin) configures the hardware and operating systems to ensure that the information can be available and accessible. The administrator runs software distribution systems to install updates and test patches on the company computers. The administrator tests and implements system upgrades to ensure the continued reliability of the servers and network devices. Periodic usage of vulnerability testing tools, through either purchased software or open-source tools tested in a separate environment, identifies areas needing system upgrades or patches to fix the vulnerability. 40

AU8231_C001.fm Page 41 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management PHYSICAL SECURITY. The individuals assigned to the physical security role establish relationships with external law enforcement, such as the local police agencies, state police, or the Federal Bureau of Investigation (FBI) to assist in investigations. Physical security personnel manage the installation, maintenance, and ongoing operation of the closed circuit television (CCTV) surveillance systems, burglar alarm systems, and card reader access control systems. Guards are placed where necessary as a deterrent to authorized access and to provide safety for the company employees. Physical security personnel interface with systems security, human resources, facilities, and legal and business areas to ensure that the practices are integrated. ADMINISTRATIVE ASSISTANTS/SECRETARIES. This role can be very important to information security; in many companies of smaller size, this may be the individual who greets visitors, signs packages in and out, recognizes individuals that desire to enter the offices, and serves as the phone screener for executives. These individuals may be subject to social engineering attacks, whereby the potential intruder attempts to solicit confidential information that may be used for a subsequent attack. Social engineers prey on the goodwill and good graces of the helpful individual to gain entry. A properly trained assistant will minimize the risk of divulging useful company information or providing unauthorized entry. HELP DESK ADMINISTRATOR. As the name implies, the help desk is there to field questions from users that report system problems through a ticketing system. Problems may include poor response time, potential virus infections, unauthorized access, inability to access system resources, or questions on the use of a program. The help desk individual would contact the computer incident response team (CIRT) when a situation meets the criteria developed by the team. The help desk resets passwords, resynchronizes/reinitializes tokens and smart cards, and resolves other problems with access control. These functions may alternatively be performed through self-service by the end user, i.e., an intranet-based solution that establishes the identity of the end user and resets the password, or by another area, such as the security administration, systems administrator, etc., depending upon the organizational structure and separation of duties principles.

An organization may include other roles related to information security to meet its particular needs. Individuals within the different roles will require different levels of training. The end user may require only security awareness training, including the activities that are acceptable, how to recognize that there may be a problem, and what the mechanism is for reporting the problem to the appropriate security personnel for resolution. The security administrator will need more in-depth training on the access control packages to manage the log-on IDs, accounts, and log file reviews. The systems/network administrator will need technical security training for 41

AU8231_C001.fm Page 42 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® the specific operating system (Windows, UNIX, Linux, etc.) to competently set the security controls. ESTABLISHING UNAMBIGUOUS ROLES. Establishing clear, unambiguous security roles has many benefits to the organization beyond providing information as to the responsibilities to be performed and who needs to perform them. The benefits may also include:

• Demonstrable executive management support for information security • Increased employee efficiency by reducing confusion on who is expected to perform which tasks • Team coordination to protect information as it moves from department to department • Lower risks to company reputation by damage due to security problems • Capability to manage complex information systems and networks • Personal accountability for information security • Reduction of turf battles between departments • Security balanced with business objectives • Support of disciplinary actions for security violations up to and including termination • Facilitation of increased communication for resolution of security incidents • Demonstrable compliance with applicable laws and regulations • Shielding of management from liability and negligence claims • Road map for auditors to determine whether necessary work is performed effectively and efficiently • Continuous improvement efforts (i.e., ISO 9000) • Provision of a foundation for determining the security and awareness training required Information security is a team effort requiring the skill sets and cooperation of many different individuals The executive management may have overall responsibility, and the security officer/director/manager may be assigned the day-to-day task of ensuring the organization is complying with the defined security practices. However, every person in the organization has one or more roles to ensure appropriate protection of the information assets. Security Planning Strategic, tactical, and operational plans are interrelated, and each provides a different focus toward enhancing the security of the organization. Planning reduces the likelihood that the organization will be reactionary toward the security needs. With appropriate planning, decisions on projects can be made with respect to whether they support the long- or 42

AU8231_C001.fm Page 43 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management short-term goals and have the priority that warrants the allocation of more security resources. Strategic Planning. Strategic plans are aligned with the strategic business and information technology goals. These plans have a longer-term horizon (three to five years or more) to guide the long-term view of the security activities. The process of developing a strategic plan emphasizes thinking of the company environment and the technical environment a few years into the future. High-level goals are stated to provide the vision for projects to achieve the business objectives. These plans should be reviewed minimally on an annual basis or whenever major changes to the business occur, such as a merger, acquisition, establishment of outsourcing relationships, major changes in the business climate, introductions of new competitors, and so forth. Technological changes will be frequent during a five-year period, so the plan should be adjusted. The high-level plan provides organizational guidance to ensure that lower-level decisions are consistent with executive management’s intentions for the future of the company. For example, strategic goals may consist of:

• Establish security policies and procedures • Effectively deploy servers, workstations, and network devices to reduce downtime • Ensure that all users understand the security responsibilities and reward excellent performance • Establish a security organization to manage security entitywide • Ensure that risks are effectively understood and controlled Tactical Planning. Tactical plans provide the broad initiatives to support and achieve the goals specified in the strategic plan. These initiatives may include deployments such as establishing an electronic policy development and distribution process, implementing robust change control for the server environment, reducing the likelihood of vulnerabilities residing on the servers, implementing a “hot site” disaster recovery program, or implementing an identity management solution. These plans are more specific and may consist of multiple projects to complete the effort. Tactical plans are shorter in length, such as 6 to 18 months to achieve a specific security goal of the company. Operational and Project Planning. Specific plans with milestones, dates, and accountabilities provide the communication and direction to ensure that the individual projects are completed. For example, establishing a policy development and communication process may involve multiple projects with many tasks:

• Conduct security risk assessment • Develop security policies and approval processes 43

AU8231_C001.fm Page 44 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® • Develop technical infrastructure to deploy policies and track compliance • Train end users on policies • Monitor compliance Depending upon the size and scope of the efforts, these initiatives may be steps of tasks as part of a single plan, or they may be multiple plans managed through several projects. The duration of these efforts is short term to provide discrete functionality at the completion of the effort. Traditional “waterfall” methods of implementing projects spend a large amount of time detailing the specific steps required to implement the complete project. Executives today are more focused on achieving some shortterm, or at least interim, results to demonstrate the value of the investment along the way. Such demonstration of value maintains organizational interest and visibility to the effort, increasing the chances of sustaining longerterm funding. The executive management may grow impatient without realizing these early benefits. Personnel Security Hiring qualified and trustworthy individuals depends upon implementing and adhering to personnel policies that screen those individuals whose past actions may indicate undesirable behavior, as well as to ensure that continued employment is supervised. Lower employee morale may result in reduced compliance with controls and lower levels of staff expertise over time. Termination policies and procedures are necessary to ensure that terminated employees no longer have access to the system, and therefore do not have the opportunity to damage the files or systems or disrupt company operations. Although most individuals are hardworking, competent individuals with no intentions of wrongdoing, there are a few individuals with less than desirable intentions. With the potential impact to the information and systems and the negative publicity that results today from these events, it is imperative to implement the appropriate personnel security controls. Hiring Practices. Various activities should be performed prior to the individual starting the position, such as developing job descriptions, contacting references, screening/investigating background, developing confidentiality agreements, and determining policies on vendor, contractor, consultant, and temporary staff access. Job Descriptions. Job descriptions should contain the responsibilities of the position and the education, experience, and expertise required to satisfactorily perform the job function. A well-written job description provides not only the basis for conversation with the applicant to determine if the skills are a good match, but also the barometer by which the ongoing 44

AU8231_C001.fm Page 45 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management performance reviews can be measured. Individual job goals stated within the performance reviews should mirror the job description. Failure to align the correct job description with the individual will give a false sense of security, as the individual may be lacking the job requirements. To ensure that individuals possess the security skills on an ongoing basis, the job skills must be periodically reassessed. Requirements for annual training, especially for those individuals requiring specialized security training, will ensure that the skills remain relevant and current. The employee training and participation in professional activities should be monitored and encouraged. All job descriptions of the organization should have some reference to information security responsibilities, as these responsibilities are shared across the organization. Specific technology, platform requirements, and certifications required for security staff can be noted within the job posting. Employment Agreements. Employment agreements are usually signed by the employee before he or she starts the new job or during the first day, while visiting the human resources department. These agreements will vary from organization to organization as to the form and content, but their purpose is to protect the organization while the individual is employed, as well as after the employee has left employment by the organization. For example, nondisclosure agreements contain clauses to protect the company’s rights to retain trade secrets or intellectual property that the employee may have had access to well after the employee’s departure from the organization. Code of conduct, conflict of interest, gift-handling policies, and ethics agreements may be required to ensure that the employee handles the continued employment in a manner that will be in the best interests of the organization and reduce the liability of the organization to lawsuits for unethical behavior by its employees. Reference Checks. During the interviewing and hiring process, individuals attempt to determine the past work history of the applicant and their competencies, such as teamwork, leadership abilities, perseverance, ethics, customer service orientation, management skills, planning, and specific technical and analytical capabilities. Much of the information provided is obtained by observing the individual in the interview process or from the information he or she has provided through the targeted questions. It is not always possible to determine the true work orientation of the prospective employee without other collaborating information.

Personal reference checks involve contacting those individuals supplied by the prospective employee. Many employers are reluctant to provide personal references for fear of future litigation. After all, providing a reference is placing a stamp of approval on the performance or character of the employee, even though the person providing the reference really has no control over the future work performance of the employee. Many 45

AU8231_C001.fm Page 46 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® individuals will provide references to place them in the best possible light and may place individuals such as presidents, vice presidents, doctors, lawyers, ministers, and so forth, on the list to create the appearance of greater integrity. The astute employer will ask questions that ascertain the capabilities of the employee, such as leadership ability, oral and written communication skills, decision-making skills, ability to work with others, respect from peers, how the individual acted under stress, and managerial ability (budgeting, attracting talent, delivering projects). Multiple reference checks provide multiple perspectives and provide for corroboration of the desired behaviors. Employers need to balance the response of references with the knowledge that the references were provided by the applicant and may be biased in their opinions. Failure of a prospective employee to provide references may be an indicator of a spotty work record or the possibility of prior personnel actions/sanctions against the individual. Background Investigations. Just as the personal reference checks provide the opportunity to obtain corroborating information on whether the applicant will potentially be a good addition to the company, background checks can uncover more information related to the ability of the organization to trust the individual. Organizations want to be sure of the individuals that they are hiring and minimize future lawsuits. Statistics have shown that resumes are filled with errors, accidental mistakes, or blatant lies to provide a perceived advantage to the applicant. Common falsifications include embellishment of skill levels, job responsibilities and accomplishments, certifications held, and the length of employment. The background checks can greatly assist the hiring manager in determining whether he or she has an accurate representation of the skills, experience, and work accomplishments of the individual. Commercial businesses typically do not have the time and money to conduct meaningful, thorough investigations on their own and hire outside firms that specialize in the various background checks. Background checks can uncover:

• • • • • • • • • • • • 46

Gaps in employment Misrepresentation of job titles Job duties Salary Reasons for leaving a job Validity and status of professional certification Education verification and degrees obtained Credit history Driving records Criminal history Personal references Social security number verification

AU8231_C001.fm Page 47 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management BENEFITS OF BACKGROUND CHECKS. The benefits of background checks in protecting the company are self-evident; however, the following benefits also accrue to the employer:

• Risk mitigation • Increased confidence that most qualified candidate was hired versus the one who interviewed the best • Lower hiring cost • Reduced turnover • Protection of assets • Protection of the company’s brand reputation • Shielding of employees, customers, and the public from theft, violence, drugs, and harassment • Insulation from negligent hiring and retention lawsuits • Safer workplace by avoiding hiring employees with a history of violence • Discouraging of applicants with something to hide • Revealing of criminal activity (rarely put on job applications) TIMING OF CHECKS. An effective background check program requires that all individuals involved in the hiring process support the program prior to the candidate being selected for hire. This requires that the human resources department, legal, hiring supervisors, and recruiters understand and execute the screening process. Once the individual is hired into the organization, it is much harder to obtain the information without having a specific cause for performing the investigation. Employees should also be periodically reinvestigated consistent with the sensitivity of their positions. TYPES OF BACKGROUND CHECKS. Many different types of background checks can be performed depending upon the position that the individual may be hired for. A best practice would be to perform background checks on all of the company’s employees and to require external agencies through contract agreements to perform background checks on the contractors, vendors, and anyone coming in contact with the company assets. If this is costprohibitive, the organization must decide on which group of employees it is most critical to conduct background checks. The types of checks range from minimal checks to full background investigations. The types of individuals upon which an organization may focus the checks or decide to provide more extensive checks include:

• • • • •

Individuals involved in technology Individuals with access to confidential or sensitive information Employees with access to company proprietary or competitive data Positions working with accounts payable, receivables, or payroll Positions dealing directly with the public 47

AU8231_C001.fm Page 48 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® • Employees working for healthcare industry-based organizations or organizations dealing with financial information • Positions involving driving a motor vehicle • Employees who will come in contact with children There is a broad range of possible background checks available. The following are the most common background checks performed. CREDIT HISTORY. Credit history is the primary vehicle used by financial institutions to ensure the repayment of consumer loans, credit cards, mortgages, and other types of financial obligations. Credit histories are used to screen for high default risks and to discourage default. Financial services firms use credit histories as primary leverage, providing a threat to place delinquent information on the individual’s credit reports should he or she fall behind in payments. In the past, managers would run a credit report only on those individuals that were directly handling money; however, this has changed due to the interconnection of computers and the potential access to high-risk applications. Basic credit reports verify the name, address, social security number, and prior addresses of the applicant. These can be used to provide more extensive criminal searches or uncover gaps in employment. Detailed credit histories provide the employer with liens, judgments, and payment obligations that may give an indication as to the individual’s ability to handle his or her financial obligations. However, these items must be evaluated in context, as the individual may have previously slipped into financial trouble and then reorganized his or her financial life, so this would not present a risk to the prospective employer. Sometimes credit reports have limited or no information, which may be representative of a prospect’s age (has not yet established a credit history), cash paid for purchases, assumption of a false identity, or a prospects’ residence (lives in a low-income area that relies on fringe lenders, which typically do not report to credit bureaus).

Employers need to ensure that they are using the information appropriately, according to their country’s laws. In the United States, the Fair Credit Reporting Act (FCRA) and laws under the Equal Employment Opportunity Commission (EEOC), and some state laws, will govern the actions by the organization. Legal counsel and human resources should be involved in the development of any policies and procedures related to the screening process. CRIMINAL HISTORY. Criminal records are more difficult to obtain than credit histories, as credit histories are exchanged through a system among banks, retail establishments, financial services firms, and credit-reporting bureaus. With more than 3000 legal jurisdictions in the United States, it is not feasible to search each jurisdiction. Starting with the county of residence and searching in other prior addresses will provide a reasonable 48

AU8231_C001.fm Page 49 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management background check for the applicant. Most background checks examine felonies and overlook the misdemeanors (less serious crimes). Under the FCRA, employers can request full criminal records for the past seven years, unless the applicant earns more than $75,000 annually, in which case there are no time restrictions. Important information to be searched includes state and county criminal records, sex and violent offender records, and prison parole and release records. DRIVING RECORDS. Driving records should be checked for those employees that will be operating a motor vehicle on their job. These records can also reveal information about applicants that will not be driving vehicles as part of their employment, such as verification of the applicant’s name, address, and social security number, and will include information on traffic citations, accidents, driving-under-the-influence arrests, convictions, suspensions, revocations, and cancellations. These may be indicators of a possible alcohol or drug addiction or a lack of responsibility. DRUG AND SUBSTANCE TESTING. The use of illicit drugs is tested by most organizations, as drug use may result in lost productivity, absenteeism, accidents, employee turnover, violence in the workplace, and computer crimes. Individuals using drugs avoid applying or following through the process with companies that perform drug testing. There are many different screening tests available, such as screens for amphetamines, cocaine and PCP, opiates (codeine, morphine, etc.), marijuana (THC), phencyclidine, and alcohol. Independent labs are frequently employed by employers to ensure that proper testing is performed, as businesses are not in the drug testing business. Labs employ safeguards to reduce the likelihood of false-positives, or making a wrongful determination of drug use. In the United States, laws such as the Americans with Disabilities Act (ADA) may provide protections for individuals undergoing rehabilitation. PRIOR EMPLOYMENT. Verifying employment information such as dates employed, job title, job performance, reason for leaving, and if the individual is eligible for rehire can provide information as to the accuracy of the information provided by the applicant. This is not an easy process, as many companies have policies to not comment on employee performance and will only confirm dates of employment. EDUCATION, LICENSING, AND CERTIFICATION VERIFICATION. Diploma and degree credentials listed on the resume can be verified with the institution of higher learning. Degrees can be purchased through the Internet for a fee, without attendance in any classes, so care should be taken to ensure that the degree is from an accredited institution. Certifications in the technology field, such as the CISSP, Microsoft Certified Systems Engineer (MCSE), or industry- or vendor-specific certifications, can be verified by contacting 49

AU8231_C001.fm Page 50 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® the issuing agency. State licensing agencies maintain records of stateissued licenses, complaints, and revocations of licenses. SOCIAL SECURITY NUMBER VERIFICATION AND VALIDATION. That a number is indeed a social security number can be verified through a mathematical calculation, along with the state and year that the number may have been issued. Verification that the number was issued by the Social Security Administration, was not misused, was issued to a person who is not deceased, or that the inquiry address is not associated with a mail receiving service, hotel or motel, state or federal prison, campground, or detention facility can be done through an inquiry to the Social Security Administration. SUSPECTED TERRORIST WATCH LIST. Various services search the federal and international databases of suspected terrorists. Although the construction of these databases and the methods for identifying the terrorists are relatively new and evolving, industries of higher risk, such as the defense, biotech, aviation, and pharmaceutical industries, or those that conduct business with companies associated with known terrorist activities, would benefit from checking these databases. Ongoing Supervision. Ongoing supervision and periodic performance reviews ensure that the individuals are evaluated on their current qualifications and attainment of security goals. Performance ratings for all employees should cover the compliance with security policies and procedures. Compensation and recognition of achievements should be appropriate to maintain high morale of the department. Monitoring the ongoing skill capabilities and training and experience requirements reduces the risk that inappropriate controls are being applied to information security. Employee Terminations. Employees join and leave organizations every day as a common occurrence in performing business. The reasons vary widely, due to retirement, reduction in force, layoffs, termination with or without cause, relocation to another city, career opportunities with other employers, or involuntary transfers. Terminations may be friendly or unfriendly and will need different levels of care. FRIENDLY TERMINATIONS. Regular termination is when there is little or no evidence or reason to believe that the termination is not agreeable to both the company and the employee. A standard set of procedures, typically maintained by the human resources department, governs the dismissal of the terminated employee to ensure that the company property is returned and all access is removed. These procedures may include exit interviews and return of keys, identification cards, badges, tokens, and cryptographic keys. Other property, such as laptops, cable locks, credit cards, and phone cards, are also collected. The user manager notifies the security department of the termination to ensure that access is removed to all platforms and facilities. Some facilities choose to immediately delete the accounts, 50

AU8231_C001.fm Page 51 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management while others choose to disable the accounts for a short period, say 30 days, to account for changes or extensions in the final termination date. The termination process includes a conversation with the departing associate about his continued responsibility for confidentiality of information. UNFRIENDLY TERMINATIONS. Unfriendly terminations may occur when the individual is fired, involuntarily transferred, laid off, or when the organization has reason to believe that the individual has the means and intention to potentially cause harm to the system. Individuals with technical skills and higher levels of access, such as the systems administrators, computer programmers, database administrators, or any individual with elevated privileges, may present higher risk to the environment. These individuals could alter files, plant logic bombs to create system file damage at a future date, or remove sensitive information. Other disgruntled users could enter erroneous data into the system that may not be discovered for several months. In these situations, immediate termination of systems access is warranted at the time of termination or prior to notifying the employee of the termination.

Managing the people aspect of security, from preemployment to postemployment, is critical to ensure that trustworthy, competent resources are employed to further the business objectives that will protect the company information. Each of these actions contributes to preventive, detective, or corrective personnel controls. Security Awareness, Training, and Education Security awareness can be defined as the understanding of the importance of security within an organization. Given today’s complex business environments, most organizations perceive value in promoting an awareness of security within their environments. There are many methods by which an organization can educate its members regarding security. These methods, as well as observations about their implementation, follow. Why Conduct Formal Security Awareness Training? Security awareness training is a method by which organizations can inform employees about their roles, and expectations surrounding their roles, in the observance of information security requirements. Additionally, training provides guidance surrounding the performance of particular security or risk management functions, as well as providing information surrounding the security and risk management functions in general. Finally, educated users aid the organization in the fulfillment of its security program objectives, which may also include audit objectives for organizations that are bound by regulatory compliance (such as HIPAA, the Sarbanes–Oxley Act, the Gramm–Leach–Bliley Act, or any other type of regulation). 51

AU8231_C001.fm Page 52 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Training Topics. Security is a broad discipline, and as such, there are many topics that could be covered by security awareness training. Topics that can be investigated within the security awareness curriculum include:

• • • • • • • • • • • • • • • •

Corporate security policies The organization’s security program Regulatory compliance requirements for the organization Social engineering Business continuity Disaster recovery Emergency management, to include hazardous materials, biohazards, and so on Security incident response Data classification Information labeling and handling Personnel security, safety, and soundness Physical security Appropriate computing resource use Proper care and handling of security credentials, such as passwords Risk assessment Accidents, errors, or omissions

A well-rounded security curriculum will include specialty classes and awareness aids for individuals performing specialized roles within the organization, such as those in IT, accounting, and others. The organization must also keep in mind that special attention should be paid to aligning training with security risk management activities. In doing so, the training may result in partial or complete offset of the risk within the organization. What Might a Course in Security Awareness Look Like? Let us create an outline for a security awareness course surrounding a corporate security policy. Assuming that this is the first formal course the organization has conducted, it is likely that personnel have not been formally introduced to the policy. This introduction would be an appropriate place to begin. You might expect a curriculum to proceed as follows. What Is a Corporate Security Policy? This item allows the organization to explain, in detail, a security measure it is undertaking to protect its environment. Why Is Having a Corporate Security Policy Important? This item provides the opportunity to share with employees that it is everyone’s responsibility to protect the organization, its people, and its assets. This is also an appropriate place for senior management to voice their support of the corporate security policy, and the security management effort in general.

52

AU8231_C001.fm Page 53 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management How Does This Policy Fit into My Role at the Organization? Many employees are concerned about the effect that security may have on them. Some fear that they will not be able to accomplish tasks on time; others fear that their role may change. This is the right time to indicate to employees that although security considerations may add a bit to job performance, it is more than likely that they are already performing many of the security responsibilities set forth in the security policy. The policy adds formalization to the ad hoc security functions in practice; that is, these ad hoc practices are now documented and may be enhanced as well. What about People Who Say They Do Not Have Any Security Functions Present in Their Current Role? It is important to point out that these functions may be

present in an ad hoc fashion, but that any process performed over time becomes at least partly automatic. This leads to decreased time to performance, in reality, over time. The instructor may ask the student whether there was a time in recent memory when he or she was asked to perform a new function as part of his or her job. The instructor can then point out that this is a similar situation. Do I Have to Comply? It is crucial for an organization to agree that all employees, including senior management, must comply with corporate security policies. If there are exceptions to the rule, then the policy may become unenforceable. This puts the organization in the position of having wasted dollars, time, and resources in the crafting of a policy with no “teeth.” What Are the Penalties for Noncompliance? It is equally critical that an organization spell out in common and easily understood terms what the penalty is for noncompliance with a corporate security policy. Most policies indicate in the body of the policy that all personnel, contractors, and business associates are expected to adhere to the policies. Typically, failure to do so results in disciplinary action, up to and including termination or prosecution.

At this point, there are likely to be questions about what may happen in the event of an accidental violation. It is important to reiterate to the students that security violations (or incidents) should be reported immediately, so that the impact to the organization can be minimized. What Is the Effect of This Corporate Policy on My Work? (Will It Make Things Harder?). This item was discussed in detail above; the instructor may tie this

back to impact on the individual’s role. What Type of Things Should I Be Looking For? At this point, the employee’s questions have been answered, relative to their responsibility to comply with the corporate security policy. This would be an appropriate time to discuss the policy’s contents with the students. This can be done as a lecture, by example, or in a “spot the security problem” format.

53

AU8231_C001.fm Page 54 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® When teaching a course of this type, the instructor should be sure to address topics that apply to all staff, including senior management, line management, business unit users, temporary or seasonal staff, contractors, business associates, and so on. Awareness Activities and Methods There are a variety of methods that can be used to promote security awareness. Some of the more common methods include: • Formalized courses, as mentioned above, delivered either in a classroom fashion using slides, handouts, or books, or online through training Web sites suited to this purpose. • Use of posters that call attention to aspects of security awareness, such as password protection, physical security, personnel security, and others. • Business unit walk-throughs, to aid workers in identification of practices that should be avoided (such as posting passwords on Post-It notes in a conspicuous place on the desktop) and practices that should be continued (such as maintaining a clean desk or using a locked screen saver when away from the computer). • Use of the organization’s intranet to post security reminders or to host a weekly or monthly column about information security happenings within the organization. • Appointment of a business unit security awareness mentor to aid with questions, concerns, or comments surrounding the implementation of security within the environment; these individuals would interact together and with the organization’s security officer. These mentors could also interact with the organization’s internal audit, legal, information technology, and corporate business units on a periodic (monthly or quarterly) basis. • Sponsor an organizationwide security awareness day, complete with security activities, prizes, and recognition of the winners. • Sponsor an event with an external partner, such as Information Systems Security Association (ISSA), Information Systems Audit and Control Association (ISACA), SysAdmin, Audit, Network, Security (SANS) Institute, International Information Systems Security Certification Consortium ((ISC)2), or others; allow time for staff members to fully participate in the event. • Provide trinkets for the users within the organization that support security management principles. • Provide security management videos, books, Web sites, and collateral for employees to use for reference. It is important to note that activities should be interesting and rewarding for the organization’s people. To facilitate this interest, the program 54

AU8231_C001.fm Page 55 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management should be adaptable, and the content and format of the awareness materials should be subject to change on a periodic basis. Job Training Unlike general security awareness training, security training assists personnel with the development of their skills sets relative to performance of security functions within their roles. A typical security curriculum in a mature organization will include specialty classes for individuals performing specialized roles within the organization, such as those in IT, accounting, and others. Even within these business units, specialized training will occur. For example, in the IT area, it would be advisable for network staff responsible for maintenance and monitoring of the firewalls, intrusion detection/prevention systems, and syslog servers to be sufficiently trained to perform these duties. Say senior management determined there were no funds available for training. What would be the result? Typically, motivated staff receive some on-the-job learning; however, it may not be sufficient to perform the job duties adequately. As a result, the organization is breached and sensitive information is stolen. Who would be at fault in this case? Senior management is always ultimately responsible in the organization for information security objectives. Senior management failed, in this case, to adequately protect the environment by refusing to properly train staff in their respective security duties. Any legal ramifications would fall squarely upon management’s shoulders. Let us examine the previous situation in another way. Assume that the personnel in question indicated to management that although no paid training was available, they felt comfortable that they could perform the security functions for which they were responsible. To demonstrate, they performed the requisite functions for IT management to demonstrate capability. All is well until the organization is breached some months later and confidential information stolen. Senior management returns to information systems management and asks the director to investigate. During her investigation, she discovers that patching has not occurred for the past three months. When staff were asked about the incident, no satisfactory answer could be given. Who would be responsible for the breach in that event? Again, senior management is always ultimately responsible for information security within the organization; however, senior management held the network team accountable for failing to maintain patching levels and promptly fired them from their positions. Ensuring that a resource is properly trained can assist an organization in assigning accountability for the satisfactory completion of security tasks for which they are responsible. The organization must also keep in mind that training should be closely aligned with security risk management activities. In doing so, the training may result in partial or complete offset of the risk within the organization. 55

AU8231_C001.fm Page 56 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Professional Education Security education (specifically, in this case, information security) revolves around the education of a potential or experienced security professional along career development lines and, as the SSCP administrative domain course points out, “provides decision-making and security management skills that are important for the success of an organization’s security program.” Security certifications, versus vendor certifications, may fit into this category. Certifications such as the Systems Security Certified Practitioner (SSCP), CISSP, Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Global Information Assurance Certification (GIAC), and others are related to the discipline of security for the practitioner. The benefits of this training have already been presented. Costs of the training, relative to the benefits received by the personnel and organization, must be evaluated pretraining. Equally important are curricula that have been introduced into the universities through the federal government and other benefactors, implemented as bachelor’s, master’s, and Ph.D. programs. Many of these programs present both theory and hands-on course work to the student. Topics covered in these programs may include policy and procedures design and development, security assessment techniques, technical and application security assessment techniques, social engineering, malicious software identification and eradication, incident response, disaster recovery, security program development, and others. The benefit derived from this education is self-evident: a practitioner versus a technician is created. It is important to note, however, that education of this type is typically two to six years in duration and takes significant time for resources to successfully complete. An alternative may be to train professionals on a university course-by-course basis in information security. This may be a practical alternative, given the need within the organization. Performance Metrics It is important for the organization to track performance relative to security, for the purposes of both enforcement and enhancement of security initiatives under way. It is also important for the organization to ensure that users acknowledge their security responsibilities by signing off after each class that they have heard and understand the material and will agree to be bound by the organization’s security program, policies, procedures, plans, and initiatives. Measurement can include periodic walk-throughs of business unit organizations, periodic quizzes to keep staff up to date, and so on. Risk Management Risk, as defined in the American Heritage Dictionary, is “the possibility of loss.” Random House Dictionary defines risk management as “the technique 56

AU8231_C001.fm Page 57 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management or profession of assessing, minimizing, and preventing accidental loss to a business, as through the use of insurance, safety measures, etc.” (ISC)2 defines risk management as “a discipline for living with the possibility that future events may cause harm.” Further, (ISC)2 states that “risk management reduces risks by defining and controlling threats and vulnerabilities.” We will discuss both the topics of risk assessment and the principles behind the management of risk. To achieve this, it is important to understand the principles and concepts underlying the risk management process. These principles and concepts will be discussed in this chapter. Risk Management Concepts An organization will conduct a risk assessment (the term risk analysis is sometimes interchanged with risk assessment) to evaluate: • Threats to its assets • Vulnerabilities present in the environment • The likelihood that a threat will “make good” by taking advantage of an exposure (or probability and frequency when dealing with quantitative assessment) • The impact that the exposure being realized has on the organization • Countermeasures available that can reduce the threat’s ability to exploit the exposure or that can lessen the impact to the organization when a threat is able to exploit a vulnerability • The residual risk (that is, the amount of risk that is left over when appropriate controls are properly applied to lessen or remove the vulnerability) An organization may also wish to document evidence of the countermeasure in a deliverable called an exhibit. An exhibit can be used to provide an audit trail for the organization and, likewise, evidence for any internal or external auditors that may have questions about the organization’s current state of risk. Why undertake such an endeavor? Without knowing what assets are critical and which are most at risk within an organization, it is not possible to protect those assets appropriately. For example, if an organization is bound by HIPAA regulations, but does not know how electronic personally identifiable information may be at risk, the organization may make significant mistakes in securing that information, such as neglecting to protect against certain risks or applying too much protection against low-level risks. Risk assessment also takes into account special circumstances under which assets may require additional protection, such as with regulatory compliance. Many times, these regulatory requirements are the means to completion of an appropriate risk assessment for the organization, as meeting compliance objectives requires the risk assessment to be done. 57

AU8231_C001.fm Page 58 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Because no organization has limitless dollars, resources, and time, it is sometimes difficult to persuade senior executives to undertake risk assessment, even in the face of regulatory requirements. How, then, might they be persuaded? One of the principle outcomes of risk assessment is the definition and identification of threats, vulnerabilities, and countermeasures present (or desired) within the organization. It would then be useful to “reuse” the data gathered during the risk assessment for other security initiatives, such as business continuity, security incident response, disaster recovery, and others. This reuse saves the organization dollars, time, and resources and can be demonstrated to senior management. Unlike a risk assessment, vulnerability assessments tend to focus on technology aspects of an organization, such as the network or applications. Data gathering for vulnerability assessments typically includes the use of software tools, which provide volumes of raw data for the organization and the assessor. This raw data includes information on the type of vulnerability, its location, its severity (typically based on an ordinal scale of high, medium, and low), and sometimes a discussion of the findings. Assessors who conduct vulnerability assessments must be expert in properly reading, understanding, digesting, and presenting the information obtained from a vulnerability assessment to a multidisciplinary, sometimes nontechnical audience. Why? Data that is obtained from the scanning may not truly be a vulnerability. False-positives are findings that are reported when no vulnerability truly exists in the organization (that is, something that is occurring in the environment has been flagged as an exposure when it really is not); likewise, false-negatives are vulnerabilities that should have been reported and are not. This sometimes occurs when tools are inadequately “tuned” to the task, or the vulnerability in question exists outside the scope of the assessment. Some findings are correct and appropriate, but require significant interpretation for the organization to make sense of what has been discovered and how to proceed in remediation (that is, fixing the problem). This task is typically suited for an experienced assessor or a team whose members have real-world experience with the tool in question. Qualitative Risk Assessments. Organizations have the option of performing a risk assessment in one of two ways: qualitatively or quantitatively. Qualitative risk assessments produce valid results that are descriptive versus measurable. A qualitative risk assessment is typically conducted when:

• The risk assessors available for the organization have limited expertise in quantitative risk assessment; that is, assessors typically do not require as much experience in risk assessment when conducting a qualitative assessment. 58

AU8231_C001.fm Page 59 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management • The timeframe to complete the risk assessment is short. • The organization does not have a significant amount of data readily available that can assist with the risk assessment and, as a result, descriptions, estimates, and ordinal scales (such as high, medium, and low) must be used to express risk. The following methods are typically used during a qualitative risk assessment: • Management approval to conduct the assessment must be obtained prior to assigning a team and conducting the work. Management is kept apprised during the process to continue to promote support for the effort. • Once management approval has been obtained, a risk assessment team can be formed. Members may include staff from senior management, information security, legal or compliance, internal audit, HR, facilities/safety coordination, IT, and business unit owners, as appropriate. • The assessment team requests documentation, which may include, dependent upon scope: – Information security program strategy and documentation – Information security policies, procedures, guidelines, and baselines – Information security assessments and audits – Technical documentation, to include network diagrams, network device configurations and rule sets, hardening procedures, patching and configuration management plans and procedures, test plans, vulnerability assessment findings, change control and compliance information, and other documentation as needed – Applications documentation, to include software development life cycle, change control and compliance information, secure coding standards, code promotion procedures, test plans, and other documentation as needed – Business continuity and disaster recovery plans and corresponding documents, such as business impact analysis surveys – Security incident response plan and corresponding documentation – Data classification schemes and information handling and disposal policies and procedures – Business unit procedures, as appropriate – Executive mandates, as appropriate – Other documentation, as needed • The team sets up interviews with organizational members, for the purposes of identifying vulnerabilities, threats, and countermeasures within the environment. All levels of staff should be represented, to include: – Senior management 59

AU8231_C001.fm Page 60 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® – – – – – –

Line management Business unit owners Temporary or casual staff (that is, interns) Business partners, as appropriate Remote workers, as appropriate Any other staff deemed appropriate to task

It is important to note that staff across all business units within scope for the risk assessment should be interviewed. It is not necessary to interview every staff person within a unit; a representative sample is usually sufficient. Once interviews are completed, the analysis of the data gathered can be completed. This can include matching the threat to a vulnerability, matching threats to assets, determining how likely the threat is to exploit the vulnerability, and determining the impact to the organization in the event an exploit is successful. Analysis also includes a matching of current and planned countermeasures (that is, protection) to the threat–vulnerability pair. When the matching is completed, risk can be calculated. In a qualitative analysis, the product of likelihood and impact produces the level of risk. The higher the risk level, the more immediate is the need for the organization to address the issue, to protect the organization from harm. Once risk has been determined, additional countermeasures can be recommended to minimize, transfer, or avoid the risk. When this is completed, the risk that is left over — after countermeasures have been applied to protect against the risk — is also calculated. This is the residual risk, or risk left over after countermeasure application. Quantitative Risk Assessments. As an organization becomes more sophisticated in its data collection and retention, and staff become more experienced in conducting risk assessments, an organization may find itself moving more toward quantitative risk assessment. The hallmark of a quantitative assessment is the numeric nature of the analysis. Frequency, probability, impact, countermeasure effectiveness, and other aspects of the risk assessment have a discrete mathematical value in a pure quantitative analysis.

Often, the risk assessment an organization conducts is a combination of qualitative and quantitative methods. Fully quantitative risk assessment may not be possible, because there is always some subjective input present, such as the value of information. It is clear to see the benefits, and the pitfalls, of performing a purely quantitative analysis. Quantitative analysis allows the assessor to determine whether the cost of the risk outweighs the cost of the countermeasure, in mathematical rather than descriptive terms. Purely quantitative 60

AU8231_C001.fm Page 61 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management analysis, however, requires an enormous amount of time and must be performed by assessors with a significant amount of experience. Additionally, subjectivity is introduced because the metrics may also need to be applied to qualitative measures. If the organization has the time and manpower to complete a lengthy and complex accounting evaluation, this data may be used to assist with a quantitative analysis; however, most organizations are not in a position to authorize this work. Three steps are undertaken in a quantitative risk assessment: initial management approval, construction of a risk assessment team, and the review of information currently available within the organization. Single loss expectancy (SLE) must be calculated to provide an estimate of loss. Single loss expectancy is defined as the difference between the original value and the remaining value of an asset after a single exploit. The formula for calculating SLE is as follows: SLE = asset value (in $) × exposure factor (loss in successful threat exploit, as %) Losses can include lack of availability of data assets due to data loss, theft, alteration, or denial of service (perhaps due to business continuity or security issues). Next, the organization would calculate the annualized rate of occurrence (ARO). This is done to provide an accurate calculation of annualized loss expectancy (ALE). ARO is an estimate of how often a threat will be successful in exploiting a vulnerability over the period of a year. When this is completed, the organization calculates the annualized loss expectancy (ALE). The ALE is a product of the yearly estimate for the exploit (ARO) and the loss in value of an asset after a single exploitation (SLE). The calculation follows: ALE = ARO × SLE Note that this calculation can be adjusted for geographical distances using the local annual frequency estimate (LAFE) or the standard annual frequency estimate (SAFE). Given that there is now a value for SLE, it is possible to determine what the organization should spend, if anything, to apply a countermeasure for the risk in question. Remember that no countermeasure should be greater in cost than the risk it mitigates, transfers, or avoids. Countermeasure cost per year is easy and straightforward to calculate. It is simply the cost of the countermeasure divided by the years of its life (that is, use within the organization). Finally, the organization is able to compare the cost of the risk versus the cost of the countermeasure and make some objective decisions regarding its countermeasure selection. 61

AU8231_C001.fm Page 62 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Selecting Tools and Techniques for Risk Assessment. It is expected that an organization will make a selection of the risk assessment methodology, tools, and resources (including people) that best fit its culture, personnel capabilities, budget, and timeline. Many automated tools, including proprietary tools, exist in the field. Although automation can make the data analysis, dissemination, and storage of results easier, it is not a required part of risk assessment. If an organization is planning to purchase or build automated tools for this purpose, it is highly recommended that this decision be based on an appropriate timeline and resource skill sets for creation, implementation, maintenance, and monitoring of the tool(s) and data stored within, long term. Risk Assessment Methodologies. NIST SP 800-30 and 800-66. These methodologies are qualitative methods established for use of the general public, but are particularly used by regulated industries, such as healthcare. The procedures for using the methodologies in the field are essentially the same; SP 800-66 is written specifically with HIPAA clients in mind (though it is possible to use this document for other regulated industries as well). The methodology process follows:

• • • • • • • • •

System characterization Vulnerability identification Threat identification Countermeasure identification Likelihood determination Impact determination Risk determination Additional countermeasures recommendations Document results

OCTAVE. As defined by its creator, Carnegie Mellon University’s Software Engineering Institute, OCTAVE “is a self-directed information security risk evaluation.” OCTAVE is defined as a situation where people from an organization manage and direct an information security risk evaluation for their organization. The organization’s people direct risk evaluation activities and are responsible for making decisions about the organization’s efforts to improve information security. In OCTAVE, an interdisciplinary team, called the analysis team, leads the evaluation.

The OCTAVE criteria are a set of principles, attributes, and outputs. Principles are the fundamental concepts driving the nature of the evaluation. They define the philosophy that shapes the evaluation process. For example, self-direction is one of the principles of OCTAVE. The concept of selfdirection means that people inside the organization are in the best position to lead the evaluation and make decisions. 62

AU8231_C001.fm Page 63 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management The requirements of the evaluation are embodied in the attributes and outputs. Attributes are the distinctive qualities, or characteristics, of the evaluation. They are the requirements that define the basic elements of the OCTAVE approach and what is necessary to make the evaluation a success from both the process and organizational perspectives. Attributes are derived from the OCTAVE principles. For example, one of the attributes of OCTAVE is that an interdisciplinary team (the analysis team) staffed by personnel from the organization lead the evaluation. The principle behind the creation of an analysis team is self-direction. Finally, outputs are the required results of each phase of the evaluation. They define the outcomes that an analysis team must achieve during each phase. We recognize that there is more than one set of activities that can produce the outputs of OCTAVE. It is for this reason that we do not specify one set of required activities. FRAP. In Information Security Risk Analysis, Second Edition (Auerbach Publications, 2005), Tom Peltier writes, “the Facilitated Risk Analysis Process (FRAP) examines the qualitative risk assessment process and then provides tested variations on the methodology. The FRAP process can be used by … any organization that needs to determine what direction the organization must take on a specific issue.”

The process allows organizations to prescreen applications, systems, or other subjects to determine if a risk analysis is needed. By establishing a unique prescreening process, organizations will be able to concentrate on subjects that truly need a formal risk analysis. The process has no outlay of capital and can be conducted by anyone with good facilitation skills. CRAMM. As described on the CRAMM (CCTA Risk Analysis and Management Method) Web site, residing on Siemens Insight Consulting’s Web site, “CRAMM provides a staged and disciplined approach embracing both technical (e.g., IT hardware and software) and nontechnical (e.g., physical and human) aspects of security. To assess these components, CRAMM is divided into three stages: asset identification and valuation, threat and vulnerability assessment, and countermeasure selection and recommendation.” The implementation of this methodology is much like the other methods listed above. More information will be presented on information valuation, threat, and vulnerability and countermeasure identification and selection later in this work. Spanning Tree Analysis. As stated in the (ISC)2 Information Systems Secu-

rity Engineering Professional (ISSEP) course material, spanning tree analysis “creates a ‘tree’ of all possible threats to or faults of the system. ‘Branches’ are general categories such as network threats, physical

63

AU8231_C001.fm Page 64 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® threats, component failures, etc.” When conducting the risk assessment, organizations “prune ‘branches’ that do not apply.” Failure Modes and Effect Analysis. As stated in the (ISC)2 ISSEP course mate-

rial, failure modes and effect analysis was borne in hardware analysis, but can be used for software and system analysis. It examines potential failures of each part or module, and examines effects of failure at three levels:

• Immediate level (part or module) • Intermediate level (process or package) • Systemwide The organization would then “collect total impact for failure of given modules to determine whether modules should be strengthened or further supported.” Risk Management Principles Risk Avoidance. Risk avoidance is the practice of coming up with alternatives so that the risk in question is not realized. For example, have you ever heard a friend, or parents of a friend, complain about the costs of insuring an underage driver? How about the risks that many of these children face as they become mobile? Some of these families will decide that the child in question will not be allowed to drive the family car, but will rather wait until he or she is of legal age (that is, 18 years of age) before committing to owning, insuring, and driving a motor vehicle.

In this case, the family has chosen to avoid the risks associated with an underage driver, such as poor driving performance or the cost of insurance for the child. Although this choice may be available for some situations, it is not available for all. Imagine, if you will, a global retailer who, knowing the risks associated with doing business on the Internet, decides to avoid the practice. This decision will likely cost the company a significant amount of its revenue (if, indeed, the company has products or services that consumers wish to purchase). In addition, the decision may require the company to build or lease a site in each of the locations, globally, for which it wishes to continue business. This could have a catastrophic effect on the company’s ability to continue business operations. Risk Transfer. Risk transfer is the practice of passing on the risk in question to another entity, such as an insurance company. Let us look at one of the examples that was presented above in a different way. The family is evaluating whether to permit an underage driver to use the family car. The family decides that it is important for the child to be mobile, so it transfers the risk of a child being in an accident to the insurance company, which provides the family with auto insurance. 64

AU8231_C001.fm Page 65 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management It is important to note that the transfer of risk may be accompanied by a cost. This is certainly true for the example presented above and can be seen in other insurance instances, such as liability insurance for a vendor or the insurance taken out by companies to protect against hardware and software theft or destruction. Risk Mitigation. Risk mitigation is the practice of the elimination of or the significant decrease in the level of risk presented. Examples of risk mitigation can be seen in everyday life and are readily apparent in the information technology world. For example, to lessen the risk of exposing personal and financial information that is highly sensitive and confidential, organizations put countermeasures in place, such as firewalls, intrusion detection/prevention systems, and other mechanisms, to deter malicious outsiders from accessing this highly sensitive information. In the underage driver example, risk mitigation could take the form of driver education for the child. Risk Acceptance. In some cases, it may be prudent for an organization to simply accept the risk that is presented in certain scenarios. Risk acceptance is the practice of accepting certain risk(s), typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way.

For example, an executive may be confronted with risks identified during the course of a risk assessment for her organization. These risks have been prioritized by high, medium, and low impact to the organization. The executive notes that to mitigate or transfer the low-level risks, significant costs could be involved. Mitigation might involve the hiring of additional highly skilled personnel and the purchase of new hardware, software, and office equipment, while transference of the risk to an insurance company would require premium payments. She further notes that an insignificant impact to her organization would occur if any of the reported low-level threats were realized. Therefore, she (rightly) concludes that it is wiser for the organization to forego the costs and accept the risk. In the child driver example, risk acceptance could be based on the observation that the child has demonstrated the responsibility and maturity to warrant the parent’s trust in his or her judgment. The decision to accept risk should not be taken lightly, nor without appropriate information to justify the decision. The cost versus benefit, the organization’s willingness to monitor the risk long term, and the impact it has on the outside world’s view of the organization must all be taken into account when deciding to accept risk. It is important to note that there are organizations who may also track containment of risk. Containment lessens the impact to an organization if or when an exposure is exploited through distribution of critical assets (that is, people, processes, data, technologies, and facilities). 65

AU8231_C001.fm Page 66 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Who Owns the Risk? This is a very serious question, with an intriguing answer: it depends. Ultimately, the organization (that is, senior management) owns the risks that are present during operation of the company; however, senior management may rely on business unit (or data) owners or custodians to assist in identification of risks so that they can be mitigated, transferred, or avoided. The organization also likely expects that the owners and custodians will minimize or mitigate risk as they work, based upon policies, procedures, and regulations present in the environment. If expectations are not met, consequences such as disciplinary action, termination, or prosecution will usually result.

Here is an example: A claims processor is working with a medical healthcare claim submitted to his organization for completion. The claim contains electronic personally identifiable healthcare information for a person the claims processor knows. Although he has acknowledged his responsibilities for the protection of the data, he calls his mother, who is a good friend of the individual who filed the claim. His mother in turn calls multiple people, who in turn contact the person who filed the claim. The claimant contacts an attorney, and the employee and company are sued for the intentional breach of information. Several things are immediately apparent from this example. The employee is held immediately accountable for his action in intentionally exploiting a vulnerability (that is, sensitive information was inappropriately released, according to federal law — Health Insurance Portability and Accountability Act of 1996 (HIPAA)). While he was custodian of the data (and a co-owner of the risk), the court also determined that the company was co-owner of the risk, and hence bore the responsibility for compensating the victim (in this example, the claimant). Risk Assessment Identify Vulnerabilities. The National Institute of Standards and Technology (NIST), in Special Publication 800-30 Rev. A, defines a vulnerability as “a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.” Random House Dictionary defines being vulnerable as “capable of or susceptible to being wounded or hurt, as by a weapon” or “(of a place) open to assault; difficult to defend.”

Note that the latter definition is not strictly related to information systems, but rather can be attributed to physical, human, or other factors. In the field, it is common to identify vulnerabilities as they are related to people, processes, data, technology, and facilities. Examples of vulnerabilities could include the absence of a receptionist, mantrap, or other physical security mechanism upon entrance to a facility; inadequate integrity 66

AU8231_C001.fm Page 67 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management checking in financial transaction software; neglecting to require users to sign an acknowledgment of their responsibilities with regard to security, as well as an acknowledgment that they have read, understand, and agree to abide by the organization’s security policies; or patching and configuration of the organization’s information systems are done on an ad hoc basis, and therefore are neither documented nor up to date. Identify Threats. The National Institute of Standards and Technology (NIST), in Special Publication 800-30 Rev. A, defines a threat as “the potential for a particular threat-source to successfully exercise a particular vulnerability.” In the OCTAVE framework, threats are identified as the source from which assets in the organization are secured (or protected).

NIST defines a threat source as “either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.” Threat sources have been identified by a number of groups, but can be grouped into a few categories. Each category can be expanded with specific threats, as follows: • Human: Malicious outsider, malicious insider, (bio)terrorist, saboteur, spy political or competitive operative, loss of key personnel, errors made by human intervention, cultural issues • Natural: Fire, flood, tornado, hurricane, snow storm, earthquake • Technical: Hardware failure, software failure, malicious code, unauthorized use, use of emerging services, such as wireless, new technologies • Physical: Closed-circuit TV failure, perimeter defense failure • Environmental: Hazardous waste, biological agent, utility failure • Operational: A process (manual or automated) that affects confidentiality, integrity, or availability Many specific threats exist within each category; the organization will identify those sources as the assessment progresses, utilizing information available from groups such as (ISC)2 and SANS, and from government agencies such as the National Institute of Standards and Technology (NIST), the Federal Financial Institutions Examination Council (FFIEC), the Department of Health and Human Services (HHS), and others. Determination of Likelihood. It is important to note that likelihood is a component of a qualitative risk assessment. For more information on the components of a quantitative risk assessment, see the “Quantitative Risk Assessments” section earlier in this chapter.

Likelihood, along with impact, determines risk. Likelihood, as stated by NIST and others, can be measured by the capabilities of the threat and the presence or absence of countermeasures. Initially, organizations that do not have trending data available may use an ordinal scale, labeled high, 67

AU8231_C001.fm Page 68 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Rating Likelihood and Consequences

Figure 1.4. Rating likelihood and consequences.

medium, and low, to score likelihood rankings. Another method is presented in Figure 1.4. Once a selection on the ordinal scale has been made, the selection can be mapped to a numeric value for computation of risk. For example, the selection of high can be mapped to the value of 1. Medium can likewise be mapped to 0.5, and low can be mapped to 0.1. As the scale expands, the numeric assignments will become more targeted. Determination of Impact. Impact can be ranked much the same way as likelihood. The main difference is that the impact scale is expanded and depends upon definitions, rather than ordinal selections. Definitions of impact to an organization often include loss of life, loss of dollars, loss of prestige, loss of market share, and other facets. It is highly recommended that the organization take sufficient time to define and assign impact definitions for high, medium, low, or any other scale terms that are chosen.

Once the terms are defined, impact can be calculated. If an exploit results in loss of life (such as a bombing or bioterrorist attack), the ranking will always be high. In general, groups such as the National Security Agency view loss of life as the highest-priority risk in any organization. As such, it may be assigned the top value in the impact scale. An example: 51 to 100 = high; 11 to 50 = medium; 0 to 10 = low. Determination of Risk. Risk is determined by the product of likelihood and impact. For example, if an exploit has a likelihood of 1 (high) and an impact of 100 (high), the risk would be 100. Using the same mapping scale 68

AU8231_C001.fm Page 69 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management

Consequence: Insignificant

Likelihood:

Minor

Moderate

Major

Catastrophic

1

2

3

4

5

A (almost certain)

H

H

E

E

E

B (likely)

M

H

H

E

E

C (possible)

L

M

H

E

E

D (unlikely)

L

L

M

H

E

E (rare)

L

L

M

H

H

I

Extreme Risk: Immediate action required to mitigate the risk or decide to not proceed

H

High Risk: Action should be taken to compasate for the risk

M

Moderate Risk: Action should be taken to monitor the risk

L

Low Risk: Routine acceptance of the risk

Figure 1.5. ANZ 4360 risk levels.

as for impact, this would be the highest exploit ranking available. A ranking like this might translate to a tragedy, such as the London bombings. These scenarios (high likelihood, high impact) merit immediate attention from the organization. As the risk calculations are completed, they can be prioritized for attention, as required. Note that not all risks will receive the same level of attention, based on the organization’s risk tolerance and its strategy for mitigation, transfer, or avoidance of risk. Figure 1.5 shows another view of risk. Reporting Findings. Once the findings from the assessment have been consolidated and the calculations have been completed, it is time to present a finalized report to senior management. This can be done in a written report, by presentation or outbrief, or by both means. Written reports should include an acknowledgment to the participants, a summary of the approach taken, findings in detail (in either tabulated or graphical form), recommendations for remediation of the findings, and a summary. Organizations are encouraged to develop their own formats, to make the most of the activity, as well as the information collected and analyzed. Countermeasure Selection. It is important for the organization to appropriately select countermeasures to apply to risks in the environment. Many aspects of the countermeasure must be considered to ensure it is the proper fit to the task. Considerations for countermeasures include: 69

AU8231_C001.fm Page 70 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® • Accountability • Auditability (Can it be tested?) • Publicly available, simple design (the construction and the nature of the countermeasure are not secret) • Trusted source • Independence • Consistently applied • Cost-effective • Reliable • Distinct from other countermeasures (no overlap) • Ease of use • Minimum manual intervention • Sustainable • Secure • Protects confidentiality, integrity, and availability of assets • Can be “backed out” in event of issue • Creates no additional issues during operation • Leaves no residual data from its function Although this list appears rather lengthy, it is clear that countermeasures must be above reproach when in use for protection of an organization’s assets. It is important to note that once risk assessment is completed and there is a list of remediation activities to be undertaken, an organization must ensure that it has personnel with appropriate capabilities to implement the remediation activities, as well as to maintain and support them. This may require the organization to provide additional training opportunities to personnel involved in the design, deployment, maintenance, and support of security mechanisms within the environment. In addition, it is crucial that appropriate policies, with detailed procedures that correspond to each policy item, be created, implemented, maintained, monitored, and enforced in the environment. It is highly recommended that the organization assign accountable resources to each task and track tasks over time, reporting progress to senior management and allowing time for appropriate approvals during this process. Information Valuation. All information has value. Value is typically represented by information’s cost and its perceived value internally and externally to an organization. It is important to remember that over time, however, information may lose its value. Additionally, information may lose value if it is modified, improperly disclosed, or not had its proper value calculated. It is of utmost importance, then, to periodically attempt to properly value information assets.

How, then, is information value determined? Similarly to risk analysis, information valuation methods may be descriptive (subjective) or metric 70

AU8231_C001.fm Page 71 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management (objective). Subjective methods include the creation, dissemination, and data collection from checklists or surveys. An organization’s policies or the regulatory compliance requirements that it must follow may also determine information’s worth. Metric, or statistical, measures may provide a more objective view of information valuation. Each of these methods has its uses within an organization. One of the methods that uses consensus relative to valuation of information is the consensus/modified Delphi method. Participants in the valuation exercise are asked to comment anonymously on the task being discussed. This information is collected and disseminated to a participant other than the original author. This participant comments upon the observations of the original author. The information gathered is discussed in a public forum and the best course is agreed upon by the group (consensus). Ethics The consideration of computer ethics fundamentally emerged with the birth of computers. There was concern right away that computers would be used inappropriately to the detriment of society, or that they would replace humans in many jobs, resulting in widespread job loss. To fully grasp the issues involved with computer ethics, it is important to consider the history. The following provides a brief overview of some significant events.1 Consideration of computer ethics is recognized to have begun with the work of MIT professor Norbert Wiener during World War II in the early 1940s, when he helped to develop an antiaircraft cannon capable of shooting down fast warplanes. This work resulted in Wiener and his colleagues creating a new field of research that Wiener called cybernetics, the science of information feedback systems. The concepts of cybernetics, combined with the developing computer technologies, led Wiener to make some ethical conclusions about the technology called information and communication technology (ICT), in which Wiener predicted social and ethical consequences. Wiener published the book The Human Use of Human Beings in 1950, which described a comprehensive foundation that is still the basis for computer ethics research and analysis. In the mid-1960s, Donn B. Parker, at the time with SRI International in Menlo Park, CA, began examining unethical and illegal uses of computers and documenting examples of computer crime and other unethical computerized activities. He published “Rules of Ethics in Information Processing” in Communications of the ACM in 1968, and headed the development of the first Code of Professional Conduct for the Association for Computing Machinery, which was adopted by the ACM in 1973. During the late 1960s, Joseph Weizenbaum, a computer scientist at MIT in Boston, created a computer program that he called ELIZA that he 71

AU8231_C001.fm Page 72 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® scripted to provide a crude imitation of “a Rogerian psychotherapist engaged in an initial interview with a patient.” People had strong reactions to his program, some psychiatrists fearing it showed that computers would perform automated psychotherapy. Weizenbaum wrote Computer Power and Human Reason in 1976, in which he expressed his concerns about the growing tendency to see humans as mere machines. His book, MIT courses, and many speeches inspired many computer ethics thoughts and projects. Walter Maner is credited with coining the phrase “computer ethics” in the mid-1970s when discussing the ethical problems and issues created by computer technology, and taught a course on the subject at Old Dominion University. From the late 1970s into the mid-1980s, Maner’s work created much interest in university-level computer ethics courses. In 1978, Maner published the Starter Kit in Computer Ethics, which contained curriculum materials and advice for developing computer ethics courses. Many university courses were put in place because of Maner’s work. In the 1980s, social and ethical consequences of information technology, such as computer-enabled crime, computer failure disasters, privacy invasion using computer databases, and software ownership lawsuits, were being widely discussed in America and Europe. James Moor of Dartmouth College published “What Is Computer Ethics?” in Computers and Ethics, and Deborah Johnson of Rensselaer Polytechnic Institute published Computer Ethics, the first textbook in the field in the mid1980s. Other significant books about computer ethics were published within the psychology and sociology field, such as Sherry Turkle’s The Second Self, about the impact of computing on the human psyche, and Judith Perrolle’s Computers and Social Change: Information, Property and Power, about a sociological approach to computing and human values. Maner Terrell Bynum held the first international multidisciplinary conference on computer ethics in 1991. For the first time, philosophers, computer professionals, sociologists, psychologists, lawyers, business leaders, news reporters, and government officials assembled to discuss computer ethics. During the 1990s, new university courses, research centers, conferences, journals, articles, and textbooks appeared, and organizations like Computer Professionals for Social Responsibility, the Electronic Frontier Foundation, and the Association for Computing Machinery-Special Interest Group on Computers and Society (ACM-SIGCAS) launched projects addressing computing and professional responsibility. Developments in Europe and Australia included new computer ethics research centers in England, Poland, Holland, and Italy. In the U.K., Simon Rogerson, of De Montfort University, led the ETHICOMP series of conferences and established the Centre for Computing and Social Responsibility. 72

AU8231_C001.fm Page 73 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management Regulatory Requirements for Ethics Programs When creating an ethics strategy, it is important to look at the regulatory requirements for ethics programs. These provide the basis for a minimal ethical standard upon which an organization can expand to fit its own unique organizational environment and requirements. An increasing number of regulatory requirements related to ethics programs and training now exist. The 1991 U.S. Federal Sentencing Guidelines for Organizations (FSGO) outline minimal ethical requirements and provide for substantially reduced penalties in criminal cases when federal laws are violated if ethics programs are in place. Reduced penalties provide strong motivation to establish an ethics program. Effective November 1, 2004, the FSGO was updated with additional requirements: • In general, board members and senior executives must assume more specific responsibilities for a program to be found effective: – Organizational leaders must be knowledgeable about the content and operation of the compliance and ethics program, perform their assigned duties exercising due diligence, and promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law. – The commission’s definition of an effective compliance and ethics program now has three subsections: • Subsection (a) — the purpose of a compliance and ethics program • Subsection (b) — seven minimum requirements of such a program • Subsection (c) — the requirement to periodically assess the risk of criminal conduct and design, implement, or modify the seven program elements, as needed, to reduce the risk of criminal conduct • The purpose of an effective compliance and ethics program is “to exercise due diligence to prevent and detect criminal conduct and otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.” The new requirement significantly expands the scope of an effective ethics program and requires the organization to report an offense to the appropriate governmental authorities without unreasonable delay. The Sarbanes–Oxley Act of 2002 introduced accounting reform and requires attestation to the accuracy of financial reporting documents: • Section 103, “Auditing, Quality Control, and Independence Standards and Rules,” requires the board to: – Register public accounting firms 73

AU8231_C001.fm Page 74 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® –

Establish, or adopt, by rule, “auditing, quality control, ethics, independence, and other standards relating to the preparation of audit reports for issuers” • New Item 406(a) of Regulation S-K requires companies to disclose: – Whether they have a written code of ethics that applies to their senior officers – Any waivers of the code of ethics for these individuals – Any changes to the code of ethics • If companies do not have a code of ethics, they must explain why they have not adopted one. • The U.S. Securities and Exchange Commission approved a new governance structure for the New York Stock Exchange (NYSE) in December 2003. It includes a requirement for companies to adopt and disclose a code of business conduct and ethics for directors, officers, and employees, and promptly disclose any waivers of the code for directors or executive officers. The NYSE regulations require all listed companies to possess and communicate, both internally and externally, a code of conduct or face delisting. In addition to these, organizations must monitor new and revised regulations from U.S. regulatory agencies, such as the Food and Drug Administration (FDA), Federal Trade Commission (FTC), Bureau of Alcohol, Tobacco, and Firearms (BATF), Internal Revenue Service (IRS), and Department of Labor (DoL), and many others throughout the world. Ethics plans and programs need to be established within the organization to ensure that the organization is in compliance with all such regulatory requirements. Example Topics in Computer Ethics When establishing a computer ethics program and accompanying training and awareness programs, it is important to consider the topics that have been addressed and researched. The following topics, identified by Terrell Bynum,1 are good to use as a basis. Computers in the Workplace. Computers can pose a threat to jobs as people feel they may be replaced by them. However, the computer industry already has generated a wide variety of new jobs. When computers do not eliminate a job, they can radically alter it. In addition to job security concerns, another workplace concern is health and safety. It is a computer ethics issue to consider how computers impact health and job satisfaction when information technology is introduced into a workplace. Computer Crime. With the proliferation of computer viruses, spyware, phishing and fraud schemes, and hacking activity from every location in the world, computer crime and security are certainly topics of concern when discussing computer ethics. Besides outsiders, or hackers, many 74

AU8231_C001.fm Page 75 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management computer crimes, such as embezzlement or planting of logic bombs, are committed by trusted personnel who have authorization to use company computer systems. Privacy and Anonymity. One of the earliest computer ethics topics to arouse public interest was privacy. The ease and efficiency with which computers and networks can be used to gather, store, search, compare, retrieve, and share personal information make computer technology especially threatening to anyone who wishes to keep personal information out of the public domain or out of the hands of those who are perceived as potential threats. The variety of privacy-related issues generated by computer technology has led to reexamination of the concept of privacy itself. Intellectual Property. One of the more controversial areas of computer ethics concerns the intellectual property rights connected with software ownership. Some people, like Richard Stallman, who started the Free Software Foundation, believe that software ownership should not be allowed at all. He claims that all information should be free, and all programs should be available for copying, studying, and modifying by anyone who wishes to do so.2 Others, such as Deborah Johnson, argue that software companies or programmers would not invest weeks and months of work and significant funds in the development of software if they could not get the investment back in the form of license fees or sales.3 Professional Responsibility and Globalization. Global networks such as the Internet and conglomerates of business-to-business network connections are connecting people and information worldwide. Such globalization issues that include ethics considerations include:

• • • • • •

Global laws Global business Global education Global information flows Information-rich and information-poor nations Information interpretation

The gap between rich and poor nations, and between rich and poor citizens in industrialized countries, is very wide. As educational opportunities, business and employment opportunities, medical services, and many other necessities of life move more and more into cyberspace, gaps between the rich and the poor may become even worse, leading to new ethical considerations. Common Computer Ethics Fallacies Although computer education is starting to be incorporated in lower grades in elementary schools, the lack of early computer education for 75

AU8231_C001.fm Page 76 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® most current adults led to several documented generally accepted fallacies that apply to nearly all computer users. As technology advances, these fallacies will change; new ones will arise, and some of the original fallacies will no longer exist as children learn at an earlier age about computer use, risks, security, and other associated information. There are more than described here, but Peter S. Tippett identified the following computer ethics fallacies, which have been widely discussed and generally accepted as being representative of the most common.4 The Computer Game Fallacy. Computer users tend to think that computers will generally prevent them from cheating and doing wrong. Programmers particularly believe that an error in programming syntax will prevent it from working, so that if a software program does indeed work, then it must be working correctly and preventing bad things or mistakes from happening. Even computer users in general have gotten the message that computers work with exacting accuracy and will not allow actions that should not occur. Of course, what computer users often do not consider is that although the computer operates under very strict rules, the software programs are written by humans and are just as susceptible to allowing bad things to happen as people often are in their own lives. Along with this, there is also the perception that a person can do something with a computer without being caught, so that if what is being done is not permissible, the computer should somehow prevent them from doing it. The Law-Abiding Citizen Fallacy. Laws provide guidance for many things, including computer use. Sometimes users confuse what is legal with regard to computer use with what is reasonable behavior for using computers. Laws basically define the minimum standard about which actions can be reasonably judged, but such laws also call for individual judgment. Computer users often do not realize they also have a responsibility to consider the ramifications of their actions and to behave accordingly. The Shatterproof Fallacy. Many, if not most, computer users believe that they can do little harm accidentally with a computer beyond perhaps erasing or messing up a file. However, computers are tools that can harm, even if computer users are unaware of the fact that their computer actions have actually hurt someone else in some way. For example, sending an email flame to a large group of recipients is the same as publicly humiliating them. Most people realize that they could be sued for libel for making such statements in a physical public forum, but may not realize they are also responsible for what they communicate and for their words and accusations on the Internet. As another example, forwarding e-mail without permission of the author can lead to harm or embarrassment if the original sender was communicating privately without expectation of his or her message being seen by any others. Also, using e-mail to stalk someone, to 76

AU8231_C001.fm Page 77 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management send spam, and to harass or offend the recipient in some way also are harmful uses of computers. Software piracy is yet another example of using computers to, in effect, hurt others. Generally, the shatterproof fallacy is the belief that what a person does with a computer can do minimal harm, and only affects perhaps a few files on the computer itself; it is not considering the impact of actions before doing them. The Candy-from-a-Baby Fallacy. Illegal and unethical activity, such as software piracy and plagiarism, are very easy to do with a computer. However, just because it is easy does not mean that it is right. Because of the ease with which computers can make copies, it is likely almost every computer user has committed software piracy of one form or another. The Software Publisher’s Association (SPA) and Business Software Alliance (BSA) studies reveal software piracy costs companies multibillions of dollars. Copying a retail software package without paying for it is theft. Just because doing something wrong with a computer is easy does not mean it is ethical, legal, or acceptable. The Hacker’s Fallacy. Numerous reports and publications of the commonly accepted hacker belief is that it is acceptable to do anything with a computer as long as the motivation is to learn and not to gain or make a profit from such activities. This so-called hacker ethic is explored in more depth in the following section. The Free Information Fallacy. A somewhat curious opinion of many is the notion that information “wants to be free,” as mentioned earlier. It is suggested that this fallacy emerged from the fact that it is so easy to copy digital information and to distribute it widely. However, this line of thinking completely ignores the fact the copying and distribution of data is completely under the control and whim of the people who do it, and to a great extent, the people who allow it to happen.

Hacking and Hacktivism Hacking is an ambivalent term, most commonly perceived as being part of criminal activities. However, hacking has been used to describe the work of individuals who have been associated with the open-source movement. Many of the developments in information technology have resulted from what has typically been considered as hacking activities. Manuel Castells considers hacker culture as the “informationalism” that incubates technological breakthrough, identifying hackers as “the actors in the transition from an academically and institutionally constructed milieu of innovation to the emergence of self-organizing networks transcending organizational control” (p. 276).5 77

AU8231_C001.fm Page 78 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® A hacker was originally a person who sought to understand computers as thoroughly as possible. Soon hacking came to be associated with phreaking, breaking into phone networks to make free phone calls, which is clearly illegal. The Hacker Ethic. The idea of a hacker ethic originates in the activities of the original hackers at MIT and Stanford in the 1950s and 1960s. Stephen Levy outlined the so-called hacker ethic6 as follows:

1. 2. 3. 4.

Access to computers should be unlimited and total. All information should be free. Authority should be mistrusted and decentralization promoted. Hackers should be judged solely by their skills at hacking, rather than by race, class, age, gender, or position. 5. Computers can be used to create art and beauty. 6. Computers can change your life for the better. The hacker ethic has three main functions (p. 279):5 1. It promotes the belief of individual activity over any form of corporate authority or system of ideals. 2. It supports a completely free-market approach to the exchange of and access to information. 3. It promotes the belief that computers can have a beneficial and lifechanging effect. Such ideas are in conflict with a wide range of computer professionals’ various codes of ethics. Ethics Codes of Conduct and Resources Several organizations and groups have defined the computer ethics their members should observe and practice. In fact, most professional organizations have adopted a code of ethics, a large percentage of which address how to handle information. To provide the ethics of all professional organizations related to computer use would fill a large book. The following are provided to give you an opportunity to compare similarities between the codes and, most interestingly, to note the differences (and sometimes contradictions) in the codes followed by the various diverse groups. The Code of Fair Information Practices. In 1973 the Secretary’s Advisory Committee on Automated Personal Data Systems for the U.S. Department of Health, Education and Welfare recommended the adoption of the following Code of Fair Information Practices7 to secure the privacy and rights of citizens:

1. There must be no personal data record-keeping systems whose very existence is secret; 78

AU8231_C001.fm Page 79 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management 2. There must be a way for an individual to find out what information is in his or her file and how the information is being used; 3. There must be a way for an individual to correct information in his or her records; 4. Any organization creating, maintaining, using, or disseminating records of personally identifiable information must assure the reliability of the data for its intended use and must take precautions to prevent misuse; and 5. There must be a way for an individual to prevent personal information obtained for one purpose from being used for another purpose without his or her consent. Internet Activities Board (IAB) (now the Internet Architecture Board) and RFC 1087. RFC 10878 is a statement of policy by the Internet Activities

Board (IAB) posted in 1989 concerning the ethical and proper use of the resources of the Internet. The IAB “strongly endorses the view of the Division Advisory Panel of the National Science Foundation Division of Network, Communications Research and Infrastructure,” which characterized as unethical and unacceptable any activity that purposely: 1. Seeks to gain unauthorized access to the resources of the Internet, 2. Disrupts the intended use of the Internet, 3. Wastes resources (people, capacity, computer) through such actions, 4. Destroys the integrity of computer-based information, or 5. Compromises the privacy of users. Computer Ethics Institute (CEI). In 1991 the Computer Ethics Institute held its first National Computer Ethics Conference in Washington, D.C. The Ten Commandments of Computer Ethics were first presented in Dr. Ramon C. Barquin’s paper prepared for the conference, ”In Pursuit of a ‘Ten Commandments’ for Computer Ethics.” The Computer Ethics Institute published them as follows in 1992:9

1. 2. 3. 4. 5. 6.

Thou Shalt Not Use a Computer to Harm Other People. Thou Shalt Not Interfere with Other People’s Computer Work. Thou Shalt Not Snoop around in Other People’s Computer Files. Thou Shalt Not Use a Computer to Steal. Thou Shalt Not Use a Computer to Bear False Witness. Thou Shalt Not Copy or Use Proprietary Software for Which You Have Not Paid. 7. Thou Shalt Not Use Other People’s Computer Resources without Authorization or Proper Compensation. 8. Thou Shalt Not Appropriate Other People’s Intellectual Output. 9. Thou Shalt Think about the Social Consequences of the Program You Are Writing or the System You Are Designing. 79

AU8231_C001.fm Page 80 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® 10. Thou Shalt Always Use a Computer in Ways That Insure Consideration and Respect for Your Fellow Humans. National Conference on Computing and Values. The National Conference on Computing and Values (NCCV) was held on the campus of Southern Connecticut State University in August 1991. It proposed the following four primary values for computing, originally intended to serve as the ethical foundation and guidance for computer security:4

1. 2. 3. 4.

Preserve the public trust and confidence in computers. Enforce fair information practices. Protect the legitimate interests of the constituents of the system. Resist fraud, waste, and abuse.

The Working Group on Computer Ethics. In 1991, the Working Group on Computer Ethics created the following End User’s Basic Tenets of Responsible Computing:10

1. I understand that just because something is legal, it isn’t necessarily moral or right. 2. I understand that people are always the ones ultimately harmed when computers are used unethically. The fact that computers, software, or a communications medium exists between me and those harmed does not in any way change moral responsibility toward my fellow humans. 3. I will respect the rights of authors, including authors and publishers of software as well as authors and owners of information. I understand that just because copying programs and data is easy, it is not necessarily right. 4. I will not break into or use other people’s computers or read or use their information without their consent. 5. I will not write or knowingly acquire, distribute, or allow intentional distribution of harmful software like bombs, worms, and computer viruses. National Computer Ethics and Responsibilities Campaign (NCERC).

In 1994, a National Computer Ethics and Responsibilities Campaign (NCERC) was launched11 to create an “electronic repository of information resources, training materials and sample ethics codes” that would be available on the Internet for IS managers and educators. The National Computer Security Association (NCSA) and the Computer Ethics Institute cosponsored NCERC. The NCERC Guide to Computer Ethics was developed to support the campaign. The goal of NCERC is to foster computer ethics awareness and education.4 The campaign does this by making tools and other resources available for people who want to hold events, campaigns, awareness programs, 80

AU8231_C001.fm Page 81 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management seminars, and conferences or to write or communicate about computer ethics. NCERC is a nonpartisan initiative intended to increase understanding of the ethical and moral issues unique to the use, and sometimes abuse, of information technologies. (ISC)2 Code of Ethics. The following is an excerpt from the (ISC)2 Code of

Ethics12 preamble and canons, by which all CISSPs and SSCPs must abide. Compliance with the preamble and canons is mandatory to maintain certification. Computer professionals could resolve conflicts between the canons in the order of the canons. The canons are not equal and conflicts between them are not intended to create ethical binds. Code of Ethics Preamble.

• Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior. • Therefore, strict adherence to this Code is a condition of certification. Code of Ethics Canons. Protect society, the commonwealth, and the infra-

structure • Promote and preserve public trust and confidence in information and systems. • Promote the understanding and acceptance of prudent information security measures • Preserve and strengthen the integrity of the public infrastructure. • Discourage unsafe practice. Act honorably, honestly, justly, responsibly, and legally • Tell the truth; make all stakeholders aware of your actions on a timely basis. • Observe all contracts and agreements, express or implied. • Treat all constituents fairly. In resolving conflicts, consider public safety and duties to principals, individuals, and the profession in that order. • Give prudent advice; avoid raising unnecessary alarm or giving unwarranted comfort. Take care to be truthful, objective, cautious, and within your competence. • When resolving differing laws in different jurisdictions, give preference to the laws of the jurisdiction in which you render your service. Provide diligent and competent service to principals • Preserve the value of their systems, applications, and information. • Respect their trust and the privileges that they grant you. • Avoid conflicts of interest or the appearance thereof. 81

AU8231_C001.fm Page 82 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® • Render only those services for which you are fully competent and qualified. Advance and protect the profession • Sponsor for professional advancement those best qualified. All other things equal, prefer those who are certified and who adhere to these canons. Avoid professional association with those whose practices or reputation might diminish the profession. • Take care not to injure the reputation of other professionals through malice or indifference. • Maintain your competence; keep your skills and knowledge current. Give generously of your time and knowledge in training others. Organizational Ethics Plan of Action Peter S. Tippett has written extensively on computer ethics. He provided the following action plan4 to help corporate information security leaders to instill a culture of ethical computer use within organizations: 1. Develop a corporate guide to computer ethics for the organization. 2. Develop a computer ethics policy to supplement the computer security policy. 3. Add information about computer ethics to the employee handbook. 4. Find out whether the organization has a business ethics policy, and expand it to include computer ethics. 5. Learn more about computer ethics and spreading what is learned. 6. Help to foster awareness of computer ethics by participating in the computer ethics campaign. 7. Make sure the organization has an E-mail privacy policy. 8. Make sure employees know what the E-mail policy is. Fritz H. Grupe, Timothy Garcia-Jay, and William Kuechler identified the following selected ethical bases for IT decision making:13 Golden rule: Treat others as you wish to be treated. Do not implement systems that you would not wish to be subjected to yourself. Is your company using unlicensed software although your company itself sells software? Kant’s categorical imperative: If an action is not right for everyone, it is not right for anyone. Does management monitor call center employees’ seat time, but not its own? Descartes’ rule of change (also called the slippery slope): If an action is not repeatable at all times, it is not right at any time. Should your Web site link to another site, “framing” the page, so users think it was created and belongs to you? 82

AU8231_C001.fm Page 83 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management Utilitarian principle (also called universalism): Take the action that achieves the most good. Put a value on outcomes and strive to achieve the best results. This principle seeks to analyze and maximize the IT of the covered population within acknowledged resource constraints. Should customers using your Web site be asked to opt in or opt out of the possible sale of their personal data to other companies? Risk aversion principle: Incur least harm or cost. Given alternatives that have varying degrees of harm and gain, choose the one that causes the least damage. If a manager reports that a subordinate criticized him in an e-mail to other employees, who would do the search and see the results of the search? Avoid harm: Avoid malfeasance or “do no harm.” This basis implies a proactive obligation of companies to protect their customers and clients from systems with known harm. Does your company have a privacy policy that protects, rather than exploits customers? No free lunch rule: Assume that all property and information belong to someone. This principle is primarily applicable to intellectual property that should not be taken without just compensation. Has your company used unlicensed software? Or hired a group of IT workers from a competitor? Legalism: Is it against the law? Moral actions may not be legal, and vice versa. Might your Web advertising exaggerate the features and benefits of your products? Are you collecting information illegally on minors? Professionalism: Is an action contrary to codes of ethics? Do the professional codes cover a case and do they suggest the path to follow? When you present technological alternatives to managers who do not know the right questions to ask, do you tell them all they need to know to make informed choices? Evidentiary guidance: Is there hard data to support or deny the value of taking an action? This is not a traditional “ethics” value but one that is a significant factor related to IT’s policy decisions about the impact of systems on individuals and groups. This value involves probabilistic reasoning where outcomes can be predicted based on hard evidence based on research. Do you assume that you know PC users are satisfied with IT’s service or has data been collected to determine what they really think? Client/customer/patient choice: Let the people affected decide. In some circumstances, employees and customers have a right to self-determination through the informed consent process. This principle acknowledges a right to self-determination in deciding what is “harmful” or “beneficial” for their personal circumstances. Are your workers subjected to monitoring in places where they assume that they have privacy? 83

AU8231_C001.fm Page 84 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Equity: Will the costs and benefits be equitably distributed? Adherence to this principle obligates a company to provide similarly situated persons with the same access to data and systems. This can imply a proactive duty to inform and make services, data, and systems available to all those who share a similar circumstance. Has IT made intentionally inaccurate projections as to project costs? Competition: This principle derives from the marketplace where consumers and institutions can select among competing companies, based on all considerations such as degree of privacy, cost, and quality. It recognizes that to be financially viable in the market, one must have data about what competitors are doing and understand and acknowledge the competitive implications of IT decisions. When you present a build or buy proposition to management, is it fully aware of the risk involved? Compassion/last chance: Religious and philosophical traditions promote the need to find ways to assist the most vulnerable parties. Refusing to take unfair advantage of users or others who do not have technical knowledge is recognized in several professional codes of ethics. Do all workers have an equal opportunity to benefit from the organization’s investment in IT? Impartiality/objectivity: Are decisions biased in favor of one group or another? Is there an even playing field? IT personnel should avoid potential or apparent conflicts of interest. Do you or any of your IT employees have a vested interest in the companies that you deal with? Openness/full disclosure: Are persons affected by this system aware of its existence, aware of what data are being collected, and knowledgeable about how it will be used? Do they have access to the same information? Is it possible for a Web site visitor to determine what cookies are used and what is done with any information they might collect? Confidentiality: IT is obligated to determine whether data it collects on individuals can be adequately protected to avoid disclosure to parties whose need to know is not proven. Have you reduced security features to hold expenses to a minimum? Trustworthiness and honesty: Does IT stand behind ethical principles to the point where it is accountable for the actions it takes? Has IT management ever posted or circulated a professional code of ethics with an expression of support for seeing that its employees act professionally? How a Code of Ethics Applies to CISSPs In 1998, Michael Davis described a professional ethics code as a “contract between professionals.”14 According to this explanation, a profession is a 84

AU8231_C001.fm Page 85 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management group of persons who want to cooperate in serving the same ideal better than they could if they did not cooperate. Information security professionals, for example, are typically thought to serve the ideal of ensuring the confidentiality, integrity, and availability of information and the security of the technology that supports the information use. A code of ethics would then specify how professionals should pursue their common ideals so that each may do his or her best to reach the goals at a minimum cost while appropriately addressing the issues involved. The code helps to protect professionals from certain stresses and pressures (such as the pressure to cut corners with information security to save money) by making it reasonably likely that most other members of the profession will not take advantage of the resulting conduct of such pressures. An ethics code also protects members of a profession from certain consequences of competition, and encourages cooperation and support among the professionals. Considering this, an occupation does not need society’s recognition to be a profession. Indeed, it only needs the actions and activities among its members to cooperate to serve a certain ideal. Once an occupation becomes recognized as a profession, society historically has found reason to give the occupation special privileges (for example, the sole right to do certain kinds of work) to support serving the ideal in question (in this case, information security) in the way the profession serves society. Understanding a code of ethics as a contract between professionals, it can be explained why each information security professional should not depend upon only his or her private conscience when determining how to practice the profession, and why he or she must take into account what a community of information security professionals has to say about what other information security professionals should do. What others expect of information security professionals is part of what each should take into account in choosing what to do within professional activities, especially if the expectation is reasonable. The ethics code provides a guide to what information security professionals may reasonably expect of one another, basically setting forth the rules of the game. Just as athletes need to know the rules of football to know what to do to score, computer professionals also need to know computer ethics to know, for example, whether they should choose information security and risk reduction actions based completely and solely upon the wishes of an employer, or, instead, also consider information security leading practices and legal requirements when making recommendations and decisions. A code of ethics should also provide a guide to what computer professionals may expect other members of our profession to help each other do. Keep in mind that people are not merely members of this or that profession. Each individual has responsibilities beyond the profession and, as such, must face his or her own conscience, along with the criticism, blame, 85

AU8231_C001.fm Page 86 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® and punishment of others, as a result of actions. These issues cannot be escaped just by making a decision because their profession told them to. Information security professionals must take their professional code of ethics and apply it appropriately to their own unique environments. To assist with this, Donn B. Parker describes the following five ethical principles15 that apply to processing information in the workplace, and also provides examples of how they would be applied. 1. Informed consent. Try to make sure that the people affected by a decision are aware of your planned actions and that they either agree with your decision, or disagree but understand your intentions. Example: An employee gives a copy of a program that she wrote for her employer to a friend, and does not tell her employer about it. 2. Higher ethic in the worst case. Think carefully about your possible alternative actions and select the beneficial necessary ones that will cause the least, or no, harm under the worst circumstances. Example: A manager secretly monitors an employee’s email, which may violate his privacy, but the manager has reason to believe that the employee may be involved in a serious theft of trade secrets. 3. Change of scale test. Consider that an action you may take on a small scale, or by you alone, could result in significant harm if carried out on a larger scale or by many others. Examples: A teacher lets a friend try out, just once, a database that he bought to see if the friend wants to buy a copy, too. The teacher does not let an entire classroom of his students use the database for a class assignment without first getting permission from the vendor. A computer user thinks it’s okay to use a small amount of her employer’s computer services for personal business, since the others’ use is unaffected. 4. Owners’ conservation of ownership. As a person who owns or is responsible for information, always make sure that the information is reasonably protected and that ownership of it, and rights to it, are clear to users. Example: A vendor who sells a commercial electronic bulletin board service with no proprietary notice at logon, loses control of the service to a group of hackers who take it over, misuse it, and offend customers. 5. Users’ conservation of ownership. As a person who uses information, always assume others own it and their interests must be protected unless you explicitly know that you are free to use it in any way that you wish. Example: Hacker discovers a commercial electronic bulletin board with no proprietary notice at logon, and informs his friends, who take control of it, misuse it, and offend other customers.

86

AU8231_C001.fm Page 87 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management References 1. Terrell Bynum, Stanford Encyclopedia of Philosophy, 2001, available at http://plato. stanford.edu/entries/ethics-computer/. 2. Richard Stallman, Why software should be free, in Software Ownership and Intellectual Property Rights, Terrell Ward Bynum, Walter Maner, and John L. Fodor, Eds., Research Center on Computing & Society, Southern Connecticut State University, 1992, pp. 35–52. 3. Deborah G. Johnson, Proprietary rights in computer software: individual and policy issues, in Software Ownership and Intellectual Property Rights, Terrell Bynum, Computer ethics basic concepts and historical overview, Stanford Encyclopedia of Philosophy, Winter, 2001, Edward N. Zalta, Ed., available at http://plato.stanford.edu/ archives/win2001/entries-computer/. 4. Peter S. Tippett, Computer ethics, in Information Security Management Handbook, Harold F. Tipton and Micki Krause, Eds., Auerbach Publications, Boca Raton, FL, 2002. 5. Jason Whittaker, The Cyberspace Handbook, Routledge London, 2004, p. 276. 6. Stephen Levy, Hackers: Heroes of the Computer Revolution, Penguin Putnam, New York, 1984, p. 26. 7. U.S. Department of Health, Education and Welfare, Secretary’s Advisory Committee on Automated Personal Data Systems, Records, Computers, and the Rights of Citizens viii, 1973. 8. http://www.faqs.org/rfcs/rfc1087.html. 9. Computer Ethics Institute, http://www.brook.edu/its/cei/overview/Ten_Commandments _of_Computer_Ethics.htm. 10. http://www.security.state.az.us/responsible_computing.htm. 11. M. Betts, Campaign addresses computer ethics void, Computerworld, Vol. 29, No. 24, June 13, 1994, p. 33. 12. https://www.isc2.org/cgi-bin/content.cgi?category=12. 13. Fritz H. Grupe, Timothy Garcia-Jay, and William Kuechler, “Is it time for an IT ethics program?” in Information Security Management Handbook, Harold F. Tipton and Micki Krause, Eds., Auerbach Publications, Boca Raton, FL, 2002. 14. Michael Davis, Thinking Like an Engineer: Studies in the Ethics of a Profession, Oxford University Press, New York, 1998, pp. 50–51. 15. Donn B. Parker, Fighting Computer Crime: A New Framework for Protecting Computer Information, John Wiley & Sons, New York, 1998, pp. 423–424.

Other References Todd Fitzgerald, Building management commitment through security councils, Information Systems Security, May/June 2005. Todd Fitzgerald, Ten steps to effective web-based security policy development and distribution, in Information Security Handbook, Harold Tipton and Micki Krause, Eds., Auerbach Publications, Boca Raton, FL, 2005. Rebecca Herold, Managing an Information Security and Privacy Awareness and Training Program, Auerbach Publications, New York, 2005. National Institute of Standards and Technology, An Introduction to Computer Security: The NIST Handbook, Special Publication 800-12. Thomas R. Peltier, Information Security Policies and Procedures: A Practitioner’s Reference, 2nd ed., Auerbach Publications, New York, 2004. Thomas R. Peltier, Information Security Risk Analysis, 2nd ed., Auerbach Publications, New York, 2005. Ben Rothke, Personnel security screening, in Information Security Handbook, Harold F. Tipton and Micki Krause, Eds., Auerbach Publications, Boca Raton, FL, 2005.

87

AU8231_C001.fm Page 88 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Harold F. Tipton and Micki Krause, Eds., Information Security Management Handbook, 5th ed., Vols. 1–3, Auerbach Publications, New York, 2005–2007. U.S. General Accounting Office, Executive Guide Security Management: Learning from Leading Organizations, May 1998. U.S. General Accounting Office, Federal Information System Controls Audit Manual, January 1999. Charles C. Wood, Information Security Roles and Responsibilities Made Easy, Version 1, Pentasafe Security Technologies, Houston, TX, 2001.

Sample Questions 1. Consideration of computer ethics is recognized to have begun with the work of which of the following? a. Joseph Weizenbaum b. Donn B. Parker c. Norbert Wiener d. Walter Maner 2. Which of the following U.S. laws, regulations, and guidelines does not have a requirement for organizations to provide ethics training? a. Federal sentencing guidelines for organizations b. Health Insurance Portability and Accountability Act c. Sarbanes–Oxley Act d. New York Stock Exchange governance structure 3. According to Peter S. Tippett, which of the following common ethics fallacies is demonstrated by the belief that if a computer application allows an action to occur, the action is allowable because if it was not, the application would have prevented it? a. The computer game fallacy b. The shatterproof fallacy c. The hacker’s fallacy d. The law-abiding citizen fallacy 4. According to Stephen Levy, which of the following is one of the six beliefs he described within the hacker ethic? a. There must be a way for an individual to correct information in his or her records. b. Thou shalt not interfere with other people’s computer work. c. Preserve the value of their systems, applications, and information. d. Computers can change your life for the better. 5. According to Fritz H. Grupe, Timothy Garcia-Jay, and William Kuechler, which of the following represents the concept behind the “no free lunch” rule ethical basis for IT decision making? a. If an action is not repeatable at all times, it is not right at any time. b. Assume that all property and information belong to someone. c. To be financially viable in the market, one must have data about what competitors are doing and understand and acknowledge the competitive implications of IT decisions. 88

AU8231_C001.fm Page 89 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management

6.

7.

8.

9.

10.

11.

12.

d. IT personnel should avoid potential or apparent conflicts of interest. The concept of risk management is best described as the following: a. Risk management reduces risks by defining and controlling threats and vulnerabilities. b. Risk management identifies risks and calculates their impacts on the organization. c. Risk management determines organizational assets and their subsequent values. d. All of the above. Qualitative risk assessment is earmarked by which of the following? a. Ease of implementation b. Detailed metrics used for calculation of risk c. Can be completed by personnel with a limited understanding of the risk assessment process d. a and c only Single loss expectancy (SLE) is calculated by using: a. Asset value and annualized rate of occurrence (ARO) b. Asset value, local annual frequency estimate (LAFE), and standard annual frequency estimate (SAFE) c. Asset value and exposure factor d. All of the above Consideration for which type of risk assessment to perform includes all of the following except: a. Culture of the organization b. Budget c. Capabilities of resources d. Likelihood of exposure Security awareness training includes: a. Legislated security compliance objectives b. Security roles and responsibilities for staff c. The high-level outcome of vulnerability assessments d. None of the above A signed user acknowledgment of the corporate security policy: a. Ensures that users have read the policy b. Ensures that users understand the policy, as well as the consequences for not following the policy c. Can be waived if the organization is satisfied that users have an adequate understanding of the policy d. Helps to protect the organization if a user’s behavior violates the policy Effective security management: a. Achieves security at the lowest cost b. Reduces risk to an acceptable level c. Prioritizes security for new products 89

AU8231_C001.fm Page 90 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® d. Installs patches in a timely manner 13. Identity theft is best mitigated by: a. Encrypting information in transit to prevent readability of information b. Implementing authentication controls c. Determining location of sensitive information d. Publishing privacy notices 14. Availability makes information accessible by protecting from each of the following except: a. Denial of services b. Fires, floods, and hurricanes c. Unreadable backup tapes d. Unauthorized transactions 15. The security officer could report to any of the following except: a. CEO b. Chief information officer c. Risk manager d. Application development 16. Tactical security plans: a. Establish high-level security policies b. Enable entitywide security management c. Reduce downtime d. Deploy new security technology 17. Who is accountable for information security? a. Everyone b. Senior management c. Security officer d. Data owners 18. Security is most expensive when addressed in which phase? a. Design b. Rapid prototyping c. Testing d. Implementation 19. Information systems auditors help the organization: a. Mitigate compliance issues b. Establish an effective control environment c. Identify control gaps d. Address information technology for financial statements 20. Long-duration security projects: a. Provide greater organizational value b. Increase return on investment (ROI) c. Minimize risk d. Increase completion risk 21. Setting clear security roles has the following benefits except: a. Establishes personal accountability 90

AU8231_C001.fm Page 91 Thursday, October 19, 2006 7:00 AM

Information Security and Risk Management

22.

23.

24.

25.

26.

27.

28.

29.

b. Enables continuous improvement c. Reduces cross-training requirements d. Reduces departmental turf battles Well-written security program policies should be reviewed: a. Annually b. After major project implementations c. When applications or operating systems are updated d. When procedures need to be modified Orally obtaining a password from an employee is the result of: a. Social engineering b. Weak authentication controls c. Ticket-granting server authorization d. Voice recognition software A security policy that will stand the test of time includes the following except: a. Directive words such as shall, must, or will b. Defined policy development process c. Short in length d. Technical specifications Consistency in security implementation is achieved through: a. Policies b. Standards and baselines c. Procedures d. SSL encryption The ability of one person in the finance department to add vendors to the vendor database and subsequently pay the vendor illustrates which concept? a. A well-formed transaction b. Separation of duties c. Job rotation d. Data sensitivity level Which function would be most compatible with the security function? a. Data entry b. Database administration c. Change management d. Network management Collusion is best mitigated by: a. Job rotation b. Data classification c. Defining job sensitivity level d. Least privilege False-positives are primarily a concern during: a. Drug and substance abuse testing b. Credit and background checks 91

AU8231_C001.fm Page 92 Thursday, October 19, 2006 7:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® c. Reference checks d. Forensic data analysis 30. Data access decisions are best made by: a. User managers b. Data owners c. Senior management d. Application developer 31. Company directory phone listings would typically be classified as: a. Public b. Classified c. Sensitive information d. Internal use only

92

AU8231_C002.fm Page 93 Saturday, June 2, 2007 1:21 PM

Domain 2

Access Control James S. Tiller, CISSP

Introduction Controlling access to systems, services, resources, and data is critical to any security program. Without a comprehensive approach to control access, there are few options to managing the security posture of an organization. The ability to clearly identify, authenticate, authorize, and monitor who or what is accessing the assets of an organization is essential to protecting the environment from threats and vulnerabilities.1 Access controls are a collection of mechanisms that work together to protect the assets of the enterprise. By aligning people, process, and technology, organizations can establish clear oversight, allowing them to reduce exposures, build efficiencies, and have confidence in their control environment. Access control is the backbone of information security. It is the enforcer of policy, offers assurance in enterprise operations, supports business objectives, and assists in forensics investigations. The importance of access controls cannot be understated, and it is pervasive in the discussion of information security. Although access control is represented as a unique domain within the Common Body of Knowledge (CBK)®, readers will see threads of access control in all other domains and attributes in the access control domain. CISSP® Expectations The objectives of this section are to ensure a CISSP should be able to: • Describe the access control concepts and methodologies • Identify access control security tools and technologies • Describe the auditing mechanisms for analyzing behavior, use, and content of the information system Confidentiality, Integrity, and Availability The common thread among good information security objectives is that they address all three core security principles. The goals of information security are to ensure confidentiality, integrity, and availability (CIA).

93

AU8231_C002.fm Page 94 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® • Confidentiality prevents unauthorized disclosure of systems and information. • Integrity prevents unauthorized modification of systems and information. • Availability prevents disruption of service and productivity. Clearly, access controls play a key role in ensuring the confidentiality of systems and information. Managing access to organizational assets is fundamental to preventing exposure of data. Managing an entity’s admittance and rights to specific enterprise resources ensures that valuable data and services are not abused, misappropriated, or stolen. The act of controlling access inherently provides features and benefits that speak to the integrity of business assets. By preventing unauthorized access, organizations can achieve greater confidence in data and system integrity. Without controls to manage who has access to specific resources, and what actions they are permitted to perform, there are few compensating controls that make certain information and systems are not modified by unwanted influences. Moreover, access controls offer greater visibility into determining who or what may have altered data or system information, potentially affecting the integrity of those assets. Access controls can be used to couple an entity with the actions taken against valuable assets, allowing organizations to have greater command over the environment and a better understanding of the state of their security posture. Access controls encompass the operational relationships at all layers within a computing environment. For example, firewalls employ rules that permit, limit, or deny access to various services on systems. By reducing the exposure to threats, controls protect potentially vulnerable system services, ensuring that system’s availability. By reducing exposure to unwanted and unauthorized entities, organizations can limit the number of threats that can affect the availability of systems, services, and data. There is a plethora of examples of how access control is essential to the confidentiality, integrity, and availability of enterprise assets. Throughout this chapter we will discuss all the characteristics of access control and its applicability to CIA and the security posture. Definitions and Key Concepts Access controls are a collection of mechanisms that work together to protect the assets of the enterprise. They help protect against threats and vulnerabilities by reducing exposure to unauthorized activities and providing access to information and systems to only those who have been approved. 94

AU8231_C002.fm Page 95 Saturday, June 2, 2007 1:21 PM

Access Control Introduced above, although access control is a domain within the CBK, it is the most pervasive and omnipresent aspect of information security. Therefore, access controls essentially encompass all aspects and levels of an organization: • • • •

Facilities Support systems Information systems Personnel — management, users, customers, business partners, etc.

Additionally, all entry points to the organization need some type of access control. Given the pervasive nature and importance of access controls throughout the security posture, it is necessary to isolate the four key attributes that enable security management. Access controls enable management to: • • • •

Specify which users can access the system Specify what resources they can access Specify what operations they can perform Provide individual accountability

Each of these four areas, although related, represents an established approach to defining an access control strategy. Determining Users The first step in managing resources is defining who can access a given system or information. The concept of identifying who is permitted access and providing credentials necessary for their role is fundamental to security and ancient in practice. In early cultures, a right of passage was required to obtain a garment, marking, or even a scar signifying you were approved for various activities within the tribe, which translated to access. As populations grew and became more sophisticated, new methods were developed to provide access to an approved community. Over 4000 years ago, the Egyptians developed the first lock-and-key combinations. Wooden locks were operated by a wooden key that controlled pins that would disengage a bolt permitting access. The key would be provided to those who had been identified as needing access. In today’s digital environment, users may be employees, contractors, consultants, partners, clients, or even competitors that organizations need to identify as requiring access. The act of specifying which users can have access to a system is typically driven by an operational demand, such as providing access to an account system so that bills can be paid by users in the financial department. 95

AU8231_C002.fm Page 96 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® The most significant aspect of determining which users will be provided access is clearly understanding the needs of the user and the level of trust given to that person or entity. An identification process must exist that takes into consideration the relevance of that user in the light of business needs, organizational policy, information sensitivity, and security risk. It is important to understand that with each new user or community, the threat profile of an organization is increased. For example, an organization may determine that one of its partners and all its employees need access to a given system. Upon providing that access, the potential threats to the organization now include that partner organization. Not only must the relationship be founded on trust, established by legal or other mechanisms between the two entities, but it also must consider the increase in the number of users, representing a broader spectrum of threat. Usually, making these determinations is bound to operational needs and the capabilities of the access control system. The more sophisticated the access control system, the greater the number of options to support a demand in a secure fashion. It is not uncommon for organizations to have several different access control strategies to accommodate various needs, resulting in the provision of unique access solutions. However, this is not a security best practice, and the objective is to have a consistent access control strategy to avoid complexity, which can lead to unwanted exposures. Defining Resources Typically, determining what resources users or a community is permitted to access is based on the need that identified them as users and the role they represent to the organization. Specifying what resources are permitted for a user to access is critical to the validity and capability of the access control system. The strongest access control system can be rendered useless in the broader implications of security if specific resources are not identified with regard to a user’s given role. For example, if a user is identified as needing access, but specific resources are not qualified, he or she will effectively have unfettered access to all systems and data, greatly increasing the risk to confidentiality, integrity, and availability. It is essential to bind a user, group, or entity to the systems and data they are accessing. Resources can be information, applications, services, servers, storage, processes, printers, or anything that represents an asset to the organization that can be utilized by a user. Every resource, no matter how mundane, is an asset that must be afforded protection (based on a cost–benefit analysis) from unwanted influences and unauthorized use. The user’s role will help identify what resources are necessary for him or her to perform the required function. Once the required resources are allocated, then controls can be administered to specify the level of use. 96

AU8231_C002.fm Page 97 Saturday, June 2, 2007 1:21 PM

Access Control Specifying Use Access controls move well beyond simply defining resources users can access. In addition to these requirements, access control is the mechanism used to specify the level of use of a given resource and the actions permitted by a user. The most fundamental representation of controlling the level of use can be associated with a file system and data. Most file systems provide multiple levels of permissions, such as read, write, and execute. Depending on the file system used to store data, there may be methods of permitting much more granular controls. These may include the ability to provide access to information to a specific user, but only permitting him or her to perform a certain task. For example, a user with the role of data backup will be allowed to perform administrative functions, but not to access or alter the information. (Access permissions will be covered in greater detail below.) A user may have the need to access an application, and therefore be provided execute privileges. However, he or she may not have read or write privileges, to ensure that he or she cannot obtain or modify the application. The same philosophy can be applied to any resource. For example, you may wish to provide a user with access to a printer, but his role requires another level of approval for printing to avoid abuse. In this case, you may provide access to a printer spool, but not permissions that allow unapproved printing. Once the user is identified and authenticated, an access control system must be sensitive to the level of authorization for that user to utilize the identified resources. Therefore, it is simply not enough to identify and authenticate a user to offer access to resources. It is necessary to control what actions are permitted for a specified resource and the user’s role. Accountability Individual accountability is the ability for the organization to hold people responsible for their actions. As mentioned above, access controls can provide ample material in forensics investigations, providing evidence to prove or disprove a user’s involvement in a given event. A comprehensive access control strategy will include the monitoring and secure logging of identification, authentication, and authorization processes. It should also include a log of actions taken on behalf of the user, with all the appropriate and pertinent information associated with the transaction. Moreover, a properly configured system will also log attempted actions by an authenticated user who does not have the necessar y privileges for the requested task. Therefore, when properly 97

AU8231_C002.fm Page 98 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® employed, an access control system can provide substantiation of user activities, linking a user to a transaction or an attempt to access, modify, or delete information. Access Control Principles The first element of access control is to establish an access control policy. As with other characteristics of information security, the security policy is essential in stating expectations, defining standards and requirements, and specifying responsibilities. An access control policy is a document that specifies how users are identified and authenticated and the level of access granted to resources. The existence of an access control policy ensures that decisions governing the access to enterprise assets are based on a formalized organizational statute. In order for users to be provided access to resources, which privileges they will be given must be clearly documented in an access control policy. The absence of a policy will result in inconsistencies in provisioning, management, and administration of controls. The policy will provide for a centralized and managed representation of necessary procedures, guidelines, standards, and best practices concerning the oversight of access management. For example, to limit access to the network, there must first be a written policy implemented by a set of procedures that specify who will be given access to the network and what type of access will be given. The access control policy is usually based on two standards of practice: separation of duties and least privilege. In addition to these, policies are based on the sensitivity of the data that is processed and stored. Separation of Duties. The primary objective of separation of duties is the prevention of fraud and errors. This objective is achieved by disseminating the tasks and associated privileges for a specific process among multiple users. It acts as a deterrent to fraud or concealment because collusion with another individual is required to complete the fraudulent act. The concept is founded on the management of tasks that can be distributed across multiple users, ensuring that no individual acting alone can compromise the security of a system or gain unauthorized access to data.

The first action to employing separation of duties is defining elements of a process or work function. Processes or work functions may be a collection of tasks that must be performed to achieve an objective. A work function may simply be an administrative duty, such as performing a backup, copying files, or cycling log files. Work functions can also encompass highly complex and potentially vital business elements that should not be in the control of any one person. Nevertheless, any job can be represented as a series of elements, or tasks, that are performed by one or more users.

98

AU8231_C002.fm Page 99 Saturday, June 2, 2007 1:21 PM

Access Control Once the various elements are identified and quantified, it is necessary to divide the elements among different users or roles within a function. For example, a specific process may require seven elements to be performed. The first three may be preparing data for input, the fourth executes an application, and the last three are to process the output. Given this scenario, it may be wise to separate the three groups of elements among three different users, each with specific privileges for performing his or her assigned elements within a function. Utilizing this method, one user is tasked with preparing data, a second user with performing the process, and a third with managing the output. Although the entire function requires three uniquely privileged users, it ensures that no one person can manipulate the system. Static or Dynamic. Separation of duties can be either static or dynamic. Compliance with static separation requirements can be determined simply by the assignment of individuals to roles and allocation of specific elements to roles for which users are assigned. The more difficult scenario is dynamic separation of duties, where compliance with requirements can only be determined during system operation. The objective behind dynamic separation of duties is to allow more flexibility in operations.

Consider the case of initiating and authorizing payments. A static policy could require that no individual who can serve as payment initiator can also serve as payment authorizer. Such a policy may be too rigid for commercial use, making the cost of security greater than the loss that might be expected without the security. More flexibility could be allowed by a dynamic policy that allows the same individual to take on both initiator and authorizer roles, with the exception that no one could authorize payments that he had initiated. In a dynamic scenario, the user is permitted to perform seemingly conflicting elements, but process management allows for this to occur, offering flexibility without compromising security. Applicability. To determine the applicability of separation of duties, two distinct factors must be addressed: sensitivity of the function and the available processes that lend themselves to distribution. SENSITIVITY OF FUNCTION. Sensitivity of the function must take into consideration the criticality of the job performed and exposure to fraud, misuse, or negligence. It will be necessary to evaluate the importance of a given transaction and its relationship to enterprise security risk, operations, and, of course, CIA of assets. It is important to be aware that seemingly mundane tasks may require separation of duties practices in the larger scope of security, risk, and CIA. For example, a single user performing backup and restore procedures would have the ability to manipulate system data to

99

AU8231_C002.fm Page 100 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® cover unauthorized activity, change information, or destroy valuable resources undetected. There are other activities within an organization that are not only important when considering separation of duties, but their technical and procedural architecture assist in establishing these controls. An example is application development. Typically there is a development platform, testing facility, rollout procedures, validation, and publication. In application development, the integrity of libraries used for the development is critical. It is also important that live systems and proprietary information are not used within the testing environment, or there may be a risk of exposing sensitive information. Therefore, the development architecture lends itself to establishing separation of duties throughout the process in addition to functions within a given domain. ELEMENT DISTRIBUTION. The second factor when determining the applicability of separation of duties is understanding what elements within a function are prone to abuse, which ones are easily segmented without significantly disrupting operations, and what available skills or pool of users can perform the different elements of the function. These can be summarized as:

• Element identification, importance, and criticality • Operational considerations • User skills and availability Each function will have one or more elements that must be performed to complete the transaction. It is necessary to evaluate each element and its relevance to abuse. In other words, some elements within a function may represent milestones within the function that offer opportunities for fraud or abuse that will require a different user with unique privileges to complete the function. It is possible to collect different elements into groups that together represent several steps that lead to a milestone element. The key is to evaluate each element and the role it plays in performing the function. Once each element is assessed against the potential for abuse, they can begin to be distributed to various users. In the event a collection of elements within a function do not offer a clear point of segmentation, it may be necessary to incorporate a new milestone element as a validation and approval point within the function. For example, it may take several elements to perform a function, but given complexity, automated tasks, or myriad reasons, none of them can be clearly segmented. However, an approval element or a transference point can be incorporated. These can materialize as process approval interruptions; e.g., at a specific point, a manager sends an e-mail, applies a digital signature, or adds a validation mark to the data that must be present for the primary user to continue the remaining processes.

100

AU8231_C002.fm Page 101 Saturday, June 2, 2007 1:21 PM

Access Control One of the key attributes of a successful security program is operating effectively within a larger environment. When considering separation of duties, the impact to the function and its role in the business is essential to overall success. Without taking into account the larger implications, security-related activities can hinder the process and make it prone to circumvention. In the establishment of separation of duties practices for a function, the impact to the operations must be taken into account. Therefore, one must consider the impact to the timing of the function as well as meaningful options in the event there is a system failure or outage. It is important not to sacrifice security, but rather to have alternate compensating controls that can meet the objectives for security. Clearly, the separation of duties requires different users, and each of those users must have the appropriate skills and training to perform the specific element of a given function. Additionally, and somewhat more obvious, there must be enough users to perform all the elements that have been distributed. Finally, there should be more than one user assigned to a given element in the event that some leave the organization or are not available to perform the action. Of course, one must be careful not to have too many users assigned to a task, potentially increasing the possibility of collusion. Least Privilege. The principle of least privilege has been described as

one of the more important characteristics of access control for meeting security objectives. The principle of least privilege requires that a user or process be given no more privilege than necessary to perform a job. The objective is to limit users and processes to access only resources necessary to perform assigned functions. Ensuring least privilege requires identifying what the user’s job is, determining the minimum set of privileges required to perform that job, and restricting the user to a domain with those privileges and nothing more. By denying users privileges that are not necessary for the performance of their duties, management ensures that those denied privileges cannot be used to circumvent the organizational security policy. Information Classification Information classification is the practice of evaluating the risk level of the organization’s information to ensure that the information receives the appropriate level of protection. The application of security controls to information has a cost of time, people, hardware, software, and ongoing maintenance resources that must be considered. Applying the same level of control to all of the company’s assets would result in wasting resources by overprotecting some information while underprotecting other information. This situation results because security dollars are spent uniformly to protect all assets at the same level, when the budget could be better allo101

AU8231_C002.fm Page 102 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® cated to provide increased protection to those assets considered to be of greater value or higher sensitivity. By applying protection controls to the information based upon the classification, the organization gains efficiencies and thus reduces the cost of information security. Many organizations have thousands of data files representing many different data types. Information is created in great volumes on a daily basis from a variety of transactional systems, as well as aggregated into databases and data warehouses to provide support for decision making. The information is stored on backup tapes, copied to floppy drives, and burned to CDs and DVDs for portability. Information is stored on portable computers and network drives, and in duplicate copies stored within the e-mail systems to support the sharing of information. The same information is printed and filed, and stored off site for business continuity and disaster recovery purposes. The same data typically has multiple versions, is stored in multiple locations, and is capable of being accessed by different individuals in each of these locations. The duplication of storage of information highlights the challenge of the problem. Where is the organization’s information? How should the information be handled and protected? Who should have access to it? Who owns the information? Who makes the decisions around these parameters? These questions form the impetus for implementing a data classification strategy. Data Classification Benefits. The benefits of classifying the information may be self-evident by now; however, there are many benefits to classifying the information in addition to applying the appropriate security controls to the resource, such as:

• Creating a greater organizational awareness of the need to protect company information. • Critical information is identified that supports business recovery scenarios in focusing the recovery efforts on the most critical information. • Greater understanding of the value of the information to be protected. • Clearer direction for the handling of sensitive information. • Increased confidentiality, integrity, and availability of information by focusing limited funds on the resources requiring the highest level of protection and providing minimal controls for the information with less risk of loss. • Establishing ownership for the information, which increases the likelihood that the information will be used in the proper context and those accessing the information will be properly authorized. • Periodic review and approval processes maintain awareness of the importance of protecting information. 102

AU8231_C002.fm Page 103 Saturday, June 2, 2007 1:21 PM

Access Control • Placement of information with higher levels of classification on more reliable storage and backup mechanisms. • Understanding of information and its location identifies areas that may need higher levels of protection from vendors, consultants, and temporary employees. • Reducing expense of inefficient storage of nonsensitive documents in physical file cabinets. Establishing a Data Classification Program. Establishment of the data classification strategy and plans for implementation may seem a bit onerous; however, once the work of defining the classification levels and determining the classification of the individual information has been completed, the value to the organization is well worth the effort. The following sections walk through the steps of establishing and sustaining a data classification process. Although the results of the data classification programs may differ, depending upon the nature of the information processed, the steps identified below are a representation of the concepts introduced by programs of this type. The sequence or the steps included may vary or be combined, depending upon the size, complexity, and culture of the organization.

1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14.

Determine data classification project objectives. Establish organizational support. Develop data classification policy. Develop data classification standard. Develop data classification process flow and procedure. Develop tools to support process. Identify application owners. Identify data owners and data owner delegates. Distribute standard templates. Classify information and applications. Develop auditing procedures. Load information into central repository. Train users. Periodically review and update data classifications.

Determine Data Classification Project Objectives. Although there are many benefits, as previously articulated, it is helpful to document the specific project objective to contain the scope of the effort and to determine when early deliverables are completed, so that these accomplishments may be celebrated to sustain those involved in later phases of the project. The purpose is important for establishing the support of those needed to carry out the project. Although security professionals understand the importance of data classification, without the proper positioning of the effort, the end users may perceive the effort as another project requiring their resources, with little payback to their individual departments. Objectives should be 103

AU8231_C002.fm Page 104 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® stated using the benefits, as well as exploring enhancements to the effectiveness of the organization through: • • • • • • • •

Ensuring privacy of information Improved workflow Increased accuracy of information (integrity) Increased availability of information (availability) Avoiding adverse opinion by reducing disclosure (confidentiality) Reduction in costs of overprotection Ability for managers to enforce accountability Protection of departmental intellectual property or trade secrets

Establish Organizational Support. Senior management support is essential to the continued operation of the data classification program. There may be a perception within management that all information should be treated as confidential and is secured by the physical barriers to the facility and the firewalls and other security controls protecting the environment. This view promotes the concept that all information should be protected equally. Information should be provided, even if utilizing only a single department to illustrate the point, of the costs of protecting all of the information at the same level. Develop Data Classification Policy. The data classification policy communicates the requirement to the organization to classify the information assets. The policy also communicates the primary purpose of data classification, which is to ensure that the appropriate protections are applied according to the level of classification. The policy statement is a high-level description of the requirement, including the scope of users and systems it applies to, and what is expected. Policies may indicate the responsibilities of users and management in handling the information. Develop Data Classification Standard. Policies are generally written at a high level, with the details reserved for supporting standards. The standards communicate how to determine the classification of a particular information item, as well as how that information should be subsequently handled. Involvement with business or application owners, as well as the IT department, is important in determining the matrices. This establishes the business owner buy-in to the standards, as well as provides the business operation’s perspective for determining how the information should be handled. Develop Data Classification Process Flow and Procedures. Documented procedures assist in the ongoing operation of classifying information. Although the start-up efforts will require a large amount of resources, as the organization may have many files that have not been looked at through the data classification lenses, ongoing efforts will require that the data is reviewed and updated on a periodic basis. The initial gathering of the data classifi104

AU8231_C002.fm Page 105 Saturday, June 2, 2007 1:21 PM

Access Control cations and the process utilized are driven by a documented procedure so that all of the parties involved in the effort are aware of their individual roles and requirements to complete the classification. Flowcharts can be helpful in addition to the documented written processes, as individuals receive and retain information through different means. Develop Tools to Support Process. Various tools, such as word processing documents, spreadsheets, databases, and presentations, support the collection process. Many different data types can be obtained through the process. Standardized templates facilitate the collection process, as well as the ability to generate reports by data type to ensure that the designations are consistent and are following the prescribed data classification policy and associated standard. Once the spreadsheets are distributed to the individuals completing the information, the results can be exported to a database for consolidation and review. Identify Application Owners. The business owner of the application provides the functional requirements view of what is necessary for the business. He or she will have the most intimate knowledge of the data and how it is used. The systems or information technology owner acts primarily as a data custodian of the information, and may understand the processing and technical storage and security protections of the information. Both individuals contribute to an understanding of the classification requirements of the information and should be identified. Identify Data Owners and Data Owner Delegates. D a t a o w n e r s a re t h o s e business users that understand the information and make decisions about the usage of the information. They may have designees or data delegates that they have empowered to make the day-to-day operational decisions as to who is allowed to read, modify, or delete the business information. These individuals are the primary individuals that are involved in the classification process, as they have the greatest business knowledge of the information. Distribute Standard Templates. The data classification templates created in the earlier steps are distributed to collect the classification information. This places the templates in the hands of the data owners or their delegates to provide information on the information owned by their departments. Classify Information and Applications. Once the templates have been distributed, the data owners or their delegates use the data classification standard to classify the information. Typically there are three to four levels of data classification used by most organizations, as follows:

• Public: Information that may be disclosed to the general public without concern for harming the company, the employees, or business 105

AU8231_C002.fm Page 106 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® partners. No special protections are required, and these are sometimes referred to as unclassified. For example, information that may be posted to a company’s public Internet site, public announcements (after public release), marketing materials, cafeteria menus, and any internal documents that would not present harm to the company if they were disclosed would be considered public. • Internal use only: Information that could be disclosed within the company, but could harm the company if disclosed externally. Information such as customer lists, vendor pricing, organizational policies, standards and procedures, and internal organization announcements would need baseline security protections, but do not rise to the level of protection as confidential information. • Confidential: Information that if released outside of the organization would create severe problems for the organization, e.g., information that provides a competitive advantage, is important to the technical or financial success (i.e., trade secrets, intellectual property, research designs), or compromises the privacy of individuals. Information may include payroll information, health records, credit information, formulas, technical designs, restricted regulatory information, senior management internal correspondence, or business strategies or plans. These may also be called top secret, privileged, personal, sensitive, or secret and highly confidential. Sometimes a fourth level is added to further define information that has a very high level of sensitivity and requires security controls beyond those defined for confidential information. Unless there is a clear distinction and difference between how the information should be handled between the three levels and the additional fourth level, the additional classification level is not added. Develop Auditing Procedures. Once information is classified, classifications rarely change, unless the information has been misclassified, the previously protected information is now public knowledge, or time has made public knowledge of the information less harmful to the organization. In most cases, if there was a reason to protect the information to a certain level, this information continues to be protected at this same level through the useful life of the information. New data types are always generated and need to be classified. Existing data types should be periodically reviewed to ensure that the classifications are correct. Data classification auditing is the process of reviewing the classifications to ensure the accuracy of the information, thus ensuring that the appropriate security protections continue to be applied. Load Information into Central Repository. The data classification information obtained through the data classification procedures and templates is 106

AU8231_C002.fm Page 107 Saturday, June 2, 2007 1:21 PM

Access Control loaded into a central repository to support the analysis of the collections, as well as to serve as the initial database for the ongoing updating of the classifications. A database tool provides the ability to examine the information from multiple perspectives, such as listing all of the data types owned by a data owner, all of the data types of a particular classification level, or which data types are associated with which applications. Train Users. Once all of the information is collected in a repository, the information can be made available to the end users to determine how information should be handled. This functionality provides access to the end user of the organizational data types. Reports could also be generated for the end users to provide the same information. If the end user does not understand what information is public, internal user only, or confidential, or if the end user does not understand the differences in how to handle each type of information, then the investment in data classification will have limited results. Periodically Review and Update Data Classifications. Scheduling the auditing procedures developed on a periodic basis increases the quality of the information. Providing the capability to update and add new data classifications outside of the normal cycle also increases the ongoing data quality of the information. Labeling and Marking. The labeling and marking of media with classification levels provides the ability to treat the information contained within the media with the handling instructions appropriate to the respective level of media. For example, a backup tape may be labeled with a serial number and “Company Confidential” to indicate how the information should be treated. Organizations may decide not to label individual information, but rather control the information within the organization according to restrictions based upon the type of information. Shredding confidential information or locking away information at the end of the day through a “clean desk policy” can address a class of confidential information. Data Classification Assurance. Periodically testing the data classifica-

tions provides assurance that the activities are being performed. The audit procedures previously noted uncover those data types that need to be added or reclassified. Random audits of user areas, such as checking desktops for confidential documents not returned to file drawers, information left overnight in open shredding bins, files in electronic file folders accessible by anyone within the organization, confidential information posted to a public Web site, or information left on copiers, printers, and fax machines, can provide information regarding organizational compliance. Encouraging end users to report security incidents related to mishandling of classified information can also be a source to provide assurance. 107

AU8231_C002.fm Page 108 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Summary. Data classification provides an organizational understanding of the information to be protected and creates the opportunity to allocate information protection resources in a more effective manner, by allocating more protection to the information that has the most need of security controls. End users gain a greater awareness of the differences in the information that is handled and the need to secure the information.

Access Control Categories and Types In the development of an access control architecture, it is necessary to fully understand the different categories and types of controls. This will establish a foundation for later discussion on access control technology, practices, and processes. The objectives of this section are to: • Define access controls • Describe the access control categories • Describe the types of access controls Control Categories Categories are characteristics of an access control system that can be mapped against any control type. Access control categories are very general in nature to offer administrators the opportunity to organize their access architecture and quickly determine gaps. Elements of an access control solution or device can be represented in the form of categories to ensure that all aspects that define the capabilities of access control are met. For example, a particular path of access, such as remote access to an application, may incorporate identification and authentication mechanisms, filters, rules, rights, logging and monitoring, and policy. These elements can be organized into categories to ensure that the overall capability of the control environment is meeting expectations and best practices. There are six main categories of access control: • • • •

Preventive — avoid incident Deterrent — discourage incident Detective — identify incident Corrective — remedy circumstance/mitigate damage and restore controls • Directive • Recovery — restore conditions to normal • Compensating — alternative control (e.g., supervision) Preventative. The existence of access controls prevents the potential for incidents by applying restrictions to user activity. Although obtaining access is initially provided by an authorization process, the provisioning of privileges based on the authorization prevents exposure to various threats. 108

AU8231_C002.fm Page 109 Saturday, June 2, 2007 1:21 PM

Access Control By applying limits and restrictions to a given role for which a user is assigned, an organization can avoid exposing assets to unwanted activities. The initial authorization of users establishes a relationship ultimately granting access. Based on that predefined relationship, limits can be applied that only permit a user to perform a given function. The practice of managing privileges related to access, role, and asset sensitivity is a control that prevents exposure to various incidents. Within this context, it is important to note that privileges are provided upon successful identification and authentication. Therefore, the preventive nature of access controls is founded on known and authenticated entities. If a user authenticates and is permitted to perform any function on a given system, the potential for intentional or accidental harm is significant. However, by allowing only those privileges that are necessary to perform the function, the organization can avoid harmful actions. Deterrent. Access controls act as a deterrent to threat agents by the

simple fact that the process of controlling access is founded on a challenge. By forcing the identification and authentication of a user, service, or application, and all that it implies, the potential for incidents associated with the system is significantly reduced. To demonstrate, if there are no controls for a given access path, the number of incidents and the level of impact become infinite. Controls inherently reduce exposure by applying a methodical oversight, which acts as a deterrent, curbing a threat agent’s appetite in the face of probable repercussions. The best example of discouraging incidents is best seen with employees and their propensity to intentionally perform an unauthorized function, which can lead to an unwanted event. When users understand that by authenticating into a system to perform a function their activities are logged and monitored, it reduces the likelihood they will attempt such an action. Threats operate based on anonymity, and any potential for identification and association with their act is avoided at all costs. It is this fundamental reason why access controls are the key point of circumvention by attackers. Deterrents also take the form of potential punishment if users do something unauthorized. For example, if the policy specifies that an unauthorized person using a sniffer will be fired, that will deter that act. Detective. Clearly, access controls are a deterrent to threats and can be aggressively utilized to prevent harmful incidents through the application of least privileges. However, there is the detective nature of access controls 109

AU8231_C002.fm Page 110 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® that can provide significant visibility into the access environment and help organizations manage their access strategy and related security risk. As mentioned above, privileges offer the ability to reduce the exposure of enterprise assets by limiting the capabilities of an authenticated user. However, there are few options that control what a user can perform once privileges are provided. For example, if a user is provided write access to a file and that file is damaged, altered, or negatively impacted purposefully or unintentionally, the access controls applied will offer visibility into the transaction. The control environment can be implemented to log activity regarding the identification, authentication, authorization, and use of privileges. This can be used to identify when errors occur or attempts to perform an unauthorized action, or to validate when provided credentials were exercised. The control system provides evidence of attempted actions and tasks that were executed by an authorized user. Detection aspects of access control can range from evidentiary, such as postmortem investigations, to real-time alerting of inappropriate activities. This philosophy can be applied to many different characteristics of the security environment. Access awareness can be related to intrusion detection systems (IDSs), virus controls, applications, Web filtering, network operations, administration, logs and audit trails, and security management. Visibility into the environment is key to ensuring a comprehensive security posture. An access control architecture offers significant visibility into the activities within the environment, such as what assets are accessed and by whom, when transactions took place, and what data may be affected. Corrective. When an event occurs, such as a security incident, or something more encompassing, such as a corporate merger, elements within the access control architecture may require corrective actions.

In the case with a security incident, it may be learned that the established controls were not effective in thwarting an attack, one that may have circumvented conventional controls. An access control solution must have the ability to enact corrective measures to reduce, avoid, or simply eliminate the threat. On the other end of the spectrum, corporate mergers and acquisitions can play havoc with established control practices, processes, and policy. The simple act of connecting two or more disparate networks in an effort to support a newly formed entity can represent an enormous threat to assets. This is especially true given that business owners will seek to openly share resources as soon as possible, while on the other hand there may be numerous disgruntled employees considering retribution. 110

AU8231_C002.fm Page 111 Saturday, June 2, 2007 1:21 PM

Access Control Dynamics within the business and technical environment will typically have an impact on the control architecture, forcing change to ensure that the acceptable level of risk and desired security posture are maintained. The controls environment is a collection of various mechanisms to manage exposure of assets. Within the complex web there must exist an overall management capability that can comprehensively supervise the system in accordance with established polices while coping with environmental changes. The number of corrective actions possible makes it difficult to quantify. They can range from rule set changes on firewalls, access control list updates on routers, or policy changes on system platforms to introducing certificates for 802.1x authentication in wireless networks, moving from single-factor to two-factor authentication for remote access, or introducing smart cards. The difficultly in quantification is founded on the fact that access controls are universal throughout the environment. Nevertheless, it is important that a consistent and comprehensive management capability exists that can coordinate and employ changes throughout the enterprise to enable policy compliance. Recovery. Any changes to the access control environment, whether in the face of a security incident or event or to offer temporary compensating controls, need to be accurately reinstated and returned to normal operations.

There are several situations that may affect access controls, their applicability, status, or management. Events can include system outages, attacks, project changes, technical demands, administrative gaps, and employee status. For example, if an application is not correctly installed or deployed, it may adversely affect controls placed on system files or even have default administrative accounts unknowingly implemented upon install. An employee may be transferred, quit, or be on temporary leave that may affect policy requirements regarding separation of duties. An attack on systems may have resulted in the implantation of a Trojan, potentially exposing private user information, such as credentials. In any of these cases, an undesirable situation must be rectified as quickly as possible and controls returned to normal operations. Compensating. Compensating controls are introduced when the existing capabilities of a system do not support the requirement of a policy. Compensating controls can be technical, procedural, or managerial.

Although an existing system may not support the required controls, there may exist other technology that can supplement the existing environment, closing the gap in controls and meeting policy requirements. For example, the access control policy may state that Web-related 111

AU8231_C002.fm Page 112 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® authentication must be encrypted over the Internet. Adjusting an application to support encryption for authentication purposes may be too costly. Secure Socket Layer (SSL), an encryption protocol, can be employed and layered on top of the authentication process to support the policy statement. From a procedural perspective, separation of duties offers the capability to isolate certain tasks to compensate for technical limitations in the system to ensure the security of transactions. Management processes, such as authorization, supervision, and administration, can be used to compensate for gaps in the access control environment. Finally, compensating controls can be temporary solutions to accommodate a short-term change, or support the evolution of a new application, business development, or major project. Changes and temporary additions to access controls may be necessary for application testing, data center consolidation efforts, or even to support a brief business relationship with another company. The critical points to consider when addressing compensating controls are: • Do not compromise stated policy requirements. • Ensure that the controls do not adversely affect risk or increase exposure to threats. • Controls are managed in accordance with established practices and policies. • If temporary, controls are removed after they have served their purpose. Types of Controls There are three types of access control: • Administrative: Defines the roles, responsibilities, policies, and administrative functions to manage the control environment. • Physical: The nontechnical environment, such as locks, fire management, gates, and guards. • Technical: Electronic controls as the personification of the control environment, where controls are applied and validated and information on the state of the environment is produced. The categories can be mapped against the three types to demonstrate various control examples and options shown in Figure 2.1. As discussed above, elements of an access control solution or device can be represented in the form of categories to ensure that all aspects that define the capabilities of access control are met. The value of this matrix is that it can be

112

AU8231_C002.fm Page 113 Saturday, June 2, 2007 1:21 PM

Access Control

Figure 2.1. Control examples for types and categories.

applied to the entire organization, a specific domain within the environment, or a single access path, such as employee remote access. Administrative. Administrative controls represent all the actions, policies, and management of the control system. These represent any aspect of the environment that is necessary to oversee the confidentiality, availability, and integrity of the access controls, manage the people that use it, set policy on use, and define standards for operations.

The aspects of administrative controls can be broad and vary depending on organizational needs, industry, and legal implications. Nevertheless, they can be broken into six major groups: • • • • • •

Operational policies and procedures Personnel security, evaluation, and clearances Security policies Monitoring User management Privilege management

Operational Policies and Procedures. One of the less discussed aspects of administrative oversight is operations management of the controls environment and how it should be managed within the broader scope of enterprise architecture. Access control is realized by the alignment of capabilities of many systems and processes, collaborating to ensure that threats are reduced and incidents prevented. Therefore, other operational elements of the environment must be addressed in some fashion within the access control strategy.

There are several overarching operational processes that access controls must be represented in, or there may be a risk for failure at any point within the system. Following is a list of typical IT and security operational processes where access controls need representation:

113

AU8231_C002.fm Page 114 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® • • • • • • •

Change control Business continuity and disaster recovery Performance Configuration management Vulnerability management Product life-cycle management Network management

CHANGE CONTROL. When changes to the environment are required to accommodate a need, they must be defined, approved, tested, applied, verified, deployed, audited, and documented. Changes can be minor, such as a static route being added to a system or, more significant, the redesign of a storage solution. Every organization must have a change control process to ensure that there is a formalized process for making and documenting changes to the environment. Given the scope of access control, it is important that the change control process include aspects of the access strategy and policy. In some cases, this is obvious, such as adding a new virtual private network (VPN) gateway for remote access. Clearly this will affect the control environment. Some changes are much less obvious, but can have significant impacts to access controls, such as network redesign, which can affect various established paths. Security must be incorporated into the change control process to ensure system integrity; this is most prevalent with access controls given the pervasiveness and sensitivity of controls. BUSINESS CONTINUITY AND DISASTER RECOVERY (BCDR). Many organizations have BCDR plans to ensure the organization can maintain critical operations in case of a catastrophic event or failure. BCDR plans can be simplistic, such as ensuring there are regular backups performed, or highly complex solutions incorporating multiple data centers. The scope and complexity of the BCDR plan is typically defined by the business environment, risks, and system criticality.

Regardless of the type of BCDR plan, the availability of access controls during an event is essential and must be incorporated into the plan. For example, if a system failure was to occur and an alternate system was to be temporarily employed without the expected, original controls, the exposure to critical data can be significant. All too often, security is secondary to maintaining operations. However, the irony is that critical systems are the most important in the light of BCDR. Therefore, one could rightly assume that a system included in the BCDR plan is important and the information on that system is valuable. Unfortunately, for some, security is not included in the plan. If an event were to occur, a company could have its most valuable assets completely exposed.

114

AU8231_C002.fm Page 115 Saturday, June 2, 2007 1:21 PM

Access Control One of the first steps to ensuring security is incorporated into the BCDR plan is defining the access controls for the temporary systems, services, and applications. It should be noted that this includes the access control system itself, for example, a RADIUS server may seem unimportant on the surface, but its absence in a disaster could be detrimental to security. PERFORMANCE. Traditional networks and applications are typically engineered to provide meaningful performance to users, systems, and services. The network is the cardiovascular system for most companies, and if performance is low, the productivity of the organization may suffer.

The same holds true for the controls environment. If it takes a user an excessive amount of time to log on, this could have an unfavorable impact to operations. To reduce time associated with access controls, the performance optimization processes for the networking and system environment should include the performance of controls overseeing authentication and access. CONFIGURATION MANAGEMENT. Very much related to change controls, configuration management represents the administrative tasks performed on a system or device to ensure optimal operations. Configurations can be temporary or permanent to address a multitude of needs.

Configuration management of devices, systems, services, and applications can greatly affect the controls environment. These can be obvious changes that affect user access directly or less direct, such as modifying a routing protocol. Within the bigger picture of access controls, changes to a system’s configuration must take into account what, if any, impacts to access may occur after the configuration is modified. Given the typical separation of the security group from the IT group, it is not uncommon for the network group to make an innocuous modification to a system and impact the controls associated with security. Therefore, it is important to ensure that the resources responsible for configuration management, such as network administrators, system owners, and application developers, are aware of the control environment and the importance of their domain of influence on the security of the organization. VULNERABILITY MANAGEMENT. Vulnerability management will typically include activities such as implementing system patches. It may be necessary to apply patches to accommodate a security issue, update a system service, or represent the addition of features to the system or application. When patches are installed, there may be key system modifications that can negatively affect the security of the system.

Patches must be applied through the change control system to provide a comprehensive record of system modifications and accurate documenta115

AU8231_C002.fm Page 116 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® tion. Ensuring the current state of a system is well documented allows organizations to gain more visibility into the status of their environment in the event a new vulnerability is published. This promotes rapid assessments to evaluate potential risks in the face of an attack or vulnerability. It should also be noted that the change control system utilized during the application of patches offers evidence that can be consulted prior to applying new patches or other system changes, such as installing new software. There are some scenarios where the installation of a patch may adversely affect the security posture of a system, service, or application. A change control system, documenting each change and gaining approval for system modifications, offers a historical record that can be leveraged during future changes, establishing a foundation for creating best practices that are unique to the organization. A key attribute of vulnerability management is the importance of reducing the time of deploying patches or other system updates to mitigate a vulnerability. Vulnerabilities surface in a multitude of ways. For example, a vulnerability may be published by a vendor that has discovered a security issue and provides a patch. Usually, at this point, both attackers and organizations are made aware of the vulnerability. While companies are exercising due diligence in applying fixes, attackers are developing tools or worms to exploit the vulnerability. In contrast, an incident may have occurred that exposed a vulnerability in a system that represents an immediate threat. The latter example is exacerbated by day 0 attacks, where attackers identify and exploit a vulnerability on a massive scale, understanding that time is on their side. It is very common for attackers to discover a vulnerability, develop tools and tactics to exploit it, plan, and then execute. Vulnerable organizations must find alternative measures to compensate for the threat while vendors rush to produce a patch, each consuming time as the attacks expand. Given the taxonomy of each basic scenario, time becomes a critical element in protecting assets. The ability to use time effectively to deploy a patch or employ compensating controls until a patch is published directly corresponds to the level of risk and the overall security posture of the organization. Emphasis on efficient testing and deployment of system patches or compensating controls should be the core of any vulnerability management program. However, time must be balanced against effective deployment. Initially, the evidence provided by the change control process can be investigated to determine which systems are vulnerable and represent the greatest risk, then prioritize accordingly. As the process continues, other affected systems are addressed by a manual or automated (or combination) patch management process used to deploy the update. It is at this point that the vulnerability management program must verify that the patch was in fact 116

AU8231_C002.fm Page 117 Saturday, June 2, 2007 1:21 PM

Access Control implemented as expected. Although this may seem inherent to the objective, it cannot be assumed, regardless if it is a manual or automated process. In the case of manual deployment, users and system owners may not respond accordingly or in a timely fashion. This is somewhat compensated for in automated deployment; nevertheless, both scenarios require a validation of an effective installation. Of course, this is supported and driven by a change control process. As expressed above, the introduction of a patch or control does not in and of itself represent the complete mitigation of the identified vulnerability. Many systems are unique to a specific environment, representing the potential for a change to mitigate one vulnerability and unintentionally introduce another. Or, in some cases, it is assumed that the implementation of a patch or control eliminated the vulnerability altogether. Therefore, a vulnerability management system must not only address the time to test and deploy patches and verify the patch was implemented as expected, but also include testing to ensure the target vulnerability was mitigated and new problems were not introduced by the process. Vulnerability management is a comprehensive and integral process that every security program must develop, maintain, and test regularly. PRODUCT LIFE-CYCLE MANAGEMENT. In every organization that utilizes technology to support business operations there comes a time to upgrade or replace devices and systems. Standards must be established within the access control policy that defines the minimum requirements for a system to ensure the level of controls are realized. By doing so, the organization has a clear foundation by which to evaluate products for implementation without sacrificing security or expected controls. NETWORK MANAGEMENT. Many networks are supported by a separate telemetry network that allows network administrators to manage devices without concern for affecting the production environment. Given the ability to change aspects of the network environment, it is necessary to have network management access controls established to reduce exposure of systems and network devices. Personnel Security, Evaluation, and Clearances. Surprisingly, one of the more overlooked aspects of access control is the people acquiring access. Prior to granting access of any kind, management should assess the person using the supplied credentials. This does not insinuate that every user needs to have a background check prior to checking their e-mail. Clearly, the level of validation of an individual should be directly proportional to the level of sensitivity of the assets offered to the user. Nevertheless, within an organizational environment, it is critical that processes exist to

117

AU8231_C002.fm Page 118 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® evaluate users and ensure they are worthy of the level of trust that is representative of the type of access granted. First and foremost, security requirements — at some level — should be included in all defined job roles and responsibilities. Job roles defined by the organization should have alignment to defined policies and be documented appropriately. They should include any general responsibilities for adhering to security policies, as well as any specific responsibilities concerning the protection of particular assets related to the given role. Once the security requirements for a role are defined and clearly documented, the validation of individuals to obtain credentials for a job role can be defined and exercised. The definition of a screening process is typically related to the sensitivity of the assets being accessed. However, there may be contractual demands, regulatory compliance issues, and industry standards that define how a person is screened to reach a certain level of access. This is mostly seen in the military and the allocation of clearances. Depending on the clearance level requested, a person may be subjected to intense background checks, friend and family interviews, credit checks, employment history, medical history, and a plethora of other potentially unpleasant probing. Of course, once attained, the clearance translates to a level of trustworthiness and, therefore, access. A typical organization will need only a standard process and some additional factors in the light of applicable legal requirements or regulations. These may include a credit check and background checks that simply assure management that you have not falsified information during the application process. Typical aspects of staff verification may include: • • • • •

Satisfactory character references Confirmation of claimed academic and professional qualifications Independent validation, such as the existence of a passport A credit check for those requiring access to financial systems Federal, state, and local law enforcement records check

The relevance of credit checks and other personal history can be valuable in determining a person’s propensity for unlawful acts. Personal or financial problems, changes in their behavior or lifestyle, recurring absences, and evidence of stress or depression might lead to fraud, theft, error, or other security implications. In the event the user is temporary, the access provided must take into consideration the potential exposure of proprietary information given the transient position. It should also be noted that staff agencies should perform employee validation and provide a report to their clients. 118

AU8231_C002.fm Page 119 Saturday, June 2, 2007 1:21 PM

Access Control Management should evaluate the supervision and provisioning of access to new or inexperienced staff. It may not be necessary to provide the keys to the kingdom until a new employee has satisfied a probationary period. Of course, employees should be periodically reevaluated to ensure significant changes to key elements about them have not occurred. Also, all information collected about an individual is private and confidential and should be afforded security controls like any other sensitive material. Finally, confidentiality or nondisclosure agreements should be read and signed by the user to ensure there is no doubt of the user that the information is confidential or secret and valuable to the organization. Security Policies. The organization requirements for access control should be defined and documented. Access rules and rights for each user or group of users should be clearly stated in an access policy statement and then referred back to any specific roles identified within the organization.

The access control policy should consider: • The security requirements of individual enterprise applications, systems, and services • Statements of information dissemination and authorization, such as least privilege, data classification, and specified controls for access • The consistency between the access control and information classification policies of different systems and networks • Contractual obligations or regulatory compliance regarding protection of assets • Standards defining user access profiles for organizational roles • Details regarding the management of the access control system Monitoring. It should be readily apparent that the ability to monitor the access control environment effectively is essential to the overall success and management of the solution. It is one thing to apply controls; it is another to validate their effectiveness and status. The capacity for ensuring that controls are properly employed and working effectively and for being aware of unauthorized activity is governed by the existence of monitoring and logging of the environment. This is not unique to access controls, security, or even IT. It is an essential aspect of business to monitor activity.

Systems should be monitored to detect any deviation from established access control policies and record authentication processes, authentication attempts, credential management, user management, rights usage, and rights and access denial. The monitoring procedures and technology should also monitor the status of controls to ensure conformity to policies and expectations. This last point is typically overlooked and represents a significant potential for unauthorized activities and the ability to mask or hide their existence. For example, if the control activities are monitored, 119

AU8231_C002.fm Page 120 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® yet the status of controls is not, attackers can change various controls permitting access. The logging and monitoring of the activities may not raise suspicion because they are now valid operations thanks to the attacker. LOGGING EVENTS. Logs and what is being logged are important to security management and to maintaining an effective access control solution. A log can include:

• User IDs used on systems, services, or applications. • Dates and times for log-on and log-off. • End system identity, such as IP address, host name, or message authentication code (MAC) address. It may also be possible to determine the location through virtual local area network (VLAN) logging, wireless access point identification, or remote-access system identification, if applicable. • Logging of successful and rejected authentication and access attempts. Knowing when and where people are utilizing their rights can be very helpful to determine if those rights are necessary for a job role or function. It is also helpful to know where access rights are denied to have a better understanding of what a user is trying to do. This can help determine of you have an employee trying to access the payroll system or a user that does not have adequate rights to perform his or her job. Audit logs should be retained for a specified period. In some cases, as with regulations, this is preordained and not open to interpretation. However, there are cases where no legal or regulatory demands exist. If this is the case, the retention time will probably be defined by management perception and size of the logs compared to available storage and resource commitments. The security of the logs is critical. If a log can be altered to erase unauthorized activity, there is little chance for discovery, and if discovered, there may be no evidence. Another important aspect of log security comes in the form of litigation. If logs are not secure and can be proven as such at the time of an event, the logs may not be accepted as valid evidence due to potential tampering. Logs are sensitive to reading, too, not just writing, as they can contain sensitive information such as passwords (when users accidentally type the password into a user ID prompt). Therefore, logs must be accurate, secured, and maintained for a period. REVIEWING EVENTS. Once the events are properly logged, it is necessary to review the logs to evaluate the impact of a given event. Typically, system logs are voluminous, making it difficult to isolate a given event for investigation, much less identify the event. In many cases, organizations will make 120

AU8231_C002.fm Page 121 Saturday, June 2, 2007 1:21 PM

Access Control a copy of the log (preserving the original) and use suitable utilities and tools to perform automated interrogation of the logs. There are several tools available that can be very helpful in analyzing a log file to assist administrators in identifying and isolating activity. Once again, separation of duties plays an important role in reviewing logs. Otherwise, it may be possible for a user to perform an unauthorized task and manipulate the logs. Therefore, it is necessary to separate those being monitored from those performing the review. User Management. A formal procedure should be established to control the allocation of credentials and access rights to information systems and services. The procedure should cover all stages in the life cycle of user access, from the initial registration of new users to the final decommissioning of accounts that are no longer required.

To provide access to resources, one must first established a process for creating, changing, and removing users from systems and applications. These activities should be controlled through a formal process, based on policy, which defines the administrative requirements for managing user accounts. The process should define expectations, tasks, and standards concerning the user management. For example, elements of the process should include: • Approval of user. This can include information from human resources, the user’s manager, or business unit that has approved the creation of the user account. The owner of the system that is providing information or services should concur with the approval process. Approval processes also should speak to the modification of user accounts and their removal. • Standard, defining, unique user IDs, their format, and any specifics that may be application sensitive. Additionally, information about the user should be included in the credential management system to ensure the person is clearly bound to the user defined within the system. • A process for checking that the level of access provided is appropriate to the role and job purpose within the organization and does not compromise segregation of duties. This is especially important when a user’s role and job function change. There must exist a process to evaluate existing privileges compared to the new role of the user and ensure changes are made accordingly. • Defining and requiring users to sign a written statement indicating that they understand the conditions associated with being granted access and any associated liabilities or responsibilities. It is important to understand that user confirmation should occur whenever 121

AU8231_C002.fm Page 122 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® there is a change in rights and privileges, not simply upon creation of the account. • A documentation process to capture system changes and act as a record of the transaction. Keeping a log of the administrative process and relative technical information is essential to an effective access control system. The information will be used in assessments, audits, change requests, and as evidence for investigative purposes. • Status and audit processes for the control environment. This will ensure that users who have left or changed job roles have their unused or no longer required rights immediately removed to ensure elimination of duplications and removal of dormant accounts. • Specific actions that may be taken by management if unauthorized access is attempted by a user or other forms of access abuse are identified. Clearly, this must be approved by the organization’s human resources and legal departments. In addition to overall user management, it is necessary to define policies, procedures, and controls regarding passwords. Passwords are a common practice for validating a user’s identity during the authentication process. Given that in most traditional authentication solutions the password is the only secret in the transaction (i.e., username and password combinations are prone to brute-force attacks were the username is known and the password is repeatedly guessed until access is acquired), great care should be considered in how passwords are created and managed by users and systems. A process governing user passwords should consider the following: • Users should be required to sign a statement agreeing to keep their passwords safe and confidential and to not share, distribute, or document their passwords. • All temporary passwords should be permitted to be used once — to reset the user’s password to something that only he or she knows. • Passwords should never be stored unprotected and in clear text. • Passwords should have a minimum and maximum length and include various characters and formats. • Passwords should be changed regularly. • A history of passwords should be maintained to avoid repeating old passwords as they are changed. There is some debate over the security realized by a username and password combination used for authentication. For example, depending on the system, a longer password can actually make it more prone to attack if it results in the user writing it down. The potential for exposure of passwords, poor password selection by users, and the shear number of passwords many users need to keep track of lay the foundation for potential compro122

AU8231_C002.fm Page 123 Saturday, June 2, 2007 1:21 PM

Access Control mises. Nevertheless, username and password combinations are today’s standard. The best approach to ensuring consistency and control is: • • • • •

Clearly defined policies Well-implemented system controls Understanding of the technical considerations Comprehensive user training Continual auditing

Privilege Management. The importance of privileges demands that their allocation, administration, and use should have specific processes and considerations. It is privilege management that has represented core failures in an otherwise sophisticated access control system. Many organizations will focus on identification, authentication, and modes of access. Although all these are critical and important to deterring threats and preventing incidents, the provisioning of rights within the system is the last layer of control. The typical reason for problems in the allocation of rights is mostly due to the vast number of options available to administrators and managers. It is this aspect of privilege management that demands the existence of processes and documentation that clearly defines and guides the allocation of system rights.

In the development of procedures for privilege management, the following should be considered: • Privileges associated with each system, service, or application, and the defined roles within the organization to which they apply, should be identified and clearly documented. This speaks to identifying and understanding the available rights that can be allocated within a system, aligning those to functions within the system, and defining roles that require the use of the functions. Finally, the roles need to be associated with job requirements. Therefore, a user may have several job requirements, forcing the assignment of several roles, which may translate to a collection of rights within the system. • Privileges should be managed based on least privilege. Covered earlier, only rights required to perform a job should be provided to a user, group, or role. • An authorization process and a record of all privileges allocated should be maintained. Privileges should not be granted until the authorization process is complete and validated. • Any significant privileges that are needed for intermittent job functions should be assigned to a different user account as opposed to those for normal system activity related to the job function. This practice is most seen on UNIX systems. An administrator of a UNIX system may have three or more accounts: one for daily routines, another for specific job requirements, and “root” for rare occur123

AU8231_C002.fm Page 124 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® rences where complete system access must be utilized. This is done to reduce the consequences of errors. Physical. Physical security covers a broad spectrum of controls, ranging from door, locks, and windows to environment controls, construction standards, and guards. Typically, physical security is based on zones, concentric areas within a facility that require increased security, and more zones that are passed by an individual.

Physical entry controls should meet a level of security that is relative to the zone (or area) accessed and credentials provided to those that require access. For example, an employee may work in the data center of a large financial institution — a very sensitive area. The employee may have a special badge to access the parking lot and the main entrance where guards are posted and recording access. To access the specific office area, he or she may need a different badge and PIN to disengage the door lock. Finally, to enter the data center, the card and PIN are combined with a biometric device that must be employed to gain access. The most prevalent aspect of physical security is the perimeter of a facility. A typical perimeter should be sound and without gaps or areas that can be easily broken into. The perimeter starts with the surrounding grounds. Hills, ditches, retention walls, fences, concrete posts, and high curbs can act as deterrents to attack. Depending on the sensitivity of the facility, guards, dogs, and other aggressive measures can be applied. The construction of the facility may include special walls, reinforced barriers, and even certain foliage strategically placed near doors, windows, and utilities. Of course, all this can be augmented by cameras, alarms, locks, and other essential controls. Finally, the oversight of physical controls must adhere to the same basic principles of other forms of controls: separation of duties and least privilege. For example, it may be necessary to segment the job role of guards to ensure that no single point of failure or collusion potentially allows threat agents to enter unchecked. Physical Entry. Secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. The provisioning of credentials must take into consideration the needs of the individual, his or her job function, and the zone accessed. As discussed above, the person requiring access must successfully pass an investigative process prior to being provided access.

In defining physical entry controls, the following should be considered: • Visitors should be appropriately cleared and supervised prior to entry. Moreover, the date, time, and escort should be recorded and 124

AU8231_C002.fm Page 125 Saturday, June 2, 2007 1:21 PM

Access Control validated with a signature. Visitors should only be provided access to the areas that allow visitors and should be provided with instructions concerning security actions and emergency procedures. • Access to controlled areas, such as information processing centers and where sensitive data may reside, should be restricted to authorized persons only. Authentication controls, such as badges, swipe cards, smart cards, proximity cards, PINs, and potentially biometric devices, should be employed to restrict access. • Everyone within the controlled perimeter must wear some form of identification and should be encouraged to challenge others not wearing visible identification. Moreover, different styles of identification should be employed to allow others to quickly ascertain the role of the individual. For example, a red ID badge may signify access to the fourth floor of an office building. If someone were wearing a blue badge on the fourth floor, others would be able to determine necessary actions. Action may include verifying they are escorted, notifying security, or escorting them to the nearest exit. • All access rights and privileges should be regularly reviewed and audited. This should include random checks on seemingly authorized users, control devices, approval processes, and training of employees responsible for physical security. Securing Zones. A physical security strategy may include the defining of multiple zones within the facility. Typically, this is associated with rooms, offices, floors, or smaller elements, such as a cabinet or storage locker. The design of the physical security controls within the perimeter must take into account the protection of the asset as well as the individuals working in that area. One must consider fires, floods, explosions, civil unrest, or other man-made or natural disasters. Emergency strategies must be included in the physical controls to accommodate the safe exiting of personnel and adherence to safety standards or regulations. Human safety is the priority in all decisions of physical security. Technical. Technical controls are those mechanisms employed within the digital infrastructure that enforces policy. Given the pervasive nature of technology, access controls can be materialized as almost anything and at any layer within the system. Technology controls can include elements such as firewalls, filters, operating systems, applications, and even routing protocols. In an effort to better communicate the various types, the following list can be used:

• • • •

User controls Network access Remote access System access 125

AU8231_C002.fm Page 126 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® • Application access • Malware control • Encryption User Controls. There are controls associated directly with the user; some have been introduced above and will be detailed in later sections. Technical controls related to users can be best demonstrated as user authentication factors that can be translated into technical representations.

User authentication factors are represented by something you know (e.g., a password), something you have (e.g., a token or smart card), and something you are or do (e.g., biometrics). Single-factor authentication is the employment of one of these factors, two-factor authentication is using two of the three factors, and three-factor authentication is the combination of all three factors. Single-factor authentication is usually associated with a username and password combination. This is unfortunate because the usual reusable (static) password is easily compromised, and therefore provides very limited security. There are a plethora of technical solutions that provide the framework to identify and authenticate users based on this concept. Given the broad use of username and password combinations, most technical solutions will provide this service. Two-factor authentication usually introduces an additional level of technical controls in the form of a physical or biometric device. Typically, this is a token, fob, or smart device that substantiates the user’s identity by being incorporate into the authentication process, such as a username and password. Two-factor authentication can be the combination of any two of the three basic forms of factor authentication. The incorporation can include one-time passwords, such as a time-sensitive number generation, or the existence of a certificate and private key or a biometric. Three-factor authentication will include elements of all three factors and, as such, will include something about the user, such as a biometric feature. Biometrics cover a number of options, such as fingerprints, retina scanning, hand geometry, facial features, and even temperature. The technical personification of this is a device that is used to interface with a person during the authentication process. Network Access. Network access controls are those employed within the communication infrastructure. Usually, this is associated with access control lists, remote-access solutions, virtual local area networks (VLANs), protocols, and security devices, such as firewalls and intrusion detection or intrusion prevention systems. The role of network access controls is usually to limit communications. For example, a firewall will limit what

126

AU8231_C002.fm Page 127 Saturday, June 2, 2007 1:21 PM

Access Control protocols and protocol features are permitted from a given source to a defined destination. However, there are network layer controls that can be used to employ security services that increase the level of access management in the environment. The most common example is proxy systems, those devices that employ controls and act on behalf of the user or application. Proxy systems can apply specific logic in managing service-level communications within the network. For example, a proxy system may control access to Web-based services via the Hypertext Transfer Protocol (HTTP). Just as a firewall would block specific ports, a proxy system would block or control certain aspects of the HTPP to limit exposure. Many proxy systems are used to authenticate sessions for internal users attempting to access the Internet and potentially filter out unwanted Web site activity, such as Java applets, Active Server Page (APS) code, or plug-ins. VLANs can be utilized to segment traffic and limit the interaction from one network to another. Wireless networks can employ several access control mechanisms, such as MAC filtering, several forms of authentication, and encryption, and apply limitations on access. One of the more interesting aspects of network access controls that are being adopted more readily is controlling access of remote or internal systems based on policy. Prior to allowing a system to join the network fabric, the network and supporting services query the system to ensure the workstation is adhering to established policies. Policies can be as simple as ensuring an antivirus package is present on the system and as complex as validating the system is up to date on security patches. In the event the system does not meet security policy, it may be denied access or redirected to a secure area of the network for further testing or to allow the user to implement the necessary changes to access the network. Remote Access. In today’s environment, roaming users make up a significant portion of the user community. Remote-access solutions offer services to remote users requiring access to systems and data. One of the more commonly utilized technical solutions is virtual private networks (VPNs), where the user is authenticated and provided secure communications to predefined resources. Typically, a VPN device is placed on the Internet or behind a firewall to allow remote users to access the system, authenticate, and establish a protected session with various internal systems.

Access controls are typically associated with VPNs by use of authentication mechanisms in combination with encryption methods. These combine with protocols to instill a level of control over the communication. For example, a VPN solution can be configured to permit access by users with the appropriate client package or version of a browser, limit access to cer-

127

AU8231_C002.fm Page 128 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® tain portions of the network, limit the types of services permissible, and control session time windows. System Access. A system can be a single server or a collection of servers that provide a service or perform a function. Common attributes of a system are the server and the operating system that supports upper-level services and functions. Operating systems provide access controls in the form of users, file systems, and processes. They also seek to segment key functions from user or application access to limit the system’s exposure to various operational threats.

The first iteration of access control was arguable on a single system or host. Applications were developed, data structure was created, and users were provided access based on some form of authentication. Early access controls were relegated to the capabilities of the operating system and its oversight of the file system, data store, application provisioning, and session management. All these attributes and more exist in commonly used operating systems today. The most prevalent access control on systems is the file system. The file system is the method utilized by a computer to store, access, and secure data on a device. Many file systems will incorporate access controls to limit usage of files, such as permitting a given user to only read a file. Other access controls will manage the interaction between layers in the system, such as hardware access, memory access, services, and kernel modules. Therefore, applications can run on systems where the operating system can manage resources for the application and administrators can implement controls over that environment. Weaknesses in application input controls can lead to buffer overflows that potentially allow malicious activity by circumventing system-level access controls to resources. Application Access. Applications will usually employ user and system access controls to deter threats and reduce exposure to security incidents. However, applications can incorporate several mechanisms to supplement other controls to ensure secure operations. For example, applications can establish user sessions, apply time-outs, validate data entry, and limit access to specific services or modules based on user rights and needs. Moreover, the application itself can be designed and developed to reduce exposure to buffer overflows, race conditions, and loss of system integrity.

The architecture of an application plays a significant role in its ability to thwart attack. Object-oriented programming, multitiered implementations, and even database security are important to controlling what services are provided to users and what tasks can be performed. Access controls associated with all aspects of an application are important to sound security. Many applications are complicated and offer a wide range of services and 128

AU8231_C002.fm Page 129 Saturday, June 2, 2007 1:21 PM

Access Control access to potentially sensitive information. Additionally, applications may be critical to the operational needs of the business; therefore, their sensitivity to disruption must be considered. Much like other technical controls, applications can employ several layers of security within the application framework. Just as applications may have layers, they can also have layers of controls, and these controls can be associated with user activity, object security, internal services, and data services. For example, an application may encompass a presentation module, object services module, data aggregation module, and output services that interact with the inner workings of other applications. Based on the services offered to a given user, it is necessary to consider not only the application’s oversight of the user, but also the security afforded to other activities. If this aspect of application security and access management within the application is overlooked, it may be possible for low-level users to perform privileged actions. This is when there is no association between the user role and the actions of a given object. Malware Control. Viruses, worms, Trojans, and even spam represent a threat to the enterprise. Technical controls can be applied to reduce the likelihood of impact from unwanted influences. The most prevalent of these controls is antivirus solutions that can be employed on the perimeter, servers, and end systems to detect and potentially eliminate the threat of viruses, worms, or other malicious programs. Other technical solutions include file integrity checks and intrusion prevention systems that can detect when a system service or file is modified, representing a risk to the environment.

In today’s environment, malicious code represents a significant threat to operations. Weaknesses in systems, applications, and services offer opportunities for worms and viruses to infiltrate an organization, causing outages or damage to critical systems and information. Technical access controls can materialize as add-on applications, such as antivirus software, or tools that can be used to filter spam, find spyware on systems, or detect Trojan activity. A more detailed discussion of application security issues is found in the Application Security chapter, Domain 8. Cryptography. Although covered in greater detail in the cryptography domain in the CBK, encryption has an important role in access controls. Encryption can be used to ensure the confidentiality of information or authenticate information ensuring integrity. These two characteristics are highly leveraged in the identification and authentication processes associated with access control. Authentication protocols will employ encryption to protect the session from exposure to intruders, passwords are typically hashed to protect them from disclosure, and session information may be 129

AU8231_C002.fm Page 130 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® encrypted to support the continued association of the user to the system and services used. Encryption can be used to validate a session. For example, if session information is not encrypted, the resulting communication is denied. The most predominant aspect of cryptography in access control is the employment of cryptographic mechanisms to ensure the integrity of authentication protocols and processes. Access Control Threats Access control threats are directly related to the confidentiality, integrity, and availability of enterprise assets. Any threat or threat agent that represents a risk to the CIA of enterprise assets is a threat to the access control environment. The objective for this section is to explain the threats to access controls. There are a plethora of threats to access controls and the CIA of enterprise assets. These can be best represented within the CBK as: • • • • • • • • • • • • • • • • • • •

Denial of service Buffer overflows Mobile code Malicious software Password crackers Spoofing/masquerading Sniffers Eavesdropping Emanations Shoulder surfing Tapping Object reuse Data remnants Unauthorized targeted data mining Dumpster diving Backdoor/trapdoor Theft Intruders Social engineering

Denial of Service A threat to operations is denial-of-services (DoS) attacks. DoS attacks can range from the consumption of specific resources, rendering a system service or application unusable by authorized users, to the complete outage of a system. In the early 1990s, DoS attacks were mostly relegated to protocol manipulation within the Transmission Control Protocol/Internet Protocol (TCP/IP). Known as SYN floods, threats would make an overwhelming num130

AU8231_C002.fm Page 131 Saturday, June 2, 2007 1:21 PM

Access Control ber of open-ended session requests to a service, effectively making it impossible for a valid user or application to gain access to the service. Soon, attackers began to identify weaknesses in various system services, allowing them to make specially formatted requests that would force an error, resulting in the complete loss of the service. Early on, there was an attack called Teardrop, which employed a tool to manufacture overlapping fragmented service request packets that would exploit a flaw in the system, shutting it down. In the late 1990s and into the 21st century, distributed denial of service (DDoS) became a significant threat to operations. Attackers would build vast networks of commandeered systems (i.e., zombies) that would be instructed to simultaneously make numerous requests to a single system or application, such as a Web site. Hundreds or potentially thousands of systems would make millions of requests to a Web site, completely flooding the system to the point where others could not access it or until it simply failed and went offline. DoS attacks are one of the oldest tools used by hackers and are still used quite often today. In early spoofing attacks performed by pioneers such as Kevin Mitnick, the system whose identity was leveraged was “DoS’ed” to allow the attacker to assume the role of the now unavailable system. Today, DoS attacks are used in a multitude of ways to manipulate system interactions to acquire access or redirect communications. The applicability to access control is relative to availability in the CIA triad. If a service is not available, access to valid users or systems is denied. Buffer Overflows A buffer is a portion of system memory that is utilized to temporarily store information for processing. Buffers are essential to computer operations to manage data input and output at all levels of system interaction. A buffer overflow is when a threat manipulates the system’s ability to manage the buffer, causing a system failure. A system failure can include an outage, the failure to control an application state, or the inability to control the code, information, or material prepared for processing. Buffer overflows can be used in a DoS attack or to inject malicious software for processing on behalf of the attacker. Memory can be used in network interfaces, video systems, traditional RAM, or virtual memory on hard disks. Any instance of memory is potentially vulnerable to a buffer overflow. Buffer overflows are also used to gain unauthorized access or to escalate privileges from an authorized account. Buffer overflows are typically the result of poor system memory access control and management. This can be related to poor coding of the application, services, or operating system managing the memory allocation. It 131

AU8231_C002.fm Page 132 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® can also include errors in the system BIOS that are used to oversee the use of memory. The lack of adequate application testing in the development process results in buffer overflow exposure. The applicability to access control is directly related to the controls implemented within the system to manage memory and the code that is employed. A buffer overflow is essentially exploiting a vulnerability in the memory access management system responsible for system operations. Of course, the broader implications are the result of the buffer overflow, which could lead to the injection of malicious software, further exacerbating the exposure to threats and the demise of the access control environment. Mobile Code Mobile code is software that is transmitted across a network from a remote source to a local system and is then executed on that local system, often without explicit action on the part of the user. The local system is often a personal computer, but can also be a smart device, such as a PDA, mobile phone, Internet appliance, etc. Mobile code differs from traditional software in that it need not be installed or executed explicitly by the user. Examples of mobile code include ActiveX controls, Java applets, scripts run within the browser, and HTML e-mail. Mobile code is also known as downloadable code and active content, especially in the context of Web sites and e-mail systems. The security implications of mobile code are significant because of the inherent dynamics of distribution capabilities, limited user awareness, and potential for harm. It is not uncommon for mobile code to be provided to a browser to perform a function for the user. If a system is not configured properly, it can be fooled into running mobile code designed to alter, infect, or otherwise manipulate the system. Mobile code, if left unchecked, can be used to track user activity, access vital information, or be leveraged to install other applications without alerting the user. The issue is exacerbated if the user is remotely accessing corporate resources. Data can be copied to the local system, which may be exposed to unwanted threats, access credentials may be captured and later used by an attacker, or the communication can be used to inject malicious software into the organization. Mobile code can range from a system nuisance, such as Web sites tracking Internet activity, to highly problematic situations, such as spyware that can be used in identify theft. The role of mobile code in the light of access control is relative to the exposure of information, or confidentiality. Controls are implemented to protect information and systems from unwanted exposure. Moreover, the existence of mobile code represents a failure of the application controls implemented to thwart such an event. Of course, this is assuming that the mobile code is malicious. There are businesses that will require the provi132

AU8231_C002.fm Page 133 Saturday, June 2, 2007 1:21 PM

Access Control sioning, or permission, to introduce code to perform a function. A good example is online seminars that require ActiveX applications to produce sound and present information. However, it is usually possible to add granularity to the access control environment by configuring systems to only accept mobile code that has been signed by a trusted entity. Again, this speaks to the level of sophistication of the control strategy and technology. Malicious Software Malicious software is a term used in many ways to describe software, applications, applets, scripts, or any digital material that performs undesirable functions. There was a time when the term was limited to what the industry terms as Trojans or spyware. However, it is typically used to cover just about anything that can be run on a computer system that represents a threat to the system, information, or other applications. To better demonstrate, the following are commonly accepted descriptions of different types of threats that fall under the general definition of malware: • Virus: Parasitic code that requires human transferral or insertion, or attaches itself to another program to facilitate replication and distribution. Other programs can range from e-mail, documents, and macros to boot sectors, partitions, and memory fobs. Viruses were the first iteration of malware and were typically transferred by floppy disks and injected into memory when the disk was accessed or attached to files that were transferred. • Worm: Self-propagating code that exploits system or application vulnerabilities to replicate. Once on a system, they may execute embedded attributes to wreak havoc, much like a virus, and move on to the next system. A worm is effectively a virus that does not require human or other programs to infect systems. • Trojan horse: A very general term referring to programs that appear desirable, but actually contain something harmful. A Trojan horse is software that purports to do one thing that the user wants while secretly performing other, potentially malicious actions. For example, a user may download a game, install, and begin playing. However, unbeknownst to the user, the application installed a virus, launched a worm, or has installed a utility allowing a hacker to gain unauthorized access to the system remotely, all without the user’s knowledge. • Spyware: Prior to their use in malicious activity, spyware was typically a hidden application injected through poor browser security by companies seeking to gain more information about a user’s Internet activity. Today, those methods are used to deploy other malware, collect private data, or monitor system input, such as keystrokes. 133

AU8231_C002.fm Page 134 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® In reality, the line between the different types of malicious code is growing thin. Many threats have surfaced that combine the capabilities of disparate malicious software to make for significant security challenges. Mobile code, spam, and key loggers, along with the list above, are an attempt of the security industry to assign definition to a highly dynamic threat. Hackers do not operate within the same construct. Spam can lead to spyware, which can help the proliferation of worms exploiting vulnerabilities to implant their payload of Trojan devices. Malicious software is an approach to classify software that surreptitiously inflicts unwanted exposure or harm. The threat to access controls that malicious software represents is significant and cannot be overstated. Clearly, the exposure of information, loss of system integrity, and potential exposure of user credentials to unknown entities undermine the control environment. Given the pervasive nature of access controls and their number, diversity, and types, a complicated web interaction that can be quickly unraveled by malicious software is established. Password Crackers Passwords are essentially a group of secret characters that users can enter to prove they are who they claim. Assuming the password is not shared or known by another, username and password combinations offer basic authentication. However, by their very definition, they are prone to discovery, and thereby the strategy of username and password combinations is weakened. Given the fact that the typical password will range from 5 to 15 characters on average, one could rightly assume that there is a limit to the combination of characters. Of course, the diversity of characters increases the number of possibilities. Passwords are typically stored by means of a one-way hash. An algorithm produces a unique representation of the password. When a password is received by a system during authentication, it hashes it using the same algorithm employed during the creation of the password and compares it to the hash on file. If they match, there is a high degree of certainty the password provided is the same as the one on file. In most cases, the password itself is never stored or saved. When a user sets a new password, it is immediately hashed and the hash is saved. Upon authentication, the initial hashing process is repeated and the result compared to complete the transaction. The key factor, and where password crackers come into play, is the saving of the hashed password. If a file containing the hashed password is made available, attackers can perform brute-force attacks by comparing thousands of possible password combinations against the hash. Password crackers are tools that will use a list (or create one dynamically) of possi134

AU8231_C002.fm Page 135 Saturday, June 2, 2007 1:21 PM

Access Control ble combinations, hash them, and compare the hash to the one stored in the file. In reality, it is only a matter of time before all possible character combinations are tested and the password is exposed. Of course, depending on the length and complexity of the password, the process could take minutes or years. However, most users use passwords that are easily remembered, and therefore easily guessed by the system, reducing the required time for the tool to run. Password crackers are easy to come by on the Internet, and many that are in use today were created in the late 1980s and early 1990s. John the Ripper is still very popular, and L0pht (or L0phtcrack), once a hacker tool, is now regularly used by Microsoft system administrators for password auditing and sold as such. Password crackers are one of the few tools that are equally effective for hackers and security administrators. If the tool can discover the password, the hacker can use it, or the administrator can issue a password change request to the user. Although there is much debate over the security of usernames and passwords, the role of the password cracker as a tool for the security administrator is well established as a mechanism to increase the integrity of the system. Putting aside the administrative use of password crackers as a tool, the threat they represent to access controls is very high. Simply put, passwords, for some organizations, are the keys to the kingdom. If the access control strategy is founded on passwords, their exposure would mean the demise of the control environment, rendering it useless. Moreover, the monitoring aspects of the control environment will not be very helpful in exposing the activity because, if performed discreetly, the attacker will be using the privileges assigned to the stolen accounts. Early in the evolution of password crackers, the process of creating hashes of a list of passwords and then comparing them to the stolen collection of hashed passwords was very time consuming. In 1980, Martin Hellman, best known for his work with Whitfield Diffie for the development of public key cryptography, described a cryptanalytic time–memory tradeoff that reduces the time of cryptanalysis by using precalculated data stored in memory. The goal was to save time by performing an exhaustive search and loading the results into memory, taking advantage of the close interaction between memory and the processor. This is possible because many popular operating systems generate password hashes by encrypting a fixed plaintext with the user’s password as the key and storing the result as the password hash. If the password hashing scheme is poorly designed, the plaintext and the encryption method will be the same for all passwords. In that case, the password 135

AU8231_C002.fm Page 136 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® hashes can be calculated in advance and can be subjected to a time–memory trade-off. This technique was improved by Rivest before 1982 with the introduction of distinguished points that drastically reduce the number of memory lookups during cryptanalysis. Hellman’s time–memory trade-off was based on enciphering the plaintext with all possible keys. The results were organized in chains, with only the first and last elements loaded into memory. The trade-off is based on saving memory at the cost of processing time. Unfortunately, as the number of stored chains increased, so did the probability of collisions — or generating the same results with different keys. This is aggravated by the fact that chains will merge, making them useless for downstream cryptanalysis. Rivest introduced defining distinguished points as the ends of the chains. This was based on the conclusion that the first ten bits of the key were all zeros, and therefore a chain can be pulled from memory based only on the end of the chain when a plausible match is identified. The results were a significant reduction in the time of processing passwords through optimizing the precalculated chains in memory. However, in 2003 Philippe Oechslin developed a faster time–memory trade-off. The main issue with Hellman’s chaining process, which was enhanced by Rivest, was the collisions of chains and ultimately mergers within memory. Oechslin postulated a modified approach to the creation of chains in tables that limit collision rates and isolates mergers within the table, greatly reducing memory requirements while significantly optimizing the organization of data. The new chain structure is called rainbow chains. They employ successive reduction of points within the chain, utilizing Rivest’s distinguished points along with a reduction process. This reduces the likelihood of mergers within the table in memory, allowing more useful data to be stored for cryptanalysis. To demonstrate the significance of rainbow table attacks, Oechslin successfully cracked 99.9 percent of 1.4 GB of alphanumeric password hashes in 13.6 s, whereas previous time–memory trade-off processes would do the same in 101 s. The rainbow table attack has revolutionized password cracking and is being rapidly adopted by tool creators. Spoofing/Masquerading In the 1980s, Kevin Mitnick popularized IP spoofing, originally identified by Steve Bellovin several years prior as an attack method that used weaknesses within Internet protocols to gain access to systems that were based on IP addresses and inherent trust relationships. Through IP spoofing, one could appear to come from a trusted source but was, in fact, well outside of the trusted environment. Mitnick used this technique, along with social engineering, to access systems to obtain various application source codes 136

AU8231_C002.fm Page 137 Saturday, June 2, 2007 1:21 PM

Access Control for other hacking purposes. Specifically, he wanted the source codes for cell phones (the operating system of most cell phones at the time) that would allow him to manipulate phones to access other conversations and greater system access. By the simplest definition, spoofing is appearing to a system as if coming from a known and trusted source. As stated above, early versions of spoofing were performed at the protocol layer. Attackers would send packets to a server with the source address of a known system in the packet header. This would fool filtering devices that were configured to permit activity to and from the server for specific, trusted addresses and networks. The difficult part was for the attacker to predict the response to the server that would normally come from the host whose identity is being utilized. Session identifiers, such as TCP sequence numbers, would have to be predetermined by the hacker to avoid detection by the server. Quickly, systems and firewalls compensated for such an attack, making it much less used in today’s computing environment. However, there are a multitude of other methods to manipulate systems and users, allowing hackers to appear as valid participants within the network, all falling under the definition of spoofing or masquerading. For example, phishing is a process of fooling people to believe that an email requesting a password change on an online banking application is the bank and not the attacker, essentially masquerading as a trusted source. There are examples of hackers appearing as Domain Name Servers (DNSs) to redirect Internet users to malicious sites engineered to inject malware or obtain information. Spoofing is also an effective technique used in part for man-in-the-middle attacks. A user may believe he or she is interacting with the expected destination, when in fact his or her communications are being redirected through an intermediary, collecting information from both sides of the communication. The impact of spoofing or masquerading on access controls is the affect it has on modes of communication. If a communication was manipulated and, depending on the stage of the communication the hacker employs for the attack, the affects could be likened to obtaining the necessary credentials, such as with password crackers. The threat to the access control environment is significant. Attackers could gain the necessary access to systems and information by incorporating themselves in a manner that circumvents established controls. Although many situations are realized by poor user awareness, there still exist many technical scenarios that allow attackers to bypass controls. Sniffers, Eavesdropping, and Tapping Communications, at some point, will typically become aggregated into a physical medium. These can materialize as wired or even wireless networks 137

AU8231_C002.fm Page 138 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® that represent the potential for exposure. In the event an attacker were to incorporate into the communication medium, he could potentially visualize and collect all layers of the communication. Interestingly, the same capability is utilized by some primary security systems, such as IDS. IDSs will monitor the communication in an effort to detect unwanted activities. Sniffers are typically devices that can collect information from a communication medium, such as a network. These devices can range from specialized equipment to basic workstations. It is important to note that a sniffer can collect information about most, if not all, attributes of the communication. Emanations Emanation is the proliferation or propagation of a signal. This is most evident in wireless networks. A wireless network antenna may radiate the signal to areas beyond the desired scope, such as out of a building and into the parking lot. If this were to occur, an attacker could drive to the location and attempt to access the network from the privacy of his vehicle, potentially undetected. However, there are several other examples. Given the electromagnetic properties of computing devices, there is the potential to acquire data from great distances. For example, sophisticated electromagnetic loops can be generated near communication lines to eavesdrop on communications without physically interacting with the wire. It is well known that various governments used this method to tap transoceanic communication lines during the cold war. Other examples include utilizing sensitive devices to acquire signals propagating from computer monitors from other buildings or from the streets below to see what a user is doing. There are stories (potentially urban legend) of acquiring communication signals from underground pipes that pass close to the communication line. Other examples include interacting with Bluetooth-enabled devices or cars from great distances, heat and energy distribution detection, sound propagation, and mobile phones. The threat to access controls is very similar to those realized with sniffers and taps. The attacker can obtain private information or gain better awareness of the communication architecture for further attacks. In addition to the employment of encryption, there are mechanisms to reduce the emanation of signals, such as TEMPEST. Wireless antennae come in many formats that have different irradiation patterns that can be utilized in different ways to reduce signal propagation. For the purposes of this book, there are three basic types: omnidirectional, semidirectional, and highly directional. Within these three basic groups there are several different antenna subtypes, such as mast, pillar, ground plate, patch, panel, sectorized, yagi, parabolic, and grid. Each type and subtype represents 138

AU8231_C002.fm Page 139 Saturday, June 2, 2007 1:21 PM

Access Control options for the designers of wireless networks to reduce exposure by focusing the signal. Finally, there are materials that can be used on windows or other building attributes to further disrupt the emanation of electromagnetic signals. When considering the risk of potential threats exploiting signal propagation, the level and types of controls employed should be relative to the level of impact and cost if an attacker were to acquire sensitive information. Shoulder Surfing Shoulder surfing is the act of surreptitiously gathering information from a user by means of direct observation. A good example is watching someone type in their password while talking about what they did over the weekend. This obviously requires close interaction and proximity to the user and exposes the attacker to being identified. There are many themes to this type of attack, ranging from watching people perform tasks to listening in on conversations. Essentially, this is social awareness and seeking the opportunity to gain information through observation. The impact to access controls is simply the exposure of potentially sensitive information. If someone were to see a user enter his password, it would be trivial for that person to return to her desk and log in as that user. The only plausible defense against this threat is awareness training or use of one-time passwords. However, in some circumstances, organizations have employed multifactor authentication, making it much more difficult to acquire passwords. To avoid someone reading your screen over your shoulder, you can install screen filters that require you to either look directly into the monitor to see the contents or wear special glasses to depolarize the video stream. There are numerous logical and physical controls that can be employed — at a cost — but many organizations will seek to train their employees in an effort to thwart such an attack. Object Reuse Object reuse refers to the allocation or reallocation of system resources to an unauthorized user or, more appropriately, to an application or process. Applications and services on a computer system may create or utilize objects in memory or in storage to perform a function. In some cases, it is necessary to share these resources between various system applications to perform actions. However, some objects are employed by an application to perform privileged tasks on behalf of an authorized user or upstream application. If object usage is not controlled or objects are not purged from the system after use, they may become available to unauthorized use. There are two aspects of application object reuse: the direct employment of the object or the use of data input or output from the object. In the case with object use, it is necessary for the system providing the object to 139

AU8231_C002.fm Page 140 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® verify the requesting entity. In the event of object data use, in most, if not all cases, the system should clear all residual data prior to assigning the object to another process, ensuring that no process intentionally or unintentionally inherits or reads the data of another process. More specifically, the requirements for security imply the controlled sharing of these resources. For example, the printer process needs to be controlled so that it prints only one user’s output at a time. It would be a security violation if one user’s output were mixed in with that of another and printed on the same physical sheet of paper. Fortunately, keeping print jobs separate is simple for a printing process. In a similar way, it is easy to prevent more than one user from using a terminal at any given time. Although there is nothing to prevent two people from sharing the same log-in session, internal mechanisms for terminal handling ensure that a terminal is flushed of residual data after a log-in session before another user can log on to it. However, the controlled sharing of memory is more difficult to manage. Many systems allow several processes to execute in memory simultaneously. Sections of memory may be allocated to one process for a while, then deallocated, then reallocated to another process. The constant reallocation of memory is a potential security vulnerability, because residual information may remain when a section of memory is reassigned to a new process after a previous process is completed. It is necessary for the operating system to zero out the memory upon release and before being allocated to another process. Object reuse is also applicable to system media, such as hard drives, magnetic media, or other forms of data storage. It is not uncommon for media to be reassigned to a new system, application, or user group. When media is reused, it is best practice to clean all data from the device prior to assignment. Removing all data from the storage device reduces the likelihood of exposing proprietary or confidential information. Degaussing and writing over media are example standard methods for handling object reuse to prevent unauthorized access to sensitive data when media is reassigned. The threat to access controls is significant. Very similar to buffer overflow, processes can be employed by an attacker to obtain nonzeroed, unallocated memory objects, effectively exposing information or allowing the assumption of privileges of the previous process. The threats associated with media are easily understandable. If the event devices are not degaussed or overwritten to eliminate the data, there is a significant risk to exposing sensitive information. Data Remanence It is becoming increasingly commonplace for people to buy used computer equipment, such as a hard drive, and find what was thought to be deleted 140

AU8231_C002.fm Page 141 Saturday, June 2, 2007 1:21 PM

Access Control information. Data remanence is the remains of partial or even the entire data set of digital information. Normally, this refers to the data that remains after the media is written over or degaussed. Information can be stored, processed, or transmitted, and remnants of data are most common in storage systems, but as we discussed above, they can occur in memory. Hard drives are typically made up of platters organized into segments and clusters. When a file is written to a hard drive, the file system will place the file in one or more clusters in series or spread throughout the disk based on the availability of clusters on the hard drive. The file allocation table maintains the physical location information for a given file for later retrieval. Clusters are fixed allocated space on a disk that is used for file storage. There are several scenarios that may occur that can lead to data exposure. Deleting a file does not remove it from the system. The process simply removes the information from the file allocation table, signifying to the system that those portions (clusters) are now available for use. The data remains until a new set of data is written to that space. The same basic principles apply during a disk format. The format process effectively clears the file allocation table, but again, not the data. As data is written to a disk, it will be spread out to several clusters. Each cluster is reserved for a given file. Even if the actual data stored requires less storage than the cluster size, an entire cluster is allocated for the file. The unused space is called the slack space. In early computer systems this spaced was filled with random portions of data pulled from memory. Soon, many came to realize that confidential information, including passwords stored in memory, could be found on the hard drive, even after being formatted. Although this does not typically occur today, problems surface when sensitive data is deleted and a new file is partially written to the reallocated cluster. A portion of the original file will remain in the slack space until the cluster is completely overwritten. Slack space can also be used by an attacker. Several tools are available that can write data striped across multiple clusters using only the slack space. The data is completely hidden from the user and system unless forensics tools are used to identify the information. Attackers will use this capability to store information, tools, or malicious code on a victim’s system. Depending on the frequency of data writes and deletes to the hard drive, the unwanted information may remain on the system for extended periods. There are utilities that can be used to wipe the data from the hard drive by overwriting the file information with bytes of 1s or 0s, or a random combination. However, some of these tools will not overwrite the file header, allowing someone to see the size, date, and location information of a file. Statistical analysis can be used to determine what the files may have been, 141

AU8231_C002.fm Page 142 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® and in aggressive investigations, electromagnetic shadows of the original data can be extrapolated from the disk. The most effective mechanism to destroy data, either a file or an entire disk — short of grinding the disk into little pieces, which is still no guarantee — is to overwrite the data several times. This accomplishes two things: (1) it ensures enough randomization to avoid statistical analysis of the data, and (2) each write works to further mask the remnants of any electromagnetic representation of the original information. Unfortunately, no plan is perfect. A file may be stored in swap space on the disk, may appear in other areas, such as the sent mail folder of an email program, or previously deleted versions remain in slack space throughout the disk. To reduce exposure, the hard drive should be installed in a different system and cleaned by tools running on the host operating system. The threat to access controls is related to confidentiality and data integrity. Clearly, the exposure of data, even small parts, can represent an enormous risk to the organization. The integrity of information can be affected by the manipulation of data physically on the disk. It is important to realize that the security controls applied to a file are several layers above disk operations. Tools can be easily employed to circumvent these controls at the hardware layer to change, obtain, or remove sensitive data. Unauthorized Targeted Data Mining Data mining is the act of collecting large quantities of information to perform predictions of use or type. Data mining is typically used by large organizations to find hidden patterns in data. Retail and credit companies will use data mining to identify buying patterns or trends in geographies, age groups, products, or services. Data mining is essentially the logical determination of information in lieu of specific data. Hackers will typically perform reconnaissance against their target in an effort to collect as much information as possible to draw conclusions on operations, practices, technical architecture, and business cycles. On the surface, this information is assumed to be worthless, and it is for this reason that it is easy to collect over the Internet or the phone. However, when combined in different ways and analyzed by a determined individual, vulnerabilities may surface that can be exploited or assist in other attack strategies. The role of access control is to limit the exposure of potentially harmful information. The most nebulous version of access control is the security group within an organization working closely with the marketing group to ensure public information placed on Web sites cannot be used against the company. In the early days of the Internet, organizations rushed to put as much information about the company as possible on their Web site to 142

AU8231_C002.fm Page 143 Saturday, June 2, 2007 1:21 PM

Access Control attract potential customers. This included information about the executive staff, manufacturing practices, financial data, locations, technical solutions, and other data that could be used to guide hackers. Although this is much less prominent in today’s communication practices, highly capable search engines, such as Google, can be used to gather significant information about a target. The role of access controls is to impose varying levels of access privileges to information based on need and sensitivity. When the level of sensitivity becomes lower and lower, the level of controls is reduced, and in some cases eliminated. Therefore, prior to changing the classification level of data, effectively reducing or eliminating controls over the distribution and access to information, organizations must understand the potential impacts associated with data mining by unethically inclined entities. Dumpster Diving In the old days, dumpster diving was the primary tactic used by thieves to get credit card numbers and other personal information that can be gleaned from what people and companies throw away. Dumpster diving is simply taking what people assume is trash and using that information, sometimes in combination with other data, to formulate conclusions or refine strategies for an attack. This is especially sensitive for companies who may throw away copies of proprietary data or seemingly benign data that, when in the hands of a hacker, can provide substantial information. Simple, but useful information ranges from phone numbers and e-mail lists to communication bills that have the service provider name and account details. A bill receipt containing account information can be used to help authenticate a hacker calling the service provider to access design features or IP addresses for locating logical areas where the exact target may reside. Even with sophisticated word processors and a computer on everyone’s desk, people still print volumes of documentation, sometime several times, to share with others or read later, only to throw it away without concern for the sensitivity of the data. It is not uncommon to find network designs, equipment purchase receipts, phone bills, phone books, human resource information, internal communications, configuration documentation, software documentation, project plans, and project proposals in a trash can. Most hackers do not want physical contact and the implied exposure of going through trash. The ability to go to the location, at the right time, and get information from the garbage insinuates a certain type of threat with specific motivations. Many companies destroy documentation to mitigate the risk of exposing information. Conversely, many companies assume there is little risk of dis143

AU8231_C002.fm Page 144 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® closing proprietary information, increasing the exposure to a very basic and easily exploited vulnerability. Backdoor/Trapdoor During the development of an application, the creator has the ability to include special access capabilities hidden within the application. Referred to as backdoors, applications may have hard-coded characteristics that allow complete and unfettered access to those who know the existence of the backdoor. Often these are installed to enable the programmer to access the system by bypassing the front-end security controls in cases where the system fails, locking everyone out. Most of the examples seen are the use of hidden accounts built within the application. These accounts can be used to gain authorized access without the knowledge of the system owner. Sometimes this occurs because the developer is attempting to support broad system functions and may not realize that the account can be used to gain access. In 2003, Oracle released a new version of its software that had at least five privileged accounts created upon install with the administrator none the wiser. There are other cases where system integrators will create special rules or credentials that allow them to gain complete access to systems they have installed to support their customer. Unfortunately, these practices typically mean that the same methods and username and password combinations are used for each customer. If the information were to be exposed or an employee were to leave with the information, every customer that has the backdoor implemented is exposed to a plethora of threats. However, as one would correctly assume, backdoors mostly occur in independently developed applications and not from established vendors. The threat to access controls is based on the existence of unknown credentials or configurations that will allow someone to circumvent established controls. Theft Theft is a simple concept anyone can grasp. However, as the digital interaction between people and businesses expands, the exposure of valuable information continues to exceed the traditional physicality typically associated with the term theft. Physical theft includes anything of value an unauthorized entity can remove. Computers, documents, books, phones, keys, or other materials that can be moved can be stolen. It can also include theft of a service by physical means, such as power, cable, or phone service. Digital theft is typically easier because of the virtualization of the information and the proliferation of avenues of access. 144

AU8231_C002.fm Page 145 Saturday, June 2, 2007 1:21 PM

Access Control Personal and private information about individuals and companies is shared, sold, transferred, and collected by other people and organizations for legitimate and illegitimate activities. Regardless of intent, as information is collected, the security of that data will usually grow weak. This is due to the characteristics of vast amounts of information. Either it is simply too much to oversee and manage, or it is assumed that voluminous amounts of data are unattractive. Another aspect of data collection is organizations not performing due diligence in the protection of private customer information because it is seen as not core to their business objectives. It is becoming increasingly common for hackers to gain access to an E-commerce site not to steal products or services, but rather the customers’ credit card information. Social Engineering Social engineering is the oldest form of attack to obtain data. It is the practice of coercion and misdirection to obtain information. Social engineering can take many forms, ranging from telephone calls to e-mail to face-to-face interaction. Additionally, the degree of interaction is a variable common among all forms of the attack. For example, a determined hacker may apply for a job that allows access to the establishment for on-site reconnaissance. Hackers may assume the identity of employees or their colleagues to lure others into providing information. On the lighter side, a hacker may simply send an e-mail hoping for a response. E-mail is a potent medium that can be used to extract information. It is easy to obtain names of certain employees and deduce an e-mail address. With very little research on the Internet, you can find subjects that interest a certain individual and establish communication on a common theme. An example is finding a network administrator and his conversations on various news groups to determine his physiological profile and willingness to share information. Through e-mail interaction, you may be able to gain insightful characteristics about the internal network and related security. A more prevalent approach used by hackers, and thankfully growing more difficult due to security awareness, is calling a help desk and asking for a password reset on an account. However, even with good security practices, such as asking for a human resource (HR) ID or your mother’s maiden name, it remains a simple barrier for a minimally skilled attacker to overcome. E-mail Social Engineering. E-mail can be a powerful persuasion device for hackers and con artists alike. E-mail has become a basic element in society and is considered crucial for many companies to run a successful business. People have grown so accustomed to e-mail that they rarely question the integrity of the content or source. To add to the malaise, many people 145

AU8231_C002.fm Page 146 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® do not understand how e-mail is routed from one desktop to another, and eventually the technology and science take a back seat to magic, leaving people to assume if the sender is [email protected], it must be from Dad. Given the general public is trusting of their e-mail and the direct access to people the e-mail service provides, e-mail is used over and over again to spread worms, viruses, and just bad information. It is a trivial task to make an e-mail appear as though it came from a known source. This can be especially powerful when sending an e-mail to someone from his or her management requesting the updated design for an executive presentation about the changes to security controls that are in progress. There is an endless array of e-mails that can be sent to trick people into offering information. These can range from obtaining remote-access phone numbers or information on applications in use to collecting data on security management protocol, such as getting passwords updated. Help Desk Fraud. One of the more common types of social engineering is calling the help desk as an employee in need of help. The traditional subject for help is with passwords and getting new ones. The only problem with this tactic is that help desk employees are usually trained to follow a protocol for providing passwords, and many do not include furnishing them over the phone.

A communication protocol is essentially a predefined list of questions and actions executed by the help desk attendant and the caller to ensure authentication. In many cases, there are several options to the help desk employee to deal with different scenarios. For example, if the caller cannot retrieve e-mail to get the updated password, the help desk may be directed to use voice mail. However, nothing ventured, nothing gained, and many social engineering attacks still include calls to the help desk seeking to obtain unauthorized information, and they still get results. Either someone does not follow protocol, or is simply fooled into thinking he or she has the necessary information to prove the identity of the caller. In some cases, the success was based on misdirection and controlled confusion in the conversation, such as introducing elements that were not considered in the protocol, forcing the help desk employee to make a decision based solely on his or her opinion and assumptions. Beyond trying to get passwords, which can be difficult, obtaining remote-access phone numbers or IP addresses of VPN devices can be helpful as well, and many help desk employees do not see the need to authenticate the caller for seemingly useless information.

146

AU8231_C002.fm Page 147 Saturday, June 2, 2007 1:21 PM

Access Control Nevertheless, help desks are typically prepared for controlling the provisioning of information and applications, but it is for this very reason that they can be a lucrative target for social engineering attacks. They get calls asking for similar information all day long and are expected to provide answers using the protocol, which can be weak. Additionally, for large help desks or companies that provide help desk services for other companies, there is usually a high degree of rotation of employees, resulting in unfamiliarity with the protocol, introducing even more opportunities to glean information. In some scenarios, the help desk employee may grow nonchalant about giving out passwords and simply give it to the attacker on the phone. Access to Systems To this point we have discussed access control principles and the threats to the control environment. This section covers details regarding access controls and essential control strategies. Areas include: • • • •

Identification and authentication Access control services Identity management Access control technologies

The objectives for this section are: • • • • •

List the types of authentication Describe smart cards Define access control services Describe identity management Describe the key access control technologies

Identification and Authentication Identification is the assurance that the entity (e.g., user) requesting access is accurately associated with the role defined within the system. It is the assertion of a unique user identity and all that it implies within the system or systems accessed. Identification is a critical first step in applying access controls. It is necessary to identify the user in the light of downstream activities and controls. Downstream controls include accountability, with a protected audit trail, and the ability to trace activities to individuals. They also include the provisioning of rights and privileges, system profiles, and availability of system information, applications, and services. The objective is to bind a user to the level of controls based on that unique user instance. For example, once the user is validated through authentication, her identity within the infrastructure will be used to allocate resources based on predefined privileges. 147

AU8231_C002.fm Page 148 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Authentication is verifying the identity of the user. Upon requesting access, a user will present her unique user identification and provide another set of private data that establishes trust between the user and the system for the allocation of privileges. The combination of the identity and data or information only known by or only in the possession of the user acts to verify that the user identity is being used by the expected and assigned entity (e.g., person). Types of Identification. The most common form of identification is a username, user ID, account number, or personal identification number (PIN). These can be used as a point of assignment and association to a user entity within the system. However, access is not limited to users and includes software and hardware services that may require access. Software may need to access objects, modules, databases, or other applications to provide the full suite of services offered. In an effort to ensure the authorized application is making the requests to potentially sensitive resources, they can use digital identification, such as a certificate or onetime session identifier. Other types of identification include tokens, smart cards or smart devices, biometric devices, and even badges for visual and physical access. User Identification Guidelines. There are three essential security practices

regarding identities: • Uniqueness • Nondescriptive • Issuance First and foremost, user identification must be unique so that each person can be positively identified. Although it is possible for a user to have many unique identifiers, each must be distinctive within the access control environment. In short, any function or requirement that will be granted access to the system requires a unique identifier. In the event there are several disparate access control environments that do not interact, share information, or provide access to the same resources, it is possible for duplication. For example, a user’s ID at work is “mary_t,” allowing her to be identified and authenticated within the corporate infrastructure. She may also have a Yahoo e-mail account with the user ID of “mary_t.” This is possible because the corporate access control environment does not interact with services or resources offered by Yahoo’s public services. However, one would rightly conclude this is not a good security practice. Users are prone to duplicating certain attributes, such as passwords, to minimize their effort. Therefore, any duplication, although plausible in certain circumstances, represents a fundamental risk to the enterprise. 148

AU8231_C002.fm Page 149 Saturday, June 2, 2007 1:21 PM

Access Control User identification should not expose the associated role or job function of the user. User ID’s are typically easy to discover, and the process is frankly trivial; it is the password (in a single-factor authentication scheme) that remains the most important attribute. If a user were to be called “cfo,” an attacker would be able to focus energy on that user alone based on the assumption that he is the CFO of the company and would probably have privileged access to critical systems. However, this is practiced quite often. It is very common to have user IDs of “admin,” “finance,” “shipment,” “Web master,” or other representations of highly descriptive IDs. The most predominant is the username “root.” Everyone, including hackers, knows what the username root represents in a system. It is for this very reason that attaining root’s password is so desirable. Unfortunately, in most UNIX systems (systems that typically employ the root user) changing the user or masking that role is impossible. In Microsoft systems it is possible to change the username of the default “administrator” (nearly the equivalent of root in UNIX) to some other nondescriptive name. Clearly, any highly privileged system account, such as root and administrator, represents a target for attackers, and it can be difficult to mask their role. However, traditional users, who may have a broad set of privileges throughout the enterprise, can be more difficult for attackers to isolate as a target. Therefore, establishing a username that is independent of job function or role will act to mask the true privileges of the user. Finally, the process of issuing identifiers must be secure and documented. The quality of the identifier is in part based on the quality of how it is issued. Regardless of security controls, practices, and management, if an identity can be inappropriately issued, the entire system begins to break down. The identifier is the first, and arguably the most important, step in acquiring access. The issuing of IDs must conform to an established and secure process that clearly defines the requirements, such as approval, notification, administration, and allocation of various contracts, that must be met prior to issuance. Moreover, the entire process must be logged and documented accordingly to ensure the process can be verified and audited. Types of Authentication. There are three types of authentication:

• Authentication by knowledge — what a person knows • Authentication by ownership — what a person has • Authentication by characteristic — what a person is or does As you can see, these philosophies correspond to the multiple factors introduced in the “User Controls” section. User authentication factors are represented by something you know (e.g., a password), something you 149

AU8231_C002.fm Page 150 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® have (e.g., a token or smart card), and something you are or do (e.g., biometrics). Single-factor authentication is the employment of one of these factors, two-factor authentication is using two of the three factors, and three-factor authentication is the combination of all three factors. Single-factor authentication is usually associated with a username and password combination. This is unfortunate because the usual reusable (static) password is easily compromised, and therefore provides very limited security. There are a plethora of technical solutions that provide the framework to identify and authenticate users based on this concept. Given the broad use of username and password combinations, most technical solutions will provide this service. Two-factor authentication usually introduces an additional level of technical controls in the form of a physical or biometric device. Typically, this is a token, fob, or smart device that substantiates the user’s identity by being incorporated into the authentication process, such as a username and password. Nevertheless, two-factor authentication can be the combination of any two of the three basic forms of factor authentication. The incorporation can include one-time passwords, such as a time-sensitive number generation, or the existence of a certificate and private key or a biometric. Three-factor authentication will include elements of all three factors and, as such, will include something about the user, such as a biometric feature. Biometrics cover a number of options, such as fingerprints, retina scanning, hand geometry, facial features, and even temperature. The technical personification of this is a device that is used to interface with a person during the authentication process. What a Person Knows. A representation of single-factor authentication, what a person knows, can be associated with the user ID or other unique identifier. As discussed above, this is predominantly a password. A password is typically a short (5 to 15 characters) string of characters that the user must remember to authenticate against their unique identifier. Passwords can be simple words or a combination of two easily remembered words, include numbers or special characters, and range in length and complexity. The more diverse (e.g., complicated) the password is, the more difficult it will be to guess or crack the password. Given that password crackers will typically start with a dictionary, or a collection of words, the use of common words has grown significantly less secure. What was once feasible as a password is now considered a vulnerability.

• Standard words: BoB, Phoenix, airplane, doGWalk are examples of basic words, with some capitalization, that are not considered secure by today’s standards. Unfortunately, this represents the most common passwords used. But system administrators are incorporating password requirements so that the system will not accept 150

AU8231_C002.fm Page 151 Saturday, June 2, 2007 1:21 PM

Access Control such simple passwords. However, applying this type of administrative control is not always possible. • Combination passwords: Air0ZiPPEr, Bean77Kelp, and OcEaNTaBlE12 are examples of mixing dictionary words to help the user remember the password. The inclusion of numbers can help add some complexity to the password. This example represents what a user will create to meet the system requirements for passwords, but these are still somewhat easy for a password cracker to discover. • Complex passwords: Z(1@vi|2, Al!e&N-H9z, and W@!k|nGD2w*^ are examples of passwords that include many different types of characters to introduce a significant level of complexity. Unfortunately, these examples can be difficult for the average user to remember, potentially forcing them to write the password down where it can be discovered. There are several practices to help users produce strong passwords that can be easily remembered. It can be as simple as remembering a keyboard pattern or replacing common letters with numbers and special characters, or characters that represent words that start with the letter being entered, for example, “password” can be P@zS|W0r$. Although not recommended, this password does meet most system requirements; it is over eight characters and uses lower- and uppercase letters, numbers, and special characters. An alternative to passwords is a passphrase. They are longer to enter and typically harder to attack. A passphrase will support all types of characters and spaces, allowing the user to utilize an easier to remember password without sacrificing the integrity. Examples are: • List of names: “Bobby CarolAnn Stuart Martha Mark” is an example of a 33-character passphrase that is very easy for the user to remember, but can be difficult for a password cracker to discover. • Song or phrase: “A long time ago in a galaxy far, far away …” Of course, as a phrase is identified, it is simple to incorporate special characters to replace letters, furthering the complexity. Given the singularity of the password, in that all you need is a username to associate, the confidentiality of the password or passphrase is critical. Passwords must never be passed over a network or stored in cleartext. Unfortunately, old services such as File Transfer Protocol (FTP) do not protect the password from exposure during authentication. It is important to ensure that applications and network-enabled services apply various controls to ensure passwords are not exposed. Additionally, the storage of passwords must be protected. As discussed above, password crackers can be used to attack a password file offline and 151

AU8231_C002.fm Page 152 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® unbeknownst to the system owner. Therefore, the security of the system maintaining the user credentials is paramount. To protect passwords from being exposed, they are typically hashed. A hash function will produce a unique, fixed-length representation of any amount of data. The important aspect is the hash function is inherently one-way.? This means that a hash result cannot be deciphered to produce the original data. Although there are several types of attacks that can be performed to take advantage of weaknesses in the hash algorithm or how it is employed, in nearly all cases the hash cannot be directly manipulated to produce the original data. Of course, as we learned above, password crackers can hash different passwords until a match with the original password hash in a file is found. This is not a weakness of the philosophical attributes of hashing data. It is simply performing an act that a normal system operation would perform, just thousands or potentially millions of times. However, the time to discovery of a password by means of a password cracker is directly related to the complexity of the user’s password and the employment of the hashing algorithm. What a Person Has. In addition to a unique identity, a user may be provided a token or some form of physical device that can be used in lieu of a traditional password or in addition to having a password. The objective is to add another layer of confidence that the user is who he or she claims by the assurance a physical device offers. There are two basic two-factor methods: asynchronous and synchronous. ASYNCHRONOUS. Asynchronous token device is essentially a challenge response technology. Dialogue is required between the authentication service and the remote entity trying to authenticate. Basically, the process is this: The authentication server will provide a challenge to the remote entity that can only be answered by the token that the individual holds in her hands. The token will give the correct response, which is then provided to the authentication server. Without the asynchronous token device, a correct answer to the challenge cannot be generated.

As demonstrated in Figure 2.2, the user makes a request and is challenged. The user will utilize his token to calculate the requested response. For example, the user may enter his PIN in the device, which mathematically produces a unique number. The number is then entered to authenticate. The authenticating system has the ability to perform the same mathematical function to ensure the one-time password is correct. SYNCHRONOUS. Although a very similar scenario, synchronous token authentication is based on an event, location, or time-based synchronization between the requestor and authenticator. The most common and widely adopted version is time based, although smart cards and smart 152

AU8231_C002.fm Page 153 Saturday, June 2, 2007 1:21 PM

Access Control Asynchronous Token Device · Challengeresponse scheme · Based on onetime pad 3. Enter Challenge # and PIN

1. Request sent to Auth. Server 2. Challenge # 7 digits display on Computer 6. Response sent of Auth. Server 5. Enter Response on Computer 4. Read Response on Handheld

Figure 2.2. Asynchronous token process.

tokens can store special credentials that promote event and location authentication schemes (covered in more detail later). In a time-based model, a user will be issued a token or smart device that utilizes an embedded key to produce a unique number or string of characters in a given timeframe, such as every 60 s. When the user makes a request for authentication, she is challenged to enter her user ID and the number that is currently displayed on the token. The authenticating system will know which token is issued to the user and, based on the timing of the authentication request, will know the number that should appear on the device. In addition to the relationship established between user and authenticator based on user ID, the physical possession of the token, and the number generated based on an embedded key and time, the system may request a PIN or password. In many cases, an added entry location will be provided to the user to enter her password. However, some solutions will simply request the user to append her PIN to the end of the token-generated number, furthering the level of confidence that the user identified is who she claims to be. Authentication Devices. There are physical devices, in addition to traditional number generation tokens, that contain credentials for authentication. The credentials, which can only exist on the device, act as a representation of physicality and possession of the device.

There are effectively two forms of authentication devices: • Memory cards • Smart cards The main difference between memory cards and smart cards is the processing power. A memory card holds information, but does not process information. A smart card has the necessary hardware and logic to actually 153

AU8231_C002.fm Page 154 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® process information. A memory card holds a user’s authentication information, so this user only needs to type in a user ID or PIN and present the memory card; if the two match and are approved by an authentication service, the user is successfully authenticated. An example of a memory card is a swipe card that must be used for an individual to be able to enter a building. The user enters a PIN and swipes the memory card through a card reader. If this is the correct combination, the reader flashes green and the individual can open the door and enter the building. Another example is the ATM (automatic teller machine) card. Memory cards can be used with computers, but they require a reader to process the information. The reader adds cost to the process, especially when one is needed per computer, and the overhead of PIN and card generation adds additional cost and effort to the whole authentication process. A memory card provides a more secure authentication method than using a password because the attacker would need to obtain the card and know the correct PIN. Administrators and management need to weigh the costs and benefits of a memory card implementation to determine if it is the right authentication mechanism for their environment. One of the most prevalent weaknesses of memory cards is that data stored on the card is not protected. Unencrypted data on the card (or stored on the magnetic strip) can be extracted or copied. Unlike a smart card, where security controls and logic are embedded in the integrated circuit, memory cards do not employ an inherent mechanism to protect the data from exposure. Therefore, very little trust can be associated with confidentiality and integrity of information on the memory cards. A smart card is a credit card-size plastic card that, unlike a credit card, has an embedded semiconductor chip that accepts, stores, and sends information. It can hold more data than magnetic-stripe cards. The semiconductor chip can be either a memory chip with nonprogrammable logic or a microprocessor with internal memory. Information on a smart card can be divided into several sections: • • • •

Information Information Information Information

that is read only that is added only that is updated only with no access available

There are different types of security mechanisms used in smart cards. Access to the information contained in a smart card can be controlled by: • Who can access the information (everybody, the cardholder, or a specific third party) • How can the information be accessed (read only, added to, modified, or erased) 154

AU8231_C002.fm Page 155 Saturday, June 2, 2007 1:21 PM

Access Control SMART CARDS. The term smart card is somewhat ambiguous and can be used in a multitude of ways. The International Organization for Standardization (ISO) uses the term integrated circuit card (ICC) to encompass all those devices where an integrated circuit (IC) is contained within an ISO 1 identification card piece of plastic. The card is 85.6 × 53.98 × 0.76 mm and is essentially the same as a bank or credit card.

The IC embedded is, in part, a memory chip that stores data and provides a mechanism to write and retrieve data. Moreover, small applications can be incorporated into the memory to provide various functions. There are several memory types, some of which can be implemented into a smart card, for example: • ROM (read-only memory): ROM, or, better yet, the data contained within ROM, is predetermined by the manufacturer and is unchangeable. Although ROM was used early in the evolution of smart cards, it is far too restrictive for today’s requirements. • PROM (programmable read-only memory): This type of memory can be modified, but requires the application of high voltages to enact fusible links in the IC. The requirements for high voltage for programming made it unusable for ICC, but many have tried. • EPROM (erasable programmable read-only memory): EPROM was widely used in early smart cards, but the architecture of the IC operates in a one-time programmable mode (OTP), restricting the services offered by the ICC. Moreover, it required ultraviolet light for erasing the memory, making it difficult for the typical organization to manage cards. • EEPROM (electrically erasable programmable read-only memory): EEPROM is the IC of choice because it provides user access and the ability to be rewritten, in some cases, up to a million times. Clearly this provides the services smart cards need to be usable in today’s environment. Typically, the amount of memory will range from 8 to 256 KB. • RAM (random-access memory): Up until this point, all the examples were nonvolatile, meaning that when power is removed, the data remains intact. RAM does not have this feature, and all data is lost when not powered. For some smart cards that have their own power source, RAM may be used to offer greater storage and speed. However, at some point the data will be lost — this can be an advantage or disadvantage, depending on your perspective. However, memory alone does not make a card “smart.” In the implementation of an IC, a microcontroller (or central processing unit) is integrated into the chip, effectively managing the data in memory. Control logic is embedded into the memory controller providing various services, least of which is security. Therefore, one of the most interesting aspects for smart 155

AU8231_C002.fm Page 156 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® cards — and their use in security-related applications — is founded on the fact that controls associated with the data are intrinsic to the construction of the IC. To demonstrate, when power is applied to the smart card, the processor can apply logic in an effort to perform services and control access to the EEPROM. The logic controlling access to the memory is a significant attribute in ensuring that data, such as a private key, is not exposed. Smart cards can be configured to only permit certain types of data, such as public key certificates and private keys, to be stored on the device, but never accessed directly by external applications. For example, a user may request a certificate and a corresponding public and private key pair. Once the keys and certificate are provided to the user, the user may have the opportunity to store the certificate and private key on the smart card. In these cases, some organizations will establish a certificate policy that only allows the private key to be exported once. Therefore, the private key is stored permanently on the smart card. However, smart cards will typically contain all the logic necessary to generate the keys during a certificate request process. In this scenario, the user initiates a certificate request and chooses the smart card as the cryptographic service provider. Once the client system negotiates with the certificate authority, the private key is generated and stored on the smart card in a secure fashion. When organizations select this strategy, the keys are nonexportable and tied to the owner of the card. A very similar process is utilized to leverage the private key material for private key processes, such as digitally signing documents. Data is prepared by the system and issued to the smart card for processing. This allows the system and user to leverage the key material without exposing the sensitive information, permitting it to remain in a protective state on the smart card. To allow these functions and ensure the protection of the data, programs are embedded in portions of the memory that the processor utilizes to offer advanced services. We will discuss these in more detail later. Nevertheless, simply put, a smart card has a processor and nonvolatile memory, allowing it to be smart as well as secure. To bring all this together, the following are examples of smart card features that are typically found on a common smart card today: • 64-KB EEPROM: This is the typical amount of memory found on contemporary cards. • 8-bit CPU microcontroller: This is the small controller where several forms of logic can be implemented. For example, it is not uncommon for a processor to perform cryptographic functions for DES, 3DES, RSA 1024 bit, and SHA-1, to name a few. 156

AU8231_C002.fm Page 157 Saturday, June 2, 2007 1:21 PM

Access Control • Variable power, 2.7 to 5.5 V: Given advances in today’s IC substrate, many cards will operate below 3 V, offering longer life and greater efficiencies. Alternatively, they can also operate up to 5.5 V to accommodate old card readers and systems. • Clock frequency, 1 to 7.5 MHz: In the early developments of smart card technology, the clock was either 3.57 or 4.92 MHz, mostly because of the inexpensive and prolific crystals that were available. In contrast, today’s IC can operate at multiple speeds to accommodate various applications and power levels. • Endurance: Endurance refers to the number of write/erase cycles. Obviously, this is important when considering smart card usage. Typically, most smart cards will offer between 250,000 and 500,000 cycles. Considering the primary use of a smart card in a security scenario is permitting the access to read data on the card, it is highly unlikely that someone would reach the limits of the IC. However, as more complex applications, such as Java, are integrated into the IC, there will be more management of the data, forcing more cycles upon each use. • Data retention: User data and application data contained within the memory have a shelf-life. Moreover, that life span is directly related to the temperature the smart card is exposed to. Finally, the proximity to some materials or radiation will affect the life of the card’s data. Most cards offer a range between 7 and 10 years of data retention. It is important to understand that a smart card is effectively a computer with much of the same operational challenges. There is the IC, incorporating the processor and memory; the logic embedded in the processor that supports various services; applications built into the processor and housed on the EEPROM for on-demand use; protocol management, how it is supposed to interface with other systems; and managing the data. All these and more exist in a very small substrate hidden in the card and will only become more complex as technology advances. At the most basic level, there are two types of smart cards, and the difference is founded on how they interact with other systems — contact cards, which use physical contact to communicate with systems, or contactless cards, which interface using proximity technology (Figure 2.3). Contact cards are fairly self-explanatory. Based on ISO 7816-2, a contact ICC provides for eight electrical contacts (only six are used) to interact with other systems or devices. The contacts on a smart card, as shown in Figure 2.4, provide access to different elements of the embedded IC. The contact designation (Cn) starts with C1, Vcc, and continues counterclockwise around the plate (see Table 2.1). Contactless cards, those founded on proximity communications, are growing in demand and in use. They are increasing in adoption because of 157

AU8231_C002.fm Page 158 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK®

Figure 2.3. Smart cards.

Figure 2.4. Contact plate.

durability, applications in use, speed, and convenience. They eliminate the physicality of interacting with disparate systems, reducing the exposure to damage that contact cards have with the plate or magnetic strip. Finally, a contactless card offers a multitude of uses and opportunity for integration, such as with cell phones or PDAs. Typically, the power and data interchange is provided by an inductive loop using low-frequency electronic magnetic radiation. ISO 14443 defines the physical characteristics, radio frequency power and signal interface, initialization and anticollision, and transmission protocol for contactless cards. The proximity coupling device (PCD) provides all the power and signaling control for communications with the card, in this case referred to as a proximity integrated circuit card (PICC). The PCD produces a radio frequency (RF) field that activates the card once it is within the electrometric field loop. The frequency of the RF operating field is 13.56 MHz ± 7 kHz and operates constantly within a minimum

158

AU8231_C002.fm Page 159 Saturday, June 2, 2007 1:21 PM

Access Control Table 2.1. Contact Descriptions Contact

Designation

Use

C1

Vcc

C2

RST

C3

CLK

C4 C5

RFU GND

C6

Vpp

C7

I/O

C8

RFU

Power connection through which operating power is supplied to the microprocessor chip in the card Reset line through which the interface device (IFD) can signal to the smart card’s microprocessor chip to initiate its reset sequence of instructions Clock signal line through which a clock signal can be provided to the microprocessor chip; this line controls the operation speed and provides a common framework for data communication between the IFD and the ICC Reserved for future use Ground line providing common electrical ground between the IFD and the ICC Programming power connection used to program EEPROM of first-generation ICCs Input/output line that provides a half-duplex communication channel between the reader and the smart card Reserved for future use

and maximum power range. When a PICC is incorporated into the loop, the PCD begins the communication setup process. There are two types of modulation (or signal types), type A and type B, that the PCD alternates until a PICC is incorporated and interacts on a given interface. The important point is that both types support 106 kbps in bidirectional communications. This can be best described as selecting what is the equivalent to layers 1 and 2 of the OSI model for computer networking. Many of the PICC and PCD solutions today are provided by or founded on Mifare and host ID (HID) products and solutions, the de facto in proximity solutions. A major advantage to smart cards is that the log-on process is done at the reader instead of at the host. Therefore, the identifier and password are not exposed to hackers while in transit to the host. In an increasingly online environment, where critical information and transactions are exchanged over open networks, security is key. New technologies involve smart cards, readers, and tools incorporating public key infrastructure (PKI) technologies to provide everything from authentication to network and information security functions on a single card platform. Features include: • Secure log-on • Secure e-mail/digital signatures 159

AU8231_C002.fm Page 160 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® • Secure Web access/remote access • Virtual private networks (VPNs) • Hard disk encryption For organizations considering smart cards, there are the physical uses of the card, the security uses, and even application extension uses. Although each is helpful in its own right, the value is in the singularity of the solution — a card. Therefore, if any of the uses below are seen as meaningful options, nearly by default all others are plausible and offer potential for significant returns on related investments. Typically, the way smart cards are used for accessing computer and network resources is that a user inserts the smart card into a reader and then enters the PIN associated with that card to unlock the services of the card. In such a scenario, the first factor of security is providing something you have — a smart card. The second factor in this case is providing something you know — the PIN. The data on the card, validated by the existence of the card in combination with the access authenticated by the PIN, offers integrity to the two-factor authentication process. With a smart card, there is a level of added integrity. The PIN provides access to the information on the card (not simply displayed as with a token), and the key on the device is used in the authentication process. When used in combination with certificates, the system participates in a larger infrastructure to provide integrity of the authentication process. Below is a summary of smart card capabilities: • • • • • • •

Can store personal information Have a high degree of security and portability Have tamper-resistant storage Can isolate security-critical computations within Offers secure enterprisewide authentication Used in encryption systems to store keys Offers capability to perform encryption algorithms on the card

What a Person Is. The ability to authenticate a user based on physical attributes about his person or other characteristics unique to him is possible due to biometric technology. Biometrics is the use of sophisticated technology to determine specific biological indicators of the human body or behavioral characteristics that can be used to calculate uniqueness.

There are two types of biometrics: • Physiological • Behavioral PHYSIOLOGICAL. A physiological biometric is representative of acquiring information about unique, physical attributes, such as a fingerprint, of the 160

AU8231_C002.fm Page 161 Saturday, June 2, 2007 1:21 PM

Access Control user. The user interfaces with the device to provide the information; the device performs a measurement (potentially several times), makes a final determination, and compares the results with the information stored in the control system. Following is a discussion about some of the commonly used physiological biometric systems. Fingerprints are unique to each person and have been used for years to identify people. One of the earlier forms of easily accessible biometric systems was based on fingerprint analysis. Today, fingerprint biometric PCMCIA (Personal Computer Memory Card International Association) thumb reader cards can be purchased and quickly utilized. Moreover, the technology has become so commonplace that USB memory fobs have incorporated fingerprint readers into the datastick to authenticate its use. Hand geometry is a technique that will attempt to discern several attributes about a person’s hand to gather enough information to draw conclusions on identity. The system may measure tension in the tendons in the hand, temperature, finger and bone length, and hand width, among several others. Palm or hand scans can be best described as a combination between certain capabilities of hand geometry and fingerprint analysis. The user’s hand is typically placed flat on a special surface where, again, several points of information are collected and combined to make a determination on the user’s identity. Up until this point, the human elements discussed have been relegated to the hand. However, the face and eyes offer another aspect of individuality that can be harnessed by a biometric device to determine and authenticate identity. There are two primary aspects of the human eye that can be investigated: the retina and iris. Each is unique to an individual to each eye. The retina is effectively the back of the eye. There are blood vessels that can be scanned to identify distinctive patterns. The iris is the colored material surrounding the pupil that governs the amount of light permitted to enter the eye. Again, each one has granularity characteristics that will identify the individual. Voice patterns and recognition are regularly used for identification and authentication. In recent history, the advancement in speech recognition has added to the technology’s viability. Voice pattern matching investigates how a user speaks. Typically, the user will associate with the system by saying several different words, including her name. When authentication occurs, the user typically says her name and the system matches the results with the expected pattern, supported by metrics gathered during the use of other words spoken during the association. The system is attempting to determine the unique sounds produced by the human during speech. With the addition of speech recognition, the system can identify 161

AU8231_C002.fm Page 162 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® what is said as well as how it is spoken. Therefore, a passphrase can be used in combination with a person’s name to authenticate on multiple levels. Again, as with other forms of multifactor authentication, other elements are used, such as a PIN, smart card, swipe card, or even another biometric system, such as fingerprint input. Finally, the entire face can be used by a system to visually verify geometry and heat signatures that correspond to skull structure and tissue density. BEHAVIORAL. The act of determining unique characteristics about a person from patterns in their actions has emerged as a viable approach to biometrics. The most prevalent of these methods is keystroke dynamics. As mentioned above, in many cases with multifactor authentication, the password (passphrase, PIN, or something else the users knows) is incorporated into the process. Keystroke pattern analysis is adding a biometric measurement to the user’s authentication process based on the fact that people enter the same information differently. For example, a user is prompted for a traditional username and password. He enters the information, but the system measures how he entered his password. If the password is correct, but the biometric pattern is wrong, he will be denied access.

In addition to keystroke authentication, an emerging solution is signature dynamics. Much like voice patterns, a user can sign her name on a digital interface, allowing the system to not only infer the context of the signature, but also measure stroke speed, acceleration and deceleration, and pressure. Law enforcement and forensics have been leveraging the science of handwriting dynamics for many years. They inspect the physical nature of the signature to identify known characteristics that indicate forgeries. For example, if the paper (or material) shows signs that intense pressure was applied, it could indicate a copy or intensity, representative of someone uncomfortable during the signing — a rarity for normal signing processes. Moreover, pauses or slow movement in specific areas typically associated with fast or light areas of the signature can be identified by an investigator. Again, signs of a forgery. These same principles are utilized by a pressure-sensitive digital interface to detect a divergence from expected signing practices. SUMMARY. As far as “what a person is” in the realm of biometrics, the truly unique biometric characteristics are fingerprint, retina, and iris. These are the three biometric options that represent the greatest diversity with the lowest range of measurement. In other words, the patterns found in the eye and on the finger have been proven to be unique. Moreover, the technical and mathematical processes of measuring these human attributes are proven technology. Unlike other physiological and behavioral biometric possibilities, the eyes and fingers represent the best combination of accurate measurement of a proven human characteristic. 162

AU8231_C002.fm Page 163 Saturday, June 2, 2007 1:21 PM

Access Control Important Elements of Biometrics. Biometrics represents a measurement of key physical attributes of a given person. Unlike passwords, tokens, or smart devices, which offer a high degree of accuracy and confidence in the transaction based on limited possibilities in measurement, biometrics, by their very nature, are prone to failure.

A password can be hashed and verified. The measurement process is static: the algorithm. Tokens, especially synchronous tokens, are founded on a strict measurement framework, such as time. When an error occurs in token-based authentication, it is typically because the time window between authentication and number creation on the token has shifted, causing an error. This is a common and sometimes expected error, and the authentication failure is in the direction of denial of access. In the case with smart cards, there is no measurement dynamic and the card adheres to established technical and physical standards. In stark contrast, biometrics is effectively a technical and mathematical guess. How a biometric device responds can be affected by hundreds, if not thousands, of environmental variables. Temperature, humidity, pressure, and even the medical condition of the individual represent changes the measurement process must try to cope with. If a person is ill or a woman is pregnant, iris scans, facial recognition, and hand geometry may fail. (Note: It is for this reason that biometrics has not been widely deployed for public use. Privacy issues are numerous.) Therefore, the accuracy, or the ability to separate authentic users from imposters, is essential to the calculated risk of use. There are three categories of biometric accuracy measurement (all represented as percentages): • False reject rate (type I error): When authorized users are rejected as unidentified or unverified. • False accept rate (type II error): When unauthorized persons or imposters are accepted as authentic. • Crossover error rate (CER): The point at which the false rejection rates and the false acceptance rates are equal. The smaller the value of the CER, the more accurate the system. As demonstrated in Figure 2.5, the level of sensitivity translates into varying levels of false rejections and false acceptance. The lower the sensitivity, the more prone the system is to false acceptance. With low sensitivity, the system may offer a broad margin of error or disparity in the determination of the metrics measured. It can also be represented as not acquiring enough meaningful data to discern the authorized from the unauthorized. If the system is overly sensitive, it may apply too much granularity to the process, resulting in a level of investigation that is prone to environmental changes or minor changes in the person. In both cases, there is a point of infinity and neutrality. Not sensitive enough, and anyone 163

AU8231_C002.fm Page 164 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK®

Figure 2.5. Crossover error rate.

is authorized; too sensitive, and no one gets through. Neutrality is achieved by tuning the system so the rates intersect at a midpoint. The lower the intersection point between the two rates, the more accurate the system is overall. It is important to understand the relationships and measurements, because the trends in either direction are not mathematically consistent. Moreover, the level of intersection will expose hardware issues. For example, if the lowest attainable intersection is at 20 percent, regardless of sensitivity adjustments, the system is clearly failing consistently at an unacceptable level. Also, the key is to attain the lowest possible intersection rate at the greatest possible sensitivity. Therefore, the optimal CER location is in the bottom right of the graph (Figure 2.6). In this light, although the lowest CER rate is desired, the less the sensitivity applied to push the intersection down, the greater the potential for failure. For example, while the intersection is the lowest with less sensitivity, the system is susceptible to changes in the environment promoting

Figure 2.6. Optimal crossover error rate. 164

AU8231_C002.fm Page 165 Saturday, June 2, 2007 1:21 PM

Access Control false acceptance. Therefore, it may be necessary to sacrifice a slightly higher intersection to accommodate unforeseen dynamics. Finally, the practice of tuning to the side of false rejections offers confidence that there is less potential for unauthorized access, albeit at the risk of introducing some added false rejections. The key is in the delta between the two and the relative sensitivity gained. As shown in Figure 2.6, the level of sensitivity is increased by nearly a third, while only increasing the potential for false rejections by a nominal percentage. As one would rightly conclude, the ability to tune the system and make determinations on what is optimal for a specific solution is directly relative to the level of risk and the importance of the controls. In short, the crossover error rate must be appropriate to the application. Biometric Considerations. In addition to the access control elements of a biometric system, there are several other considerations that are important to the integrity of the control environment. These are:

• • • •

Resistance to counterfeiting Data storage requirements User acceptance Reliability and accuracy

First and foremost is resistance to counterfeiting. Portrayed in movies, a person gets his finger cut off or eye removed by the villain to be used to gain unauthorized access to a super-secure room. In nearly all cases, a biometric system will employ simple metrics, such as heat, blood pressure, or heart rate, to add further confidence in the process. A very popular activity is the mimicking of a human thumb to fool a fingerprint reader. The perpetrator places a modified, thin layer of gummy bear jelly on his finger to gain unauthorized access. The thin coating, with the fingerprint of the authorized user incorporated, allows heat, pressure, and other simple metrics to be fooled because there is a real finger behind the coating. If the imposter knows the user’s PIN and has her physical credentials, the attack is probable, although unlikely. Nonetheless, a highly determined and sophisticated attacker could identify biometric weaknesses and take advantage of them by counterfeiting what is measured. Although arguably very complicated, it is feasible and therefore must be considered. Beyond the tuning of the system to the upper, optimal range and adding other identification and authentication requirements, there is little one can do; he or she is at the mercy of the product vendor to incorporate added investigative controls. A biometric system has to be trained for a given user during association. For example, a user may have to talk into a microphone, look into a scanner, or provide a fingerprint several times before the system can obtain enough data to make future decisions. During this process, the system is 165

AU8231_C002.fm Page 166 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® gathering highly sensitive and private information about the physical attributes of the user. The security of the data storage is paramount. Not unlike securing the hashed passwords on a system so that it does not fall into the hands of an attacker with a password cracker, the information about a user’s physical attributes can be used against the system or even the user. Great care and consideration must be applied to the security of the system’s authentication data to protect the system, the organization, and the user’s privacy. User acceptance can be a significant barrier to meaningful adoption of biometrics. People have understandable concerns about lasers scanning the insides of their eyes and the potential exposure of very private information, such as health status. For example, a biometric system may be able to detect a drug addiction, disease, or pregnancy before the woman knows she is pregnant. Clearly, information of this type represents a concern to users, and understandably so. In some scenarios, these concerns are nullified by the simple fact that the process is required by a job position or role within an organization — a necessary evil. A good example is the Pentagon, the central military facility in the United States, which employs a wide array of biometric systems that you must use and abide by as a member of the government. In contrast, there have been several attempts in the private sector to incorporate biometric systems to simplify customer interaction, such as with automatic teller machines (ATMs). Unfortunately, these endeavors failed due to poor user adoption, probably because of the aforementioned concerns. Finally, user acceptance may be hindered by the intrusiveness of the system. Some people may not find it intrusive to place their thumb on a reader, while others may be uncomfortable with perceptions the of sanitary condition of the device. Placing your hand on a device or looking into a system requires close personal interaction that may exceed an individual’s threshold of personal space. In addition to accuracy, detailed above, the reliability of the system is important. For example, passport control points in airports, theme parks, or other areas that can utilize biometrics for the public are typically used a lot and may be in a location that exposes the system to the elements. Sea World in Florida uses hand geometry biometrics for annual members. Members receive a picture identification card that is swiped at the entry point, and they insert their hand into the reader. The system will be used by thousands of people in a given year, and these devices are outside, exposed to the elements. The reliability of the system to perform, and perform at an acceptable level of accuracy, must be considered. Beyond physical dependability, and related more so to accuracy, is the reliability of the solution. The standard enrollment process should take roughly two minutes per person. A system should be able to reliably obtain 166

AU8231_C002.fm Page 167 Saturday, June 2, 2007 1:21 PM

Access Control enough information for future authentication requirements. In the event the system takes longer, it may affect user acceptance, raise questions of capability, and reduce confidence in the system. Moreover, the average authentication rate — speed and throughout — is six to ten seconds. A reliable system should be able to attain these levels of performance. When considering the role of biometrics, its close interactions with people, and the privacy and sensitivity of the information collected, some disadvantages begin to arise. The most significant is the inability to revoke the physical attribute of the credential. In contrast, a token, fob, or smart card can be confiscated. This limitation requires significant trust in the biometric system. If a user’s biometric information were to be captured in transit or counterfeited via a falsified reader, there are few options to the organization to (1) detect that the attack has occurred and (2) revoke the physical credential. The binding of the authentication process to the physical characteristics of the user can complicate the revocation or decommissioning processes. Finally, biometric technology excels at performing authentication. Biometrics collect specific information in a relatively controlled, localized environment and perform what amounts to comparative calculation of expected data. In stark contrast, biometrics do not perform well for identification purposes, such as face scanning for terrorists in a crowd. Authentication Method Summary. We have covered a large amount of information about identification and authentication techniques, technology, and processes. However, how do these solutions compare? As demonstrated in Figure 2.7, the level of capability and confidence increases as more factors are included in the identification and authentication process and what types.

The strength of authentication methods will vary, but generally, biometrics tends to provide higher security than any of the others. The way to interpret Figure 2.7 is to simply understand that as we move from left to right, we are increasing the strength provided by the authentication method. Something you are provides more security than something you know. One would rightly conclude that greater security controls will translate into increased implementation and support costs. Unmistakably, deploying a username and password access control system to all your users costs significantly less than deploying a token-based solution. As shown in Figure 2.8, as the complexity of the solution increases, so does the cost. The value to the business is what is being measured and demonstrated, not the strength of a given solution. For example, it may cost less to deploy fingerprint readers than it would to do the same for tokens, whereas a fingerprint solution has the potential to be a much stronger authentication solution. 167

AU8231_C002.fm Page 168 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK®

Figure 2.7. Authentication method comparison.

Figure 2.8. Authentication method cost versus business value.

168

AU8231_C002.fm Page 169 Saturday, June 2, 2007 1:21 PM

Access Control

Figure 2.9. Cost versus risk.

The value, or perception of value to the business, is directly related to risk and the determined level of controls for a collection of assets. As with anything in the realm of security, the cost of controls is related to the value of what is protected. Moreover, controls should be balanced. An iris scanned to gain access to a secured floor in a building does not mean much when people can walk out with sensitive materials or e-mail data to an anonymous account. As shown in Figure 2.9, risk analysis is key, and a balanced, pragmatic approach will help determine the level of authentication for an organization. Therefore, strength can relate, to some degree, to cost and ultimately risk. Identity and Access Management Access control services represent the systems and system architecture of the access control environment. The services that are offered speak directly to the core attributes of a control solution; they are: • Identification: Asserts user identity. • Authentication: Verifies who the user is and whether access is allowed. • Authorization: What the user is allowed to do. • Accountability: Tracks what the user did and when it was done. A typical control architecture is comprised of three systems: • Host • Requestor • Authenticator

169

AU8231_C002.fm Page 170 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® The host is the system, user, application, or service providing an identification and authentication interface. The requestor, also referred to as the network access server (NAS), is the system providing a challenge to the host. The authenticator is the system performing the validation of the user’s credentials. A simple example is a user logging into a remote-access solution, such as a VPN. The user attempts to connect from the host to the VPN device (i.e., NAS, requestor), which in turn issues a challenge to the host for authentication. To verify the host’s credentials, the requestor interacts with the authenticator, such as a Microsoft active directory, to validate the user. Identity Management Identity management is a much used term that refers to a set of technologies intended to offer greater efficiency in the management of a diverse user and technical environment. Identity management is intended to solve the difficulties of managing the identity of employees, contractors, customers, partners, and vendors in a highly complex organization. Identity management systems are IT infrastructure designed to centralize and streamline the management of user identity, authentication, and authorization data. As demonstrated in Figure 2.10, identity management addresses all aspects of controlling access, with a focus on centralized management. Given the complexity of modern organizations and the diversity of business requirements, many access control infrastructures grow convoluted and difficult to manage. Enterprises will operate a vast array of IT infrastructure, including: • Network operating systems • A variety of servers

Figure 2.10. Identity management overview. 170

AU8231_C002.fm Page 171 Saturday, June 2, 2007 1:21 PM

Access Control

Figure 2.11. Common complex environments.

• • • • • •

User directories Human resources, payroll, and contract management systems A variety of line-of-business applications Customer relationship management (CRM) systems Electronic commerce applications Enterprise resource management systems planning (ERP)

The result of maintaining and supporting a diverse environment to support a broad spectrum of business services is the need to provide access to a collection of different users, such as: • • • • •

Employees Contractors Partners Vendors Customers

As shown in Figure 2.11, almost every system must track valid users and control their permissions for a given system. The diversity of these systems — each with their own administration software, people, and processes — and the fact that users typically access multiple systems, makes managing this data about users difficult at best, and an obstacle to doing business at worst. Identity management technologies attempt to simplify the administration of this distributed, overlapping, and sometimes contradictory data about the users of an organization’s information technology systems. 171

AU8231_C002.fm Page 172 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK®

BACKLOGS

Request for Access Generated

New Use REQUESTS DELAYED

Administrators

GROWING RESOURCES

Policy and Role Examinated

MISSING AUDIT TRA II

IT in Box

Approval Routing

ERRORS

INCOMPLETE REQUEST FORMS

Figure 2.12. Inefficiencies in provisioning. Identity Management Challenges. One of the most significant business problem areas that identity management seeks to solve is provisioning of users, the associated processes, oversight, and management.

Typically, when an employee is hired, a new user profile is created and stored in an HR database and a request for access is created. Then, the user profile is compared to a company’s role–authorization policies. The request is then routed for the necessary approval, and sent to the IT department if approval is granted. Finally, the IT department submits the approved request to various system administrators to provision user access rights. The user is provisioned, and the approval is recorded in a history file (Figure 2.12). The problems that arise from using these methods include: • • • • • • •

172

Requests for access rights are backlogged, jamming user productivity. Requests are delayed. Cumbersome policies cause errors. Request forms are not fully completed. The number of resources across your enterprise is growing. Precise audit reports are rarely maintained. Many profiles and users are dormant or associated with departed employees, making them invalid.

AU8231_C002.fm Page 173 Saturday, June 2, 2007 1:21 PM

Access Control The need for identity management is mostly founded on limitations of existing capacity, increasing cost, and burgeoning inefficiencies that stem from growing business demands. The potential negative impacts are: • Loss of business productivity • Long deployment cycles adversely affecting business productivity • Increasing number of access points creating more potential breach points • Increasing number of single point of failures Key management challenges regarding identity management solutions are: • Consistency: User profile data entered into different systems should be consistent. This includes name, log-in ID, contact information, termination date, etc. The fact that each system has its own user profile management system makes this difficult. • Efficiency: Setting a user to access multiple systems is repetitive. Doing so with the tools provided with each system is needlessly costly. • Usability: When users access multiple systems, they may be presented with multiple log-in IDs, multiple passwords, and multiple sign-on screens. This complexity is burdensome to users, who consequently have problems accessing systems and incur productivity and support costs. • Reliability: User profile data should be reliable, especially if it is used to control access to sensitive data or resources. That means that the process used to update user information on every system must produce data that is complete, timely, and accurate. • Scalability: Enterprises manage user profile data for large numbers of people. There are typically tens of thousands of internal users and hundreds or thousands of partners or clients. Any identity management system used in this environment must scale to support the data volumes and peak transaction rates produced by large user populations. Identity Management Technologies. The foundation of a comprehensive identity management solution is the systems focused on streamlining the management process and managing data consistently across multiple systems. A typical enterprise will have many users with various access requirements for a diverse collection of data and application services. To bind the user to established policies, processes, and privileges throughout the infrastructure, several types of technologies are utilized to ensure consistency and oversight.

Technologies utilized in identity management solutions include: 173

AU8231_C002.fm Page 174 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® • • • • • •

Directories Web access management Password management Legacy single sign-on Account management Profile update

Directories. A corporate directory is a comprehensive system designed to centralize the management of data about an assortment of company entities. A directory will contain a hierarchy of objects storing information about users, groups, systems, servers, printers, etc. The directory is stored on one or more servers that may replicate the data stored, in part or in whole, to other directory servers. The objective, as with many multisystem, distributed environments, is to ensure scalability and availability. Client and other applications will normally access data stored in a directory by means of a standard protocol, such as the Lightweight Directory Access Protocol (LDAP).

Directories offer a valuable service to the enterprise that can be used in a multitude of ways to support a vast array of people, processes, and technology. Most importantly, given the nature of a centralized collection of user data, directories are used by many applications to avoid replication of information and simplify the architecture. Using directories, it is possible to configure several applications to share data about users, rather than having each system manage its own list of users, authentication data, etc. A key limitation of directories and their role in simplifying identity management is integration with legacy systems. Mainframes, old applications, and other outdated systems simply do not support the use of an external system to manage their own users. Example directory vendors include: • • • • • • •

Critical Path IBM/Tivoli Microsoft Novell Oracle Siemens Sun/iPlanet

There are, however, several free versions of directory software available that can be helpful for learning the idiosyncrasies of directories and their role in enterprise data management. Web Access Management. Once a directory is in place, it is possible to quickly leverage the data to manage user identity, authentication, and 174

AU8231_C002.fm Page 175 Saturday, June 2, 2007 1:21 PM

Access Control authorization data on multiple Web-based applications using a Web access management (WAM) solution. These solutions replace the sign-on process on various Web applications, typically using a plug-in on the front-end Web server. When users authenticate for the first time into the Web application environment, they maintain that user’s authentication state as the user navigates between applications. Moreover, these systems normally also define user groups and attach users to privileges on the managed systems. These systems provide effective user management and single sign-on in Web environments. They do not, in general, support comprehensive management of the entire access control environment and legacy systems. Nevertheless, WAM has offered a meaningful solution for Web environments to help organizations manage multiple Internet users accessing a collection of Web-based applications. For this reason, Web access management tools have been rapidly adopted by organizations seeking more efficient methods for managing a large number of users for a select group of applications. Vendors with access management products include: • • • • • • • • • • •

Baltimore Entegrity Entrust IBM Microsoft Netegrity Novell Oblix Open Network Technologies RSA Wipro

Password Management. Traditional users will log into systems with a username and password combination. Because passwords may be compromised over time, it is prudent to periodically change passwords. Most modern systems can be configured easily to require users to change their password at predefined intervals, in addition to offering tools and simplified processes for users. Most enterprise organizations enforce a password change interval ranging from 30 to 90 days.

When users have multiple passwords, on multiple disparate systems, that expire on different dates, they tend to write them down, store them insecurely (i.e., password.txt on the desktop), or replicate the password across multiple systems. For example, in the absence of a password management system incorporated into a larger identity management solution, a user may have the same password for several systems and simply rotate 175

AU8231_C002.fm Page 176 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® a set of three or four, making it very easy to remember, but equally easy for an attacker. A password management system is designed to manage passwords consistently across multiple platforms. This is usually achieved by a central tool synchronizing passwords across multiple systems. However, other features include assisting users and management with mundane tasks. For example, users who forget their password or trigger a lockout from too many failed attempts may be offered alternative authentication mechanisms to gain specific access to utilities to reset their password and system lockout. It is not uncommon for an organization to issue multifactor authentication tokens that are used, in part, for providing utilities so users can self-manage their accounts and passwords on other, potentially older or nonintegrated systems. In the event that an alternative authentication mechanism does not exist, password management will allow administrators or support staff to reset forgotten or disabled passwords. Another feature of a password management system, and regularly employed on large Internet sites, is a registration process that incorporates questions whose answers are private to that user, allowing him to manage his account, such as resetting the password. Vendors with password management products include: • • • • •

Blockade Courion M-Tech Net Magic Proginet

Legacy Single Sign-On. Single sign-on (SSO) is a term used to describe the user experience when accessing one or more systems. Users who log into many systems will prefer to sign into one master system, and thereafter be able to access other systems without being repeatedly prompted to identify and authenticate themselves.

There are numerous technical solutions that offer SSO to users, but many are associated with the centralization of user data, such as a directory. As demonstrated above, many legacy systems do not support an external means to identify and authenticate users. Therefore, it is possible to store the credentials outside of the various applications and have them automatically entered on behalf of the user when an application is launched. Legacy single sign-on systems provide a central repository of a user’s credentials, such as user IDs and passwords associated with the suite of applications. Users launch various applications through the SSO client software, which opens the appropriate client program and sends keystrokes to that program, simulating the user typing his own log-in ID and password. 176

AU8231_C002.fm Page 177 Saturday, June 2, 2007 1:21 PM

Access Control Today, many of these solutions are based on the possession of a smart card, secured by a PIN, that stores the user’s array of credentials in the memory of the card. In addition to a smart device loaded with credentials, software is loaded into the system that is designed to detect when the user is prompted for authentication. Upon discovery, the user is typically asked whether to learn the new application or ignore it in the future. If the system is told to learn it, it collects the identification and authentication information from the user, stores it securely on the system, and populates the fields on behalf of the user. From that point forward, the user must only remember the passphrase to unlock the smart device, so that the system can gain access to the collection of identification and authorization materials. There are also solutions that store the user’s credentials on a central system. Once authenticated to the primary SSO system, the user credentials are provided to the end system for downstream use. However, there are some limitations and challenges presented by the use of a legacy SSO solution. First, given that the applications are completely unaware of the slight of hand by the system, when a user must change his or her password within the application, it must also be changed in the system providing the SSO services. For example, very much like the smart card used in the above example, SSO software may be loaded on the client system that collects, stores, and encrypts the user’s credentials. In both scenarios, the user must change the stored password to reflect the new password in the application. Seeing that the systems are not incorporated, any change in either system will require replication, or the process will fail. Next is cost. The price of smart devices or simply the SSO software can become cost-prohibitive for a large environment. If the solution is based on a centralized SSO system that users log into to collect their IDs and passwords, there are additional costs to ensure availability of the system. If the entire user population utilizes the SSO system to gain access to enterprise applications and it were to fail (a classic single point of failure example), activity would come to a rapid halt. One of the more prevalent concerns is the fact that all of a user’s credentials are stored in a single instance. For example, if someone were to crack the SSO password, they would effectively have all the keys to the kingdom. Some vendors with SSO products include: • • • • •

Computer Associates IBM/Tivoli Novell RSA Passlogix 177

AU8231_C002.fm Page 178 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Account Management. One of most costly, time-consuming, and potentially risk-laden aspects of access control is the creation, modification, and decommissioning of users. Many organizations consume inordinate amounts of resources ensuring the timely creation of new system access, adjustments of user privileges to reflect changes in responsibilities, and termination of access once a user leaves.

Although Web access management addresses this problem for a Webbased environment, most enterprises are heterogeneous, with multiple types and versions of systems and applications, each with potentially different account management strategies and capabilities. For example, ERP systems, operating systems, network device systems, mainframes, database servers, and more, typically have difficulty in interacting with a centralized directory. Moreover, for those that can attain data from a directory, there may be limitations to the degree of control available to the system. As a result, user management processes must be performed on each system directly. Access management attempts to streamline the administration of user identity across multiple systems. They normally include one or more of the following features to ensure a central, cross-platform security administration capability: • A central facility for managing user access to multiple systems at once. • A workflow system where users can submit requests for new, changed, or terminated systems access, and these requests are automatically routed to the appropriate people for approvals. Approved requests trigger creation of accounts and allocation of other resources. • Automatic replication of data, particularly user records, between multiple systems and directories. • A facility for loading batch changes to user directories. • Automatic creation, change, or removal of access to system resources based on policies, and triggered by changes to information elsewhere (for example, in an HR system or corporate directory). • Account management systems focus on insiders, because outsiders are already well served by Web access management systems, which typically manage this data in a single directory (e.g., using LDAP). Account management systems sometimes also include a simple password management capability. As with Web access management systems, this capability is usually limited. The major drawback of access management systems is deployment time and cost. Some systems can take literally years to deploy. Some vendors with access management products include: 178

AU8231_C002.fm Page 179 Saturday, June 2, 2007 1:21 PM

Access Control • • • • • • •

Access360 BMC Business Layers Computer Associates IBM/Tivoli M-Tech Waveset

Profile Update. Profiles are a collection of information associated with the identifying entity. A user identity normally includes personal information, such as name, telephone number, e-mail address, home address, date of birth, etc. However, a profile can contain information related to privileges and rights on specific systems.

As one would rightly conclude, any information specific to an entity is going to change over time. When a change is required in the profile, it should be easy to manage and be automatically reflected in key systems, such as the corporate directory and the individual systems the users log into. Most customer relationship management (CRM) systems include some facility to manage user profiles either administratively or using a selfservice method. This capability is also available in some Web access management systems, access management systems, and password management systems. It is helpful to allow users to enter and manage those parts of their own profiles where new data is either not sensitive or does not have to be validated. Access Control Technologies There are several access control technologies that can be employed in various methods to support the multiple layers required for managing access. • Single sign-on (SSO) • Kerberos • Secure European System for Applications in a Multi-Vendor Environment (SESAME) • Security domains Single Sign-On. Introduced earlier, single sign-on for legacy systems provides an intermediary management system to support client requests. However, there are applications in use today that do not require client-side software, allowing users to gain access via an authentication gateway.

Some network enterprise systems provide users with access to many different computer systems or applications for their daily work. This wide range of access may require the user to have a user ID and password for each available resource. Instead of logging on to each individualized system or program, a solution is to implement SSO standards that enable a 179

AU8231_C002.fm Page 180 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® 1. User enters name and password

Computer

2. Server uses password to authenticate user’s identity

2. User’s Name and Password Transmitted

4. Server authorizes access for authenticated resources

Authentication Server

Figure 2.13. Common single sign-on architecture.

user to log on once to the enterprise and access all additional authorized network resources (Figure 2.13). Single sign-on is often referred to as reduced sign-on and federated ID management. By implementing a SSO solution that incorporates a single instance of user credentials leveraged by multiple systems, an organization’s employees as well as partners can be offered access with limited management. There are advantages and disadvantages to SSO solutions: • Advantages: – Efficient log-on process: Users require fewer passwords to remember and are prompted less to perform their job functions. – Users may create stronger passwords: With the reduced number of passwords to remember, users can remember a single, very strong password that can also be changed often. – No need for multiple passwords: The introduction of a SSO system translates into a single-use credential for users. – Time-out and attempt thresholds enforced across entire platform: Used to protect against a user being away from his workstation but still logged on for an extended period, thereby leaving it available to an intruder who could continue with the user’s session. The attempt threshold is used to protect against an intruder attempting to obtain an authentic user ID and password combination by brute force (trying all combinations). In the first case, the workstation would be disconnected after the selected period of inactivity. – Centralized administration: Given the singularity of the access control mechanism, administrators are offered central administrative interface to support the enterprise. • Disadvantages: – A compromised password allows intruders into all authorized resources: If the credential used for total access is compromised, the attacker would then have the privileges and capacity as180

AU8231_C002.fm Page 181 Saturday, June 2, 2007 1:21 PM

Access Control

–

signed to the original user. Although the risks are similar in nature to typical username and password combination, SSO introduces complete access via a single account. An attacker would only be limited by the enterprisewide assigned privileges, as opposed to the assigned privileges for a given system. Inclusion of unique platforms may be challenging: As introduced earlier, SSO is complex and requires significant integration to be effective. It is not uncommon for a large enterprise to utilize hundreds, if not thousands, of applications running on a wide variety of operating systems, each with their own approach to user management. Therefore, significant planning and analysis should be performed prior to embarking on a SSO solution.

Kerberos. The name Kerberos comes from Greek mythology; it is the three-headed dog that guarded the entrance to Hades. In Latin it is spelled and commonly seen as Cerberus, leading many to pronounce the name as Serberos. However, in Latin the letter C is always hard. So, Cerberus is pronounced “Ker-ber-ous.” In Latin the letter K is not normally used, and in Roman times, C always represented the K sound — hence the Greek spelling and pronunciation we use today. Also, -os is a Greek suffix (nominative masculine singular) whose nearest equivalent in Latin is the suffix -us (very familiar in Latin names). That is why the name goes into Latin as Cerberus and in Greek as Kerberos.

Kerberos, developed under Project Athena at MIT, guards a network with three elements: authentication, accounting, and auditing. Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret key cryptography. Kerberos is an effective authentication mechanism used in open, distributed environments where users must have a unique ID for each application on a network. Kerberos verifies that users are who they claim to be and the network services they use are contained within their permission profile. It meets four basic requirements for access control: • Security: A network eavesdropper should not be able to obtain needed information to impersonate a user. • Reliability: Available for users when needed. • Transparency: User is not aware of authentication process. • Scalability: Must support a small or large number of clients and servers. Kerberos Process. Kerberos is aptly named after a three-headed dog, as the authentication process is based on interaction between three systems: the requesting system (or principal), the endpoint destination server, and the Kerberos server. This Kerberos distribution center (KDC) will serve 181

AU8231_C002.fm Page 182 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® two functions during the authentication transaction — as an authentication server (AS) and as a ticket-granting server (TGS). A principal is any entity that interacts with the Kerberos server, such as a user workstation, an application, or a service. Given that Kerberos is based on symmetrical encryption and a shared secret key, the KDC maintains a database of the secret keys of all the principals on the network. While acting as the AS, it will authenticate a principal via a preexchanged secret key. Once a principal is authenticated, the KDC operates as a TGS, providing a ticket to the principal to establish a trusted relationship between multiple principals. For example, a KDS maintains the secret keys for a server and a workstation (both principals), each trusting the KDS. A user on the workstation authenticates to the AS and receives a ticket that is accepted by the server based on the trust associated with the KDS. Principals are preregistered with a secret key in the KDS. This is typically achieved through a user or system registration process. When a user or system is added to the Kerberos realm, it is provided the realm key, a common key used for initial trusted communications. During the introduction into the realm, a unique key is created to support future communications with the KDC. For example, when a Windows workstation joins a domain (i.e., realm) or a user joins the domain, a unique key is created and shared via the realm’s key, which is managed by the KDS. In the case with a user, it is common for Kerberos to utilize the password hash as the unique user key. Once the user is incorporated into the Kerberos realm, he can then be authenticated by the AS. At this point, the system authenticates the user (or system) and the TGS provides him with a ticket-granting ticket (TGT). The TGT allows the client to request service tickets (STs) and is analogous to a passport. TGTs are valid for a certain period, typically between eight and ten hours, after which they expire and the user must reauthenticate to the KDC. However, once the TGT has been issued, there is no further use of passwords or other log-on factors when interacting with other systems within the Kerberos realm. As demonstrated in Figure 2.14, upon authentication to the AS, a user workstation (P1) will be given a TGT by the TGS. Later, P1 may request access to an application server (P2) by requesting another ticket from the KDS — hence the term ticket-granting ticket. Upon validating the TGT, the KDS will generate a unique session key (SK1) to be used between P1 and P2, and will encrypt the SK1 with P1’s secret key (P1Key) and P2’s secret key (P2Key). The KDS will pack up the data in a ST, which it sends to P1. If P1 is who it claims to be, P1 will be able to decrypt SK1 and send it, along with P2Key (encrypted), to P2, the application server. The application server 182

AU8231_C002.fm Page 183 Saturday, June 2, 2007 1:21 PM

Access Control

Figure 2.14. Kerberos interaction.

will receive the ticket (the encrypted SK1 by P2Key) from P1 and be able to decrypt SK1. By decrypting SK1, the user and the application server are authenticated and now have the shared session key that can be used for encrypted communications between P1 and P2. Given that P1 and P2 have established secret keys with the KDS, it can generate unique session keys and encrypt them with its stored secret keys from the systems requesting secure interactions. The client (in this case P1) is sent the service ticket first to avoid denial-of-service attacks against the application server; otherwise, the server could be overloaded with encrypted session requests. The session key is effectively encrypted twice, once with P1’s secret key and once with P2’s secret key. This forces both systems to authenticate themselves (by possession of the correct secret key) to obtain the unique session key. Once each has the session key, each now has matching key material that can be used in follow-on symmetrical encrypted communications. A few key points to remember about Kerberos tickets are: • When the user is authenticated to the AS, it simply provides a TGT. This in and of itself does not permit access. Therefore, upon log-on the user obtains a TGT that can be used to request access to resources. • The TGT allows the user to request a service ticket from the TGS, authenticating the user through encryption processes and building a ST for the user to present to the target resource system. • The possession of the ST signifies that the user has been authenticated and can be provided access (assuming the user passes the application server’s authorization criteria). • The user is authenticated once via a traditional log-on process and verified by means of message encryption to request and acquire service tickets. The user does not have to reauthenticate as long as the TGT is valid. 183

AU8231_C002.fm Page 184 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® The primary goal of Kerberos is to ensure private communications between systems over a network. However, in providing the key material, it acts to authenticate each of the principals in the communication based on the possession of the secret key, which allows access to the session key. Kerberos is an elegant solution and used in many platforms as the basis for broad authentication processes. However, no solution is perfect, and there are some issues related to the use of Kerberos, shared by many other solutions. For example, the security depends on careful implementation: enforcing limited lifetimes for authentication credentials minimizes the threats of replayed credentials, the KDC must be physically secured, and it should be hardened, not permitting any non-Kerberos activity. More importantly, the KDC can be a single point of failure, and therefore should be supported by a backup and continuity plans. It is not uncommon for there to be several KDCs in a Kerberos architecture, each sharing principal information, such as keys, to support the infrastructure if one of the systems were to fail. Finally, the length of the keys (secret and session) is very important. For example, if the key is too short, it is vulnerable to brute-force attacks. If it is too long, systems can be overloaded with encrypting and decrypting tickets and network data. The Achilles’ heal of Kerberos is the fact that encryption processes are ultimately based on passwords. Therefore, it can fall victim to traditional password-guessing attacks. Secure European System for Applications in a Multi-Vendor Environment (SESAME). The Secure European System for Applications in a Multi-Vendor

Environment (SESAME) is a European research and development project, funded by the European Commission and developed to address some of the weaknesses found in Kerberos. It is also the name of the technology that came from the project. It offers SSO with added distributed access controls using symmetric and asymmetric cryptographic techniques for protection of interchanged data. It is actually an extension of Kerberos, offering public key cryptography and role-based access control capabilities. Attributes of SESAME include: • Offers SSO with added distributed access controls using symmetric and asymmetric cryptographic techniques for protecting interchanged data • Offers role-based access control • Uses a privileged attribute certificate (PAC), similar to a Kerberos ticket • Components can be accessible through Kerberos v5 protocol • Uses public key cryptography for the distribution of secret keys

184

AU8231_C002.fm Page 185 Saturday, June 2, 2007 1:21 PM

Access Control

Figure 2.15. Domain hierarchical relationship. Security Domain. A security domain is based on trust between resources or services in realms that share a single security policy and single management. The trust is the unique context in which a program is operating. The security policy must define the set of objects that each user has the ability to access. Think of a security domain as a concept where the principle of separation protects each resource and each domain is encapsulated into distinct address spaces.

Security domains support a hierarchical relationship where subjects can access objects in equal or lower domains; therefore, domains with higher privileges are protected from domains with lesser privileges. Characteristics for security domains include: • Can have more than one domain on a server. • A subject’s domain is the set of objects to which it has access. • In Figure 2.15, two distinct and separate security domains exist on the server, and only those individuals or subjects authorized can have access to the information on a particular domain. A subject’s domain, which contains all of the objects that the subject can access, is kept isolated. Shared objects may have more than one access by subjects, and this allows this concept to work (Figure 2.16). For example, if a hundred subjects have access to the same object, that object has to appear in a hundred different domains to allow this isolation.

Figure 2.16. Objects in domains.

185

AU8231_C002.fm Page 186 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Section Summary.

• Authentication factors are authentication by knowledge, authentication by ownership, and authentication by characteristic. • An identity management system is an IT infrastructure designed to centralize and streamline the management of user identity, authentication, and authorization data. • Single sign-on, Kerberos, and security domains are examples of the key access control technologies. Access to Data To this point, the discussion of access controls has been relegated to the processes and technology used to identify, authenticate, and authorize users and applications. However, all this must translate into controls associated with the structure of controls related to the security of data. The objectives for this section are to: • • • •

List the types of access controls Describe access control lists (ACLs) Describe rule-based and role-based access controls Define capability tables

Subtopics of this section include: • • • • • • • • • • • •

Discretionary access control Mandatory access control Access control lists Access control matrix Rule-based access control Role-based access control Content-dependent access control Constrained user interface Capability tables Temporal (time-based) isolation Centralized access control Decentralized access control

Discretionary and Mandatory Access Control Discretionary access controls (DACs) are those controls placed on data by the owner of the data. The owner determines who has access and what privileges they have. Discretionary controls represent a very early form of access control and were widely employed in VAX, VMS, UNIX, and other minicomputers in universities and other organizations prior to the evolution of personal computers. Today, DACs are widely used to allow users to manage their own data and the security of that information, and nearly 186

AU8231_C002.fm Page 187 Saturday, June 2, 2007 1:21 PM

Access Control every mainstream operating system, from Microsoft and Mac to Solaris and Linux — including the aforementioned — supports DAC. Mandatory access controls (MACs) are those controls determined by the owner and the system. The system applies controls based on privilege (or clearance) of a subject (or user) and the sensitivity (or classification) of an object (or data). In DACs, the user is free to apply controls at the discretion of the owner and not related to the overall value or classification of the data. In contrast, MACs allow the system to become involved in the assignment of controls that can be managed in accordance with broader security policies. MACs are typically for systems and data that are highly sensitive. Associating the security controls of an object based on its classification and the clearance of subjects provides for a secure system that allows for multilayered processing of information. The system’s decision controls access; the owner provides the need-toknow control. Not everyone who is cleared should have access, only those cleared and with a need to know. Even if the owner says a user has the need to know, the system must ascertain that the user is cleared or no access is allowed. To accomplish this, data needs to be labeled, allowing specific controls to be applied to that instance. Moreover, the controls the system employs are ultimately governed by an administrator following the organization’s security policy. The results demand placing limitations on authorizers, or those responsible for centrally managing the security polices applied to a given system. As demonstrated in Figure 2.17, access permissions can be applied to an object based on the level of clearance given to a subject. Moreover, multi-

No access/Null

No access permission granted

Read (R)

Read but make no changes

Write (W)

Write to file; includes change capability

Execute (X)

Execute a program

Delete (D) Change (C) Full Control

Delete file Read, write, execute and delete; may not change file permission All abilities; including changing access control permission

Figure 2.17. Example access permissions. 187

AU8231_C002.fm Page 188 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® ple access permissions can be applied to a single object, such as owner, group, public, system, or administrator, to mention a few. The example provided represents only a few of the possible permissions that can be assigned to an object. For example, “list” is a permission seen in common operating systems that permits users with that assigned permission to only list the files in a directory, not read, delete, modify, or execute the files. Access Control Lists. The term access control list (ACL) is used in many forms to communicate how a collection of controls are assigned based on a set of parameters. For example, ACLs are seen in routers that can limit or permit traffic based on an interface or session attribute, such as an IP address. Once there is a match, the list is applied. Moreover, when a list is identified and applied, it is parsed until an action can be determined.

In the case with the broader implications of security, ACLs are used in the provisioning of permissions within a given system based on policy. In most cases, ACLs within the system are performed on behalf of the user or administrator. For example, an administrator may create a set of users, assign them to a group, and apply a set of permissions for files and directories to that group. Within the system that information is translated into, an ACL that is then employed (Figure 2.18). The most common implementation of ACLs is in the DAC control model. It specifies a list of users who are allowed access to each object and is often implemented with access control matrices (ACMs). Of course, any and all ACLs must be properly secured from unauthorized modification. Access Control Matrix. An access control matrix (ACM) is simply a table structure of an ACL. Subjects are identified, as are the objects, and permissions are incorporated into the matrix.

Shown in Figure 2.19, an ACM can be used to quickly summarize what permissions a subject has for objects. Albeit a simple example, and in large environments an ACM can become cumbersome, it can be helpful in system or application design to ensure that security is incorporated early in the process. Rule-Based Access Control. In a rule-based system, access is based on a list of rules that determine what accesses should be granted. The rules, created or authorized by system owners, specify the privileges granted to users (i.e., read, write, execute, etc.). This is an example of a DAC, because the owner writes the rules.

A mediation mechanism enforces the rules to ensure only authorized access by intercepting every request, comparing it to user authorizations, and making a decision based on the rule. 188

AU8231_C002.fm Page 189 Saturday, June 2, 2007 1:21 PM

Access Control

ACCESS CONTROL LIST Mary: UserMary Directory - FullControl UserBob Directory - Write UserBruce Directory - Write Printer 001 - Execute

Bob: UserMary Directory - Read UserBob Directory - Full Control UserBruce Directory - Write Printer 001 - Execute

Bruce: UserMary Directory - No Access User Bob Directory - Write UserBruce Directory - Full Control Printer 001 - Execute

Sally: UserMary Directory - No Access UserBob Directory - No Access UserBruce Directory - No Access Printer 001 - No Access

Figure 2.18. Example access control list.

Figure 2.19. Example access control matrix. Role-Based Access Control. A role-based access control (RBAC) policy bases the access control authorizations on the functions that the user is allowed to perform within an organization. The determination of what roles have access to a file can be governed by the owner of the data, as with DACs, or applied based on policy. RBAC is a form of DAC because the roles

189

AU8231_C002.fm Page 190 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK®

Figure 2.20. Approaches to RBAC.

are determined by managers or HR and the access is determined by owners in accordance with company policy. These are all discretionary actions. Access control decisions are based on job function, previously defined and governed by policy, and each role (job function) will have its own access capabilities. User objects associated with a role will inherit privileges assigned to a job function. This is also true for groups of users, allowing administrators to simplify access control strategies by assigning users to groups and groups to job functions. RBAC Approach. There are several approaches to RBAC. As with many system controls, there are variances on how they can be applied within a computer system. As demonstrated in Figure 2.20, there are four basic RBAC architectures:

• Non-RBAC: Non-RBAC is simply a user-granted access to an application or data by traditional mapping, such as with ACLs. • Limited RBAC: Limited RBAC is achieved when users are mapped to roles within an application. This also includes users that are directly mapped to applications or data. For example, a user may be assigned to multiple roles within several applications and also mapped directly to another application or system. The key attribute is that 190

AU8231_C002.fm Page 191 Saturday, June 2, 2007 1:21 PM

Access Control

Figure 2.21. Content access control.

the role is defined within the application and not necessarily to the user’s overall job function. • Hybrid RBAC: Hybrid RBAC introduces the use of a role that is applied to one or more applications or systems. A user (or subject) is assigned to an individual that has a specific role within the organization. That user subject is assigned to a role that is then applied to applications or systems. However, as the term hybrid suggests, there are instances where the subject is assigned to roles defined within specific applications, devoid of the larger, more encompassing organizational role used by other systems. • Full RBAC: Full RBAC is when access is controlled by roles defined in the policy and then applied to applications and systems. The applications, systems, and associated data apply permissions based on the definition of a role that is representative of a job function, and not one defined by a specific application or system. Content-Dependent Access Control. Content-dependent access control is based on actual content of the data. It requires the access control mechanism (the arbiter program) to investigate the data to make the decision.

For example, consider a payroll database that managers have access to. Managers would only have access to those records that pertain to their own employees, not others. There is more granularity, but it creates and requires more overhead (Figure 2.21). Constrained User Interface. Another method for controlling access is restricting users to specific functions by not allowing them to request functions or services beyond their privileges or role. This is typically seen in limiting available menus, data views, encryption, or physically constrained user interfaces, such as an automatic teller machine (ATM). Capability Tables. Capability tables are used to track, manage, and apply controls based on the object and rights, or capabilities of a subject. For example, a table identifies the object, specifies access rights allowed 191

AU8231_C002.fm Page 192 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK®

Subject

Procedure A

Process A Joe

Execute

File X

File Y

Read

Read/Write

Write

Figure 2.22. Example capability table.

for a subject, and permits access based on the user’s possession of a capability (or ticket) for the object. As shown in Figure 2.22, the row defines the capabilities that a subject has with respect to all objects in the table. For example, Process A (subject) has read access to File X and read/write capability to File Y. The first column is a control list defining the subjects, and their corresponding capabilities relative to a specific object are shown in the row. In the example chart, File X can be read by Process A and written to by Joe. The headings of the other columns contain the title of the object. Temporal (Time-Based) Isolation. Timed-based access controls are those employed at a given time for a predetermined duration. If a request is made for access or privileged use of information or services not in the defined time window, the process is denied.

For example, only process confidential data in the morning and process secret data in the afternoon. Examples can include batch processing in a mainframe environment. Centralized Access Control. Centralized access control is when one entity (individual, department, device) makes the access decisions for the organization. Once the decision for centralized access control is made, owners or systems can specify what subjects have access to applications or data. Examples of centralized access control systems include RADIUS, TACACS+, and DIAMETER (Figure 2.23). Centralized access control is thoroughly discussed in the Telecommunications and Network Security chapter, Domain 7. Decentralized Access Control. Control is given to the people closer to the resource, as in department managers and sometimes users. Access requests do not get processed by one centralized entity, potentially leading to nonstandardization and overlapping rights, which may cause gaps in security controls (Figure 2.24). Section Summary.

• With rule-based access, access control is based on a list of rules that determine authorization. Role-based access control decisions are based on job function. 192

AU8231_C002.fm Page 193 Saturday, June 2, 2007 1:21 PM

Access Control

Figure 2.23. Example of centralized control.

Figure 2.24. Example of decentralized control.

193

AU8231_C002.fm Page 194 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® • Access control lists specify a list of users who are allowed access to each object. • A capability table is an authorization table (matrix) that relates subjects, objects, and rights. Intrusion Detection and Prevention Systems A complete and competent access control environment employs a web of technology, process, and policy working together to ensure that the desired security posture is maintained. Although firewalls, remote-access devices, applications, and myriad other technical solutions play an integral role in access control, intrusion detection and prevention systems take part in a manner that deserves greater explanation. An intrusion detection system (IDS) is a technology that employs various techniques to alert organizations to adverse or unwanted activity. IDS can be implemented as a network device, such as a router, switch, firewall, or dedicated device monitoring traffic, typically referred to as network IDS (NIDS). The technology can also be incorporated into a host system (HIDS) to monitor a single system for undesirable activities. An intrusion prevention system (IPS) is a technology that defines an acceptable operational envelope. For example, an IPS permits a set of functions and actions allowed on a network or system; anything that is not permitted is considered an unwanted process and blocked. Early versions of IPS were limited to a host system; however, network layer solutions have emerged. The objectives for this section are to: • Describe intrusion prevention systems and intrusion detection systems • Describe the benefits of audit trail monitoring • List examples of audit event types • List types of information security activities As demonstrated in Figure 2.25, IDS attempts to detect activities on the network that are evidence of an attack and warn of the discovery. The automated response capabilities of IDS are somewhat limited to its placement in the infrastructure and the existence and integration of other access control technologies. IDS is informative by nature and provides real-time information when suspicious activities are suspected. It is primarily a detective device and, acting in this traditional role, is not used to directly prevent the suspected attack. In contrast, and as the name of this technology suggests, IPS is engineered specifically to respond in real-time to an event at the system or network layer. By enforcing policy, IPS can thwart not only attackers, but also 194

AU8231_C002.fm Page 195 Saturday, June 2, 2007 1:21 PM

Access Control

Figure 2.25. IDS and IPS overview.

privileged users attempting to perform an action that is not within policy. Fundamentally, IPS is considered an access control and policy enforcement technology, whereas IDS is considered network monitoring and audit. It is important to understand that the line between IDS and IPS is growing thinner. For example, some IDS solutions are adopting preventative capabilities that allow it to act more effectively in the light of policy infringement. IPS systems are incorporating detection techniques to augment the policy enforcement capabilities. The evolution is arguably more evident within the realm of IDS. This is because IPS inherently has many of the same qualities and capabilities of IDS, such as detection, logging, alerting, and audit. Moreover, fundamentally, IPS is very simple. If a process or action performed by a user, service, or application — including the operating system — is not permitted based on policy, it is blocked. Of course, defining the policy in technical terms that permit valid system functions, updating the policy, and sharing it among other devices is where IPS can become complicated. Nevertheless, when compared to the numerous techniques IDS uses to detect unwanted activities, IPS is much more straightforward. These two technologies — more so IDS — and their role within access control will be discussed throughout this section. Intrusion Detection Systems Introduced above, IDS is a technical solution whose role is to detect suspicious activity and report on the findings. Early in the development of IDSs, the act of implementing compensating controls to thwart an attack was relegated to the security group or administrator. In short, IDS is a reactive warning system that provides information necessary to guide administrators in responding to the attack. As the technology evolved, it began to offer limited capabilities to autonomously respond to events. However, the detective characteristics of the technology worked to reduce the viability of automation. 195

AU8231_C002.fm Page 196 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® It can be argued that IDS is the opposite of IPS. IDS is attempting to detect the existence of suspicious activity. The permutations of potential and probable attack vectors are infinite. In contrast, IPS is only concerned about what is possible, defined by policy, and considers everything else detrimental. This basic characteristic has become the impetus for the development of sophisticated detection techniques to help the system determine if the monitored activities are friend or foe. A by-product is the need to tune IDS to the unique traffic generated by the organization. For example, the activity associated with a company’s custom developed application may appear to an IDS as unwanted activity, forcing the generation of multiple alerts, sometimes in the form of a flood. Equally problematic is if the IDS is not tuned to notice the slight nuances between a custom application’s activities and those of a real attack, producing no alerts. Tuning an IDS is an art form and can become a significant gap in security if not performed correctly, potentially rendering the system worthless. It becomes a noisy box people begin to ignore, or it sits quietly as networks and systems are attacked. Given the complexity tuning represents and the potential for false-positives or false-negatives, automated responses generated from IDS alerts represent a risk too great for many organizations. Network Intrusion Detection System. A network intrusion detection system (NIDS) is a network device, or dedicated system attached to the network, that monitors traffic traversing the network segment for which it is integrated. NIDS is usually incorporated into the network in a passive architecture.

A passive NIDS takes advantage of promiscuous mode access to the network, allowing it to gain visibility into every packet traversing the network segment. This allows the system to inspect packets and monitor sessions without impacting the network, performance, or the systems and applications utilizing the network. Typically, a passive NIDS is implemented by installing a network tap, attaching it to a hub, or mirroring ports on a switch to a NIDS dedicated port. Given that NIDS is simply monitoring the traffic, the risk for not detecting an event starts with the potential for dropped packets. If a 100MB, 10-port switch is used and all the ports are mirrored to a single-GB port for the NIDS, it will require the capacity to monitor and investigate GB traffic without dropping packets. Another potential failure in monitoring traffic is when the information is encrypted. The same encryption employed to ensure communication confidentiality greatly reduces the ability for IDS to inspect the packet. The amount and granularity of information that can be investigated from 196

AU8231_C002.fm Page 197 Saturday, June 2, 2007 1:21 PM

Access Control an encrypted packet is related to the implementation of the encryption technology. In most cases, the data portion of the packet is encrypted with other packet headers in the clear. Therefore, the IDS can gain some visibility into the communication participants, session information, protocol, ports, and other basic attributes. However, as the IDS digs deeper and deeper into the packet to perform analysis, it will eventually fail due to the encryption. A NIDS consumes a copy of each packet off the network to analyze the contents and its role in a session. By doing so, the IDS does not interfere with existing communications and can perform various investigative functions against the collected data. On those occasions when an IDS detects an unwanted communication stream, and is enabled to perform automated responses, it can attempt to terminate the connection. This can be accomplished in a multitude of ways. For example, it can start by simply utilizing TCP and injecting reset packets into the network, forcing one or more identified systems to cancel the communications. In lieu of directly terminating the session, many IDS solutions can be integrated with firewalls, routers, and switches to facilitate dynamic rule changes to block specific protocols, ports, or IP addresses associated with the unwanted communications. In summary, NIDS has the following essential characteristics: • Monitors network packets and traffic on transmission links in real-time • Analyzes protocols and other relevant packet information • Can send alerts or terminate offending connection • Can integrate with firewall and define new rules • Encryption interferes with monitoring data packets Host-Based Intrusion Detection System. As the name suggests, HIDS is the implementation of IDS capabilities at the host level. Its most significant difference from NIDS is intrusion detection analysis, and related processes are limited to the boundaries of the host. However, this presents advantages in effectively detecting objectionable activities. Some of these efficiencies are gained from the fact that the IDS process is running on the system. This offers unfettered access to system logs, processes, system information, and device information, and virtually eliminates limits associated with encryption and automated response. The level of integration represented by HIDS inherently increases the level of visibility and control at the disposal of the HIDS application.

There are also multihost IDSs that audit and respond to and act on data from multiple hosts. When configured in this manner, the multihost HIDS architecture allows systems to share policy information and real-time 197

AU8231_C002.fm Page 198 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® attack data. For example, if a system were to experience an attack, the signature of the attack, along with remediation actions, can be shared with other systems automatically in an attempt to establish a defensive posture. There are some retractors to implementing HIDS, many of which are common among system agents and not necessarily unique to HIDS. HIDS can consume inordinate amounts of CPU and memory to function effectively, especially during an event. Although today’s server platforms are powerful, diminishing some of the performance issues, workstations and laptops, good candidates for HIDS, may suffer from the overhead of performing analysis on all system activities. In summary, HIDS has the following essential characteristics: • Agent residing on host detects apparent intrusions. • Scrutinizes event logs, critical system files, and other auditable system resources. • Looks for unauthorized change or suspicious patterns of behavior or activity. • Host-based IDS can send alerts when unusual events are discovered. • Multihost HIDS gets audit data from multiple hosts. Analysis Engine Methods The term analysis has been used frequently to explain the role of IDSs. However, several analysis methods can be employed by an IDS. Although there are different methodologies for detection, this does not indicate that all are used in a given solution. There are two basic analysis methods: pattern matching and anomaly detection. Pattern matching is when an attack vector is known and the system produces an alert if the pattern is detected (if configured to do so). Anomaly detection is somewhat more complicated in that it uses different tactics to draw conclusions on whether the traffic represents a risk to the network or host. Anomalies may include: • • • • •

Multiple failed log-on attempts Users logging in at strange hours Unexplained changes to system clocks Unusual error messages Unexplained system shutdowns or restarts

An anomaly-based IDS tends to produce more data because anything outside of the expected behavior is reported. Thus, they tend to report more false-positives as expected behavior patterns change. An advantage is that they are able to detect new attacks that may be overlooked by a signature-based system (i.e., pattern matching). Some of these are also rule or statistical based. 198

AU8231_C002.fm Page 199 Saturday, June 2, 2007 1:21 PM

Access Control The rest of the section covers: • Pattern/stateful matching engine – Pattern matching intrusion detection – Stateful matching intrusion detection • Anomaly-based engine – Statistical anomaly-based intrusion detection – Protocol anomaly-based intrusion detection – Traffic anomaly-based intrusion detection Pattern/Stateful Matching Engine. Pattern Matching Intrusion Detection.

Some of the first IDS products used pattern matching technology, typically referred to as signatures. Signatures are a collection of byte sequences that represent a mode of attack. For example, a hacker manipulating an FTP server may use a tool that sends a specially constructed packet. If the attack vector is known, it can be represented in the form of a signature that IDS can then compare to incoming packets. Pattern-based IDS will have a database of hundreds, if not thousands, of signatures that are compared to traffic streams. As new attack signatures are produced, the system is updated, much like antivirus solutions. Several conclusions can be made based on this type of detection. Most importantly, signatures can only exist if the attack is known. If a new or different attack vector is used, it will not match a pattern and slip past the IDS. Additionally, if an attacker knows the IDS is present, he may modify his method to avoid detection. For example, the attacker may send a packet that is slightly modified to avoid detection, but still have the desired affect. Of course, as with some antivirus systems, the IDS is only as good as the latest signature database on the system. Therefore, regular updates are required to ensure the IDS has the most recent signatures. This is especially critical for newly discovered attacks. Attributes of a pattern matching IDS include: • • • • •

Identifies known attacks Provides specific information for analysis and response May trigger false-positives Requires frequent updates of signatures Attacks can be modified to avoid detection

Stateful Matching Intrusion Detection. Very much related to signature-based detection, stateful matching takes pattern matching to the next level. It scans for attack signatures in the context of a traffic stream rather than the individual packets. A hacker may use a tool that sends a volley of valid packets to a targeted system. Given the packets are valid, pattern matching is nearly useless. However, the combination of the packets represents a known attack pattern. To compensate, the attacker may send packets from 199

AU8231_C002.fm Page 200 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® different locations with long wait periods between each to either confuse the detection system or exhaust its session timing window. Because this method also uses signatures, it too must be updated regularly and has some of the same limitations as pattern matching. Attributes of a stateful matching IDS include: • • • • • •

Identifies known attacks Detects signatures spread across multiple packets Provides specific information for analysis and response May trigger false-positives Requires frequent updates of signatures Attacks can be modified to avoid detection

Anomaly-Based Engine. Statistical Anomaly-Based Intrusion Detection. T h e statistical-based IDS analyzes audit trail data by comparing it to typical or predicted profiles in an effort to find potential security breaches. Thus, it attempts to identify suspicious behavior by analyzing audit data that deviates from a predicted norm.

This type of detection method can be very effective, and at a very high level, it begins to take on the characteristics of IPS by establishing an expected base and acting on divergence from that base. However, there are some potential issues that may surface depending on the environment. Tuning the IDS can be challenging, and if not performed regularly, the system is prone to false-positives. Also, the definition of normal traffic can be open to interpretation and does not preclude an attacker using normal activities to penetrate systems. The value of statistical analysis is that the system has the potential to detect unknown attacks. This is a huge departure from being limited to matching techniques. Therefore, when combined with matching technology, the IDS can be very effective. Attributes of a statistical anomaly-based IDS include: • Develops baselines of normal traffic activity and throughput, and alerts on deviations from these baselines • Can identify unknown attacks and DoS floods • Can be difficult to tune properly • Must have a clear understanding of normal traffic environment Protocol Anomaly-Based Intrusion Detection. A protocol anomaly-based IDS identifies any unacceptable deviation from expected behavior based on known protocols and signals an alert. For example, if a typical HTTP packet is received and contains attributes that deviate from established protocol standards, it may represent a specifically constructed packet used to penetrate a firewall or exploit a vulnerability. 200

AU8231_C002.fm Page 201 Saturday, June 2, 2007 1:21 PM

Access Control The value of this method is directly related to the existence or use of well-defined protocols. In the face of custom or complex protocols, the system will have more difficultly or be completely disabled in determining proper packet format. Interestingly, this type of method is prone to the same challenges faced by signature-based IDSs. For example, protocol analysis engines may have to be added or customized to deal with unique protocols or how common protocols are manipulated and leveraged within an organization. Nevertheless, having an IDS that is intimately aware of valid protocol use can be very powerful when an organization employs standard implementations of common protocols. Attributes of a protocol anomaly-based IDS include: • Looks for deviations from standards set forth in requests for comment (RFCs). • Can identify attacks without a signature. • Reduces false-positives with well-understood protocols. • May lead to false-positives and false-negatives with poorly understood or complex protocols. • Protocol analysis modules take longer to deploy to customers than signatures. Traffic Anomaly-Based Intrusion Detection. A traffic anomaly-based IDS identifies any unacceptable deviation from expected behavior based on traffic structure. When a session is established between systems, there are multiple layers to the packets representing layers in the communication. Traffic the communication produces can be compared to expected conduct founded on the understandings of traditional system interaction.

Attributes of a traffic anomaly-based IDS include: • Watches for unusual traffic activities, such as a flood of User Datagram Protocol (UDP) packets, or a new service appearing on the network • Can identify unknown attacks and DoS floods • Can be difficult to tune properly • Must have a clear understanding of normal traffic environment Intrusion Responses As alluded to above, an IDS can be integrated into an infrastructure, allowing it to perform automated changes to other systems in an effort to thwart the attack or minimize the affects of undesirable traffic. The level of capability to perform automated acts is directly related to the level of integration with other systems and the amount of trust an organization has in the system to make the correct conclusions. Upon detection of an adverse event or suspicious activity, the IDS can begin — if permitted to and configured accordingly — to interact with the 201

AU8231_C002.fm Page 202 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® systems participating in the communication, and other systems that can be used to restrict or block traffic, and to collaborate with other IDS devices or logical access control systems, such as a directory. Early versions of IDS integration for automated intrusion responses were to tie the IDS to the firewall, allowing it to instruct the firewall to implement specific rules targeted at the questionable traffic. This practice is still employed today and used when the attack can be clearly quantified and the proposed rules do not conflict with normal business operations. On the surface, injecting a rule in a firewall to stop an attack seems logical. However, firewalls may have hundreds of rules, and at what level the new rule is inserted can have an impact on normal, mission-critical communications. Moreover, some firewall platforms will share all or portions of their rules with other firewalls in the organization. Therefore, an attack affecting North American Internet connections may be blocked without affecting local traffic, but when that change is replicated to firewalls in Germany, the results can be catastrophic. Much like firewall rule set modification, the IDS can inject new access control lists in routers, VPN gateways, or other layer 3 devices, such as switches supporting VLANs, to block or restrict traffic. Again, the placement of the filter in the system’s existing ACL can have repercussions to other communications. Nevertheless, in some cases these concerns can be quelled by tuning the interaction between the IDS and other filtering devices and predefining acceptable rules and default placement. Finally, attacks can be damaging, so much so that the temporary loss of other communications is acceptable in the face of an aggressive attack. In some configurations, multiple IDS devices can collaborate and employ additional controls based on information gathered from activities detected on a remote system. This occurs most often on HIDS and IPS devices. Other detection methods and types of IDS may require human interaction to employ proactive changes. Finally, in some cases the IDS can be configured or used in combination with custom applications to enact changes in systems logically distant from the attack. An example is a script that is activated by an alert from an IDS that temporarily disables a user account, increases the level of auditing on certain systems, or suspends an application from accepting new connections. These capabilities can be summarized as follows: • • • • 202

Dropping suspicious data packets at firewall Denying access to a user displaying suspicious activity Reporting the activity to other hosts on site Updating configurations within the IDS

AU8231_C002.fm Page 203 Saturday, June 2, 2007 1:21 PM

Access Control Alarms and Signals. The impetus for the development of IDS was to gain visibility into the activities on the network and alert administrators to potentially harmful behavior. The core capability of IDS is to produce alarms and signals that work to notify people and systems to adverse events.

There are three fundamental components of alarms: • Sensor • Control/communication • Alert/enunciator/actuator A sensor is the detection system that identifies the event and produces the appropriate notification. The notification can be informational, warning, or critical, or whatever the system administrator has configured. Control or communication refers to the mechanism of distribution. For example, an alert may materialize as an e-mail, instant message, pager (i.e., mobile device) message, or even an audible message to a phone or voice mail. The enunciator is essentially a relay system. For example, it may be necessary to notify local resources immediately and remote resources later. Also, the enunciator is the system that can employ business logic as well as construct the message to accommodate different delivery mechanisms. For example, it may have to truncate the message to send to a pager, format to support a type of e-mail system, or compile a special file format, a text-to-voice, or fax system. Finally, business logic can be employed to determine who gets the message, when, and how. It is worth noting that establishing who receives an alert, when, and how is critical. Once the appropriate people are identified, determining what types of alerts they should receive and the level of urgency, the “how” needs to be addressed. For example, if an alert occurs and a message containing sensitive material needs to be delivered to the CSO, the security of that information must be considered. Therefore, the type of technology used for delivery can have a bearing on the amount and type of data sent. To further exacerbate the issue of secure delivery, when one communication transaction fails and a secondary is attempted, the message format as well as the information it contains may need to be changed. For example, the CSO may determine that the most secure mode of notification during working hours is her private fax machine in her office. If acknowledgment is not received in a predetermined timeframe, the next mode of communication is a message to her cell phone, a much less secure device. Given this, the format must be adjusted to accommodate not only the receiving device, but the content as well. All three of these components exist in off-the-shelf IDS products with varying degrees of capability. 203

AU8231_C002.fm Page 204 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® IDS Management As IDS became an accepted enterprise security technology and adopted more readily, it began to suffer from ill-founded perceptions. Many organizations felt that it was simply a product investment — fire and forget; nothing could be further from the truth. Arguably, IDS is more about management than the box that is bolted into a rack. First and foremost, someone has to implement, tune, and monitor the system. IDS is designed to alert people in the event something is detected. It is worthless if it is not implemented properly, tuned accordingly, and there is someone to act on the information it provides. Unfortunately, what appeared to many as simply a product investment quickly turned into the inclusion of a full-time IDS administrator. Soon after, investments were needed for managing the data output from the systems, such as policies, procedures, and technology for storage, retention, and security. Finally, with added awareness of what is occurring on the network, many organizations were motivated to acquire additional technology, such as more IDSs, correlation engines, and other security controls to address the onslaught. In short, IDS requires expert administration and overall management of the solution, and the technology’s success within the enterprise is directly proportional to the integrity of management. Upon implementing IDS, organizations must ensure they have a knowledgeable resource to select, install, configure, operate, and maintain the system. Management processes and procedures must be developed and employed to ensure that the system is regularly updated with signatures and evaluated for suspicious activities, and the IDS itself is not vulnerable to direct attack. One of the more important, but overlooked, aspects of IDS is dealing with the results. Many organizations employ IDS to gain a better understanding of what may be occurring on their networks and systems. Once the IDS detects an event, it is necessary for the organization to have an incident response process. Although an IDS can be configured to perform some automated functions to thwart an attack, complete reliance on the system is not realistic. Essentially, IDS alerts you to the existence of suspicious activity and can help — to a point. Incident response is detection, identification, isolation, eradication, recovery, and learning from the incident. IDS is designed to detect and, if possible, identify the attack. It is up to people to work within their environment to follow through with the process of managing an incident. Therefore, IDS, although an effective technology, is simply the tip of the security management spear. Physically implementing IDS is the first step in orchestrating a comprehensive security management infrastructure designed to deal with potentially harmful events. In many organizations, IDS is a good candidate for outsourcing. In summary, the following are needed to ensure an effective IDS: 204

AU8231_C002.fm Page 205 Saturday, June 2, 2007 1:21 PM

Access Control • Employ a technically knowledgeable person to select, install, configure, operate, and maintain the IDS. • Update the system with new signature attacks and also to evaluate expected behavior profiles. • Be aware that IDS may be vulnerable to attacks. • Intruders may try to disable with false information or overload the system. • Attacks on IDS may be a distraction. Access Control Assurance Audit Trail Monitoring An audit trail is the data collected from various systems logging activity. It is a record of system activities that can be investigated to determine if network devices, systems, applications, services, or any computer system that produces a log is operating within expected parameters. Virtually any system can be configured to produce a log of system activities. Of course, not all possible events that can be logged are applicable to security. However, there are many system attributes that can be very helpful for collecting information and gaining awareness of the system and overall infrastructure status. The function of audit trails is to alert staff of suspicious activity for further investigation. For example, an administrator may see evidence of a user logging into a mission-critical system during after-hours, something unexpected. Upon further investigation, by checking the logs from other devices, the administrator determines that the access was sourced from a VPN device. This collection of information can be used to validate that the access was approved or expected. Moreover, the investigation can look at other logs produced from the system in question to determine if other questionable actions were performed by the user. The audit trail can provide details on the extent of intruder activity. During a typical attack, the advisory will usually have to traverse several systems, such as routers, firewalls, and applications, potentially leaving behind a record of activity. This information can be used to reconstruct the avenue of attack, what tools may have been used, the actions of the attacker, and what were the affects. If the information is properly collected and secured, and a chain of custody of said data can be accurately represented, the information can be used for legal proceedings to prove guilt or innocence. Audit Event Types. There are several event types that can be audited given the diversity and broad spectrum of capabilities of technology employed in a typical organization. However, in the light of information security and access controls, there are five key types that are the founda205

AU8231_C002.fm Page 206 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® tion of security auditing: network, system, application, user, and keystroke activity. Network. The network plays a critical role in attacks. As useful as the network is to organizations in performing business processes, it is equally valuable to threat agents; it is the common field of operations. Devices responsible for supporting communications can provide ample information about events or activities on the network.

Network layer information can be helpful in determining and isolating threat activity, such as a worm or a DoS attack. It can also be helpful in detecting whether users are using software or services not permitted by policy, such as instant messaging programs. System. System events are important to audit to have a clear understanding of the system activity. These can include logging when files are deleted, changed, or added, software is installed, or privileges are changed. System information can help determine if a worm or virus is present by evidence of unexpected activity on the system. Application. Application events encompass a broad range of possibilities for monitoring activity. Many of these are dependent on the services offered by the application, in addition to the functions it performs. For example, it may be possible to determine if a Web server is being attacked by evidence of URL manipulation. Given the diversity of applications and possible attributes that can be audited and logged, the objective is to audit activities that help isolate key functions to at least gain an initial perspective of application activity. User. User events are very important to understand who is accessing what and when. Log-on and log-off times, privilege use, and data access are the essential basics of user monitoring. Keystroke. Logging the keystrokes a user enters on a system can be extraordinarily helpful in investigating suspicious activity, but can act as evidence for remediation. A simple example is the .histor y or .bash_history file in the user’s home directory on a UNIX system. Although far from a perfect example, .history files do log all the commands a user enters during a logged-on session. Auditing Issues and Concerns. An issue with audit trails is the volume of data that is collected. The audit logs may well exceed the administrative time and skills necessary to review and investigate events that seem suspicious. Therefore, it may be necessary to use some type of event filtering or “clipping level” to properly determine the amount of log detail captured.

There are several auditing tools available that can be used to process the information. Many of these also perform correlations that help deter206

AU8231_C002.fm Page 207 Saturday, June 2, 2007 1:21 PM

Access Control mine relationships between multiple systems to better determine exactly what was performed during an attack. The security of logs is important to ensure the integrity of the information; this is especially true if the information is going to be used for forensics investigations or legal proceedings. Logs have to be protected against unauthorized access and changes. Therefore, the security of storage and archive systems is critical to the integrity of the information collected. Following are best practices in addressing audit issues and concerns: • Control the volume of data. • Event filtering or clipping level determines the amount of log detail captured. • Auditing tools can reduce log size. • Establish procedures in advance. • Train personnel in pertinent log review. • Protect and ensure against unauthorized access. • Disable auditing or deleting/clearing logs. • Protect the audit logs from unauthorized changes. • Store/archive audit logs securely. Information Security Activities There are several essential information security activities, some covered above. These are: • Security awareness and training: Ensuring users are fully aware of and understand corporate security polices and sound security practices. Moreover, how to identify potential threats and what to do if they suspect an adverse event. Educated employees can be the strongest aspect of an information security program. • Separation/rotation of duties: As discussed above, separating people and job functions so that no one person can perform a function that could result in a security event. • Least privilege: Ensuring that a user, process, application, or service is only provided the permissions and privileges required to perform its role within the organization. • Recruiting and termination procedures: The hiring and removal of personnel from an organization represent a potential threat to a company and its assets. Care must be taken when employees are added or removed in the light of information security. • Security reviews/audits: Performing regular assessments and audits ensures that established policies are followed and expectations are met. • Vulnerability/network assessment tools: Performing a vulnerability assessment assists organizations in determining the state of the environment and the level of exposure to threats. 207

AU8231_C002.fm Page 208 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® • Penetration testing: The next level in vulnerability assessments; seeks to exploit vulnerabilities to determine the true nature and impact of a given vulnerability. Penetration Testing. Penetration testing goes by many names, such as ethical hacking, tiger team, and vulnerability testing. It is the employment of exploitive techniques to determine the level of risk associated with a vulnerability or collection of vulnerabilities. The primary goal is to simulate an attack on a system or network at the request of the owner to evaluate the risk characteristics of an environment. Characteristics can include understanding the level of skill required, time to exploit a given vulnerability, and the level of impact, such as depth of access and attainable privileges.

Penetration testing can be employed against anything. However, most companies seek penetration testing to focus on Internet systems and services, remote-access solutions, and applications. The key to successful and valuable penetration testing is clearly defined objectives, scope, stated goals, agreed upon limitations, and acceptable activities. For example, it may be acceptable to attack an FTP server, but not to the point where the system is rendered useless or data is damaged. Having a clear framework and management oversight during a test is essential to ensuring the test does not have adverse affects on the target company and the most value is gained from the test. Types of Penetration Testing. One of the first steps in establishing the rules of engagement are considering what information about the target should be provided to the tester. No matter the scope or scale of a test, how information flows initially will set in motion other attributes of planning, ultimately defining factors by which the value of the test will be measured.

Usually some form of information is provided by the target, and only in the most extreme cases is absolutely no information offered. Some cannot be avoided, such as the name of the company, while others can be easily kept from the testers without totally impeding the mechanics of the test. Following are some basic definitions of information provisioning: • Zero knowledge: Zero knowledge is just that; the tester is provided nothing about the target’s network or environment. The tester is simply left to her ability to discover information about the company and use it to gain some form of access. This is also called black box or closed, depending on who is scoping the test. This is particularly appropriate when testing for external penetrations. • Partial knowledge: Something growing in popularity with companies seeking penetration testing is providing just enough information to get started. In some cases, information may include phone numbers to be 208

AU8231_C002.fm Page 209 Saturday, June 2, 2007 1:21 PM

Access Control tested, IP addresses, domain information, applications, and other data that would take some time to collect and do not represent any difficultly to a hacker, but would be rather time-consuming for the tester. The interesting aspect of getting some information and not all is the assumption of scope. Organizations tend to use limited information to define boundaries of the test, as opposed to providing initial data to support the test. For example, there is a difference in exposing whether a company has IDS, as opposed to providing a list of phone numbers. The former is an obvious attempt to limit the information provided to the tester, whereas the latter is influencing the scope of the test. • Full knowledge: Full knowledge is when every possible piece of information about the environment is provided to the tester. This type of test is typically employed when there is greater focus on what can be done, as opposed to what can be discovered. This is also known as crystal box, white box, or open, again depending on who is planning the test. This is particularly appropriate when testing for internal penetrations. Methodology. A methodology is an established collection of processes that are performed in a predetermined order to ensure the job, function, or, in this case, a test is accurately executed. There are several methods for performing a penetration test. However, there is a basic and logical methodology that has become best practice for performing tests:

• Reconnaissance/discovery: Identify and document information about target. • Enumeration: Gain more information with intrusive methods. • Vulnerability analysis: Map environment profile to known vulnerabilities. • Exploitation: Attempt to gain user and privileged access. RECONNAISSANCE/DISCOVERY. Reconnaissance is the search for freely available information to assist in the test. The search can be quick ping sweeps to see what IP addresses on a network will respond, scouring news groups on the Internet in search of misguided employees divulging useful information, or rummaging through the trash to find receipts for telecommunication services.

Reconnaissance can include theft, lying to people, tapping phones and networks, impersonations, or even leveraging falsified friendships to collect data about a target. The search for information is only limited by the extremes to which a company and the tester are willing to go. Reconnaissance offers a plethora of options, each related to one another. However, unlike other phases within the test’s framework, each option can be controlled, moderated, and measured to a surprisingly high level of granularity when properly planned and managed. 209

AU8231_C002.fm Page 210 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® ENUMERATION. Enumeration (also known as network or vulnerability discovery) is essentially obtaining readily available — and sometimes provided — information directly from the target’s systems, applications, and networks. An interesting point to make very early is that the enumeration phase represents a point within the project where the line between a passive attack and an active attack begins to blur. Without setting the appropriate expectations, this phase can have results ranging from “Oops” to “Do you swear to tell the truth and nothing but the truth?”

To build a picture of a company’s environment, there are several tools and techniques available to compile a list of information obtained from the systems. Most notably, port scanning is the “block and tackle” of the enumeration, and NMap is today’s most valuable player. The simplest explanation of a port scan is the manipulation of the basic communication setup between two networked systems using TCP/IP as a communication protocol. TCP/IP uses a basic session setup to determine with what application ports a system is willing to establish communications. Obviously, collecting information about systems is the first step in formulating an attack plan. However, information collected during the reconnaissance phase can be added to help build a picture of the target’s systems and networks. It is one thing to collect information, and it is another to determine its value, and the perceived value in the hands of a hacker. On the surface, enumeration is simple; take the collected data and evaluate it collectively to establish a plan for more reconnaissance or building a matrix for the next phase, vulnerability analysis. However, this is the phase where the tester’s ability to make logical deductions plays an enormous role. VULNERABILITY ANALYSIS. There is a logical and pragmatic approach to analyzing data. During the enumeration phase, we try to perform an interpretation of the information collected, looking for relationships that may lead to exposures that can be exploited. The vulnerability analysis phase is a practical process of comparing the information collected with known vulnerabilities.

Most information can be collected from the Internet or other sources, such as news groups or mailing lists, which can be used to compare information about the target to seek options for exploitation. However, information provided by vendors, and even data collected from the target, can be used to formulate a successful attack. Information collected during the reconnaissance phase from the company can provide knowledge about vulnerabilities unique to its environment. Data obtained directly from the company can actually support the discovery of vulnerabilities that cannot be located anywhere else. As mentioned above, information on the Internet is very helpful. Known vulnerabilities, incidents, service packs, updates, and even available 210

AU8231_C002.fm Page 211 Saturday, June 2, 2007 1:21 PM

Access Control hacker tools help in identifying a point of attack. The Internet provides a plethora of insightful information that can easily be associated with the architecture of the target. EXPLOITATION. A great deal of planning and evaluation are performed during the earlier phases to ensure that a business-centric foundation of value is established for the test. Of course, all of this planning must lead to some form of attack. Exploiting systems and applications can be as easy as running a tool or as intricate as executing fine-tuned steps in a specific way to get in. No matter the level of difficultly, good testers follow a pattern during the exploitation phase of a test.

During a penetration test, the details considered in the planning come into full view and affect the outcome of every action taken by the tester. A sound course of action is needed to translate the planning into an attack to meet the objectives within the specified period and within the defined scope. The attack process is broken up into threads and groups, and each appears in sets of security. A thread is a collection of tasks that must be performed in a specific order to achieve a goal. Threads can be one step or many in a series used to gain access. Every thread is different, but may have similarities that can be useful. Therefore, threads can be combined into groups to create a collection of access strategies. Groups are then reviewed and compared to support comprehensive attacks using very different threads in a structured manner. Each test is evaluated at every point within the operation to ensure the expected outcome is met. Each divergence from plan is appraised to make two fundamental determinations: • Expectations: Are the expectations of the thread or group not being met or are the test’s results conflicting with the company’s assumptions and stated goals? The objective is to ensure each test is within the bounds of what was established and agreed upon. On the other hand, if the test begins to produce results that were not considered during the planning, enumeration, and vulnerability analysis phases, the engagement needs to be reconsidered, or at minimum, the planning phase needs to be revisited. Meeting expectations is everything, and in the world of ethical hacking, it can represent a fundamental challenge when not planned properly or not executed to the plan. • Technical: Is a system reacting in an unexpected manner, which is having an impact on the test? Much more granular in theory than general expectations of the test, technical gaps are literally the response of a system during a test. Keeping your eyes open for unexpected responses from systems ensures that you have not negatively affected the target or gone beyond the set scope of the test. 211

AU8231_C002.fm Page 212 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Document Findings. The goal of penetration testing is to gain awareness and detailed understanding of the state of the security environment. Information is collected and acted upon during the test, producing more information that can be used to draw conclusions and articulate findings.

The goal of the document is to clearly present the findings, tactics used, and tools employed, and to offer the information collected from the test. Finally, the ultimate objective is to offer perspectives and recommendations for remediation. In summary, the test results can help with identifying: • • • • • •

Vulnerabilities of the system Gaps in security measures IDS and intrusion response capability Whether anyone is monitoring audit logs How suspicious activity is reported Suggested countermeasures

Testing Strategies. Strategies for penetration testing, based on specific objectives to be achieved, are a combination of the source of the test, how the company’s assets are targeted, and the information, or lack thereof, provided to the tester. EXTERNAL VERSUS INTERNAL TESTING. External testing refers to attacks on the organization’s network perimeter using procedures performed from outside the organization’s systems, that is, from the Internet or extranet. To conduct the test, the testing team begins by targeting the company’s externally visible servers or devices, such as the Domain Name Server (DNS), email server, Web server, or firewall.

Internal testing is performed from within the organization’s technology environment. The focus is to understand what could happen if the network perimeter were successfully penetrated, or what an authorized user could do to penetrate specific information resources within the organization’s network. BLIND AND DOUBLE-BLIND VERSUS TARGETED TESTING. In a blind testing strategy, the testing team is provided with only limited information concerning the organization’s information systems configuration. The penetration testing team must use publicly available information (such as company Web site, domain name registry, and Internet discussion board) to gather information about the target and conduct its penetration tests.

Blind testing can provide information about the organization that may have been otherwise unknown, but it can also be more time-consuming and expensive than other types of penetration testing (such as targeted 212

AU8231_C002.fm Page 213 Saturday, June 2, 2007 1:21 PM

Access Control testing) because of the effort required by the penetration testing team to research the target. Double-blind testing extends the blind testing strategy in that the organization’s IT and security staff are not notified or informed beforehand and are “blind” to the planned testing activities. Double-blind testing can test the organization’s security monitoring and incident identification, escalation, and response procedures. Normally, in double-blind testing engagements, very few people within the organization are made aware of the testing, perhaps only the project sponsor. Double-blind penetration testing requires careful monitoring by the project sponsor to ensure that the testing procedures and the organization’s incident response procedures can be terminated when the objectives of the test have been achieved. Targeted testing (often referred to as the “lights turned on” approach) involves both the organization’s IT team and the penetration testing team being aware of the testing activities and being provided information concerning the target and the network design. A targeted testing approach may be more efficient and cost-effective when the objective of the test is focused more on the technical setting, or on the design of the network, than on the organization’s incident response and other operational procedures. A targeted test typically takes less time and effort to complete than blind testing, but may not provide as complete a picture of an organization’s security vulnerabilities and response capabilities. Types of Testing. In addition to the penetration testing strategies to be used, consideration should be given to the types of testing the testing team is to carry out. These could include:

• Application testing: Evaluate controls over the application and its process flow. • Denial-of-service testing: Evaluate a system’s susceptibility to attacks that will render it inoperable. • War dialing: Identify, analyze, and exploit modems, remote-access devices, and maintenance connections. • Wireless network testing: Identify security gaps or flaws in design, implementation, and operation of wireless technologies. • Social engineering: Use social interaction to gather information and penetrate organization’s systems. • Private branch exchange (PBX) and IP telephony testing: Evaluate controls dealing with telephony technologies. Application Testing. Many organizations offer access to core business functionality through Web-based applications. This type of access introduces new security vulnerabilities because, even with a firewall and other monitoring systems, security can be compromised, because traffic must be 213

AU8231_C002.fm Page 214 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® allowed to pass through the firewall. The objective of application security testing is to evaluate the controls over the application and its process flow. Topics to be evaluated may include the application’s usage of encryption to protect the confidentiality and integrity of information, how users are authenticated, the integrity of the Internet user’s session with the host application, and the use of cookies — a block of data stored on a customer’s computer that is used by the Web server application. Denial-of-Service (DoS) Testing. The goal of DoS testing is to evaluate the system’s susceptibility to attacks that will render it inoperable so that it will deny service, that is, drop or deny legitimate access attempts. Decisions regarding the extent of denial-of-service testing to be incorporated into a penetration testing exercise will depend on the relative importance of ongoing, continued availability of the information systems and related processing activities. War Dialing. War dialing is a technique for systematically calling a range of telephone numbers in an attempt to identify modems, remote-access devices, and maintenance connections of computers that may exist on an organization’s network. Well-meaning users can inadvertently expose the organization to significant vulnerability by connecting a modem to the organization’s information systems. Once a modem or other access device has been identified, analysis and exploitation techniques are performed to assess whether this connection can be used to penetrate the organization’s information systems network. Wireless Network Testing. The introduction of wireless networks, whether through formal, approved network configuration management or the inadvertent actions of well-meaning users, creates additional security exposures. Sometimes referred to as war driving, hackers have become proficient in identifying wireless network’s access points simply by driving or walking around office buildings with their wireless network equipment. The goal of wireless network testing is to identify security gaps or flaws in the design, implementation, or operation of the organization’s wireless network. Social Engineering. Often used in conjunction with blind and double-blind testing, this refers to techniques using social interaction, typically with the organization’s employees, suppliers, and contractors, to gather information and penetrate the organization’s systems. Such techniques could include posing as a representative of the IT department’s help desk and asking users to divulge their user account and password information; posing as an employee and gaining physical access to restricted areas that may house sensitive information; or intercepting mail, courier packages, or even searching through trash for sensitive information on printed materials. Social engineering activities can test a less technical, but equally 214

AU8231_C002.fm Page 215 Saturday, June 2, 2007 1:21 PM

Access Control important, security component: the ability of the organization’s people to contribute to — or prevent — unauthorized access to information and information systems. PBX and IP Telephony Testing. Beyond war dialing, phone systems and those incorporated with the network and network services represent a potential to access corporate resources. It is not uncommon for security services to use voice mail systems to provide information to users relying on the authentication of the user to gain access to their voice mail. Hackers can gain access to voice mail to gather information and monitor activity. Moreover, phone systems can be manipulated to permit a hacker to make long-distance calls for free and undetected, potentially furthering his attack on other organizations.

IP telephony or Voice-over-IP (VoIP) is the use of traditional data networks for phone conversations. It can also include the integration of phone systems with network applications, databases, and other services, such as e-mail or collaboration systems. Tests can be performed against these technologies to gain a better understanding of the risks associated with combining voice and data on a single network. The potential threat profile essentially doubles by assuming the threats associated with IP networks and those of telephone systems. Summary.

• An intrusion prevention system provides the ability to block attacks in real-time, while an intrusion detection system attempts to identify and report attacks. • Penetration testing is a series of activities undertaken to identify and exploit security vulnerabilities.

References Thomas R. Peltier, Justin Peltier, and John A Blackley. Managing a Network Vulnerability Assessment. New York: Auerbach Publications, 2003. James S. Tiller. The Ethical Hack: A Framework for Business Value Penetration Testing. New York: Auerbach Publications, 2004. Susan Young and Dave Aitel. The Hacker’s Handbook: The Strategy behind Breaking into and Defending Networks. New York: Auerbach Publications, 2003.

Sample Questions 1. A preliminary step in managing resources is: a. Conducting a risk analysis b. Defining who can access a given system or information c. Performing a business impact analysis d. Obtaining top management support 215

AU8231_C002.fm Page 216 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® 2. Which best describes access controls? a. Access controls are a collection of technical controls that permit access to authorized users, systems, and applications. b. Access controls help protect against threats and vulnerabilities by reducing exposure to unauthorized activities and providing access to information and systems to only those who have been approved. c. Access control is the employment of encryption solutions to protect authentication information during log-on. d. Access controls help protect against vulnerabilities by controlling unauthorized access to systems and information by employees, partners, and customers. 3. _______ requires that a user or process be granted access to only those resources necessary to perform assigned functions. a. Discretionary access control b. Separation of duties c. Least privilege d. Rotation of duties 4. What are the six main categories of access control? a. Detective, corrective, monitoring, logging, recovery, and classification b. Deterrent, preventative, detective, corrective, compensating, and recovery c. Authorization, identification, factor, corrective, privilege, and detective d. Identification, authentication, authorization, detective, corrective, and recovery 5. What are the three types of access control? a. Administrative, physical, and technical b. Identification, authentication, and authorization c. Mandatory, discretionary, and least privilege d. Access, management, and monitoring 6. Which approach revolutionized the process of cracking passwords? a. Brute force b. Rainbow table attack c. Memory tabling d. One-time hashing 7. What best describes two-factor authentication? a. Something you know b. Something you have c. Something you are d. A combination of two listed above 8. A potential vulnerability of the Kerberos authentication server is: a. Single point of failure b. Asymmetric key compromise 216

AU8231_C002.fm Page 217 Saturday, June 2, 2007 1:21 PM

Access Control

9.

10.

11.

12.

13.

14.

15.

c. Use of dynamic passwords d. Limited lifetimes for authentication credentials In mandatory access control, the system controls access and the owner determines: a. Validation b. Need to know c. Consensus d. Verification Which is the least significant issue when considering biometrics? a. Resistance to counterfeiting b. Technology type c. User acceptance d. Reliability and accuracy Which is a fundamental disadvantage of biometrics? a. Revoking credentials b. Encryption c. Communications d. Placement Role-based access control _______: a. Is unique to mandatory access control b. Is independent of owner input c. Is based on user job functions d. Can be compromised by inheritance Identity management is: a. Another name for access controls b. A set of technologies and processes intended to offer greater efficiency in the management of a diverse user and technical environment c. A set of technologies and processes focused on the provisioning and decommissioning of user credentials d. A set of technologies and processes used to establish trust relationships with disparate systems A disadvantage of single sign-on is: a. Consistent time-out enforcement across platforms b. A compromised password exposes all authorized resources c. Use of multiple passwords to remember d. Password change control Which of the following is incorrect when considering privilege management? a. Privileges associated with each system, service, or application, and the defined roles within the organization to which they are needed, should be identified and clearly documented. b. Privileges should be managed based on least privilege. Only rights required to perform a job should be provided to a user, group, or role. 217

AU8231_C002.fm Page 218 Saturday, June 2, 2007 1:21 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® c. An authorization process and a record of all privileges allocated should be maintained. Privileges should not be granted until the authorization process is complete and validated. d. Any privileges that are needed for intermittent job functions should be assigned to multiple user accounts, as opposed to those for normal system activity related to the job function. 16. Capability lists are related to the subject, whereas access control lists (ACLs) are related to the object, and therefore: a. Under capability lists, attacker subjects can simply refuse to submit their lists and act with no restrictions. b. Under access control lists, a user can invoke a program to access objects normally restricted. c. Capability lists can only manage subject-to-subject access, and thus cannot be part of the reference monitor. d. Only access control lists can be used in object-oriented programming.

218

AU8231_C003.fm Page 219 Saturday, June 2, 2007 1:22 PM

Domain 3

Cryptography Kevin Henry, CISSP

Introduction Cryptography is perhaps the most fascinating domain in the CISSP® CBK®. No other domain has the history, challenge, and technological advancements that cryptography enjoys. Throughout history, cryptography has been a crucial factor in military victories or failures, treason, espionage, and business advantage. Cryptography is both an art and a science — the use of deception and mathematics, to hide data, as in steganography, to render data unintelligible through the transformation of data into an unreadable state, and to ensure that a message has not been altered in transit. Another feature of some cryptographic systems is the ability to provide assurance of who sent the message, authentication of source, and proof of delivery. CISSP Expectations The CISSP should fully understand the basic concepts within cryptography, including public and private key algorithms in terms of their applications and uses. Cryptography algorithm construction, key distribution, key management, and methods of attack are also important for the successful candidate to understand. The applications, construction, and use of digital signatures are discussed and compared to the elements of cryptography. The principles of authenticity of electronic transactions and nonrepudiation are also included in this domain. Core Information Security Principles: Confidentiality, Integrity, and Availability The cryptography domain addresses the principles, means, and methods of disguising information to ensure its integrity, confidentiality, and authenticity. Unlike the other domains, cryptography does not support the standard of availability.

219

AU8231_C003.fm Page 220 Saturday, June 2, 2007 1:22 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Key Concepts and Definitions Plaintext or cleartext is the message in its natural format. Plaintext would be readable to an attacker. Ciphertext or cryptogram is the message once altered, so as to be unreadable for anyone except the intended recipients. An attacker seeing ciphertext would be unable to read the message or to determine its content. The cryptosystem represents the entire cryptographic operation. This includes the algorithm, the key, and key management functions. Encryption is the process of converting the message from its plaintext to ciphertext. It is also referred to as enciphering. The two terms are used interchangeably in literature and have similar meanings. Decryption is the reverse process from encryption. It is the process of converting a ciphertext message into plaintext through the use of the cryptographic algorithm and key that was used to do the original encryption. This term is also used interchangeably with the term decipher. The key or cryptovariable is the sequence that controls the operation of the cryptographic algorithm. It determines the behavior of the algorithm and permits the reliable encryption and decryption of the message. There are both secret and public keys used in cryptographic algorithms, as will be seen later in this chapter. Nonrepudiation is a security service by which evidence is maintained so that the sender and recipient of data cannot deny having participated in the communication. Individually, it is referred to as nonrepudiation of origin and nonrepudiation of receipt. An algorithm is a mathematical function that is used in the encryption and decryption process. It may be quite simple or extremely complex. Cryptanalysis is the study of techniques for attempting to defeat cryptographic techniques and, more generally, information security services. Cryptology is the science that deals with hidden, disguised, or encrypted communications. It embraces communications security and communications intelligence. Collision occurs when a hash function generates the same output for different inputs. Key space represents the total number of possible values of keys in a cryptographic algorithm or other security measure, such as a password. For example, a 20-bit key would have a key space of 1,048,576. Work factor represents the time and effort required to break a protective measure. 220

AU8231_C003.fm Page 221 Saturday, June 2, 2007 1:22 PM

Cryptography An initialization vector is a nonsecret binary vector used as the initializing input algorithm for the encryption of a plaintext block sequence to increase security by introducing additional cryptographic variance and to synchronize cryptographic equipment. Encoding is the action of changing a message into another format through the use of a code. This is often done by taking a plaintext message and converting it into a format that can be transmitted via radio or some other medium, and is usually used for message integrity instead of secrecy. An example would be to convert a message to Morse code. Decoding is the reverse process from encoding — converting the encoded message back into its plaintext format. Transposition or permutation is the process of reordering the plaintext to hide the message. Transposition may look like this: Plaintext

Transposition Algorithm

Ciphertext

HIDE

REORDER SEQUENCE 2143

IHED

Substitution is the process of exchanging one letter or byte for another. This operation may look like this: Plaintext

Substitution Process

Ciphertext

HIDE

Shift alphabet three places

KLGH

The SP-network is the process described by Claude Shannon used in most block ciphers to increase their strength. SP stands for substitution and permutation (transposition), and most block ciphers do a series of repeated substitutions and permutations to add confusion and diffusion to the encryption process. An SP-network uses a series of S-boxes to handle the substitutions of the blocks of data. Breaking a plaintext block into a subset of smaller S-boxes makes it easier to handle the computations. Confusion is provided by mixing (changing) the key values used during the repeated rounds of encryption. When the key is modified for each round, it provides added complexity that the attacker would encounter. Diffusion is provided by mixing up the location of the plaintext throughout the ciphertext. Through transposition, the location of the first character of the plaintext may change several times during the encryption process, and this makes the cryptanalysis process much more difficult. The avalanche effect, an important consideration in all cryptography, is to design algorithms where a minor change in either the key or the plaintext will have a significant change in the resulting ciphertext. This is also a feature of a strong hashing algorithm. 221

AU8231_C003.fm Page 222 Saturday, June 2, 2007 1:22 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK®

Figure 3.1. The cryptographic process.

The History of Cryptography Cryptography has been around for many years, and yet the basic principles of cryptography have not changed. The core principle of most cryptographic systems is that they take a plaintext message and, through a series of transpositions or substitutions, convert it to ciphertext, as shown in Figure 3.1. The Early (Manual) Era. There is evidence of cryptographic-type operations going back thousands of years. In one case, there is an example in Egypt of one set of hieroglyphics that were encrypted with a simple substitution algorithm.

The Spartans were known for the Spartan scytale — a method of transmitting a message by wrapping a leather belt around a tapered dowel. Written across the dowel, the message would be undecipherable once it was unwrapped from the dowel. The belt could then be carried to the recipient, who would be able to read the message as long as he had a dowel of the same diameter and taper. There are further examples of the use and development of cryptographic methods throughout the past two centuries. Julius Caesar used the Caesar cipher — a simple substitution cipher that shifted the alphabet three positions. Developments in cryptographic science continued throughout the middle ages with the work of Leon Battista Alberti, who invented the idea of a cryptographic key in 1466, and the enhanced use of polyalphabetic ciphers by Blais de Vigenère. We will look at their work in more detail when we review the methods of cryptography. The Mechanical Era. From a paper-and-pencil world, cryptography developed into the mechanical era with the advent of CipherDisks and rotors to simplify the manual processes of cryptography. Devices developed during this era were in regular use well into the 20th century. These include the German Enigma machine, the Confederate Army’s CipherDisk, and the Japanese Red and Purple machines.

222

AU8231_C003.fm Page 223 Saturday, June 2, 2007 1:22 PM

Cryptography During this era, tools and machines were developed that greatly increased the complexity of cryptographic operations, as well as enabling the use of much more robust algorithms. Many of these devices introduced a form of randomization to the cryptographic operations and made the use of cryptographic devices available to nontechnical people. One core concept developed in this era was the performance of the algorithm on the numerical value of a letter, rather than the letter itself. This was a natural transition into the electronic era, where cryptographic operations are normally performed on binary or hex values of letters, rather than on the written letter. For example, we could write the alphabet as follows: A = 0, B = 1, C = 3 … Z = 25 This was especially integral to the one-time pad and other cipher methods that were developed during this era. The Modern Era. Today’s cryptography is far more advanced than the cryptosystems of yesterday. We are able to both encrypt and break ciphers that could not even have been imagined before we had the power of computers.

Today’s cryptosystems operate in a manner so that anyone with a computer can use cryptography without even understanding cryptographic operations, algorithms, and advanced mathematics. However, as we will review later, it is still important to implement a cryptosystem in a secure manner. In fact, we could state that most attacks against cryptosystems are not the result of weaknesses in cryptographic algorithms, but rather poor or mismanaged implementations. As we look at the cryptographic algorithms in use today, we will see many of the advances of yesterday built into the functions of today — randomization, transposition, and cryptographic keys. Emerging Technology Quantum Cryptography.* A fundamental difference between traditional cryptography and quantum cryptography is that traditional cryptography primarily uses difficult mathematical techniques as its fundamental mechanism. Quantum cryptography, on the other hand, uses physics to secure data. Whereas traditional cryptography stands firm due to strong math, quantum cryptography has a radically different premise in that the secu-

*Ben Rothke, An overview of quantum cryptography, in Information Security Management Handbook, 3rd ed., Vol. 3, Tipton, Harold F. and Krause, Micki, Eds., Auerbach Publications, New York, 2006, pp. 380–381.

223

AU8231_C003.fm Page 224 Saturday, June 2, 2007 1:22 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® rity should be based on known physical laws rather than on mathematical difficulties. Quantum cryptography (also known as quantum key distribution, or QKD) is built on quantum physics. Perhaps the most well known aspect of quantum physics is the uncertainty principle of Werner Heisenberg. His basic claim is that we cannot know both a particle’s position and momentum with unlimited accuracy at the same time. Specifically, quantum cryptography is a set of protocols, systems, and procedures by which it is possible to create and distribute secret keys. Quantum cryptography can be used to generate and distribute secret keys, which can then be used together with traditional crypto algorithms and protocols to encrypt and transfer data. It is important to note that quantum cryptography is not used to encrypt data, transfer encrypted data, or store encrypted data. As noted early, the need for asymmetric key systems arose from the issue of key distribution. The quagmire is that you needed a secure channel to set up a secure channel. Quantum cryptography solves the key distribution problem by allowing the exchange of a cryptographic key between two remote parties with complete security, as dictated via the laws of physics. Once the key exchange takes place, conventional cryptographic algorithms are used. For that reason, many prefer the term quantum key distribution to quantum cryptography. When used in a commercial setting, the following is a basic and overly simplistic setup of how quantum cryptography can be used: 1. Two remote parties need to exchange data electronically in a highly secure manner. 2. They choose standard crypto algorithms, protocols, systems, and transport technologies to exchange the data in an encrypted form. 3. They use a quantum cryptography channel to generate and exchange the secret keys needed by the algorithms. 4. They use the secret keys generated with quantum cryptography and the classical algorithms to encrypt the data. 5. They exchange the encrypted data using the chosen classical protocols and transfer technologies. Within quantum cryptography, there are two unique channels. One is used for the transmission of the quantum key material via single-photon light pulses. The other channel carries all message traffic, including the cryptographic protocols, encrypted user traffic, and more. Within the laws of quantum physics, once a photon has been observed, its state is changed. This makes quantum cryptography perfect for security because any time that someone tries to eavesdrop on a secure channel, 224

AU8231_C003.fm Page 225 Saturday, June 2, 2007 1:22 PM

Cryptography this will cause a disturbance to the flow of the photons. This can easily be identified to provide extra security. Quantum algorithms are orders of magnitude better than current systems. It is estimated that quantum factorization can factor a number a million times longer than that used for RSA in a millionth of the time. In addition, it can crack a DES cipher in less than four minutes. KC’s speed increase comes from forming a superposition of numbers. Quantum computers are able to perform calculations on various superpositions simultaneously, which creates the effect of a massive parallel computation. Protecting Information Data Storage. Protection of stored data is a key requirement. Backup tapes, off-site storage, password files, and many other types of confidential information need to be protected from disclosure or undetected alteration. This is done through the use of cryptographic algorithms that limit access to the data to those that hold the proper encryption (and decryption) keys. (Note: Because password files are hashed instead of encrypted, there are no keys to decrypt them.) Some modern cryptographic tools also permit the condensing of messages, saving both transmission and storage space. Data Transmission. One of the primary purposes throughout history has been to move messages across various types of media. The intent was to prevent the contents of the message from being revealed even if the message itself was intercepted in transit. Whether the message is sent manually, over a voice network, or via the Internet, modern cryptography provides secure and confidential methods to transmit data and allows the verification of the integrity of the message, so that any changes to the message itself can be detected. Advances in quantum cryptography also allow the detection of whether a message has even been read in transit. Link Encryption. Data is encrypted on a network using either link or endto-end encryption. In general, link encryption is performed by service providers, such as a data communications provider on a Frame Relay network. Link encryption encrypts all of the data along a communications path (e.g., a satellite link, telephone circuit, or T-1 line). Because link encryption also encrypts routing data, communications nodes need to decrypt the data to continue routing. The data packet is decrypted and reencrypted at each point in the communications channel. It is theoretically possible that an attacker compromising a node in the network may see the message in the clear. Because link encryption also encrypts the routing information, it provides traffic confidentiality better than end-toend encryption. Traffic confidentiality hides the addressing information from an observer, preventing an inference attack based on the existence of traffic between two parties. 225

AU8231_C003.fm Page 226 Saturday, June 2, 2007 1:22 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK®

Figure 3.2. Comparison of link and end-to-end encryption. End-to-End Encryption. End-to-end encryption is generally performed by the end-user organization. The data is encrypted at the start of the communications channel and remains encrypted until it is decrypted at the remote end. Although data remains encrypted when passed through a network, routing information remains visible. It is possible to combine both types of encryption (NIST SP 800-12). See Figure 3.2.

Uses of Cryptography Availability. Cryptography supports all three of the core principles of information security. Many access control systems use cryptography to limit access to systems through the use of passwords. Many token-based authentication systems use cryptographic-based hash algorithms to compute one-time passwords. Denying unauthorized access prevents an attacker from entering and damaging the system or network, thereby denying access to authorized users. Confidentiality. Cryptography provides confidentiality through altering or hiding a message so that it cannot be understood by anyone except the intended recipient. Integrity. Cryptographic tools provide integrity checks that allow a recipient to verify that a message has not been altered. Cryptographic tools cannot prevent a message from being altered, but they are effective to detect either intentional or accidental modification of the message.

Additional Features of Cryptographic Systems In addition to the three core principles of information security listed above, cryptographic tools provide several more benefits. 226

AU8231_C003.fm Page 227 Saturday, June 2, 2007 1:22 PM

Cryptography Nonrepudiation. In a trusted environment, authentication of the origin can be provided through the simple control of the keys. The receiver has a level of assurance that the message was encrypted by the sender, and the sender has trust that the message was not altered once it was received. However, in a more stringent, less trustworthy environment, it may be necessary to provide assurance via a third party of who sent a message and that the message was indeed delivered to the right recipient. This is accomplished through the use of digital signatures and public key encryption. As shown later in this chapter, the use of these tools provides a level of nonrepudiation of origin that can be verified by a third party.

Once a message has been received, what is to prevent the recipient from changing the message and contesting that the altered message was the one sent by the sender? Nonrepudiation of delivery prevents a recipient from changing the message and falsely claiming that the message is in its original state. This is also accomplished through the use of public key cryptography and digital signatures and is verifiable by a trusted third party. Authentication. Authentication is the ability to determine who has sent a message. This is primarily done through the control of the keys, because only those with access to the key are able to encrypt a message. This is not as strong as nonrepudiation of origin, which will be reviewed shortly.

Cryptographic functions use several methods to ensure that a message has not been changed or altered. These include hash functions, digital signatures, and message authentication codes (MACs). All of these will be reviewed in more detail through this chapter. The main thing is that the recipient is able to detect any change that has been made to a message, whether accidentally or intentionally. Access Control. Through the use of cryptographic tools, many forms of access control are supported — from log-ins via passwords and passphrases to the prevention of access to confidential files or messages. In all cases, access would only be possible for those individuals that had access to the correct cryptographic keys.

Methods of Cryptography Stream-Based Ciphers. There are two primary methods of encrypting data: the stream and block methods. When a cryptosystem performs its encryption on a bit-by-bit basis, it is called a stream-based cipher.

This is the method most commonly associated with streaming applications, such as voice or video transmission. The cryptographic operation for a stream-based cipher is to mix the plaintext with a keystream that is generated by the cryptosystem. The mixing operation is usually an exclusive-or (XOR) operation — a very fast mathematical operation. 227

AU8231_C003.fm Page 228 Saturday, June 2, 2007 1:22 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK®

Figure 3.3. Cryptographic operation for a stream-based cipher.

As seen in Figure 3.3, the plaintext is XORed with a seemingly random keystream to generate ciphertext. We refer to it as seemingly random because the generation of the keystream is usually controlled by the key. If the key could not produce the same keystream for the purposes of decryption of the ciphertext, then it would be impossible to ever decrypt the message. The exclusive-or process is a key part of many cryptographic algorithms. It is a simple binary operation that adds two values together. If the two values are the same, 0 + 0 or 1 + 1, then the output is always a 0; however, if the two values are different, 1 + 0 or 0 + 1, then the output is a 1. From the example above we can see this in operation: Input plaintext Keystream Output of XOR

0101 0001 0111 0011 0010 0010

A stream-based cipher relies primarily on substitution — the substitution of one character or bit for another in a manner governed by the cryptosystem and controlled by the cipher key. For a stream-based cipher to operate securely, it is necessary to follow certain rules for the operation and implementation of the cryptographic tool. The keystream must be strong enough to not be easily guessed or predictable. In time, the keystream will repeat, and that period (or length of the repeating segment of the keystream) must be long enough to be difficult to calculate. If a keystream is too short, then it is susceptible to frequency analysis or other language-specific attacks. The implementation of the stream-based cipher is probably the most important factor in the strength of the cipher — this applies to nearly every crypto product and, in fact, to security overall. Some important factors in the implementation are to ensure that the key management processes are secure and cannot be readily compromised or intercepted by an attacker. 228

AU8231_C003.fm Page 229 Saturday, June 2, 2007 1:22 PM

Cryptography Block Ciphers. A block cipher operates on blocks or chunks of text. As plaintext is fed into the cryptosystem, it is divided into blocks of a preset size — often a multiple of the ASCII character size — 64, 128, 192 bits, etc.

Most block ciphers use a combination of substitution and transposition to perform their operations. This makes a block cipher relatively stronger than most stream-based ciphers, but more computationally intensive and usually more expensive to implement. This is also why many stream-based ciphers are implemented in hardware, whereas a block-based cipher is implemented in software. Encryption Systems Substitution Ciphers The substitution cipher is something many of us have used. It involves the simple process of substituting one letter for another based upon a cryptovariable. Typically, substitution involves shifting positions in the alphabet of a defined number of characters. Many old ciphers were based on substitution, including the Caesar cipher and ROT-13.* Playfair Cipher. The playfair cipher was used well into the 20th century and was a key element of the cryptographic systems used by the Allies in the Second World War.

The sender and receiver agreed on a key word, for example, Triumph. A table was then constructed using that word and then the rest of the alphabet — skipping over the letters already appearing in the key, and using I and J as the same letter. For the sake of clarity, the key word is highlighted in the table so that it can be easily found. T P D L V

R H E N W

I/J A F O X

U B G Q Y

M C K S Z

If the sender wanted to encrypt the message “Do not accept offer,” it would be encrypted by first grouping the plaintext in two letter blocks and spacing the repeated letters in the plaintext with a filler letter, e.g., X. The plaintext would then be: DO NO TA CX CX EP TO FX FX ER The table is read by looking at where the two letters of the block intersect. For example, if we took the first block, DO, and made it a rectangle, *Chris Hare, Cryptography 101, Data Security Management, 2002.

229

AU8231_C003.fm Page 230 Saturday, June 2, 2007 1:22 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® the letters at the other two corners of the rectangle would be FL, that is, the ciphertext for the block DO. The box created by the letters DO is in a border for clarity. The next plaintext block is NO, and because both of those letters are on the same row, we would use the ciphertext of the next letters — in this case, NO would be encrypted as OQ. If the input block had been OS, then the row would wrap and the output ciphertext would be QL, using the next letter after the O, and the next letter after the S being the L from the beginning of the row. The letters FX fall in the same column, and we would do the same as for letters that fall in the same row — use the next lower letter and wrap to the top of the column if necessary. The block FX would be encrypted as either OI or OJ. Transposition Ciphers. All of the above cryptosystems are based on the principle of substitution, that is, to substitute or exchange one value or letter for another. Now we will look at the cryptosystems that use transposition or permutation.

These systems rely on concealing the message through the transposing of or interchanging the order of the letters. The Rail Fence. In the simple transposition cipher known as the rail fence, the message is written and read in two or more lines. Let us say that we want to send the message “Purchase gold and oil stocks.”

We could write the message in alternating diagonal rows as shown: P

R U

H C

S A

G E

L O

A D

D N

I O

S L

O T

K C

S

The ciphertext would read as follows: PRHSGLADIGOKUCAEODNOLTCS The problem with such a system is that because the letters are the same as the plaintext, no substitution has taken place, just a reordering of the letters; the ciphertext is still susceptible to frequency analysis and other cryptographic attacks Rectangular Substitution Tables. The use of rectangular substitution tables was an early form of cryptography. The sender and receiver decided on the size and structure of a table to hold the message, and then the order in which to read the message.

Let us use the same plaintext as the previous example (“Purchase gold and oil stocks”), but place it in a rectangular substitution block. 230

AU8231_C003.fm Page 231 Saturday, June 2, 2007 1:22 PM

Cryptography P A L O O

U S D I C

R E A L K

C G N S S

H O D T

Reading the table in a top-down manner would produce the following ciphertext: PALOOUSDICREALKCGNSSHODT Of course, the sender and receiver could agree on reading the table any way — bottom up, diagonally — that suited them. Monoalphabetic and Polyalphabetic Ciphers. We looked at the Caesar cipher earlier — a simple substitution algorithm that merely shifted the plaintext over three places to create the ciphertext. This was a monoalphabetic system — the substitution was one alphabet letter for another. In the case of the Caesar cipher, the replacement alphabet was offset by three places: A D

B E

C F

D G

E H

F I

G J

H K

I L

J M

K N

… …

Z C

There is also the scrambled alphabet. In this case, the substitution alphabet is a scrambled version of the alphabet. It could look like this, for example: A M

B G

C P

D U

E W

F I

G R

H L

I O

J V

K D

… …

Z K

Using the scrambled alphabet above, the plaintext of BAKE would be substituted as GMDW. The problem with monoalphabetic ciphers, however, is that they are still subject to the characteristics of the plaintext language — an E, for example, would be substituted as a W throughout the ciphertext. That would mean the letter W in the ciphertext would appear as frequently as an E in plaintext. That makes a cryptanalytic attack of a monoalphabetic system fairly simple. The use of several alphabets for substituting the plaintext is called polyalphabetic ciphers. It is designed to make the breaking of a cipher by frequency analysis more difficult. Instead of substituting one alphabet for another, the ciphertext is generated from several possible substitution alphabets. We show an example here: 231

AU8231_C003.fm Page 232 Saturday, June 2, 2007 1:22 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Plaintext Substitution 1 Substitution 2 Substitution 3 Substitution 4

A M V L N

B G K P B

C P P O V

D U O I C

E W I J X

F I U M Z

G R Y K A

H L T H S

I O J G D

J V H T E

K D S U Y

… … … … …

Z K A F W

Using this table, we could substitute the plaintext FEED as IIJC, if we used the substitution alphabets in sequence. We see the power of using multiple alphabets in this example, as we see that the repeated E in the plaintext is substituted for different results in the ciphertext. We also note that the ciphertext has a repeated I, and yet that is for different plaintext values. Blais de Vigenère. Blais de Vigenère, a Frenchman, developed the polyalphabetic cipher using a key word and 26 alphabets, each one offset by one place.* We can show this in the following table. The top row of the table would be the plaintext values and the first column of the table the substitution alphabets.

A B C D E F G H I J K L … Z

A A B C D E F G H I J K L … Z

B B C D E F G H I J K L M … A

C C D E F G H I J K L M N … B

D D E F G H I J K L M N O … C

E E F G H I J K L M N O P … D

F F G H I J K L M N O P Q … E

G G H I J K L M N O P Q R … F

H H I J K L M N O P Q R S … G

I I J K L M N O P Q R S T … H

J J K L M N O P Q R S T U … I

K K L M N O P Q R S T U V … J

L L M N O P Q R S T U V W … K

… … … … … … … … … … … … … … …

Z Z A B C D E F G H I J K … Y

The sender and receiver of the message would agree on a key to use for the message — in this case we could use the word FICKLE, as the key. Just as in the running cipher shown below, we would repeat the key for the length of the plaintext. If we wanted to encrypt the message “HIKE BACK,” it would be constructed as follows:

*Please note that the author has agreed with the assertion of William Stallings in regard to Vigenère. Ross Anderson alleges that Vigenère’s work was based on modular mathematics, not on substitution tables.

232

AU8231_C003.fm Page 233 Saturday, June 2, 2007 1:22 PM

Cryptography Plaintext Key Ciphertext

H F M

I I Q

K C M

E K O

B L M

A E E

C F H

K I S

The ciphertext is found by finding where the H of the plaintext — the top row of the table — intersects with the F row of the ciphertext. For the first letter we have highlighted that cell. Again, we see the power of a polyalphabetic system where repeated values in the plaintext do not necessarily give the same ciphertext values, and repeated ciphertext values correspond to different plaintext inputs. Modular Mathematics and the Running Key Cipher. The use of modular mathematics and the representation of each letter by its numerical place in the alphabet are the key to many modern ciphers: A B C D E F G H I J K L M N O P Q … Z 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 … 25

The English alphabet would be calculated as mod 26 because there are 26 letters in the English alphabet. The use of mod 26 means that whenever the result of a mathematical operation is greater than 26, we subtract the 26 from the total as often as we need to until it is less than 26. Using the above values, the cryptographic operation operates as follows: Ciphertext = plaintext + key (mod 26). This is written as C = P + K (mod 26). Ciphertext is the value of the plaintext + the value of the key (mod 26). For example, the plaintext letter N has a value of 13 (it is the 13th letter in the alphabet using the table above). If the key to be used to encrypt the plaintext is a Q with a value of 16, the ciphertext would be 13 + 16, or the 29th letter of the alphabet. Because there is no 29th letter in the English alphabet, we subtract 26 (hence the term mod 26) and the ciphertext becomes the letter corresponding to the number 3, a D. Running Key Cipher. In the example below, we demonstrate the use of a running key cipher. In a running key cipher the key is repeated (or runs) for the same length as the plaintext input. Here we selected the key of FEED to encrypt the plaintext CHEEK. We repeat the key as long as necessary to match the length of the plaintext input.

Let us demonstrate the encryption of the word CHEEK using the table above and the key of FEED. Remember, the numbers under the letters represent the value or position of that letter in the alphabet. 233

AU8231_C003.fm Page 234 Saturday, June 2, 2007 1:22 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Plaintext: CHEEK

C 2

H 7

E 4

E 4

FEED

F 5

E 4

E 4

D 3

K 10

Key: F 5

The key is repeated for the length of the plaintext. The ciphertext would be computed as follows: Plaintext key Value of plaintext Value of key Ciphertext value Ciphertext

C F 2 5 7 H

H E 7 4 11 L

E E 4 4 8 I

E D 4 3 7 H

K F 10 5 15 P

One-Time Pads. Now we will look at the only cipher system that we can assert is unbreakable. That is, as long as it is implemented properly. These are often referred to as Vernam ciphers after the work of Gilbert Vernam, who proposed the use of a key that could only be used once and that must be as long as the plaintext but never repeats.

The one-time pad uses the principles of the running key cipher, using the numerical values of the letters and adding those to the value of the key; however, the key is a string of random values the same length as the plaintext. It never repeats, compared to the running key that may repeat several times. This means that a one-time pad is not breakable by frequency analysis or many other cryptographic attacks. The sender and receiver must first exchange the key material. This is often done using cryptographic pads and sending them to both the sender and receiver through a secure exchange mechanism, such as a diplomatic pouch or trusted courier. Assume that we develop a keystream for the one-time pad that looks like this: ksosdfsherfn avaishdas vdsfvksdklvsidfva sckapocs asknvaklvnhainfwivhpreovia It is just a randomly chosen set of values — maybe generated through monitoring some seemingly random occurrence, such as atmospheric noise or the readings on a Geiger counter. In this case, we chose a series of 234

AU8231_C003.fm Page 235 Saturday, June 2, 2007 1:22 PM

Cryptography alphabetic values, but we could just as easily choose mathematical values and then add them to the plaintext using mod 26. We know from our earlier example the values of each letter. A B C D E F G H I J K L M N O P Q R S T … Z 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 … 25

Let us send the message “Do not negotiate less than 5%.” We can then format our encryption as follows: Plaintext key (from above) Plaintext values Key values Ciphertext value Ciphertext

D O K S 3 14 10 18 13 32 (mod 26) = 6 N G

N O T N E G O S D F S H 13 14 19 13 4 6 14 18 3 5 18 7 27 (mod 26) = 1 6 22 18 22 13 B G W S W N

Steganography. Steganography is the hiding of a message inside of another medium, such as a photograph, music, or other item. Steganography comes from the Greek expression of “hidden writing.”

Steganography is not a new art — history tells of slaves having a message tattooed onto their head to carry it through enemy lines. The message itself was not encrypted, but its existence was hidden so that only the recipient would know to reveal the message through a radical haircut. Steganography was also used through the centuries through microdots, invisible ink, and regular letters between friends containing hidden meanings. Modern stego tools will bury a message inside of a jpeg or other graphic image by “stealing” the least significant bit of every byte and using it to carry the secret message. This will not noticeably change the image, and a casual observer will not realize that a message is hidden inside the image, only to be revealed to the person with the correct stego tool. Most unfortunately, this has become a method of industrial espionage, where a mole (spy) within a company will send confidential information to a competitor via a generic e-mail address, hiding confidential corporate information within the message that would not be noticed even if the e-mail was being monitored. Watermarking. Watermarking is the addition of identifiable information into a file or document. This is often done to detect the improper copying or theft of information. The watermark may or may not be visible and may affect the quality of the original file. Code Words. Later in the chapter we will look more closely at modern methods of message integrity using message authentication codes and dig235

AU8231_C003.fm Page 236 Saturday, June 2, 2007 1:22 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® ital signatures; however, we will briefly look at one way that encoding a message can provide a level of message integrity. For many years now, radio transmissions have been an important part of air traffic control; however, we do not all speak with the same accent, and the radios themselves are often subject to noise, distortion, and interference. For the sake of understanding, it is often better to use a code word instead of a letter — we may not understand whether the person speaking said a B or a D, but if they say “Bravo” or “Delta,” we can easily distinguish a B from the word Bravo or D from Delta. Symmetric Ciphers. Now that we have looked at some of the history of cryptography and some of the methods of cryptography, let us look at how cryptographic principles are actually used today in real implementations.

There are two primary forms of cryptography in use today, symmetric and asymmetric cryptography. We will look at each one in some detail. Symmetric algorithms operate with a single cryptographic key that is used for both encryption and decryption of the message. For this reason, it is often called single, same, or shared key encryption. It can also be called secret or private key encryption because the key factor in secure use of a symmetric algorithm is to keep the cryptographic key secret. Some of the most difficult challenges of symmetric key ciphers are the problems of key management. Because the encryption and decryption processes both require the same key, the secure distribution of the key to both the sender (or encryptor) of the message and the receiver (or decryptor) is a key factor in the secure implementation of a symmetric key system. The cryptographic key cannot be sent in the same channel (or transmission medium) as the data, so out-of-band distribution must be considered. Out of band means using a different channel to transmit the keys, such as courier, fax, phone, or some other method (Figure 3.4).

Sender Plaintext

Receiver encryption Process

Ciphertext

Key Material

Key Material Out of Band Key Distribution

Figure 3.4. Out-of-band key distribution. 236

Decryption Process

Plaintext

AU8231_C003.fm Page 237 Saturday, June 2, 2007 1:22 PM

Cryptography The advantages of symmetric key algorithms are that they are usually very fast, secure, and cheap. There are several products available on the Internet at no cost to the user that use symmetric algorithms. The disadvantages include the problems of key management, as mentioned earlier, but also the limitation that a symmetric algorithm does not provide many benefits beyond encryption, unlike most asymmetric algorithms, which also provide the ability to establish nonrepudiation, message integrity, and access control. We can best describe this limitation by using a physical security example. If ten people have a copy of the key to the server room, it can be difficult to know who entered that room at 10 P.M. yesterday. We have limited access control in that only those people with a key are able to enter; however, we do not know which one of those ten actually entered. The same with a symmetric algorithm; if the key to a secret file is shared between two or more people, then we do not have a way to know who was the last person to access the encrypted file. It would also be possible for a person to change the file and allege that it was changed by someone else. This would be most critical when the cryptosystem is used for important documents such as electronic contracts. If a person that receives a file can change the document and allege that that was the true copy he had received, we are faced with problems of repudiation. Examples of Symmetric Algorithms. We have looked at several symmetric algorithms already — the Caesar cipher, the Spartan scytale, and the Enigma machine were all symmetric algorithms. The receiver needed to use the same key to perform the decryption process as he had used during the encryption process. Now we will look at some of the modern symmetric algorithms. The Data Encryption Standard (DES). The Data Encryption Standard was based on the work of Harst Feistal.* Harst Feistal had developed a family of algorithms that had a core principle of taking the input block of plaintext and dividing it in half. Then each half was used several times through an exclusive-or operation to alter the other half — providing a type of permutation as well as substitution.

DES became the standard in 1977 when it was adopted by several agencies of the U.S. federal government for deployment across all U.S. government departments for nonclassified but sensitive information. DES is used extensively even today in many financial, virtual private network (VPN), and online encryption systems. DES has been replaced as the stan-

*The author has chosen to use the spelling of Harst Feistal as described by Anderson. It is also spelled Horst in other publications. The work of Feistal was the implementation of the research done by Claude Shannon in 1945.

237

AU8231_C003.fm Page 238 Saturday, June 2, 2007 1:22 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® dard by the Advanced Encryption Standard (AES), which is based on the Rijndael algorithm. The origin of DES was the Lucifer algorithm developed by Feistal; however, Lucifer had a 128-bit key. The algorithm was modified to make it more resistant to cryptanalysis, and the key length was reduced to 56 bits so that it could be fit onto a single chip. DES operates on 64-bit input blocks (which, because it is a Feistal cipher, are then broken into 32-bit subblocks) and a 56-bit key. The output is also 64-bit blocks. When looking at a DES key, it is 64 bits in length; however, every eighth bit (used for parity) is ignored. Therefore, the effective length of the DES key is 56 bits. Because every bit has a possible value of either 1 or 0, we can state that the effective key space for the DES key is 2.56 This gives a total number of keys for DES to be 7.2*1016. Because DES has become the template for so many later encryption technologies, we will look at it in more detail.* Originally there were four modes of DES accepted for use by the U.S. federal government (NIST); in later years, the CTR mode was also accepted (Table 3.1). THE BLOCK MODES OF DES. The following modes of DES operate in a block structure, on 64-bit input blocks.

Electronic Codebook Mode (ECB) — Electronic codebook is the most basic mode of DES (Figure 3.5). It is called codebook because it is similar to having a large codebook containing every piece of 64-bit plaintext input and all possible 64-bit ciphertext outputs. In a manual sense, it would be the same as looking up the input in a book and finding what the output would be depending on which key was used. When a plaintext input is received by ECB, it operates on that block independently and produces the ciphertext output. If the input was more than 64 bits long and each 64-bit block was the same, then the output blocks would also be the same. Such regularity would make cryptanalysis fairly simple. For that reason, as we see in Table 3.1, ECB is only used for very short messages (less than 64 bits in length), such as transmission of a DES key. As with all Feistal ciphers, the decryption process is the reverse of the encryption process. Cipher Block Chaining Mode (CBC) — Cipher block chaining mode is stronger than ECB in that each input block will produce a different output — even if the input blocks are identical. This is accomplished by introduc*For more information on DES, see FIPS 81 and NIST SP 800-38A.

238

AU8231_C003.fm Page 239 Saturday, June 2, 2007 1:22 PM

Cryptography Table 3.1. Four Modes of DES Replacement DES Mode Electronic Code Book (ECB)

Cipher Block Chaining (CBC)

Cipher Feedback (CFB)

Output Feedback (OFB)

Counter Mode (CTR)

How It Works

Usage

In ECB mode, each block is encrypted independently, allowing randomly accessed files to be encrypted and still accessed without having to process the file in a linear encryption fashion. In CBC mode, the result of encrypting one block of data is fed back into the process to encrypt the next block of data. In CFB mode, each bit produced in the keystream is the result of a predetermined number of fixed ciphertext bits. In OFB mode, the keystream is generated independently of the message In CTR mode, a counter — a 64-bit random data block — is used as the first initialization vector.

Very short messages (less than 64 bits in length), such as transmission of a DES key.

Authentication

Authentication

Authentication

Used in high-speed applications such as IPSec and Asynchronous Transfer Mode (ATM)

Source: James S. Tiller, Message Authentication, in Harold F. Tipton and Micki Krause (eds.), Information Security Management Handbook, 5th ed., New York: Auerbach Publications, 2004.

ing two new factors in the encryption process — an initialization vector (IV) and a chaining function that XORs each input with the previous ciphertext. (Note: Without the IV, the chaining process applied to the same messages would create the same ciphertext.) The initialization vector is a randomly chosen value that is mixed with the first block of plaintext. This acts just like a seed in a stream-based cipher. The sender and receiver must know the IV so that the message can be decrypted later. It is important to protect the IV to the same level as the key. Usually the IV is encrypted with ECB and sent to the receiver. We can see the function of CBC in Figure 3.6.

239

AU8231_C003.fm Page 240 Saturday, June 2, 2007 1:22 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK®

Figure 3.5. Electronic codebook is the most basic mode of DES.

Figure 3.6. Cipher block chaining mode. 240

AU8231_C003.fm Page 241 Saturday, June 2, 2007 1:22 PM

Cryptography The initial input block is XORed with the IV, and the result of that process is encrypted to produce the first block of ciphertext. This first ciphertext block is then XORed with the next input plaintext block. This is the chaining process, which ensures that even if the input blocks are the same, the resulting outputs will be different. The Stream Modes of DES — The following modes of DES operate as a stream; even though DES is a block mode cipher, these modes attempt to make DES operate as if it were a stream mode algorithm. A block-based cipher is subject to the problems of latency or delay in processing. This makes them unsuitable for many applications where simultaneous transmission of the data is desired. In these modes, DES tries to simulate a stream to be more versatile and provide support for stream-based applications. Cipher Feedback Mode (CFB) — In the cipher feedback mode of DES, the input is separated into individual segments — usually of 8 bits, because that is the size of one character (Figure 3.7). When the encryption process starts, the initialization vector is chosen and loaded into a shift register. It is then run through the encryption algorithm. The first 8 bits that come from the algorithm are then XORed with the first 8 bits of the plaintext (the first segment). Each 8-bit segment is then transmitted to the receiver and also fed back into the shift register. The shift register contents are then encrypted again to generate the keystream to be XORed with the next plaintext segment. This process continues until the end of the input. One of the drawbacks of this, however, is that if a bit is corrupted or altered, all of the data from that point onward will be damaged. It is interesting to note that because of the nature of the operation in CFB, the decryption process uses the encryption operation rather than operate in reverse like CBC. Output Feedback Mode (OFB) — Output feedback mode is very similar in operation to cipher feedback except that instead of using the ciphertext result of the XOR operation to feed back into the shift register for the ongoing keystream, it feeds the encrypted keystream itself back into the shift register to create the next portion of the keystream (Figure 3.8). Because the keystream and message data are completely independent (the keystream itself is chained, but there is no chaining of the ciphertext), it is now possible to generate the entire keystream in advance and store it for later use. However, this does pose some storage complications, especially if it were to be used in a high-speed link. Counter Mode (CTR) — Counter mode is used in high-speed applications such as IPSec and Asynchronous Transfer Mode (ATM) (Figure 3.9). In this mode, a counter — a 64-bit random data block— is used as the first initialization vector. A requirement of counter mode is that the counter must be different for every block of plaintext, so for each subsequent block, the 241

AU8231_C003.fm Page 242 Saturday, June 2, 2007 1:22 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK®

Figure 3.7. Cipher feedback mode of DES.

counter is incremented by 1. The counter is then encrypted just as in OFB, and the result is used as a keystream and XORed with the plaintext. Because the keystream is independent from the message, it is possible to even process several blocks of data at the same time, thus speeding up the throughput of the algorithm. Again, because of the characteristics of the algorithm, the encryption process is used at both ends of the process — there is no need to install the decryption process. ADVANTAGES AND DISADVANTAGES OF DES. DES is a strong, fast algorithm that has endured the test of time; however, it is not suitable for use for very confidential data due to the increase in computing power over the years. Initially, DES was considered unbreakable, and early attempts to break a DES message were unrealistic. (A computer running at one attempt per millisecond would still take more than 1000 years to try all possible keys.) 242

AU8231_C003.fm Page 243 Saturday, June 2, 2007 1:22 PM

Cryptography

Initialization Vector loaded into Shift Register

Key

Select s bits

S bits of Plaintext

DES Algorithm

Discard 64 - s bits

XOR

S bits of ciphertext

64 - s bits

s bits

DES Algorithm

Select s bits

Next s bits of Plaintext

Discard 64 - s bits

XOR

Next S bits of ciphertext

Figure 3.8. Output feedback mode of DES.

However, DES is susceptible to a brute-force attack. Because the key is only 56 bits long, the key may be determined by trying all possible keys against the ciphertext until the true plaintext is recovered. The Electronic Frontier Foundation (www.eff.org) demonstrated this several years ago. However, it should be noted that they did the simplest form of attack — a known plaintext attack; they tried all possible keys against a ciphertext knowing what they were looking for (they knew the plaintext). If they did not know the plaintext (did not know what they were looking for), the attack would have been significantly more difficult. Regardless, DES can be deciphered using today’s computing power and enough stubborn persistence. There have also been criticisms of the structure of the DES algorithm. The S-boxes used in the encryption and decryption operations are secret,

243

AU8231_C003.fm Page 244 Saturday, June 2, 2007 1:22 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK®

Figure 3.9. Counter mode is used in high-speed applications such as IPSec and ATM.

and this always leads to claims that they may contain hidden code or untried operations. DOUBLE DES. The primary complaint about DES was that the key was too short. This made a known plaintext brute-force attack possible. One of the first alternatives considered to create a stronger version of DES was to double the encryption process — just do the encryption process twice using two different keys, as shown in Figure 3.10.

As we can see, the first DES operation created an intermediate ciphertext, which we will call m for discussion purposes. This intermediate ciphertext, m, was then reencrypted using a second 56-bit DES key for greater cryptographic strength. Initially there was a lot of discussion as to whether the ciphertext created by the second DES operation would be the same as the ciphertext that would have been created by a third DES key. In other words, if we consider that double DES looks like this: C = EK2(EK1(P)) ciphertext created by double DES is the result of the plaintext encrypted with the first 56-bit DES key and then reencrypted with the second 56-bit DES key. 244

AU8231_C003.fm Page 245 Saturday, June 2, 2007 1:22 PM

Cryptography

Figure 3.10. Operations within double DES cryptosystems.

Is that equivalent to this? C = EK3(P) Would the result of two operations be the same as the result of one operation using a different key? It has since been proved that this is not the case; however, more serious vulnerabilities in double DES emerged. The intention of double DES was to create an algorithm that would be equivalent in strength to a 112-bit key (two 56-bit keys). If we say that the strength of single DES is approximately 255 (it is actually 1 less than 256), would double DES be approximately 2111? Unfortunately, this was not the case because of the “meet in the middle” attack (described below), which is why the lifespan of double DES was very short. MEET IN THE MIDDLE. The most effective attack against double DES was just like the successful attacks on single DES, based on doing a brute-force attack against known plaintext* (Figure 3.11). The attacker would encrypt the plaintext using all possible keys and create a table containing all possible results. We call this intermediate cipher m. This would mean encrypt-

*In a known plaintext attack, the attacker has both the plaintext and the ciphertext, but he does not have the key, and the brute-force attack, as we saw earlier, was an attack trying all possible keys. See the “Attacks on Hashing Algorithms and Message Authentication Codes” section for more details on this.

245

AU8231_C003.fm Page 246 Saturday, June 2, 2007 1:22 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK®

Figure 3.11. Meet-in-the-middle attack on 2DES.

ing using all 256 possible keys. The table would then be sorted according to the values of m. The attacker would then decrypt the ciphertext using all possible keys until he found a match with the value of m. This would result in a true strength of double DES of approximately 256 (twice the strength of DES, but not strong enough to be considered effective), instead of the 2112 originally hoped.* TRIPLE DES (3DES). The defeat of double DES resulted in the adoption of triple DES as the next solution to overcome the weaknesses of single DES. Triple DES was designed to operate at a relative strength of 2112 using two different keys to perform the encryption.

The triple DES operation using two keys is shown below: C = EK1(EK2(EK1(P))) The ciphertext is created by encrypting the plaintext with key 1, reencrypting with key 2, and then encrypting again with key 1. *Note that most cryptographers consider the strength of single DES to be 255, not 256 as might be expected. Because double DES is approximately twice the strength of DES, it would be considered to be 256.

246

AU8231_C003.fm Page 247 Saturday, June 2, 2007 1:22 PM

Cryptography This would have a relative strength of 2112 and be unfeasible for attack using either the known plaintext or differential cryptanalysis attacks. This mode of 3DES would be referred to as EEE2 (encrypt, encrypt, encrypt using two keys). The preferred method of using triple DES was to use a decrypt step for the intermediate operation, as shown below: C = EK1(DK2(EK1(P))) The plaintext was encrypted using key 1, then decrypted using key 2, and then encrypted using key 1. Doing the decrypt operation for the intermediate step does not make a difference in the strength of the cryptographic operation, but it does allow backward compatibility through permitting a user of triple DES to also access files encrypted with single DES. This mode of triple DES is referred to as EDE2. Originally the use of triple DES was primarily done using two keys as shown above, and this was compliant with ISO 8732 and ANS X9.17; however, some users, such as PGP and S/MIME, are moving toward the adoption of triple DES using three separate keys. This would be shown as follows: C = EK3(EK2(EK1(P))) for the EEE3 mode or C = EK3(DK2(EK1(P))) for the EDE3 mode There are seven different modes of triple DES, but the four explained above are all that we are concerned with at this time. Advanced Encryption Standard (AES). Chronologically, this is not the next step in the evolution of symmetric algorithms; however, we will look at the Advanced Encryption Standard (AES) now and come back to other algorithms later.

In 1997, the National Institute of Standards and Technology (NIST) in the United States issued a call for a product to replace DES and 3DES. The requirements were that the new algorithm would be at least as strong as DES, have a larger block size (because a larger block size would be more efficient and more secure), and overcome the problems of performance with DES. DES was developed for hardware implementations and is too slow in software. 3DES is even slower, and thus creates a serious latency in encryption as well as significant processing overhead. After considerable research, the product chosen to be the new Advanced Encryption Standard was the Rijndael algorithm, created by Dr. Joan 247

AU8231_C003.fm Page 248 Saturday, June 2, 2007 1:22 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Daemon and Dr. Vincent Rijmen of Belgium. The name Rijndael was merely a contraction of their surnames. Rijndael beat out the other finalists: Serpent, of which Ross Anderson was an author; MARS, the IBM product; RC6, from Ron Rivest and RSA; and TwoFish, developed by Bruce Schneier. The AES algorithm was obliged to meet many criteria, including the need to be flexible and implementable on many types of platforms and free of royalties. RIJNDAEL. The Rijndael algorithm can be used with block sizes of 128, 192, or 256 bits. The key can also be 128, 192, or 256 bits, with a variable number of rounds of operation depending on the key size. Using AES with a 128-bit key would do ten rounds, whereas a 192-bit key would do 12 and a 256-bit key would do 14. Although Rijndael supports multiple block sizes, AES only supports one block size (subset of Rijndael).

We will look at AES in the 128-bit block format. The AES operation works on the entire 128-bit block of input data by first copying it into a square table (or array) that it calls state. The inputs are placed into the array by column so that the first four bytes of the input would fill the first column of the array. Following is input plaintext when placed into a 128-bit state array: 1st byte 2nd byte 3rd byte 4th byte

5th byte 6th byte 7th byte 8th byte

9th byte 10th byte 11th byte 12th byte

13th byte 14th byte 15th byte 16th byte

The key is also placed into a similar square table or matrix. The Rijndael operation consists of four major operations. 1. Substitute bytes: Use of an S-box to do a byte-by-byte substitution of the entire block. 2. Shift rows: Transposition or permutation through offsetting each row in the table. 3. Mix columns: A substitution of each value in a column based on a function of the values of the data in the column. 4. Add round key: XOR each byte with the key for that round; the key is modified for each round of operation. Substitute Bytes — The substitute bytes operation uses an S-box that looks up the value of each byte in the input and substitutes it with the value in the table. The S-box table contains all possible 256 8-bit word values and a simple cross-reference is done to find the substitute value using the first half of the byte (4-bit word) in the input table on the x-axis and the second 248

AU8231_C003.fm Page 249 Saturday, June 2, 2007 1:22 PM

Cryptography half of the byte on the y-axis. Hexadecimal values are used in both the input and S-box tables. Shift Row Transformation — The shift row transformation step provides blockwide transposition of the input data by shifting the rows of data as follows. If we start with the input table we described earlier, we can see the effect of the shift row operation. Please note that by this point the table will have been subjected to the substitute bytes operation, so it would not look like this any longer, but we will use this table for the sake of clarity. Columns

Rows

1st byte 2nd byte 3rd byte 4th byte

5th byte 6th byte 7th byte 8th byte

9th byte 10th byte 11th byte 12th byte

13th byte 14th byte 15th byte 16th byte

5th byte

9th byte

13th byte

The first row is not shifted. 1st byte

The second row of the table is shifted one place to the left. 6th byte

10th byte

14th byte

2nd byte

The third row of the table is shifted two places to the left. 11th byte

15th byte

3rd byte

7th byte

The fourth row of the table is shifted three places to the left. 16th byte

4th byte

8th byte

12th byte

The final result of the shift rows step would look as follows: 1 6 11 16

5 10 15 4

9 14 3 8

13 2 7 12

Mix Column Transformation — The mix column transformation is performed by multiplying and XORing each byte in a column together, according to the table in Figure 3.12. 249

AU8231_C003.fm Page 250 Saturday, June 2, 2007 1:22 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK®

Figure 3.12. Mix column transformation.

The Figure 3.12 table is the result of the previous step, so when we work on the first column (shaded in the state table), we work with the first row in the mix column table (shaded) and use multiplication and XOR. The computation of the mix columns step for the first column would be (1*02) (6*03) (11*01) (16*01) The second byte in the column would be calculated using the second row in the mix column table as (6*01) (11*02) (16*03) (1*02) Add Round Key — The key is modified for each round by first dividing the key into 16-bit pieces (4 4-bit words) and then expanding each piece into 176 bits (44 4-bit words). The key is arrayed into a square matrix, and each column is subjected to rotation (shifting the first column to the last (1, 2, 3, 4 would become 2, 3, 4, 1) and then the substituting of each word of the key using an S-box. The result of these first two operations is then XORed with a round constant to create the key to be used for that round. The round constant changes for each round, and its values are predefined. Each of the above steps (except for the mix columns, which is only done for nine rounds) are done for ten rounds to produce the ciphertext. AES is a strong algorithm that is not considered breakable at any time in the near future and is easy to deploy on many platforms with excellent throughput. International Data Encryption Algorithm (IDEA). IDEA was developed as a replacement for DES by Xuejai Lai and James Massey in 1991. IDEA uses a 128-bit key and operates on 64-bit blocks. IDEA does eight rounds of transposition and substitution using modular addition and multiplication, and bitwise exclusive-or (XOR). The patents on IDEA will expire in 2010–2011, but it is available for free for noncommercial use. CAST. CAST was developed in 1996 by Carlisle Adams and Stafford Tavares. CAST-128 can use keys between 40 and 128 bits in length and will 250

AU8231_C003.fm Page 251 Saturday, June 2, 2007 1:22 PM

Cryptography do between 12 and 16 rounds of operation, depending on key length. CAST128 is a Feistal-type block cipher with 64-bit blocks. CAST-256 was submitted as an unsuccessful candidate for the new AES. CAST-256 operates on 128-bit blocks and with keys of 128, 192, 160, 224, and 256 bits. It performs 48 rounds and is described in RFC 2612. Secure and Fast Encryption Routine (SAFER). All of the algorithms in SAFER are patent-free. The algorithms were developed by James Massey and work on either 64-bit input blocks (SAFER-SK64) or 128-bit blocks (SAFERSK128). A variation of SAFER is used as a block cipher in Bluetooth. Blowfish. Blowfish is a symmetrical algorithm developed by Bruce Schneier. It is an extremely fast cipher and can be implemented in as little as 5K of memory. It is a Feistal-type cipher in that it divides the input blocks into two halves and then uses them in XORs against each other. However, it varies from the traditional Feistal cipher in that Blowfish does work against both halves, not just one. The Blowfish algorithm operates with variable key sizes, from 32 up to 448 bits on 64-bit input and output blocks.

One of the characteristics of Blowfish is that the S-boxes are created from the key and are stored for later use. Because of the processing time taken to change keys and recompute the S-boxes, Blowfish is unsuitable for applications where the key is changed frequently or in applications on smart cards or with limited processing power. Blowfish is currently considered unbreakable (using today’s technology), and in fact, because the key is used to generate the S-boxes, it takes over 500 rounds of the Blowfish algorithm to test any single key. Twofish. Twofish was one of the finalists for the AES. It is an adapted version of Blowfish developed by a team of cryptographers led by Bruce Schneier. It can operate with keys of 128, 192, or 256 bits on blocks of 128 bits. It performs 16 rounds during the encryption/decryption process. RC5. RC5 was developed by Ron Rivest of RSA and is deployed in many of RSA’s products. It is a very adaptable product useful for many applications, ranging from software to hardware implementations. The key for RC5 can vary from 0 to 2040 bits, the number of rounds it executes can be adjusted from 0 to 255, and the length of the input words can also be chosen from 16-, 32-, and 64-bit lengths. The algorithm operates on two words at a time in a fast and secure manner.

RC5 is defined in RFC 2040 for four different modes of operation: • RC5 block cipher is similar to DES ECB producing a ciphertext block of the same length as the input. • RC5-CBC is a cipher block chaining form of RC5 using chaining to ensure that repeated input blocks would not generate the same output. 251

AU8231_C003.fm Page 252 Saturday, June 2, 2007 1:22 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® • RC5-CBC-Pad combines chaining with the ability to handle input plaintext of any length. The ciphertext will be longer than the plaintext by at most one block. • RC5-CTS is called ciphertext stealing and will generate a ciphertext equal in length to a plaintext of any length. RC4. RC4, a stream-based cipher, was developed in 1987 by Ron Rivest for RSA Data Security and has become the most widely used stream cipher, being deployed, for example, in WEP and SSL/TLS.

RC4 uses a variable length key ranging from 8 to 2048 bits (1 to 256 bytes) and a period of greater than 10100. In other words, the keystream should not repeat for at least that length. The key is used to initialize a state vector that is 256 bytes in length and contains all possible values of 8-bit numbers from 0 through 255. This state is used to generate the keystream that is XORed with the plaintext. The key is only used to initialize the state and is not used thereafter. If RC4 is used with a key length of at least 128 bits, there are currently no practical ways to attack it; the published successful attacks against the use of RC4 in WEP applications are related to problems with the implementation of the algorithm, not the algorithm itself. More details on this can be found in the Telecommunications and Network Security chapter, Domain 7. Advantages and Disadvantages of Symmetric Algorithms. S y m m e t r i c algorithms are very fast and secure methods of providing confidentiality and some integrity and authentication for messages being stored or transmitted.

Many algorithms can be implemented in either hardware or software and are available at no cost to the user. There are serious disadvantages to symmetric algorithms — key management is very difficult, especially in large organizations. The number of keys needed grows rapidly with every new user according to the formula n(n – 1)/2, where n is the number of users. An organization with only 10 users, all wanting to communicate securely with one another, requires 45 keys (10*9/2). If the organization grows to 1000 employees, the need for key management expands to nearly a half million keys. Symmetric algorithms also are not able to provide nonrepudiation of origin, access control, and digital signatures, except in a very limited way. If two or more people share a symmetric key, then it is impossible to prove who altered a file protected with a symmetric key. Selecting keys is an important part of key management. There needs to be a process in place that ensures that a key is selected randomly from the entire keyspace, and that there is some way to recover a lost or forgotten key. 252

AU8231_C003.fm Page 253 Saturday, June 2, 2007 1:22 PM

Cryptography Because symmetric algorithms require both users (the sender and the receiver) to share the same key, there can be challenges with secure key distribution. Often the users must use an out-of-band channel such as mail, fax, telephone, or courier to exchange secret keys. Use of an out-of-band channel should make it difficult for an attacker to seize both the encrypted data and the key. The other method of exchanging the symmetric key is to use an asymmetric algorithm. Asymmetric Algorithms Whereas symmetric algorithms have been in existence for several millennia, the use of asymmetric (or public key) algorithms is relatively new. These algorithms became commonly known when Drs. Whit Diffie and Martin Hellman released a paper in 1976 called “New Directions in Cryptography.”* This paper described the concept of using two different keys (a key pair) to perform the cryptographic operations. The two keys would be linked mathematically, but would be mutually exclusive. For most asymmetric algorithms, if one half of this key pair were used for encryption, the other half of the key pair would be required to decrypt the message. We will look at several different asymmetric algorithms later in this chapter; however, for now, we will look at some of the general concepts behind public key cryptography. When a person wishes to communicate using an asymmetric algorithm, she would first generate a key pair. Usually this is done by the cryptographic application or the public key infrastructure without user involvement to ensure the strength of the key generation process. One half of the key pair is kept secret, and only the key holder knows that key. For this reason, it is often called the private key. The other half of the key pair can be given freely to anyone that wants a copy. In many companies, it may be available through the corporate Web site or access to a key server. That is why this half of the key pair is often referred to as the public key. Asymmetric algorithms are one-way functions, that is, a process that is much simpler to go in one direction (forward) than to go in the other direction (backward or reverse engineering). The process to generate the public key (forward) is fairly simple, and providing the public key to anyone that wants it does not compromise the private key because the process to go from the public key to the private key is computationally infeasible. Confidential Messages. Because the keys are mutually exclusive, any message that is encrypted with a public key can only be decrypted with the *Whit Diffie and Martin Hellman, New directions in cryptography, IEEE Transactions on Information Theory, IT-22, 1976.

253

AU8231_C003.fm Page 254 Saturday, June 2, 2007 1:22 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK®

Figure 3.13. Using public key cryptography to send a confidential message.

corresponding other half of the key pair — the private key. Therefore, as long as the key holder keeps her private key secure, we have a method of transmitting a message confidentially. The sender would encrypt the message with the public key of the receiver. Only the receiver with the private key would be able to open or read the message — providing confidentiality. See Figure 3.13. Open Message. Conversely, when a message is encrypted with the private key of a sender, it can be opened or read by anyone that possesses the corresponding public key. When a person needs to send a message and provide proof of origin (nonrepudiation), he can do so by encrypting it with his own private key. The recipient then has some guarantee that, because she opened it with the public key from the sender, the message did, in fact, originate with the sender. See Figure 3.14. Confidential Messages with Proof of Origin. By encrypting a message with the private key of the sender and the public key of the receiver, we have the ability to send a message that is confidential and has proof of origin. See Figure 3.15. RSA. RSA was developed in 1978 by Ron Rivest, Adi Shamir, and Len Adleman when they were at MIT. RSA is based on the mathematical challenge of factoring the product of two large prime numbers.

254

AU8231_C003.fm Page 255 Saturday, June 2, 2007 1:22 PM

Cryptography

Figure 3.14. Using public key cryptography to send a message with proof of origin.

Figure 3.15. Using public key cryptography to send a message that is confidential and has a proof of origin.

255

AU8231_C003.fm Page 256 Saturday, June 2, 2007 1:22 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® A prime number can only be divided by 1 and itself. Some prime numbers include 2, 3, 5, 7, 11, 13, and so on. Factoring is taking a number and finding the numbers that can be multiplied together to calculate that number. For example, if the product of a*b = c, then c can be factored into a and b. If we calculate 3*4 = 12, then 12 can be factored into 3, 4 and 6, 2 and 12, 1. The RSA algorithm uses large prime numbers that when multiplied together would be incredibly difficult to factor. Successful factoring attacks have been executed against 512-bit numbers (at a cost of approximately 8000 MIPS years), but current computational capability makes the factoring of a 1024-bit number impractical. RSA is the most widely used public key algorithm and operates on blocks of text according to the following formula: C = Pe mod n The ciphertext is computed from the plaintext to the exponent e mod n. How to Generate RSA Key Pairs. Select p and q where both are prime num-

bers and p ≠ q:

p = 17 and q = 11 Calculate n = pq: n = 17 ∗ 11 = 187 Calculate (n) = (p – 1)(q – 1): (n) = (17 – 1)(11 – 1) = 16 ∗ 10 = 160 Select integer e where is e is relatively prime to (n) = 160 and less than (n). Choose e = 7. Determine d such that de ≡ 1 mod 160 and d < 160: d = 23 because 23 ∗ 7 = 161 = 10 ∗ 160 + 1. (d is calculated using Euclid’s algorithm.) Public key = {e, n} = {7, 187} Private key = {d, n} = {23, 187} To encrypt a plaintext of 88 using the public key (confidentiality), we would do the following mathematics: C = Pe mod n For the sake of simplicity, we will break the modular arithmetic function into smaller pieces: C = 887 mod 187 = [(884 mod 187) ∗ (882 mod 187) ∗ 881 mod 187)] mod 187 256

AU8231_C003.fm Page 257 Saturday, June 2, 2007 1:22 PM

Cryptography 881 mod 187 = 88 882 mod 187 = 7744 mod 187 = 77 884 mod 187 = 59,969,536 mod 187 = 132 887 mod 187 = (88*77*132) mod 187 = 894,432 mod 187 = 11 C = 11 To decrypt the ciphertext of 11, we would use the formula P = 1123 mod 187. Attacking RSA. The three primary approaches to attack the RSA algorithm are to use brute force, trying all possible private keys; mathematical attacks, factoring the product of two prime numbers; and timing attacks, measuring the running time of the decryption algorithm. Diffie–Hellmann Algorithm. Diffie–Hellmann is a key exchange algorithm. It is used to enable two users to exchange or negotiate a secret symmetric key that will be used subsequently for message encryption. The Diffie–Hellmann algorithm does not provide for message confidentiality.

Diffie–Hellmann is based on discrete logarithms. This is a mathematical function based first on finding the primitive root of a prime number. Using the primitive root, we can put together a formula as follows: b ≡ ai mod p

0 ≤ i ≤ (p – 1)

where i is the discrete log (or index) for a mod p. Key Exchange Using Diffie–Hellmann. The prime number (p) and primitive root (g) used in Diffie–Hellmann are common to most users. We will use p = 353 and g = 3 for our example.

Each user A, B would choose a random secret key X that must be less than the prime number. If A chose the secret key of ’97, we could write its secret key as XA = 97. The public key, YA, for user A would be calculated as YA = gAx mod p. Therefore, A would calculate YA = 397 mod 353 = 40. If B chose the secret key of 233, the public key, YB, for user B would be calculated as YB = gBx mod p. Therefore, B would calculate YB = 3233 mod 353 = 248. A and B would then exchange the public keys that they had calculated. Using the following formula, they would each compute the common session key: A computes the common key, K, as K = (YB)AX mod 353 = 24897 mod 353 = 160 257

AU8231_C003.fm Page 258 Saturday, June 2, 2007 1:22 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® B computes the common key as K = (YA)XB mod 353 = 40233 mod 353 = 160 The two parties A and B can now encrypt their data using the symmetric key of 160. This would be an example of a hybrid system, which we will describe later in the chapter. El Gamal. The El Gamal cryptographic algorithm is based on the work of Diffie–Hellmann, but it included the ability to provide message confidentiality and digital signature services, not just session key exchange. The El Gamal algorithm was based on the same mathematical functions of discrete logs. Elliptic Curve Cryptography. One branch of discrete logarithmic algorithms is based on the complex mathematics of elliptic curves. These algorithms, which are too complex to explain in this context, are advantageous for their speed and strength. The elliptic curve algorithms have the highest strength per bit of key length of any of the asymmetric algorithms. The ability to use much shorter keys for ECC implementations provides savings on computational power and bandwidth. This makes ECC especially beneficial for implementation in smart cards, wireless, and other similar application areas.

Elliptic curve algorithms provide confidentiality, digital signatures, and message authentication services. Advantages and Disadvantages of Asymmetric Key Algorithms. T h e development of asymmetric key cryptography revolutionalized the cryptographic community. Now it was possible to send a message across an untrusted medium in a secure manner without the overhead of prior key exchange or key material distribution. It allowed several other features not readily available in symmetric cryptography, such as nonrepudiation of origin, access control, and nonrepudiation of delivery.

The problem was that asymmetric cryptography is extremely slow compared to its symmetric counterpart. Asymmetric cryptography was a product that took us back to the dark ages in terms of speed and performance and would be impractical for everyday use in encrypting large amounts of data and frequent transactions. This is because asymmetric is handling much larger keys and computations — making even a fast computer work harder than if it were only handling small keys and less complex algebraic calculations. Also, ciphertext output from asymmetric algorithms may be much larger than the plaintext. This means that for large messages, they are not effective for secrecy; however, they are effective for message integrity, authentication, and nonrepudiation. 258

AU8231_C003.fm Page 259 Saturday, June 2, 2007 1:22 PM

Cryptography Hybrid Cryptography. The solution to many of the problems lays in developing a hybrid technique of cryptography that combined the strengths of both symmetric cryptography, with its great speed and secure algorithms, and asymmetric cryptography, with its ability to securely exchange session keys, message authentication, and nonrepudiation.

Symmetric cryptography is best for encrypting large files. It can handle the encryption and decryption process with little impact on delivery times or computational performance. Asymmetric cryptography can handle the initial setup of the communications session through the exchange or negotiation of the symmetric keys to be used for this session. In many cases, the symmetric key is only needed for the length of this communication and can be discarded following the completion of the transaction, so we will refer to the symmetric key in this case as a session key. A hybrid system operates as shown in Figure 3.16. The message itself is encrypted with a symmetric key, SK, and is sent to the recipient.

Sender

Plaintext Large Message

Receiver

Encryption Using Symmetric Key

Encrypted Message

Decryption Using Symmetric Key

Plaintext Message

Symmetric Key

Encryption of Symmetric Key

Public Key of Receiver

Encrypted Symmetric Key

Decryption of Symmetric Key

Private Key of Receiver

Figure 3.16. Hybrid system using a symmetric algorithm for bulk data encryption and an asymmetric algorithm for distribution of the symmetric key.

259

AU8231_C003.fm Page 260 Saturday, June 2, 2007 1:22 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® The symmetric key is encrypted with the public key of the recipient and sent to the recipient. The symmetric key is decrypted with the private key of the recipient. This discloses the symmetric key to the recipient. The symmetric key can then be used to decrypt the message. Message Integrity Controls An important part of electronic commerce and computerized transactions today is the assurance that a message has not been modified, is indeed from the person that the sender claims to be, and that the message was received by the correct party. This is accomplished through cryptographic functions that perform in several manners, depending on the business needs and level of trust between the parties and systems. Traditional cryptography, such as symmetric algorithms, does produce a level of message authentication. If two parties share a symmetric key, and they have been careful not to disclose that key to anyone else, then when they transmit a message from one to another, they have assurance that the message is indeed from their trusted partner. In many cases, they would also have some degree of confidence in the integrity of the message, because any errors or modification of the message in transit would render the message undecipherable. With chaining-type algorithms, any error is likely to destroy the remainder of the message. Asymmetric algorithms also provide message authentication. Some, such as RSA, El Gamal, and ECC, have message authentication and digital signature functionality built into the implementation. These work, as we saw earlier, in the section on open messages and secure and signed messages using asymmetric key cryptography. Checksums The use of a simple error detecting code, checksum, or frame check sequence is often deployed along with symmetric key cryptography for message integrity. We can see this in Figure 3.17. We can see that the checksum was created and then appended to the message. The entire message may then be encrypted and transmitted to the receiver. The receivers must decrypt the message and generate their own checksum to verify the integrity of the message. Hash Function The hash function accepts an input message of any length and generates, through a one-way operation, a fixed-length output. This output is referred 260

AU8231_C003.fm Page 261 Saturday, June 2, 2007 1:22 PM

Cryptography

Figure 3.17. Combining checksum with encryption for message integrity.

to as a hash code or sometimes a message digest. It uses a hashing algorithm to generate the hash, but does not use a secret key. There are several ways to use message digests in communications, depending on the need for confidentiality of the message, authentication of the source, speed of processing, and choice of encryption algorithms. The requirements for a hash function are that they must provide some assurance that the message cannot be changed without detection and that it would be impractical to find any two messages with the same hash value. Simple Hash Functions. A hash operates on an input of any length (there are some limitations, but the message sizes are huge) and generates a fixed-length output. The simplest hash merely divides the input message into fixed-size blocks and then XORs every block. The hash would therefore be the same size as a block.

Hash = block 1 block 2 block 3 … end of message MD5 Message Digest Algorithm. MD5 was developed by Ron Rivest at MIT in 1992. It is the most widely used hashing algorithm and is described in RFC 1321. MD5 generates a 128-bit digest from a message of any length. It processes the message in 512-bit blocks and does four rounds of processing. Each round contains 16 steps. The likelihood of finding any two messages with the same hash code is estimated to be 264, and the difficulty of 261

AU8231_C003.fm Page 262 Saturday, June 2, 2007 1:22 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® finding a message with a given digest is estimated to be 2128. One common use of MD5 is to verify the integrity of digital evidence used in forensic investigations and ensure that the original media has not been altered since seizure. In the past two years there have been several attacks developed against MD5 where it is now possible to find collisions through analysis. This is leading to many professionals recommending the abandonment of MD5 for use in secure communications, such as digital signatures. MD4 was developed in 1990 and revised in 1992. It only does three rounds of processing and fewer mathematical operations per round. It is not considered strong enough for most applications today. It also generated a 128-bit output. Secure Hash Algorithm (SHA) and SHA-1. The original Secure Hash Algorithm was developed by the National Institute of Standards and Technology (NIST) in the United States in 1993 and issued as Federal Information Processing Standard (FIPS) 180. A revised version (FIPS 180-1) was issued in 1995 as SHA-1 (RFC 3174).

SHA was based on the MD4 algorithm, whereas SHA-1 follows the logic of MD5. SHA-1 operates on 512-bit blocks and can handle any message up to 264 bits in length. The output hash is 160 bits in length. The processing includes four rounds of operations of 20 steps each. Recently there have been several attacks described against the SHA-1 algorithm despite it being considerably stronger than MD5. NIST has issued FIPS 180-2, which recognizes SHA-256, SHA-384, and SHA-512 as a part of the Secure Hash Standard. The output lengths of the digests of these are 256, 384, and 512 bits, respectively. HAVAL. HAVAL was developed at the University of Wollongong in Australia. It combines a variable length output with a variable number of rounds of operation on 1024-bit input blocks. The output may be 128, 160, 192, 224, or 256 bits, and the number of rounds may vary from three to five. That gives 15 possible combinations of operation.

HAVAL operates 60 percent faster than MD5 when only three rounds are used and is just as fast as MD5 when it does five rounds of operation. RIPEMD-160. The European RACE Integrity Primitives Evaluation project developed the RIPEMD-160 algorithm in response to the vulnerabilities it found in MD4 and MD5. The original algorithm (RIPEMD-128) has the same vulnerabilities as MD4 and MD5 and led to the improved RIPEMD-160 version. The output for RIPEMD-160 is 160 bits, and it also operates similarly to MD5 on 512-bit blocks. It does twice the processing of SHA-1, performing five paired rounds of 16 steps each for a total of 160 operations.

262

AU8231_C003.fm Page 263 Saturday, June 2, 2007 1:22 PM

Cryptography Attacks on Hashing Algorithms and Message Authentication Codes.

There are two primary ways to attack hash functions: through brute-force attacks and cryptanalysis. Over the past few years, a lot of research has been done on attacks on various hashing algorithms, such as MD-5 and SHA-1. In both cases, these have been found to be susceptible, in theory, to cryptographic attacks. A brute-force attack relies on finding a weakness in the hashing algorithm that would allow an attacker to reconstruct the original message from the hash value (defeat the one-way property of a hash function), find another message with the same hash value, or find any pair of messages with the same hash value (what is called collision resistance). Oorschot and Weiner developed a machine that could find a collision on a 128-bit hash in about 24 days. Therefore, a 128-bit value (MD5 and HAVAL128) is inadequate for a digital signature. Using the same machine, it would take 4000 years to find a match on a 160-bit hash.* The past year, however, has seen a paper on the vulnerability of a 160-bit hash that would be feasible with current computing power and attack methodology. The Birthday Paradox. The birthday paradox has been described in textbooks on probability for several years. It is a surprising mathematical condition that indicates the ease of finding two people with the same birthday from a group of people. If we consider that there are 365 possible birthdays (let us not include leap year and assume that birthdays are spread evenly across all possible dates), then we would expect to need to have roughly 183 people together to have a 50 percent probability that two of those people share the same birthday. In fact, once there are more than 23 people together, there is a greater than 50 percent probability that two of them share the same birthday. We are not going to explain the mathematics of this here, but it is correct. You can understand this once you consider that in a group of 23 people, there are 253 different pairings (n(n – 1)/2). In fact, once you have 100 people together, the chance of two of them having the same birthday is greater than 99.99 percent.

So why is a discussion about birthdays important in the middle of hashing attacks? Because the likelihood of finding a collision for two messages and their hash values may be a lot easier than we have thought. It would be very similar to the statistics of finding two people with the same birthday. One of the considerations for evaluating the strength of a hash algorithm must be its resistance to collisions. The probability of finding a collision for a 160-bit hash can be estimated at either 2160 or 2160/2, depending on the level of collision resistance needed. *As quoted in William Stallings, Cryptography and Network Security: Principles and Practice. However, the cost of this machine would be about $10 million.

263

AU8231_C003.fm Page 264 Saturday, June 2, 2007 1:22 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® This approach is relevant because a hash is a representation of the message and not the message itself. Obviously, the attacker does not want to find an identical message; he wants to find out how to (1) change the message contents to what he wants it to read or (2) cast some doubt on the authenticity of the original message by demonstrating that another message has the same value as the original. The hashing algorithm must therefore be resistant to a birthday-type attack that would allow the attacker to feasibly accomplish his goals. Message Authentication Code (MAC) A message authentication code (also known as a cryptographic checksum) is a small block of data that is generated using a secret key and then appended to the message. When the message is received, the recipient can generate her own MAC using the secret key, and thereby know that the message has not changed either accidentally or intentionally in transit. Of course, this assurance is only as strong as the trust that the two parties have that no one else has access to the secret key. In the case of DES-CBC, a MAC is generated using the DES algorithm in cipher block chaining mode, and the secret DES key is shared by the sender and receiver. The MAC is actually just the last block of ciphertext generated by the algorithm. This block of data (64 bits) is attached to the unencrypted message and transmitted to the far end. All previous blocks of encrypted data are discarded to prevent any attack on the MAC itself. The receiver can just generate his own MAC using the secret DES key he shares to ensure message integrity and authentication. He knows that the message has not changed because the chaining function of CBC would significantly alter the last block of data if any bit had changed anywhere in the message. He knows the source of the message (authentication) because only one other person holds the secret key. And furthermore, if the message contains a sequence number (such as a TCP header or X.25 packet), he knows that all messages have been received and not duplicated or missed. A MAC is a small representation of a message and has the following characteristics: • A MAC is much smaller (typically) than the message generating it. • Given a MAC, it is impractical to compute the message that generated it. • Given a MAC and the message that generated it, it is impractical to find another message generating the same MAC. HMAC. A MAC based on DES is one of the most common methods of creating a MAC; however, it is slow in operation compared to a hash function. A hash function such as MD5 does not have a secret key, so it cannot be 264

AU8231_C003.fm Page 265 Saturday, June 2, 2007 1:22 PM

Cryptography used for a MAC. Therefore, RFC 2104 was issued to provide a hashed MACing system that has become the process used now in IPSec and many other secure Internet protocols, such as SSL/TLS. Hashed MACing implements a freely available hash algorithm as a component (black box) within the HMAC implementation. This allows ease of replacement of the hashing module if a new hash function becomes necessary. The use of proven cryptographic hash algorithms also provides assurance of the security of HMAC implementations. The HMAC operation provides cryptographic strength similar to a hashing algorithm, except that it now has the additional protection of a secret key, and still operates nearly as rapidly as a standard hash operation. Digital Signatures A digital signature is comparable to a handwritten signature on an important document such as a contract. It verifies to all parties to the contract that each signatory has read, agreed with, and will comply with the conditions of the contract. It is legally binding and enforceable in most courts of law. The purpose of a digital signature is to provide the same level of accountability for electronic transactions where a handwritten signature is not possible. A digital signature will provide assurance that the message does indeed come from the person that claims to have sent it, it has not been altered, both parties have a copy of the same document, and the person sending the document cannot claim that he did not send it. A digital signature will usually include a date and time of the signature, as well as a method for a third party to verify the signature. What is a digital signature? It is a block of data (a pattern of bits, usually a hash) that is generated based on the contents of the message sent and encrypted with the sender’s private key. It must contain some unique value that links it with the sender of the message that can be verified easily by the receiver and by a third party, and it must be difficult to forge the digital signature or create a new message with the same signature. Digital Signature Standard (DSS) The DSS was proposed in 1991 as FIPS 186 using the Secure Hashing Algorithm (SHA). It has since been updated several times, most recently in 2000, when it was issued as FIPS 186-2 and expanded to include the Digital Signature Algorithms based on RSA and elliptic curve cryptography. Contrasted to RSA, a digital signature is based on a public key (asymmetric) algorithm, but it does not provide for confidentiality of the message through encryption and is not used for key exchange. The Digital Signature Standard uses two methods of creating the signature: the RSA method and the DSS approach. In both cases, the operation 265

AU8231_C003.fm Page 266 Saturday, June 2, 2007 1:22 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® starts with the creation of a hash of the message. The RSA approach then encrypts the hash with the private key of the sender, thus creating the signature. The DSS approach is to sign the hash using the Digital Signature Algorithm (DSA). The DSA is based on the discrete logarithmic algorithms used in El Gamal and Schnorr. The DSA chooses a random number to create a private and public key pair and encrypts the hash value with the private key and a universal key to create a two-part signature. A digital signature can be created by encrypting the entire message with the private key of the sender; however, in most cases this is not practical because of the computational impact of encrypting a message using asymmetric algorithms. Therefore, in most cases the digital signature is created by encrypting a hash of the message with the sender’s private key. If further confidentiality is needed, then the message can be encrypted with a symmetric algorithm; however, it is best to create the signature before encrypting the message — then the signature authenticates the message itself and not the ciphertext of the message. Once a digital signature is created, it is appended to the message and sent to the receiver. The receiver decrypts the signature with the public key of the sender and can verify that the message has not been altered and can establish nonrepudiation of origin of the signature. Uses of Digital Signatures Digital signatures have become invaluable in protecting the integrity of financial transactions, E-commerce, and e-mail. They are also used by software vendors to ensure that software has not been compromised through the introduction of viruses or other manipulation. This is especially important when downloading a patch via the Internet to ensure that the patch is from a legitimate site, as well as ensuring the integrity of the download. In many parts of the world, digital signatures have become recognized by the government and courts as a verifiable form of authentication. Encryption Management Key Management Perhaps the most important part of any cryptographic implementation is key management. Control over the issuance, revocation, recovery, distribution, and history of cryptographic keys is of utmost importance to any organization relying on cryptography for secure communications and data protection. It is good to review the importance of Kerckhoff’s law. Auguste Kerckhoff wrote that “a cryptosystem should be secure even if everything about the 266

AU8231_C003.fm Page 267 Saturday, June 2, 2007 1:22 PM

Cryptography system, except the key, is public knowledge.”* The key therefore is the true strength of the cryptosystem. The size of the key and the secrecy of the key are perhaps the two most important elements in a crypto implementation. Claude Shannon, the famous 20th-century military cryptographer, wrote that “the enemy knows the system.” We cannot count on the secrecy of the algorithm, the deftness of the cryptographic operations, or the superiority of our technology to protect our data and systems. We must always consider that the enemy knows the algorithms and methods we use and act accordingly. As we saw earlier, a symmetric algorithm shares the same key between the sender and receiver. This often requires out-of-band transmission of the keys — distribution through a different channel and separate from the data. Key management also looks at the replacement of keys and ensuring that new keys are strong enough to provide for secure use of the algorithm. Just as we have seen over the years with passwords, users will often choose weak or predictable passwords and store them in an insecure manner. This same tendency would affect the creation of cryptographic keys if the creation was left to the user community. People also forget passwords, necessitating the resetting of access to the network or a workstation; however, in the cryptographic world, the loss of a key means the loss of the data itself. Without some form of key recovery, it would be impossible to recover the data that was encrypted with a lost key. Key Recovery. A lost key may mean a crisis to an organization. The loss of critical data or backups may cause widespread damage to operations and even financial ruin or penalties. There are several methods of key recovery, such as common trusted directories or a policy that requires all cryptographic keys to be registered with the security department. Some people have even been using steganography to bury their passwords in pictures or other locations on their machine to prevent someone from finding their password file. Others use password wallets or other tools to hold all of their passwords.

One method is multiparty key recovery. A user would write her private key on a piece of paper, and then divide the key into two or more parts. Each part would be sealed in an envelope. The user would give one envelope each to trusted people with instructions that the envelope was only to be opened in an emergency where the organization needed access to the user’s system or files (disability or death of the user). In case of an emergency, the holders of the envelopes would report to human resources, where the envelopes could be opened and the key reconstructed.

*Kerckhoff’s Law, http://underbelly.blog-topia.com/2005/01/kerckhoffs-law.html.

267

AU8231_C003.fm Page 268 Saturday, June 2, 2007 1:22 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® The user would usually give the envelopes to trusted people at different management levels and different parts of the company to reduce the risk of collusion. Key Distribution Centers. Recall the formula used before to calculate the number of symmetric keys needed for users: n(n – 1)/2. This necessitates the setup of directories, public key infrastructures, or key distribution centers.

The use of a key distribution center (KDC) for key management requires the creation of two types of keys. The first are master keys, which are secret keys shared by each user and the KDC. Each user has his own master key, and it is used to encrypt the traffic between the user and the KDC. The second type of key is a session key, created when needed, used for the duration of the communications session and then discarded once the session is complete. When a user wants to communicate with another user or an application, the KDC sets up the session key and distributes it to each user for use. An implementation of this is found in Kerberos in the Access Control chapter, Domain 2. A large organization may even have several KDCs, and they can be arranged so that there are global KDCs that coordinate the traffic between the local KDCs. Because master keys are integral to the trust and security relationship between the users and hosts, such keys should never be used in compromised situations or where they may become exposed. For encrypting files or communications, separate nonmaster keys should be used. Ideally, a master key is never visible in the clear, it is buried within the equipment itself, and it is not accessible to the user. Standards for Financial Institutions ANSI X9.17 was developed to address the need of financial institutions to transmit securities and funds securely using an electronic medium. Specifically, it describes the means to ensure the secrecy of keys. The ANSI X9.17 approach is based on a hierarchy of keys. At the bottom of the hierarchy are data keys (DKs). Data keys are used to encrypt and decrypt messages. They are given short lifespans, such as one message or one connection. At the top of the hierarchy are master key-encrypting keys (KKMs). KKMs, which must be distributed manually, are afforded longer lifespans than data keys. Using the two-tier model, the KKMs are used to encrypt the data keys. The data keys are then distributed electronically to encrypt and decrypt messages. The two-tier model may be enhanced by adding another layer to the hierarchy. In the three-tier model, the KKMs are not used to encrypt data keys directly, but to encrypt other key-encrypting keys (KKs). The KKs, which are exchanged electronically, are used to encrypt the data keys. 268

AU8231_C003.fm Page 269 Saturday, June 2, 2007 1:22 PM

Cryptography Public Key Infrastructure (PKI) The use of public key (asymmetric) cryptography has enabled more effective use of symmetric cryptography as well as several other important features, such as greater access control, nonrepudiation, and digital signatures. So often, the biggest question is, Who can you trust? How do we know that the public key we are using to verify Jim’s digital signature truly belongs to Jim, or that the public key we are using to send a confidential message to Valerie is truly Valerie’s and not that of an attacker that has set himself up in the middle of the communications channel? Public keys are by their very nature public. Many people include them on signature lines in e-mails, or organizations have them on their Web servers so that customers can establish confidential communications with the employees of the organization, who they may never even meet. How do we know an imposter or attacker has not set up a rogue Web server and is attracting communications that should have been confidential to his site instead of the real account, as in a phishing attack? Setting up a trusted public directory of keys is one option. Each user must register with the directory service, and a secure manner of communications between the user and the directory would be set up. This would allow the user to change keys — or the directory to force the change of keys. The directory would publish and maintain the list of all active keys and also delete or revoke keys that are no longer trusted. This may happen if a person believes that her private key has been compromised, or she leaves the employ of the organization. Any person wanting to communicate with a registered user of the directory could request the public key of the registered user from the directory. An even higher level of trust is provided through the use of public key certificates. This can be done directly, in that Jim would send his certificate to Valerie, or through a certificate authority, which would act as a trusted third party and issue a certificate to both Jim and Valerie containing the public key of the other party. This certificate is signed with the digital signature of the certificate authority and can be verified by the recipients. A certificate authority will adhere to the X.509 standards. This is part of the overall X.500 family of standards applying to directories. X.509 was issued in 1988 and has been updated twice since. We currently use version 3 of the standard, which was issued in1995 and revised in 2000. An X.509 certificate looks as follows: Field Version Certificate serial number

Description of Contents Currently version 3 Unique identifier for this certificate

269

AU8231_C003.fm Page 270 Saturday, June 2, 2007 1:22 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Field Algorithm used for the signature Issuer name Period of validity: start date/end date Subject’s name Subject’s public key information (algorithm, parameters, key) Issuer unique identifier Subject’s unique identifier Extensions Digital signature of certificate authority

Description of Contents Algorithm used to sign the certificate X.500 name of CA Owner of the public key Public key and algorithm used to create it Optional field used in case the CA used more than one X.500 name Optional field in case the public key owner has more than one X.500 name Hash of the certificate encrypted with the private key of the CA

Figure 3.18 shows an example of a certificate issued by Verisign.

Figure 3.18. A X.509 certificate issued by Verisign.

270

AU8231_C003.fm Page 271 Saturday, June 2, 2007 1:22 PM

Cryptography Revocation of a Certificate. When a certificate needs to be revoked, the CA will keep a list of all revoked certificates. It does not keep a record of expired certificates because it is obvious that they are no longer valid. It is the responsibility of the user to check whether a certificate is revoked. Unfortunately, very few users ever check a certificate revocation directory. Cross-Certification. Users will often need to communicate with other users that are registered with a different CA. Especially in a large organization, it may not be practical to use one CA for all users. Therefore, the CAs must also have a method of cross-certifying one another so that a public key certificate from one CA is recognized by users from a different CA.

Legal Issues Surrounding Cryptography Most countries have some regulations regarding the use or distribution of cryptographic systems. Usually, this is to maintain the ability of law enforcement to do their jobs and to keep strong cryptographic tools out of the hands of criminals. Cryptography is considered in most countries to be a munition, a weapon of war, and is managed through laws written to control the distribution of military equipment. Some countries do not allow any cryptographic tools to be used by their citizens; others have laws that control the use of cryptography, usually based on key length. This is because key length is one of the most understandable methods of gauging the strength of a cryptosystem. In some countries, the laws require all organizations and individuals to provide law enforcement with their cryptographic keys on demand. Cryptanalysis and Attacks Throughout this chapter we have looked at the strengths of the cryptographic algorithms and their uses. However, we must always be aware that any security system or product is subject to compromise or attack. We will now look at many of the methods of cryptanalysis that are used. Ciphertext-Only Attack The ciphertext only attack is one of the most difficult because the attacker has so little information to start with. All he has is some unintelligible data that he suspects may be an important encrypted message. The attack becomes simpler when the attacker is able to gather several pieces of ciphertext and thereby look for trends or statistical data that would help in the attack. Known Plaintext Attack For a known plaintext attack, the attacker has access to both the ciphertext and the plaintext versions of the same message. The goal of this type 271

AU8231_C003.fm Page 272 Saturday, June 2, 2007 1:22 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® of attack is to find the link — the cryptographic key that was used to encrypt the message. Once the key has been found, the attacker would then be able to decrypt all messages that had been encrypted using that key. In some cases, the attacker may not have an exact copy of the message — if the message was known to be an E-commerce transaction, the attacker knows the format of such transactions even though he does not know the actual values in the transaction. Chosen Plaintext Attack To execute the chosen attacks, the attacker knows the algorithm used for the encrypting, or even better, he may have access to the machine used to do the encryption and is trying to determine the key. This may happen if a workstation used for encrypting messages is left unattended. Now the attacker can run chosen pieces of plaintext through the algorithm and see what the result is. This may assist in a known plaintext attack. An adaptive chosen plaintext attack is where the attacker can modify the chosen input files to see what effect that would have on the resulting ciphertext. Chosen Ciphertext Attack This is similar to the chosen plaintext attack in that the attacker has access to the decryption device or software and is attempting to defeat the cryptographic protection by decrypting chosen pieces of ciphertext to discover the key. An adaptive chosen ciphertext would be the same, except that the attacker can modify the ciphertext prior to putting it through the algorithm. Social Engineering This is the most common type of attack and usually the most successful. All cryptography relies to some extent on humans to implement and operate. Unfortunately, this is one of the greatest vulnerabilities and has led to some of the greatest compromises of a nation’s or organization’s secrets or intellectual property. Through coercion, bribery, or befriending people in positions of responsibility, spies or competitors are able to gain access to systems without having any technical expertise. Brute Force There is little that is scientific or glamorous about this attack. Brute force is trying all possible keys until one is found that decrypts the ciphertext. This is why key length is such an important factor in determining the strength of a cryptosystem. With DES only having a 56-bit key, in time the attackers were able to discover the key and decrypt a DES message. This is also why SHA-1 is considered stronger than MD5, because the output hash is longer, and therefore more resistant to a brute-force attack. 272

AU8231_C003.fm Page 273 Saturday, June 2, 2007 1:22 PM

Cryptography Differential Power Analysis Also called side channel attack, this more complex attack is done by measuring the exact execution times and power required by the crypto device to perform the encryption or decryption. By measuring this, it is possible to determine the length of the key and the algorithm used. Frequency Analysis This attack works closely with several other types of attacks. It is especially useful when attacking a substitution cipher where the statistics of the plaintext language are known. In English, for example, we know that some letters will appear more often than others, allowing an attacker to assume that those letters may represent an E or S. Birthday Attack We looked at this attack earlier when we discussed hash algorithms. Because a hash is a short representation of a message, we know that given enough time and resources, we could find another message that would give us the same hash value. As we saw from the statistics of the birthday attack, this may be easier than originally thought. However, hashing algorithms have been developed with this in mind, so that they can resist a simple birthday attack. Dictionary Attack The dictionary attack is used most commonly against password files. It exploits the poor habits of users that choose simple passwords based on natural words. The dictionary attack merely encrypts all of the words in a dictionary and then checks whether the resulting hash matches an encrypted password stored in the .sam file or other password file. Replay Attack This attack is meant to disrupt and damage processing by the attacker sending repeated files to the host. If there are no checks or sequence verification codes in the receiving software, the system might process duplicate files. Factoring Attacks This attack is aimed at the RSA algorithm. Because that algorithm uses the product of large prime numbers to generate the public and private keys, this attack attempts to find the keys through solving the factoring of these numbers. Reverse Engineering This attack is one of the most common. A competing firm buys a crypto product from another firm and then tries to reverse engineer the product. 273

AU8231_C003.fm Page 274 Saturday, June 2, 2007 1:22 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Through reverse engineering, it may be able to find weaknesses in the system or gain crucial information about the operations of the algorithm. Attacking the Random Number Generators This attack was successful against the SSL installed in Netscape several years ago. Because the random number generator was too predictable, it gave the attackers the ability to guess the random numbers so critical in setting up initialization vectors or a nonce. With this information in hand, the attacker is much more likely to run a successful attack. Temporary Files Most cryptosystems will use temporary files to perform their calculations. If these files are not deleted and overwritten, they may be compromised and lead an attacker to the message in plaintext. Encryption Usage Selecting the correct encryption product is much more than just adopting a technology. A CISSP is expected to understand the many other issues related to implementing a technology — the correct processes, procedures, training of the users, and maintenance of the products chosen. Some considerations must be the security of the cryptographic keys and the ability to recover lost keys or data that was encrypted by exemployees. Every organization must have policies related to the use of cryptographic tools. These policies should require the use of organizationally supported standard encryption products and the correct processes for key management (key exchange and recovery) and storage and transmission of classified data. E-mail Security Using Cryptography Cryptography has many uses in today’s business environment, but perhaps one of the most visible is to protect e-mail. E-mail is the most common form of business communications for most organizations today, far outranking voice or personal contact in its importance for commerce. There are several reasons why an organization may need to protect email — to protect the confidentiality of message content and preserve intellectual property, to verify the course of e-mails to ensure that the sender is who he claims to be, to provide access control, and to prevent the distribution or copying of e-mail message content. As we know, the ability to forge e-mails, alter attachments, and masquerade as another user is a fairly simple process, and this underlines the requirement for secure e-mail. 274

AU8231_C003.fm Page 275 Saturday, June 2, 2007 1:22 PM

Cryptography Protocols and Standards Pretty Good Privacy (PGP) PGP was developed by Phil Zimmerman as a free product for noncommercial use that would enable all people to have access to state-of-the-art cryptographic algorithms to protect their privacy. PGP is also available as a commercial product that has received widespread acceptance by many organizations looking for a user-friendly, simple system of encryption of files, documents, and e-mail and the ability to wipe out old files through a process of overwriting them to protect old data from recovery. PGP also compresses data to save on bandwidth and storage needs. PGP uses several of the most common algorithms — symmetric algorithms such as CAST-128 and 3DES for encryption of bulk data, RSA for key management and distribution of hash values, and SHA-1 to compute hash values for message integrity. It gives the user the option to choose which algorithm she wishes to use, including others not mentioned here. When sending e-mail, PGP will ensure compatibility with most e-mail systems, converting binary bits to ASCII characters, breaking large messages into smaller pieces, and encrypting each message with a session (symmetric) key that is only used once. A user needing a new keyring will select a passphrase (the advantages of passphrases over passwords was described in the “Access Control” section) and PGP will generate the key pair to be used. A user will establish trust in another user’s public key through a web of trust relationship. Rather than establishing trust in a hierarchical format, where a root CA is trusted by everyone and everyone below that level trusts the higher authority, PGP establishes trust based on relationships, and one user can sign another user’s key for a third party based on the level of trust that the third party has on the key signer. Secure/Multipurpose Internet Mail Extension (S/MIME) S/MIME is the security enhancement for the MIME Internet e-mail standard format. S/MIME provides several features, including signed and encrypted mail messages. It uses SHA-1 and DSS for digital signature services and Diffie–Hellmann and RSA for encryption of the session key. Encryption of the message itself is accomplished through 3DES and RC2/40. S/MIME also adjusts the encryption method used depending on the algorithms used by the receiver of the message. Internet and Network Security IPSec. IPSec was developed to provide security over Internet connections and prevent IP spoofing, eavesdropping, and misuse of IP-based authentication. It operates with both IPv4 and IPv6. We study IPSec in more 275

AU8231_C003.fm Page 276 Saturday, June 2, 2007 1:22 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® detail in the telecommunications domain, but we will look at it here for utilization of encryption and compression services to provide secure communications. IPSec is documented in RFCs 2401, 2412, 2406, and 2408. IPSec uses HMAC-MD5-96 or HMAC-SHA-1-96 to provide an integrity check value for the message and part of the headers. This prevents the spoofing of the address portion of the headers. The reason they are called “-96” is that although the full MD5 or SHA-1 is used to calculate the integrity check value, only the first 96 bits (of 128 or 160, respectively) is used. For Encapsulating Security Payload (ESP) mode of operations, IPSec uses three-key 3DES, RC5, IDEA, three-key 3IDEA, CAST, or Blowfish to encrypt the payload (message) and, depending on whether it is tunnel or transport mode, part of the header. Key management is an important part of IPSec, and it uses Oakley/ISAKMP for key exchange. Oakley uses a form of Diffie–Hellman with some added security to prevent clogging of the key exchange process. This is done by forcing the sender to include a random number (nonce) in the original packet to the receiver. The receiver will then respond back to the address of the sender in the packet and not begin the decryption process until it receives an acknowledgment that the reply was received by the sender. If an attacker spoofed the sender’s address, the sender would never get the response from the receiver, and this would prevent the receiver from doing unnecessary work and clogging up his system with spoofed requests. ISAKMP specifies the format of the process to negotiate security associations. SSL/TLS. SSL is one of the most common protocols we use to protect Internet traffic. It encrypts the messages using symmetric algorithms, such as IDEA, DES, 3DES, and Fortezza, and also calculates the MAC for the message using MD5 or SHA-1. The MAC is appended to the message and encrypted along with the message data. Exchange of the symmetric keys is accomplished through various versions of Diffie–Hellmann or RSA.

TLS is the Internet standard based on SSLv3. TLSv1 is backwards compatible with SSLv3. It uses the same algorithms as SSLv3; however, it computes the MAC in a slightly different manner. References Henri Cohen et al. Handbook of Elliptic and Hyperelliptic Curve Cryptography. Boca Raton, FL: CRC Press, 2005. Gregory Kipper. Investigator’s Guide to Steganography. New York: Auerbach Publications, 2003. Richard A. Mollin. Codes: The Guide to Secrecy from Ancient to Modern Times. Boca Raton, FL: CRC Press, 2005. Richard A. Mollin. RSA and Public-Key Cryptography. Boca Raton, FL: CRC Press, 2002.

276

AU8231_C003.fm Page 277 Saturday, June 2, 2007 1:22 PM

Cryptography William Stallings. Cryptography and Network Security: Principles and Practice. Englewood Cliffs, NJ: Prentice Hall, 2002. Douglas R. Stinson. Cryptography: Theory and Practice, 3rd ed. Boca Raton, FL: CRC Press, 2005. James S. Tiller. A Technical Guide to IPSec Virtual Private Networks. New York: Auerbach Publications, 2000. Harold F. Tipton and Micki Krause (Eds.). Information Security Management Handbook, 5th ed., Vols. 1–3. New York: Auerbach Publications, 2005–2007. John R. Vacca. Public Key Infrastructure: Building Trusted Applications and Web Services. New York: Auerbach Publications, 2004. Lawrence C. Washington. Elliptic Curves: Number Theory and Cryptography. Boca Raton, FL: CRC Press, 2004.

Sample Questions 1. Asymmetric key cryptography is used for all of the following except: a. Encryption of data b. Access control c. Nonrepudiation d. Steganography 2. The most common forms of asymmetric key cryptography include: a. Diffie–Hellman b. Rijndael c. Blowfish d. SHA-256 3. One of the most important principles in the secure use of a public key algorithm is: a. Protection of the private key b. Distribution of the shared key c. Integrity of the message d. History of session keys 4. Secure distribution of a confidential message can be performed by: a. Encrypting the message with the receiver’s public key b. Encrypting a hash of the message c. Having the message authenticated by a certificate authority d. Using a password-protected file format 5. What are the disadvantages of using a public key algorithm compared to a symmetric algorithm? a. A symmetric algorithm provides better access control. b. A symmetric algorithm is a faster process. c. A symmetric algorithm provides nonrepudiation of delivery. d. A symmetric algorithm is more difficult to implement. 6. When a user needs to provide message integrity, what options may be best? a. Send a digital signature of the message to the recipient b. Encrypt the message with a symmetric algorithm and send it

277

AU8231_C003.fm Page 278 Saturday, June 2, 2007 1:22 PM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK®

7.

8.

9.

10.

11.

12.

13.

14.

278

c. Encrypt the message with a private key so the recipient can decrypt with the corresponding public key d. Send an encrypted hash of the message along with the message to the recipient A certification authority provides which benefits to a user? a. Protection of public keys of all users b. History of symmetric keys c. Proof of nonrepudiation of origin d. Validation that a public key is associated with a particular user What is the output length of a RIPEMD-160 hash? a. 160 bits b. 150 bits c. 128 bits d. 104 bits What is the primary risk of using cryptographic protection for systems or data? a. Loss of the system may mean loss of all data. b. A hardware failure may lead to lost data or system integrity. c. A disgruntled user may lead to denial of service. d. An employee may hide his activities from the security department. ANSI X9.17 is concerned primarily with: a. Protection and secrecy of keys b. Financial records and retention of encrypted data c. Formalizing a key hierarchy d. The lifespan of key-encrypting keys (KKMs) When a certificate is revoked, what is the proper procedure? a. Setting new key expiry dates b. Updating the certificate revocation list c. Removal of the private key from all directories d. Notification to all employees of revoked keys What is not true about link encryption? a. Link encryption encrypts routing information. b. Link encryption is often used for Frame Relay or satellite links. c. Link encryption is suitable for high-risk environments. d. Link encryption provides better traffic flow confidentiality. A _______________ is the sequence that controls the operation of the cryptographic algorithm. a. Encoder b. Decoder wheel c. Cryptovariable d. Cryptographic routine The process used in most block ciphers to increase their strength is: a. Diffusion b. Confusion

AU8231_C003.fm Page 279 Saturday, June 2, 2007 1:22 PM

Cryptography

15.

16.

17.

18.

19.

20.

c. Step function d. SP-network The two methods of encrypting data are: a. Substitution and transposition b. Block and stream c. Symmetric and asymmetric d. DES and AES Cryptography supports all of the core principles of information security except: a. Availability b. Confidentiality c. Integrity d. BCP A way to defeat frequency analysis as a method to determine the key is to use: a. Substitution ciphers b. Transposition ciphers c. Polyalphabetic ciphers d. Inversion ciphers The running key cipher is based on: a. Modular arithmetic b. XOR mathematics c. Factoring d. Exponentiation The only cipher system said to be unbreakable by brute force is: a. AES b. DES c. One-time pad d. Triple DES Messages protected by steganography can be transmitted to: a. Picture files b. Music files c. Video files d. All of the above

279

AU8231_C003.fm Page 280 Saturday, June 2, 2007 1:22 PM

AU8231_book.fm Page 281 Friday, October 13, 2006 8:00 AM

Domain 4

Physical (Environmental) Security Paul Hansford, CISSP

Introduction The physical (environmental) security domain addresses the common physical, environmental, and procedural risks that may exist in the environment in which the information system is managed. It also addresses physical and procedural defensive and recovery strategies, countermeasures, and resources, including the corporate physical infrastructure, security policies and procedures, physical security tools, and the organization’s staff. It is commonly accepted that the greatest potential source of threats to systems is “the insider” — staff, contractors, and anyone else who has logical (technical) or physical access to the system. It is also commonly accepted that the majority of the security breaches caused by insiders are not malicious, but the result of ignorance, i.e., a lack of training or awareness, or vulnerabilities arising from inadequate physical security or lapsed working procedures. In establishing and maintaining the security of a system, the Certified Information Systems Security Professional (CISSP®) will need to address its physical environment. In this, the CISSP must have an understanding of the strengths, weaknesses, and applicability of the likes of vehicle gates, doors, and windows, which may initially appear to have little direct bearing on information security. But of course they do. The Common Body of Knowledge (CBK®) reflects this in its domain on physical (environmental) security; in terms of the examination, you, the candidate, should be able to: • Describe the common threats to — and vulnerabilities found in — the environments of system and mobile devices, including working procedures, site facilities, equipment and media, and environmental support systems 281

AU8231_book.fm Page 282 Friday, October 13, 2006 8:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® • Explain the principle of defense in depth, expressed as “a layered combination of complementary countermeasures,” and the importance of providing both preventive and recovery measures • Identify the range of countermeasures available for the environmental protection of information assets, including security procedures, physical barriers, physical intrusion detection and monitoring systems, technical identification and authentication tools (e.g., smart cards, biometric devices), and environmental controls (e.g., of power, water, light, and heat). CISSP Expectations The CBK domain on physical (environmental) security is listed below to assist in determining topics for further review. Although this exam guide is detailed, it is not possible to thoroughly discuss every CBK topic here. Therefore, additional study of some items may the advisable. The CISSP should fully understand: • Threat types, including physical attack, arson, accidental damage, and burglary; environmental damage, including water, dust, heat, and power; irregularities; and disruptions • Threat sources, including pressure and terrorist groups, criminals, staff and contractors, and the general public • Vulnerabilities, including inadequate or lapsed procedures and weak or inappropriate physical security measures • The organization of perimeter, site zones, and building security • The benefits of including preexisting physical and procedural measures in system security strategies, and of blending physical and procedural measures with technical measures in a defense-indepth strategy • The benefits of coordinating with physical security and facilities management staff, and training staff, to utilize physical security measures and promote procedural security through training and awareness • Physical security procedures • Environmental controls, aligned with relevant health and safety legislation, including fire, flood, and similar safety requirements • Physical barriers, including identification and authentication, and access and intrusion detection controls Physical (Environmental) Security Challenges Physical, environmental, and procedural security measures perhaps offer the greatest potential for cost-effective defense in depth, particularly where measures already exist to address other security needs and are appropriate to the security of the system. However, it is important when 282

AU8231_book.fm Page 283 Friday, October 13, 2006 8:00 AM

Physical (Environmental) Security selecting these to confirm that they remain effective in practice as well as on paper — procedures can become relaxed over time and physical measures neglected. The increasing tendency toward home working and mobile computing, with diminished control over the physical environment, makes the need for procedural security more important than ever before. Security procedures must be clearly understood by those required to carry them out, and fit with working practices: experience shows that staff who do not appreciate the need for procedures will, sooner or later, find ways around them. At a strategic (corporate) level, the challenges for the information security professional include understanding the discipline of physical security and building effective working relationships with those who manage environmental and physical security. This may also include negotiating with contracted security services providers. To ensure staff honor their security obligations, it may be necessary to carry out security education, training, and awareness to promote the concept that everyone in the organization has a responsibility to address the physical and procedural aspects of information security in their daily work. Threats and Vulnerabilities As with other information security goals, the objective of physical, environmental, and procedural security is to ensure the system is available when needed and maintains data integrity and the confidentiality of the information it manages. The physical and procedural threats to systems include both malicious and accidental actions, plus environmental conditions that may damage computer system hardware and media. The physical components of systems are particularly at risk during installation, and where building maintenance or geographical relocation is under way. Mobile systems, including laptops, mobile phones, and personal digital assistants (PDAs), are particularly at risk in public transit and when left unattended in “foreign” environments, such as hotel rooms. Threat Types. There are three basic threat types: natural and environmental, threats from utility systems, and man-made and political threats. This section examines each of these treats in relation to sources, vulnerabilities, and countermeasures. Environmental Threats. A range of threats are presented by the physical environment itself. These include water leakage and humidity, ingress of dust and materials, excessive high and low temperature levels within and around the system, and power fluctuations and loss. Complete loss of power from its commercial source is sometimes called a blackout, whereas 283

AU8231_book.fm Page 284 Friday, October 13, 2006 8:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® a reduction of the power level is termed a brownout. Power fluctuations can be caused within the organization’s infrastructure by, for example, switching on a motor or infrastructure component that requires a high level of power to start up. This may cause a momentary sag or dip in voltage. Similarly, switching off a large system or failing to regulate voltage from an internal power source may deliver a momentary power surge or spike of higher voltage to the system, burning out circuitry. Power surges can also be caused by environmental changes, such as a local lightning storm. Most computer rooms need to be temperature controlled: failure to maintain this may require the system to be shut down. Securing the system’s environment must be achieved in compliance with statutory health and safety regulations: clearly, the protection of human life overrides the protection of computers. The position of a fire exit may not fit with security plans, but that must be accommodated. And although staff are normally required, for example, to purge printers, faxes, and photocopiers and lock away media before leaving their offices, these procedures clearly do not apply in the event of a fire. Malicious Threats. These include physical attack, sabotage, vandalism, arson, and theft. All of these may disrupt the business longer than may first seem likely. It is rarely a simple matter of replacing hardware or installing a software backup. A physical attack may be targeted on the building or site, rather than the system itself; therefore, damage to the infrastructure may need to be repaired before the computer system can be restored. Arson may entail recovering from the wider effects of smoke and water damage.

It is difficult to generalize on the possible sources of such physical attacks, but the information security professional should consider the capability, opportunities, and motivation of, for example, any relevant political or other pressure groups, competitors, and even former employees. These days, the majority of thefts tend to be either of laptops and similar small devices or of peripherals such as keyboards, mouses, monitors, and printers. In all these cases, the target is the hardware, but information is also lost and confidentiality compromised. That said, there are still examples of more organized, larger-scale burglaries of computer systems and software from premises; the risk of such an attack cannot therefore be discounted. Finally, information itself has a value: commercial plans, research and development data, staff directories, and other such information are of use to competitors, investigative journalists, hackers, and others. Many technical hacking attacks begin with information gathering and social engineering, for example, the collection of paper waste that has not been shredded or otherwise rendered unusable.

284

AU8231_book.fm Page 285 Friday, October 13, 2006 8:00 AM

Physical (Environmental) Security Accidental Threats. It is commonly accepted that around 75 percent of all attacks perpetrated by insiders are in fact simply accidents, or the consequence of ignorance of security obligations or how to operate the system securely. This type of physical threat may range from the minor and ephemeral — for example, the often-quoted “spilling coffee on the keyboard” — to a more serious disruption to service. Examples of building contractors accidentally cutting through cables during site excavations are often heard. Experience has shown that many potential accidental threats can be avoided by education and good procedural security measures. Vulnerabilities. Most physical, environmental, and procedural vulnerabilities arise from inadequate or lapsed security working practices and weak or inappropriate physical security measures. They include failure to test and review the integration of procedures with working practices, or to monitor and maintain physical security measures over time — against changes in the threat, work practices, and the physical infrastructure of the organization itself.

Site Location The location of the site has implications for the need for physical security for the system. An out-of-town location may provide complete control of the outermost perimeter by means of fencing, guard patrols, closed-circuit television (CCTV), and other intrusion sensors. In an urban area, however, that perimeter area may be as shallow as the building’s walls or the floors the organization occupies. Where the organization leases part of a shared building, control over external security may be difficult to achieve: although it can protect its own perimeters within the building, the organization may not be able to legislate against attacks on the building itself, nor any shared infrastructure services, such as telecommunications. The geographical location of the site may affect the security requirement if it is vulnerable to natural disasters, such as lying in a flood plain; is vulnerable to civil disobedience, demonstrations, or terrorist attacks; experiences crime, including burglary, vandalism, street crime, and arson; or lacks adequate access for the logistical support of emergency services. Site Fabric and Infrastructure The layout of and materials used in buildings have implications for security, as does the provision of infrastructure: water, light, heat and ventilation, and power systems. In this area, security arrangements must comply with statutory health and safety requirements.

285

AU8231_book.fm Page 286 Friday, October 13, 2006 8:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® In modern buildings, it may be possible to change the layout to accommodate security requirements, for example, to place cabling in secure ducting under floors or in ceiling cavities. In older buildings, particularly where these are subject to conservation orders, this may be impossible and security must be addressed within given architectural constraints. When a new site is built, or the organization relocates to modern premises, there is an opportunity to influence infrastructure and physical security arrangements to best protect the systems. To achieve this, security will need to be considered at all stages of design and build. Although this may involve additional complexity in planning, it will result in overall better and more cost-effective security than if this is considered after the event. Site fabric and infrastructure issues that may affect the security requirement include the location of doors and windows in the building, particularly on the ground floor; entry points open to the public, reception areas, and delivery and other trade entrances; the location of fire escapes, including external and internal stairways; the layout of offices, whether open plan, partitioned, or with solid or hollow walls; and door construction. The Layered Defense Model The main aim of physical and procedural security should be to integrate with technical system security measures in providing defense in depth. This is defined as “a layered combination of complementary countermeasures” or the layered defense model (Figure 4.1). The number and nature of defensive layers will depend on the configurations of the sites in which the system is managed. Typically, they will include the outermost physical perimeter, inner perimeters, and security zones specific to the system. In this chapter, we use the term outermost perimeter to define the furthest physical extent that the organization can control; inner perimeter to describe areas within this, that themselves require some additional form of protection; and restricted areas to describe more specific areas, such as suites or individual rooms. But there is no unified definition of these terms, nor will they necessarily be defined as such in the CISSP examination. In an open or rural environment, the outermost perimeter may comprise the fences, landscaping, and parking areas surrounding the buildings of the site; inner perimeters may comprise individual buildings within this overall perimeter; and security zones may be needed for server rooms and specific data processing areas. In an urban environment, the outermost perimeter may comprise the building or a suite of floors in a shared building that belong to the organization. Inner perimeters may comprise specific floors or suites of rooms, 286

AU8231_book.fm Page 287 Friday, October 13, 2006 8:00 AM

Communications channels

Physical (Environmental) Security

Outermost perimeter Building Grounds Entrance/public areas General oﬃces

ICT suite and other rooms

Figure 4.1. The basic layered defense model.

and security zones may again comprise those rooms that specifically house the system itself. These inner perimeters logically extend to communications systems and ducting that carries wire or fiber-optic cables between secure zones. In considering communications security, note that physical security measures cannot protect wireless communications and — unless specific shielding measures are taken — the unintended emission and interception of signals from system components. Physical Considerations Working with Others to Achieve Physical and Procedural Security. W h e r e the system is installed within a secure site, its security strategy can benefit from physical and procedural measures that already exist for other reasons, such as in business continuity planning (BCP). The benefits of utilizing existing measures in a new security strategy include cost-effectiveness, because those measures are already in place and budgeted; any problems should have been identified and resolved; and they provide a visible deterrent to potential attackers.

In adopting existing measures into the security strategy, there needs to be proof that these: 287

AU8231_book.fm Page 288 Friday, October 13, 2006 8:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® • Actually provide security, and procedures are actually carried out as specified • Continue to address the risks, and that these risks are relevant to the system • Neither duplicate security provision nor leave security gaps in the defense-in-depth strategy Physical and Procedural Security Methods, Tools, and Techniques. I n common with technical aspects of information security, the defense-indepth strategy applied to the environment in which the system is managed addresses four primary protection aims:

• Identifying and authenticating those individuals with physical access to the environment • Authorizing (i.e., defining and implementing access control for) those individuals • Monitoring and accounting for actions within the environment • Providing a contingency (to support business continuity) capability in the environment In this section, we will define a simple model of a site, comprising four protective layers, and discuss the procedural, environmental, and physical controls appropriate to these environments: • The external perimeter, comprising green space and car parking areas • Buildings within the site, housing various company activities • Restricted areas within each building: whole floors, suites, or individual rooms in which the IT system is sited and central resources, server rooms, and offices containing networked workstations • Communications channels that run between secure zones and outside the site perimeter Procedural Controls. At the outermost perimeter, procedural controls are designed to manage the environment boundaries and open areas. This may include landscaped areas, car parking, and shipping and receiving areas. Procedural controls may consist of the following. Guard Post. A guard post may include vehicle gates control, patrols of perimeters, staff and visitor car parks, buildings, vehicle inspections, and monitoring of CCTV. Many organizations outsource guard services to contractor companies. This can create a vulnerability to the information security regime due to high turnover and poor training. These vulnerabilities can be mitigated though good contract management. Reasonable wages and specific post orders detailing what is expected of contract security staff, along with specific performance metrics built into the contract, can go a long way in minimizing turnover and ensuring high-quality service. 288

AU8231_book.fm Page 289 Friday, October 13, 2006 8:00 AM

Physical (Environmental) Security Security guard shifts should overlap and not allow periods where boundaries are unattended. Guards should remain aware of the security requirements for which they are responsible, and their employer should be contractually bound to enforce these. Computer rooms should be secured at all times, require an appropriate form of access control (for example, card access), and have the capability to monitor and account for traffic moving in and out of them. Staff and visitor car parking should be segregated, and passes used to identify staff vehicles. In particularly sensitive situations, guards may be required to search vehicles on entry and exit to the premises. If so, it may be necessary to consult with legal experts on the legal aspects of such procedures. Checking and Escorting Visitors on Site. Because hackers have used social engineering to enter sites and gain information prior to launching a technical attack, and in extreme cases, commercial competitors and others have similarly used covert access to company premises to directly or indirectly gain access to information or IT services, the management of visitors on company premises has a direct bearing on information security. The ability to identify and account for visitors on site is a health and safety requirement, and security requirements can therefore be integrated with existing procedures in this respect. Managing Deliveries to the Site. Individual buildings on the site may need differing levels of security. Some buildings may be open to visitors and others not. The central suite, communications center, and server rooms will require special attention. Procedural controls may include:

• • • •

Reception areas, including visitor registration and pass management Deck-to-deck walls Cameras recording all access points to server room Management of entry and exit points, including fire exits and delivery points • Control on site of devices belonging to staff and visitors, such as laptops, mobile phones, and personal digital assistants (PDAs) Buildings may themselves be organized in various levels of secure zones. Typical examples include the control center, server rooms, and offices containing workstations. Procedural controls may include: • Clear desk procedures • Purging of storage media on fax, photocopier, and telephone voice mail facilities • Security checks on leaving rooms and the end of the day Communications channels present a separate security environment, because they may cross boundaries between secure zones within a site, 289

AU8231_book.fm Page 290 Friday, October 13, 2006 8:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® and indeed across the organizational boundary to the outside world. In this section, we refer particularly to data links between components of the corporate system. But they may also include telephone and similar channels acting as carriers for computer, fax, teleconferencing, and other forms of transmission. Procedural controls may include: • Inspections of internal cable ducting, cross-site underground cable runs, and telephone exchanges to guard against breakages, water and other damage, and tapping attacks • Inspections of physical controls (locks and similar security devices) on cabinets and ducting that house communications equipment • Testing for unintended emissions from cables and computer system peripherals (including monitor screens and keyboards) • Testing for the range of transmission from wireless communications Infrastructure Support Systems Environmental controls may already be in place to comply with health and safety legislation, including fire, flood, and other threats. The information security strategy must work within health and safety requirements; for example, a fire exit in or near a computer room may present a security vulnerability, but that vulnerability must be managed without compromising the purpose of the exit. In addition, computer systems themselves need protection in terms of power management, heating, ventilation, and air conditioning (HVAC), and refrigeration issues. At the external perimeter of our model, there are unlikely to be environmental controls other than, perhaps, parks maintenance to maintain clear line of sight for guard patrols and CCTV to all parts of the perimeter boundary. In urban settings, where the external perimeter may be that of the office block itself, environmental controls may be required to prevent parking close to the block. Within buildings, and within restricted areas dedicated to systems, there may be particular needs. Depending on the architecture and fabric of the building, these include HVAC, power surge suppressors and uninterruptible power supplies (UPSs), alternate power sources and grids, and electromagnetic and radio frequency interference (RFI). Temperature, humidity, and air quality sensors are tied into building alarm systems, which include emergency shutdown, for example, emergency power off (EPO) switches and protection and recovery measures against water leakage and flooding. Fire Prevention, Detection, and Suppression. Clearly, measures for preventing, detecting, and dealing with fires should be in place for health and safety and infrastructure protection reasons. Some of these measures — 290

AU8231_book.fm Page 291 Friday, October 13, 2006 8:00 AM

Physical (Environmental) Security for example, the placement and operation of fire exits — may affect the security strategy, which must consider the protection of human life as paramount. But there are also specific considerations for protecting systems, and these are discussed below. Training and education have a part to play here too, because a timely and appropriate response to a fire outbreak may prevent it becoming a critical incident. Most environments include false floors or ceilings to carry cabling. These areas can act as tunnels for flame and smoke. Therefore, the materials used in these must be nonflammable, and consideration should be given to compartmenting computer suites using floor-to-ceiling barriers to prevent the spread of flames and smoke in the event of fire. Noting that media such as magnetic tapes can produce poisonous gases when ignited, and that smoke can do as much damage as the fire itself, combustible materials should not be stored in central computing facility rooms. Media containing critical data and system software should be stored in fireproof containers, and backups should be held off-site. Fire and Smoke Detection Systems. Detection and suppression systems are likely to be installed throughout the infrastructure to protect staff and the building in which they work. Those units operating in data centers should be calibrated to accommodate the temperature, humidity, and other requirements for operating the hardware. Common types of fire and smoke detection systems include:

• Ionization: Reacts to the charged particles in smoke. • Photoelectric: Reacts to changes in or blockage of light caused by smoke. • Heat: Reacts to significant changes in temperature caused by fire. Fire Suppression Devices. Statutor y health and safety requirements require that portable fire extinguishers are available near electrical equipment, and of course this includes hardware. These must remain accessible, all relevant staff should know how and when to use them, and the correct class of extinguisher should be available and clearly labeled. These classes (and their applications) are:

• Class A: For common combustibles such as paper, wood, and laminates. Uses water or soda acid to control the fire. • Class B: For liquids such as petrol or coolants. Uses gas (Halon, a substitute, or carbon dioxide) or soda acid to control the fire. • Class C: For electrical equipment including wiring. Uses gas (Halon, a substitute, or carbon dioxide) or soda acid to control the fire. • Class D: For combustible metals. Uses dry powder to control the fire. • Class K: For commercial kitchens. Uses wet chemicals for fire suppression. 291

AU8231_book.fm Page 292 Friday, October 13, 2006 8:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Fire extinguishers can deal with small outbreaks, but larger sprinkler systems are needed to quell larger fires. Gas systems (including Halon) are sometimes used, but water systems are more common. Article 2B of “The Montreal Protocol on Substances That Deplete the Ozone Layer” has been agreed to by 183 nations under the United Nations Environment Programme, and amended most recently in Beijing (1999). Among other requirements to limit CFC emissions, this protocol controls the use of Halon 1211, 1301, and 2402. It also asserts that all new installations must use alternative means of fire suppression. Clearly, water will damage system hardware and, as a conductor of electrical charge, may cause significant damage through shorting out electrically live system components. This situation may to some extent be mitigated by first ensuring that fire and smoke detectors focus on specific zones within the suite (and perhaps that the sprinkler is activated only when a combination of these sensors detect heat or smoke) and then building into the suppression system a slight delay before water is introduced into the environment. This arrangement is called a dry pipe system: a valve is activated by the smoke or fire sensor and essentially chokes the water supply for a short time — to allow for, for example, evacuation or emergency system shutdown procedures to take place — before the sprinkler system is started. Sprinkler systems without this type of delay feature (that start the sprinkler as soon as the sensor detects smoke or fire) are called wet pipe systems. As stated previously, the security strategy must recognize that a fire of any magnitude in or near the data center is likely to cause significant damage — if not through fire itself, then through the results of smoke damage or, ironically, the consequence of fire suppression actions. Clearly, the response to this type of event will likely be based on a business continuity plan. Boundary Protection. Physical barriers, including identification and authentication, access control, and intrusion detection, are required to protect all layers of the environment of the system. In established sites, many of these measures may already be in place for other reasons. Providing they are effective and relevant to the security requirement for the system, these can offer a cost-effective basis for a defense-in-depth security strategy for the system.

At the external perimeter of our model, physical controls may include those listed below. In an urban environment, where, for example, the external perimeter is that of a shared office block, some perimeter controls may be jointly owned with other organizations or provided as a managed service. In this case, security arrangements may need to be negotiated and internal measures raised within those parts of the block where the organization has control, to allow for any shortfalls. 292

AU8231_book.fm Page 293 Friday, October 13, 2006 8:00 AM

Physical (Environmental) Security Perimeter Walls, Fences, and Similar Barriers. Walls and fences provide a clear statement of the physical boundaries of the organization and should act as a deterrent. Considerations for implementing these include:

• The ability to see all parts of such barriers, using guard patrols, CCTV, or other means to detect any attempts to break over or through them. • Ensuring that landscaping and architectural features do not impede line of sight. • Ensuring that chain-link fencing is adequately sited, for example, in concrete bases, and taut. Chain fencing is liable to corrosion and other wear-and-tear deterioration; checks must be made periodically for signs of weakness in the structure. • Using a combination of barrier types, such as a barbed-wire top guard above the fence or wall. Vehicle and Personnel Entry and Exit Gateways. These gateways include automated barriers. Automated gates and pole barriers that are raised and lowered to allow or prevent vehicular access may need to be manned or to incorporate some form of surveillance, for example, CCTV, to detect instances of “tailgating,” where the barrier is open long enough for a trespasser to follow immediately behind an authorized visitor.

Personnel barriers include turnstiles and mantraps. The latter comprise a double-door facility so that the entrant is momentarily “trapped” between the closed door and the other about to open. Personnel barriers may be operated by guards or by the presentation of a smart card or other token, a PIN (personal identification number), or possibly a biometric reading. In selecting which type of barrier to implement, consideration must be given to the number of staff who will need to pass through these at peak office times, and their ability to permit a swift exit in the event of a fire or similar emergency. Revolving doors and turnstiles can be set for freewheeling egress when interfaced with building fire systems. Building Entry Points Keys and Locking Systems. Locking systems, using keys or other devices, remain among the most common form of access control to premises. It is worth defining the various types available and their uses. Key and Deadbolt Locks. Key locks require a physical key to open the lock. Deadbolt locks additionally comprise a bolt or bolts that are “thrown” from the door into the door frame when the key is turned, providing additional strength against a physical attack. Commonly used on standard room and cabinet doors, these are perhaps the most vulnerable types of locking system, in the sense that a lost or stolen key offers ready access and locks are relatively easy to pick. Therefore, accounting of all keys and spares must 293

AU8231_book.fm Page 294 Friday, October 13, 2006 8:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® be made, and audits conducted periodically to ensure none are missing. To mitigate this risk further, ensure that restricted areas with access-controlled doors do not have keys, which are issued to staff. Keys must be available in emergency situations if the access control system fails, but this can be handled in a number of ways. More expensive locking hardware can also be added to the door to increase the difficulty of picking the lock. Although there is no thing as a pick-proof lock, a lock can be made difficult enough to frustrate someone’s attempt. Some organizations operate a master key system, where the master can be used to access all doors, though each also has its own unique key. In this case, the master key and its duplicate are critical and must be held securely against loss, theft, or copying. Restricted key systems offer a method for eliminating the possibility of having keys copied. Even with a restricted key system, some keys need to be issued and could be misused. Therefore, it is a good practice to make sure that the perimeter doors are keyed to a separate system than the internal keys, that a minimum number of perimeter doors (one or two) be keyed alike, and that only a few of those keys be issued in case of access control failure. That way, if a key is compromised, only a maximum of two doors need to be rekeyed. Combination Locks. Combination locks comprise a numbered tumbler or dial that must be turned clockwise and anticlockwise a number of times to preset numbers to open the device. This system overcomes the issue of physical key management and effectively allows the key (the combination numbers) to be changed periodically. It is commonly (not exclusively) associated with security furniture and requires knowledge both of the numbers and of the rotation sequence to gain access. The principal vulnerabilities of this system are where the combination is written down and found, or is not changed frequently, and when staff leave. A register of tumbler combinations, and those who hold them, needs to be managed centrally. Keypad or Pushbutton Locks. Keypad or pushbutton locks simply require a combination of numbers to be learned and secured. When the number is input to the keypad, access is given. The combination relates to the barrier rather than to the individual, and may therefore be shared by all those requiring access — hence accountability is lost. Further, there is the danger that the combination number is overseen as it is input, or that it can be discovered by trial and error. Smart Locks. Smart locks and associated smart cards can be used to permit only authorized individuals to gain access and can be programmed, for example, to limit access to certain times or for a prescribed period, after which the card will not work. These are similar to access-controlled doors, 294

AU8231_book.fm Page 295 Friday, October 13, 2006 8:00 AM

Physical (Environmental) Security but are not linked to a central database. Physically going to each door to update access tables is required, which makes this solution impractical for large-scale deployment. Associated with this limitation is the vulnerability of not being able to disable access quickly when a person leaves the company but keeps the smart card. Walls, Doors, and Windows. Door Design and Materials. Having discussed locks, it is worth considering the value or otherwise of door construction. These may be solid or contain a pane of glass to ensure those approaching the door can be seen. They may be hollow, comprising two thin boards on a frame. The solid door is more secure than the hollow construction, which can simply be kicked in or cut through. Where doors to rooms that contain equipment have glass elements, care should be taken to ensure that desks and monitor screens cannot be observed from outside the room.

In addition, it is often overlooked that a determined attacker may remove the door from its frame to gain access. Fixing of the frame securely to the wall and ensuring the door hinges are hidden, rather than external, when the door is closed add to the security of the doorway. In cases where external hinges are necessary, the hinge pins should be welded or pinned to keep them from being removed by an intruder. Finally, attention should be paid to fire doors, roof access points and fire escapes, ventilation openings, and crawl spaces below raised floors and above false ceilings that may allow access between rooms. Window Glass and Types. In secure areas, the type and construction of windows — particularly external windows — can either aid security or present vulnerabilities. Standard plate glass is relatively brittle and breaks into shards, whereas tempered glass is several times stronger and breaks into small fragments. Reflective or shatter-proof security film (sometimes referred to as bomb blast film) can be applied to such existing window panes to prevent outsiders seeing into rooms or to further reinforce the window against shattering. Wire mesh or a polycarbonate sheet can be embedded between two sheets of glass to create a laminated window pane; the wire mesh format is often required to comply with fire regulations. Finally, acrylics such as Lexan (this is both a product name and a common way of referring to this type of very strong, clear acrylic sheeting) can be used in place of glass. A measure of the strength of Lexan is seen in its use in aircraft windows.

As with doors, it is important that the window frames are fully secured to the walls, that the windows can be locked, and that the glass is fixed within the frame such that it cannot be removed from outside. Security sensors can be applied to window frames to detect noise or vibration that indicates an attack on the window. 295

AU8231_book.fm Page 296 Friday, October 13, 2006 8:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Most of the measures we have discussed so far provide access control. We now discuss some identification and authentication measures, recognizing that these are often closely integrated with access control measures and procedures. Access Controls. Card, Badge, and Pass Identifiers. C o l o r - c o d e d b a d g e s and passes can be worn to indicate the authorization of the individual to enter secure zones. This measure must be supported by the procedural requirement that badges and passes are worn at all times and that staff challenge those who do not wear them or are in an unauthorized area.

As discussed earlier, programmable swipe cards and smart cards with chip technology can be used to provide two-factor authentication: something the individual has (the card) and something she knows (a PIN or password she supplies to the control, with the card). Smart cards can further offer encryption-based identification in concert with the access control device Contact card systems require physical contact between the card and the reader to share authentication information. Proximity cards are typically 13.56-MHz contactless radio frequency interface device (RFID) cards, also known as contactless smart cards. Proximity cards are defined by the ISO 14443 (proximity card) standard. Biometric Controls. Biometric identification and authentication measures are gaining in popularity, but arguably still suffer from false-negative and false-positive decisions. Biometric devices offer authentication based on the “something you are” principle: a fingerprint, retina or iris scan, signature dynamic, voice recognition, or facial scan. They are often recommended as being faster and less onerous for staff to operate than password or PIN systems. But it is not clear that this is always true, and some staff remain unhappy about submitting to what they perceive to be a physically intrusive measure.

For more information about cards and biometrics, see the chapter on Access Control, Domain 2. We now turn to consider monitoring and intrusion detection systems. Closed-Circuit Television (CCTV). Although CCTV provides a limited, visible deterrent to potential intruders, its real benefit is the ability to detect and identify an intrusion as it happens. However, CCTV requires human intervention and, like any other monitoring capability, is only as good as those who operate it. An effective CCTV system includes the following features:

• Positioning of cameras at an adequate height to avoid physical attack. • Appropriately distributed to exclude any blind areas between each camera range. 296

AU8231_book.fm Page 297 Friday, October 13, 2006 8:00 AM

Physical (Environmental) Security • Adequate lighting in all conditions, to obtain good pictures. • Appropriate lenses (fixed or zoom) and the ability to pan, tilt, and zoom as required. • Ability to be recorded. Premise liability exists when a camera system is in place that is not recorded. Tapes have been used for years, but most current systems involve digital recorders using some form of video compression algorithm, either locally on a digital video recorder (DVR) or centrally on a server across the network in a network video recorder (NVR) system. A software interface allows people to view live and archived video. • Having the camera system tied into the alarm system. This way, a pan, tilt, and zoom (PTZ) can be programmed to automatically focus in on a preset location, like a door or window, when an alarm occurs. Other options for both PTZ and fixed cameras are to have the number and quality of video frames increased during an alarm event. • Regular servicing of moving parts, and ensuring that lenses remain clean. • Human intervention: literally, someone to watch the pictures. It is ineffective for a person to attempt to monitor more than a few cameras over a long period, even if that is their only function. Motion detection and pixel analysis software, which are an integral part of most DVR solutions, allow hundreds of cameras to be monitored by one person, who then only needs to pull them up when they go into an alarm state. Various choices can be made about the type of CCTV coverage; clearly, more sensitive areas will require more constant, real-time, and live coverage. Cameras can be programmed to sweep a range or remain static; video monitoring can be programmed to swap pictures on a single screen or provide multiple screens to view all camera pictures all the time. Besides the DVR and NVR solutions, current advancements, including smart video and IP cameras, have a storage capability of up to a week. This makes an NVR solution more practical, but all of these advancements also raise new issues around bandwidth and network reliability. Although MPEG-4 compression helps to minimize some bandwidth issues, an assessment of your existing network should be done to determine which solution is right for you. The use of CCTV has both legal and practical implications for the organization: • Whether digital or video, the amount of visual data recorded and kept will have a storage implication. This may be considerable if data is kept over time for possible use in legal prosecution. • Video tapes must be stored in a way that mitigates against their physical deterioration. Digital records must be kept in a way that asserts their integrity if brought as evidence in a legal prosecution. 297

AU8231_book.fm Page 298 Friday, October 13, 2006 8:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® • Recording the actions of individuals may present statutory human rights and privacy implications. For example, it may be necessary to gain the consent of staff to record them, and to place signage around the site that warns visitors that CCTV is in operation. • In using CCTV records as evidence in a prosecution, privacy legislation may require that details of individuals other than the accused be blurred or pixelated. This may include the faces, car number plates, and so on: this requires the technical facility to edit visual records and the often significant human effort to accomplish it. This account of CCTV has so far focused on the type of units we see installed around site perimeters and on buildings. Nowadays, cameras come in all shapes and sizes — some are very small, often intended for covert use. Although these devices have an application (for example, in specific investigations), their deployment must be considered carefully against any infringement of human rights and privacy legislation. It is important to differentiate between overt and covert video recording. It is against the law in some countries to covertly monitor employees. There is also an expectation of privacy in, for example, bathrooms and locker rooms, which make placing even overt cameras a legally indefensible action. Intrusion Detection Systems. While CCTV provides an overall detection

capability, other intrusion detection devices offer protection for specific areas within buildings, for example, doors, windows, and false ceilings. Electrical Circuit. This uses foil or wire contacts placed across door or window frames, carrying a low level of current. When the door or window is opened, the circuit is broken and the alarm triggered. Light Beam. This uses a photoelectric cell that receives a small light source across the secure boundary. When the path of the light to the cell is interrupted, the alarm is triggered. This method has particular application to open boundaries that, for whatever reason, cannot implement a physical barrier, such as a gate or doorway. However, dust or other small materials may trigger false alarms, and attackers may be able to avoid disturbing the light beam as they cross the boundary line. Passive Infrared Detector (PIR). Among the most common intrusion detection devices, PIRs measure light energy within a physical range. When this energy level is changed by the presence of an intruder, the alarm is triggered. PIR systems are effective in detecting heat and movement, but they need to be calibrated carefully to ensure against false alarms. Microwave and Ultrasonic Systems. These systems comprise transceivers and control units. The transceiver units produce and monitor either a measurement of distance (microwave) or an acoustic energy pattern (ultrasonic) across the room and trigger an alarm when this changes. Ultrasonic 298

AU8231_book.fm Page 299 Friday, October 13, 2006 8:00 AM

Physical (Environmental) Security systems have the advantage of invisibility, but can be prone to raising false alarms when significant external sounds impact on the acoustic pattern. Regardless of what intrusion detection systems you deploy, ensure that they are tied into an alarm system that is monitored somewhere and that you have a response procedure in place. CCTV can minimize, but not eliminate, false alarm calls. Portable Device Security. The proliferation of portable computing, remote computing, and telecommuting has raised the issue of physical and procedural protection for these devices, associated media, and the information they manage. This issue extends beyond laptops and PDAs to increasingly integrated devices, such as camera phones, personal dictation machines, and media, including USB sticks.

Theft of such devices is usually to gain the hardware. But of course information — too often sensitive and of value to the individual and the organization — is lost with it. However, the majority of security incidents relate to simply losing equipment, leaving it in taxis, on public transport, in hotel rooms, and so on. Procedural and physical security measures for laptops may include: • Carrying them in unmarked bags or briefcases (as opposed to manufacturers’ bags, which draw attention to their contents) • Transporting the hard disk separately from the laptop (though this is not always convenient) • Using tamper detection measures, tracing software, or invisible marking systems • Protecting against illicit access with tokens, such as smart cards Elsewhere, protection against compromised confidentiality for portable devices may be achieved by disk encryption, password protection, and similar technical measures. As stated in the introduction to this chapter, the inherent inability to provide a physically secure environment places greater emphasis than ever on good procedural security measures, plus education, training, and awareness to promote them to users. Asset and Risk Registers. Registers of physical IT assets can help audit against theft and the acquisition, movement, and decommissioning of systems and security equipment. This may become more important as wireless technology allows systems infrastructures to become more dynamic and mobile.

Records can be made of those members of staff who, for example, hold combination and PIN numbers to access secure zones and security furniture; these can be used to ensure that these items are changed at a pre299

AU8231_book.fm Page 300 Friday, October 13, 2006 8:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® scribed frequency and on a timely basis as staff join, move around, or leave the organization. Risk registers covering physical sources and types of threats and vulnerabilities can be used in reviewing and auditing the effectiveness of physical, environmental, and procedural security against changes in the risk, practices, and physical infrastructure of the organization. Information Protection and Management Services Managed Services Organizations that contract out physical security services, such as guarding, building control, and courier services, may have little control over the vetting process and contracts of staff employed by the managed service provider. In these situations, the following issues must be addressed: • The contractor understands and is contractually bound to meet the organization’s physical and procedural security requirements. • The contracting organization has the ability to audit or test the security services provided. • There is a channel of communication between the contracting authority and the contractor to affect changes to procedural and physical security measures as they are needed. Physical security can be compromised during temporary situations, such as office relocations and times when scaffolding is placed against buildings for refurbishment or repair work. Security of hardware assets may be weak when in transit and in temporary storage. And although good physical security may be evident on ground floors, the windows, fire exits, and external stairwells on upper stories may be less well protected. Audits, Drills, Exercises, and Testing Among the most commonly experienced vulnerabilities are failing to implement physical security measures properly and allowing procedures to relax. Security audits report that although physical, environmental, and procedural security may be organized in the security strategy, it is not applied as prescribed in day-to-day working practices. Education, training, and awareness can help resolve this discrepancy (see below), as can auditing those measures and conducting exercises and tests. An audit of compliance with the security strategy should be undertaken at an appropriate frequency — perhaps annually. Audits should also be conducted when any significant breach of security or change in the risk, working practices, or nature of the physical infrastructure indicates this may be needed. Audits may be paper based and review the practical effectiveness of physical and procedural measures against prescribed security operating 300

AU8231_book.fm Page 301 Friday, October 13, 2006 8:00 AM

Physical (Environmental) Security procedures and security manuals, training and awareness materials, and incident reporting statistics. They may also involve interviews with staff and observation of behaviors in the workplace. In these methods, however, staff may feel criticized and exhibit behaviors expected of them, rather than their normal practice. Vulnerability and Penetration Tests Vulnerability and penetration tests may be conducted as part of initial procurement evaluation and routinely as part of an audit exercise. Vulnerability tests may include technical testing of biometric devices against false-negative and false-positive results, and attempting brute-force and lock-picking attacks on security furniture. Penetration tests may include attempts to enter premises and test, or attempt to subvert, secure working practices by, for example: • Social engineering attempts to gain entry while posing as a legitimate member of staff • Testing procedures, such as challenging, by not wearing an appropriate security pass • Testing physical security by, for example, attempting to tailgate staff through entry points Such exercises may be either advertised or conducted under cover, to test how alert staff really are to such intrusions. The results of such exercises can be used to justify the effort required to improve security and to raise awareness and encourage staff to address any vulnerabilities that are discovered. Maintenance and Service Issues Because many physical security mechanisms involve moving parts, and some are open to the corrosive elements of the weather and other agents, security maintenance will need to take into account testing, maintaining, and servicing such items. And contingency measures should be available if these break down for any reason. Regular checks of static elements, such as fencing, walls, and similar barriers, are needed to ensure that any malicious damage or general wear and tear has not diminished their effectiveness. Education, Training, and Awareness As for other aspects of information security, education, training, and awareness can encourage staff to address physical and procedural security requirements. This is particularly important in situations where the organization has diminished control over the physical environment, such as home- or telecommuting scenarios and where the workforce is predominantly mobile. 301

AU8231_book.fm Page 302 Friday, October 13, 2006 8:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Emphasis can be given to those areas of procedural security in particular that are shown in audits and incident reporting statistics to be poorly supported. Analogies can be drawn with health and safety requirements, which may already be understood. Physical and procedural security measures can often be demonstrated to ensure that staff literally see their value to the business of the organization and the protection of their jobs. Summary The need for physical and particularly procedural security has grown alongside the development of wireless technology and an increasingly mobile workforce. Although systems may not always be the target of a malicious physical attack on an organization, they may suffer as much as any other corporate resource as a result. Physical and procedural countermeasures should aim to provide identification and authentication, authorization (access control), and accountability for all individuals who may have physical access to the system. A fourth element is the provision of physical contingency resources and alternative procedures should any aspect of the systems and the services it provides be mitigated. Physical security should be organized in a defense-in-depth strategy: a “layered combination of complementary countermeasures” that together present a variety of protective measures against deliberate and accidental interventions, as well as commonplace environmental threats. This can be provided in a cost-effective way by adopting measures that are already in place to address other security requirements. If so, these measures must be checked to ensure that they remain effective against the risk and that they fit with the security strategy for the system. The effectiveness of procedural security relies on the knowledge, skills, and awareness of staff to enable them to comply with procedures consistently and completely. Analogies can be drawn with health and safety requirements. Physical and procedural security are integral parts of information security and rely on integrating computer security with facilities and other forms of security. This is an area where the CISSP must work effectively with other security specialists to achieve the best security solution for the system. References Mary Lynn Garcia. The Design and Evaluation of Physical Protection Systems. London: Butterworth Heinemann, 2001. Joseph F. Gustin. Facility Manager’s Handbook. New York: Marcel Dekker, 2002.

302

AU8231_book.fm Page 303 Friday, October 13, 2006 8:00 AM

Physical (Environmental) Security Richard Lack. Safety, Health, and Asset Protection: Management Essentials, 2nd ed. Boca Raton, FL: CRC Press, 2001. James P. Muuss and David Rabern. The Complete Guide for CPP Examination Preparation. New York: Auerbach Publications, 2006. POA Publishing. Asset Protection and Security Management Handbook. New York: Auerbach Publications, 2002. Louis A. Tyska and Lawrence J. Fennelly. Physical Security: 150 Things You Should Know. Amsterdam: Elsevier, 2000.

Sample Questions 1. Which of these statements best describes the concept of defense in depth or the layered defense model? a. A combination of complementary countermeasures b. Replicated defensive techniques, such as double firewalling c. Perimeter fencing and guarding d. Contingency measures for recovery after, e.g., system failure 2. Sprinkler systems to defeat a fire outbreak may include either a dry pipe or wet pipe mechanism. Which of these statements is not true of a dry pipe mechanism? a. It delays briefly before providing water to the fire. b. It uses gas or powder, rather than a fluid, to choke the fire. c. It offers a brief opportunity for emergency shutdown procedures. d. It offers a brief opportunity to evacuate staff from the affected rooms. 3. The geographical location of the site may affect the security requirement if it: a. May be vulnerable to natural disaster (e.g., a floodplain) b. Lacks adequate access for, or the logistical support of, emergency services c. Experiences crime, including burglary, vandalism, street crime, and arson d. All of the above 4. Which of these infrastructure features would most likely present a physical vulnerability for an information system? a. Fire escapes, including external and internal stairways b. The information security architecture c. The corporate compliance policy d. The internal telephone network 5. Which one of these would be the principal practical benefit of utilizing existing physical or procedural measures in an information system’s security strategy? a. They offer duplication of, e.g., access controls. b. They are already tried, tested, and accepted by staff. c. They are managed by facilities staff. d. They are written into corporate procedures. 303

AU8231_book.fm Page 304 Friday, October 13, 2006 8:00 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® 6. Which one of these is least likely to provide a physical security barrier for a system? a. External site perimeter b. Protected zones (e.g., a floor or suite of rooms) within a building c. Communications channels d. Office layout 7. Which of these is a procedural (rather than an administrative or technical) control? a. System logging b. Purging storage media on, e.g., fax, photocopier, or voice mail facilities c. Developing a system security policy d. Configuring a firewall rule base 8. Which of these is not a common type of fire/smoke detection system? a. Ionization b. Photoelectric c. Heat d. Movement 9. Which one of these fire extinguisher classes is most appropriate for controlling fires in electrical equipment or wiring? a. Class A b. Class B c. Class C d. Class D 10. Which one of these is the strongest form of protective window glass? a. Standard plate b. Tempered c. Embedded polycarbonate sheeting d. Embedded wire mesh 11. Which one of these physical intruder detection systems reacts to fluctuations of ambient light energy within its range? a. Electrical circuit b. Light beam c. Passive infrared detector (PIR) d. Microwave system 12. Which one of these physical locking devices requires the knowledge of a set of numbers and a rotation sequence to achieve access? a. Deadbolt lock b. Combination lock c. Keypad d. Smart lock 13. Which one of these is the most critical aspect of ensuring the effectiveness of a CCTV system? a. Positioning cameras at a height that prevents physical attack b. Adequate lighting and positioning to address blind spots 304

AU8231_book.fm Page 305 Friday, October 13, 2006 8:00 AM

Physical (Environmental) Security c. Monitoring of and reaction to camera feeds d. Safe storage of footage 14. In terms of physical security, which one of these is the best measure to prevent loss of data in a mobile computing scenario? a. Carry the laptop in an unmarked bag or briefcase. b. Carry the laptop’s hard disk separately from the laptop. c. Use tamper detection measures or tracing software. d. Restrict access via tokens, such as smart cards. 15. Procedural security measures often fail because staff fail to appreciate why they should use them. Which one of these measures may best address this? a. Security operating procedures b. Security training and awareness c. Disciplinary procedures d. Dissemination of the corporate security policy

305

AU8231_book.fm Page 306 Friday, October 13, 2006 8:00 AM

AU8231_C005.fm Page 307 Wednesday, May 23, 2007 9:02 AM

Domain 5

Security Architecture and Design William Lipiczky, CISSP

Introduction The security architecture and design domain addresses the high-level and detailed processes, concepts, principles, structures, and standards used to define, design, implement, monitor, and secure/ensure operating systems, applications, equipment, and networks. It addresses the technical security policies of the organization as well as the implementation and enforcement of those policies. The security architecture and design must clearly address the design, implementation, and operation of those controls used to enforce various levels of availability, integrity, and confidentiality to ensure effective operation and compliance (with governance and other drivers). This domain presents the key principles and concepts that are critical to consider when designing security architecture. The information contained in the other domains, when used in accordance with the principles and concepts discussed in this domain, can provide a solid basis to evaluate an existing architecture and then build a truly strong enterprise security architecture. CISSP® Expectations Designing the security architecture of an information system is crucial to implementing an organization’s information security policy. A Certified Information Systems Security Professional (CISSP) must be able to address competently the following areas: 1. Identify the physical components of IT architecture. 2. Discuss the relationship between the various uses of software. 3. Understand the design principles as they relate to the enterprise architecture. 4. Describe how to secure an enterprise architecture. 307

AU8231_C005.fm Page 308 Wednesday, May 23, 2007 9:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® 5. Identify the difference between trusted and nontrusted components of an enterprise. 6. Discuss security models and architecture theory. 7. Identify appropriate protection mechanisms. 8. Discuss evaluation methods and criteria. 9. Understand the role of assurance evaluations. 10. Explain the terms certification and accreditation. 11. Identify the techniques used to provide system security. Security Architecture and Design Components and Principles There are three basic components to system architecture: the central processing unit (CPU), storage devices, and peripherals (input/output devices). They each have specialized roles in the architecture. The CPU, or microprocessor, is the brains behind a computer system and performs calculations as it solves problems and performs system tasks. Storage devices provide both long- and short-term storage of information that the CPU either has processed or may process. Peripherals (scanners, printers, modems, etc.) are devices that either input data or receive the data output by the CPU. Security Frameworks: ISO/IEC 17799:2005, BS 7799:2, ISO 270001 ISO/IEC 17799:2005, the “Code of Practice for Information Security Management,” is an internationally recognized set of controls that focus on best practices for information security. BS 7799-2:2002 provides instructions on how to apply ISO/IEC 17799 and to construct, run, sustain, and advance an information security management. ISO/IEC 17799:2005 addresses 11 categories: 1. Business continuity management mitigates an incident’s impact on critical business systems. 2. Access control provides only authorized access to data, mobile communications, telecommunications, and network services, as well as detects unauthorized activities. 3. System development, acquisition, and maintenance implements security controls into operations and development systems to ensure the security of application systems software and data. 4. Physical and environmental security prevents unauthorized access, damage, and interference to facilities and data. 5. Compliance ensures adherence to criminal and civil laws and statutory, regulatory, or contractual obligations, complies with organizational security policies and standards, and provides for a comprehensive audit process. 6. Human resources security minimizes the risks of human error, theft, and misuse of resources, provides information security threats and 308

AU8231_C005.fm Page 309 Wednesday, May 23, 2007 9:02 AM

Security Architecture and Design

7.

8.

9. 10. 11.

concerns to users, and disseminates information to support the corporate security policy. Information security organization provides a formal data security mechanism within an organization that includes information processing facilities and information assets accessed or maintained by third parties. Communications and operations management ensures the proper and secure operation of data processing facilities by protecting software, communications, data, and the supporting infrastructure, as well as ensuring proper data exchange between organizations. Asset management protects corporate assets by ensuring data assets receive appropriate protection. Security policy provides management guidance and support for information security. Information security incident management implements procedures to detect and respond to information security incidents.

ISO 27001 is “Information Security Management: Specification with Guidance for Use.” Once it is formally released, it will directly replace BS 77992:2002. ISO 27001 defines an information security management system and creates a framework for the design, implementation, management, and maintenance of IS processes throughout an organization. As with BS 7799, ISO 27001 will continue to complement ISO 17799. They are two distinct documents, but are designed to support each other. Where ISO 17799 is a code of practice, detailing individual controls for potential implementation, ISO 27001 defines the information management system itself, which encompasses the former. Currently, certification is granted against BS 7799. Upon its release, future certifications will be against ISO 27001. Design Principles Diskless Workstations, Thin Clients, and Thin Processing. A diskless workstation is a computer without a hard drive in it, and sometimes without a CD-ROM drive or a floppy drive. The workstation has a network card and video card, and may also have other expansion cards, such as a sound card. A diskless workstation relies on services provided by network servers for most of its operation, such as booting and running applications. Usually the workstation operates as a thin client connecting to a server that provides access to files and runs applications. These thin-client systems replace individual desktop PCs with a centralized server that provides the applications and data users need at individual workstations. Thin clients were used during the mainframe-dominated era, but now PC usage is pervasive. This is both beneficial and problematic. The problem with using PCs is that users get themselves — and the company — in trouble through unauthorized applications, downloads, and errors. By returning control of the applications to centralized servers maintained by knowl309

AU8231_C005.fm Page 310 Wednesday, May 23, 2007 9:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® edgeable IT staff, thin-client computing may be successful in addressing these and other security concerns. Diskless workstations are usually described as workstations without any secondary storage. Because there is no storage capability, users do not need to have download capabilities. Other by-products are that this reduces virus vectors, lessens removable media concerns, and improves availability compared to dealing with disk failures on PCs. On the downside, there may be lower availability under network outage or power degradation conditions. Thin Storage. Management of file and database storage is getting out of control and using more and more system administrators’ time. Networkattached storage or CD-ROM libraries are ways to add shared storage capacity to networks. Then, a thin client containing an operating system installed in flash memory is plugged into the network and an IP address assigned. A variety of systems and protocols are supported, such as Common Internet File System/Server Message Block for Microsoft Windows NT, NetWare Core Protocol for Novell NetWare, Network File System for UNIX, Dynamic Host Configuration Protocol for automatic IP addressing, and Simple Network Management Protocol for network management.

The thin-client application normally uses an Internet browser to connect to a central server. This allows for almost universal access to thin-client applications. There are two types of thin-client applications used to access storage management software: application service provider (ASP) and Web-based data warehousing. With ASP, data is stored in a remote server farm that the software provider maintains. This provides a centralized storage area that can be accessed from any Internet connection. However, ASP requires a constant connection to the Internet. If the connection is unavailable to the user or the host, then the software is unable to operate. Web-based data warehousing provides redundancy and allows access even if the Internet connection is disrupted. A transmitter applet transmits data based on user-defined intervals. If the Internet connection is lost, it can be automatically reestablished and any storage changes are automatically sent to the server. The advantage of thin-client applications is that usually they outperform other server connection methods. An added benefit is that to access data, all that is needed is Internet connectivity. In addition, by choosing an application that provides data redundancy, even if the Internet connection is disrupted, access to data is still possible. Operating System Protection. Privilege Levels and Ring Protection. Privilege level controls prevent memory access (programs or data) from less privileged to more privileged levels. Memory access from more privileged to less privileged levels is permit310

AU8231_C005.fm Page 311 Wednesday, May 23, 2007 9:02 AM

Security Architecture and Design ted. Mechanisms called control gates manage transfers from a less privileged level to a more privileged level. The highest level, 0, is used by the operating system; the lowest level, 3, is used by the applications. These privilege levels, which identify what actions can be done by specific processes, are supported by all modern processors and operating systems to some degree. OSs running in ring 0 potentially have unrestricted access to the hardware, and limiting this ring to use by a single OS enables the OS to have complete knowledge of the state of the hardware. An architecture where there are more than two execution domains (or privilege levels) is called a ring architecture because it is normally pictured as a set of concentric rings with the most privileged ring in the center. Each ring has access to its own resources and to the resources available to the rings outside it, but no access to the resources of the more privileged rings inside it. Layering. This is assigning each layer a specific process. Communication between the layers is through well-defined interfaces. This helps ensure that volatile areas of the system are protected from unauthorized access or change. Data Hiding. Data hiding maintains activities at different security levels to separate these levels from each other. This assists in preventing data at one security level from being seen by processes operating at other security levels. Abstraction. Abstraction negates the need for users to know the particulars of how an object functions. They only need to be familiar with the correct syntax for using an object and the nature of the information that will be presented as a result.

Hardware The term mainframe originally referred to the very large computer systems housed in very large steel-framed boxes and was used to differentiate them from the smaller mini- or microcomputers. A large company such as IBM usually manufactured these systems. These mainframes were used in Fortune 1000 companies to process commercial applications and were also employed by federal, state, and local governments. The term has been used in numerous ways over the years, but most often it describes the successive families of IBM computer systems starting with System/360. This term also applies to comparable systems built by other companies. Historically, a mainframe has been associated with centralized rather than distributed computing. There appears to be a prevailing belief that the computing environment is still very much a distributed computing environment on PCs. This is not 311

AU8231_C005.fm Page 312 Wednesday, May 23, 2007 9:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® necessarily true. The business world has been using mainframes for over 30 years. This long history, combined with the advances sure to take place over the next two to three decades, will keep the mainframe as probably the most reliable platform. By consolidating multiple vendor platforms and providing scalability, mainframes are an effective way to minimize costs. Multiple operating systems can be running on a mainframe, most notably numerous instances of Linux. Other uses include data warehousing systems, Web applications, financial applications and middleware. Mainframes provide reliability, scalability, and maintainability, with the lower total cost of ownership and credible disaster recovery. This section looks at the main components of desktop architectures, applicability issues related to varying users, and various aspects of element design and scaling. The desktop environment consists of numerous parts: client devices, applications, services and servers, and OS software. A wide range of client devices has become available over the years. This document addresses the choices of desktop or mobile users and looks at both thick- and thin-client device options. One widespread solution is the deployment by many organizations of traditional desktop systems. These systems were usually based on the Intel x86 architecture and Microsoft operating software. They provided autonomous processing power to the user and the capacity to use a varied range of personal productivity and line-of-business applications. A drawback of these systems is that the hardware and operating software may need to be refreshed on a frequent basis. Patch management and hardware upgrades need to be addressed on a continuous basis. Because the open-source movement has gained support, there has been an increasing deployment of Linux desktop systems. Some popular Linux distributions now contain a number of packages that supply the needs of the desktop user. It has now become feasible to duplicate a lot of the functionality of the traditional desktop clients on a Linux system. There has also been significant growth of interest in support for the Apple Macintosh. This is particularly true for users of specialized graphical and publishing applications that are developed specifically for Macintosh. These systems are integrated into an overall desktop architecture through the use of Mac OS 9 and OS X clients, e-mail and browser clients, and office productivity products. Because there is such a wide variety of clients available, many organizations look for a solution that will enable support for the widest variety of client devices. Some of the architecture decisions being addressed follow. How well do the clients integrate with office productivity suites? Currently, Microsoft Office 11 and the Star Office 7 software are compatible with some, but not all, PDA office personal productivity applications. How easy is it to perform e-mail and data synchronization? There are emerging stan312

AU8231_C005.fm Page 313 Wednesday, May 23, 2007 9:02 AM

Security Architecture and Design dards, such as SyncML, that may simplify synchronization between handheld devices and enterprise mail message stores. Looking at a broader picture, there is a need to choose integration software that delivers server-based applications. These can be found in a typical client/server or distributed environment or in a thin-client architecture. Let us not forget UNIX workstations. A large installed base of technical workstations based on Reduced Instruction Set Computer (RISC) processors and various flavors of UNIX still exists. Many UNIX users must interoperate with and use office productivity applications, Internet browsers, and other applications. A popular solution is to install open-source equivalents, as most of these have been ported to the popular variations of UNIX. Another solution to deal with a heterogeneous environment is the application integration solution first seen as Windows Terminal Services (WTS). WTS delivers a presentation layer service to client devices through Microsoft’s Remote Desktop Protocol (RDP). A suitably equipped client could be a PC running Windows ME or XP, or it could be a system that uses RDP. A variation of this solution is to install Citrix MetaFrame on the Windows server to deliver applications to devices, such as a Windows-based terminal or a traditional desktop PC with Citrix client software. A significant feature of an organization’s IT environment is whether it is centralized or distributed. Having a centralized system means that users access a single source where they log in, manage their accounts, and collect the data that results from user requests. In distributed environments, users log into their own computer and data is saved locally or remotely at various sites. There is no central authority that administers user authentications and accounts or manages data storage. No central server is necessary, although servers may have an assortment of roles in such systems. Distributed environments support a wide range of diverse software applications, real-time data access, and varied media formats and data storage. In addition, distributed systems support diverse devices, such as desktops and laptop computers, thin clients, cell phones, or other kinds of handheld devices. Finally, because there may be a wide range of resources accessed, updated, and stored, there needs to be a way to track user interactions with the system. A distributed file-sharing network has a common or universal file format (e.g., Network File System [NFS]) to allow an unknown array of files to be stored, recognized, and exchanged by any authorized user on the network. For more functional software, such gaming or instant messaging, all involved users must have a common software application. This software is obtained in diverse ways, including propagating software around the network from one user to another. 313

AU8231_C005.fm Page 314 Wednesday, May 23, 2007 9:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® One challenge of distributed systems is the need to have a central naming repository, which generates universally unique identifiers (UUIDs). When a user requests a resource, a search is done within a potentially large network to find a particular resource, thus requiring a precise specification of the resource. However, authorization may be the biggest challenge, as there is no central authority to trust. In a fully distributed system, trust is typically done through cryptographic digital signatures via a public key cryptography system. There is another kind of distributed system that has evolved because of networks supporting peer-to-peer exchanges of data and software. Napster was one of the first prominent examples of a swapping community where there was minimal involvement of a centralized authority. Rather, each individual, or peer, logs on and is connected to all other peers in a network. This permits the viewing and exchanging of files with any other peer. Although Napster used a central server to set up the interconnected network of users, current peer-to-peer implementations use discovery. All entities connecting to the network use the same kind of software. This enables them to discover all other peers connected to the system and running the same software. This collection of interconnected users provides a new type of functionality that does not need a central authority to negotiate transactions or store data. Personal Digital Assistants (PDAs) and Smart Phones. Apple Newtons, Palm Pilots, and Microsoft Handheld PC devices were the original personal digital assistants (PDAs). They were designed to be an electronic organizer or portable day planner that was easy to use and capable of sharing information with PCs. They were not developed as a replacement for a PC, but rather as an extension of the PC.

The number of PDA and mobile devices has grown considerably in the past four or five years. Products vary from sophisticated mobile phones, such as third-generation (3G) handsets, to full-featured PDAs. These PDAs are basically small-footprint PCs that contain an operating system, productivity and business software, and a browser. At least three technologies have taken hold in this arena. One of these is Java technology-based solutions. These are mobile phones, PDAs, and some gaming devices that function with Java Virtual Machine (JVM) software. These devices generally have standard business productivity functionality as well as use Java applications, such as games, on a pay-peruse basis. Another PDA technology is based on variations of the PALM operating system, such as Palm, Handspring, and Sony. These devices tend to have more capabilities than phone handsets and provide a larger range of builtin applications. 314

AU8231_C005.fm Page 315 Wednesday, May 23, 2007 9:02 AM

Security Architecture and Design A third PDA technology is the use of Win CE or the PocketPC. In essence, these devices use subsets of the Microsoft Windows operating system, thus presenting a potential platform for porting Windows-based applications. PDAs can now manage personal information, such as contacts, appointments, and to-do lists. Current PDAs connect to the Internet, function as global positioning system (GPS) devices, and run multimedia software. They can also support Bluetooth technology and wireless wide area networks (WANs). They have memory card slots that accept flash media that can serve as additional storage for files and applications. Some PDAs provide audio and video support, incorporating MP3 players, a microphone, a speaker, and headphone jacks along with a built-in digital camera. Integrated security features such as a biometric fingerprint reader can also be included. A smart phone can be described as either a cell phone with PDA capabilities or a traditional PDA with added cell phone capabilities, depending on the style and manufacturer. Features of these devices include various combinations of cell phone and PDA functionality, a cellular service, Internet access through cellular data networks, and an operating system. Central Processing Unit (CPU). Processing occurs inside the computer in an area called the central processing unit (CPU). Processing is the conversion of inputted raw data into useful information called output. The processor manages all of the system’s devices as well as doing the actual data processing. From a physical perspective in today’s terminology, the CPU typically is one or more microprocessor chips and is located on the computer’s motherboard. The CPU and memory operate together, with the memory holding data and the next set of program instructions as the CPU uses its current instructions to perform calculations on the data. When the CPU requires data, it retrieves it from memory. Multitasking, Multiprocessing, and Multithreading. As mentioned previously, the CPU is the vital component of a computer because it executes programs and controls hardware operations. To take advantage of the speed of a processor, programmers split programs into multiple, cooperating processes. A multitasking operating system switches from one process to another quickly to speed up processing. To the user, it appears to be simultaneous execution even though only one process is running at any given time on the CPU. However, there needs to be a mechanism in place that will allow the OS to start running an application with the probability, but not the certainty, that the application will sooner or later return control to the operating system.

Higher performance can be achieved by increasing the number of processors in a system. Powerful computers such as servers typically have several processors handling different tasks, although there must be one 315

AU8231_C005.fm Page 316 Wednesday, May 23, 2007 9:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® processor to control the flow of instructions and data through the supplementary processors. We call this type of system a multiprocessing system. As a program is executing, it runs each line of code in sequence. However, there are times when a subsequent step is not dependent upon the completion of a previous step. If the programmer requests a new thread to be generated for the later step, the CPU can be asked to do something else at the same time the application continues doing its current task. An example might be a spreadsheet calculation running at the same time that the main application asks a user for input. Multithreading, then, is the concept whereby the operating system time slices the threads and gives one thread some time on the CPU, then switches to another thread and lets it run for a while. This routine continues until the first thread has its turn again. In essence, the threads are split up and given to the CPU in an interleaved manner. Each thread operates as though it has exclusive access to the CPU, even though it runs only for a short time and then stops until it runs again in a short time. The ability of a system to do multitasking, multiprocessing, and multithreading can lead to some potential security vulnerabilities. One challenge is how to protect the multiple processes/tasks/threads from the other processes/tasks/threads that may contain bugs or exhibit unfriendly actions. Techniques need to be implemented to measure and control resource usage. For example, when a system is running many different tasks, being able to measure each task’s total resource usage is a desired piece of managing security in such a system. This information needs to be gathered without incurring a significant performance penalty and without changing the manner that tasks are written and executed. If this type of functionality is not available, a mischievous task might assign and seize enough memory to effect a denial-of-service attack, a crash, or a system slowdown. The bottom line, even though there are many advantages to implementing multiprocessing, multitasking, and multithreading, is that the more subtasks a system creates, the more things that can go awry. Storage. Primary Storage. As data waits for processing by the CPU, it sits in a staging area called primary storage. Whether implemented as memory, cache, or registers (part of the CPU), and regardless of its location, primary storage stores data that has a high probability of being requested by the CPU, so it is usually faster than long-term, secondary storage. The location where data is stored is denoted by its physical memory address. This memory register identifier remains constant and is independent of the value stored there. Some examples of primary storage devices include randomaccess memory (RAM), synchronous dynamic random-access memory (SDRAM), and read-only memory (ROM). Random-access memory is volatile, that is, when the system shuts down, it flushes the data in RAM. Con316

AU8231_C005.fm Page 317 Wednesday, May 23, 2007 9:02 AM

Security Architecture and Design trast this to read-only memory (ROM), which is nonvolatile storage that retains data even when electrical power is shut off. The closer data is to the CPU, the faster it can be retrieved and thus processed. Data is sent to the CPU through various input devices (keyboards, modems, etc.), cache, main memory, and disk storage devices. As the data travels to the CPU, it typically moves from storage devices (disks, tapes, etc.) to main memory (RAM) to cache memory, finally arriving at the CPU for processing. The further data is from the CPU, the longer the trip takes. In fact, if one were to compare speed of access to data, retrieving data from disk storage takes the longest, retrieval from random-access memory (RAM) is faster than disk storage, and cache memory retrieval takes the least amount of time. Cache memory can be described as high-speed RAM. Optimally designed cache can reduce the memory access time because data moves from the slower RAM to the faster cache then to the CPU. This process speeds up the CPU’s access to the data and thus improves the performance of program execution. Secondary Storage. Secondary storage holds data not currently being used by the CPU. In addition to being nonvolatile, it has higher capacity than primary storage. Computer systems use multiple media types for storing information as both raw data and programs. This media differs in storage capacity, speed of access, permanency of storage, and mode of access. Fixed disks may store up to hundreds of gigabytes in personal computers and up to hundreds of terabytes in large systems. Fixed-disk data access is typically done randomly and is slower than RAM access. However, data stored on fixed disks is permanent in that it does not disappear when power is turned off, although data can be erased and modified. Dismountable media devices can be removed for storage or shipping and include floppy diskettes, which are randomly accessed; magnetic tapes, with gigabytes of storage and either sequential or random access (DLT, SDLT, 8-mm DAT); optical compact disks (CDs), with 650 to 870 MB of storage per CD; and high-capacity DVDs, with 50 to 100 GB of storage. Both CDs and DVDs use random access. Virtual Memory. Most operating systems have the ability to simulate having more main memory than is physically available as main memory. This is done by storing part of the data on secondary storage, such as a disk. This can be considered a virtual page. If the data requested by the system is not currently in main memory, a page fault is taken. This condition triggers the operating system handler. If the virtual address is a valid one, the operating system will locate the physical page, put the right information in that page, update the translation table, and then try the request again. Some other page might be swapped out to make room. Each process may have its own separate virtual address space along with its own mappings and protections. 317

AU8231_C005.fm Page 318 Wednesday, May 23, 2007 9:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® One of the reasons that virtual memory was developed is that computer systems have a limited amount of physical memory, and often that amount of RAM is insufficient to run simultaneously all of the programs that users want to use. For example, with the Windows operating system loaded and an e-mail program, along with a Web browser and word processor, physical memory may be insufficient to hold all of the data. If there were no such entity as virtual memory, the computer would not be able to load any more applications. With virtual memory, the operating system looks for data in RAM that has not been accessed recently and copies it onto the hard disk. The cleared space is now available to load additional applications (but within the same physical memory constraints). This process occurs automatically, and the computer functions as though it has almost unlimited RAM available. Because hard disks are cheaper than RAM chips, virtual memory provides a good cost-effective solution. There are potential downsides to using virtual memory, especially if it is not configured correctly. To take advantage of virtual memory, the system must be configured with a swap file. This swap or page file is the hard disk area that stores the data contained in the RAM. These pages of RAM, called page frames, are used by the operating system to move data back and forth between the page file and RAM. When it comes to accessing data, the read and write speeds of a hard drive are a lot slower than RAM access. In addition, because hard drives are not designed to constantly access tiny bits of data, if a system relies too much on virtual memory, there may be a sizable negative impact on performance. One solution is to install sufficient RAM to run all tasks simultaneously. Even with sufficient physical memory, the system may experience a small hesitation as tasks are changed. However, with the appropriate amount of RAM, virtual memory functions well. On the other hand, with an insufficient amount of RAM, the operating system continuously has to swap data between the hard disk and RAM. This thrashing of data to and fro between the disk and RAM will also slow down a computer system. Input/Output Devices. As was described earlier, data needs to be inputted and processed and output generated. The data is transferred between numerous locations — from disk to CPU or from the CPU to memory or from memory to the display adapter. It would be unrealistic to have discrete circuits between every pair of entities. For instance, throughput would be too slow. However, when a bus concept is implemented, a shared set of wires connects all the computer devices and chips. Certain wires transmit data; others send control and clocking signals. Addresses identifying specific devices or memory locations are transmitted and, when a device’s address is transmitted, the corresponding device then transfers data across the wires to the CPU, RAM, display adapter, etc.

318

AU8231_C005.fm Page 319 Wednesday, May 23, 2007 9:02 AM

Security Architecture and Design Data is the raw information fed to the computer, and programs are the collection of instructions that provide directions to the computer. To tell a system what tasks to perform, commands are entered into the system by the user. For ease of use, input takes various forms. Commands and responses can be entered locally via a keyboard or mouse, with menus and icons, or remotely from another system or peripheral. The result of computer processing is considered output. This output is in binary or hexadecimal numbers, but for users to understand the output, it takes the form of alphanumeric characters and words that are interpreted by humans as video, audio, or printed text. Thus, output devices may be computer displays, speaker systems, laser printers, and all-in-one devices. Inputs are the signals received through an interface, and outputs are the signals sent from the interfaces. A person (or another computer system) communicates with the computer by using these interfaces (I/O devices.) In summary, the CPU and main memory, working in tandem, are the core processes of a computer, and the transfer of information from or to that duo, for example, retrieving from and storing data to a disk drive, is considered to be I/O. Communications Devices. Software programs called drivers control the input and output devices and the communication channels that are used for system I/O. Drivers enable the OS to control and communicate with hardware. Different signals require different interfaces that differ according to the communications channel of the I/O device. A Universal Serial Bus (USB) device communicates through a USB cable attached to a USB port. The high-speed 2.0 standard supports data transfer rates of 480 Mbps and connects up to 127 peripheral devices, such as removable disk drives, mouses, printers, and keyboards. Serial and parallel devices require their appropriate interfaces. Networks and Partitioning. Computer networks are a crucial ingredient of most organizations. Local area networks bind together computer equipment within a building or over a whole site. This allows users with common goals and interests to share resources such as disks, printers, or applications. Wide area networks are used to exchange data as well as a means to access remote resources. Some wide area networks are regional networks that join systems throughout an organization, regardless of location — be it within a city, state, or region. Wide area networks may also be national, international, or global in scope. The Internet is a loose association of wide area networks. A workstation is on the Internet if it is part of a local area network that is, in turn, connected to a regional or national network that is also on the Internet.

As this discussion shows, there is an underlying theme when defining networks. Organizations can develop policies for each type of network 319

AU8231_C005.fm Page 320 Wednesday, May 23, 2007 9:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® (and its associated resources) under its control and define who, what, when, and how resources — computers, data, applications, etc. — may be accessed. In fact, security policies can be designed and implemented to be unique to each network partition. These network partitions are typically trusted areas that are separated from untrusted areas by an imaginary boundary, sometimes referred to as the security perimeter. This separation is possible because organizations can implement a combination of hardware, software, and other controls to enforce their security policy. Further control is available by implementing a system that validates all accesses to every resource. This reference monitor intercepts every request of a subject to an object and verifies that the credentials of the subject meet the criteria for object access. Software Software is a succession of related instructions, performed one step at a time by the CPU, to achieve a specific task. Software establishes how computers respond to input, what processing will occur, what data will be displayed, and the output. There are at least three types of programs: operating systems, programming languages, and middleware and applications. Operating Systems. The operating system (OS) is the software that controls the operation of the computer from the moment it is turned on or booted. The OS controls all input and output to and from the peripherals, as well as the operation of other programs, and allows the user to work with and manage files without knowing specifically how the data is stored and retrieved. In multiuser systems, operating systems manage user access to the processor and peripherals and schedule jobs.

Examples of operating systems are Microsoft Windows, Apple’s MacOS X, various versions of UNIX and Linux, and mainframe systems commonly using proprietary operating systems, such as IBM’s MVS, developed by their manufacturers. Although functions performed by operating systems are similar, it can be very difficult to move files or software from one to another; many software packages run under only one operating system or have substantially different versions for different operating systems. System Kernel. The kernel is the core of an operating system, and one of its main functions is to provide access to system resources, which includes the system’s hardware and processes. The kernel supplies the vital services that make up the heart of computer systems; it loads and runs binary programs, schedules the task swapping, which allows computer systems to do more than one thing at a time, allocates memory, and tracks the physical location of files on the computer’s hard disks. The kernel provides these services by acting as an interface between other programs operating under its control and the physical hardware of the computer; this insulates 320

AU8231_C005.fm Page 321 Wednesday, May 23, 2007 9:02 AM

Security Architecture and Design programs running on the system from the complexities of the computer. For example, when a running program needs access to a file, it does not simply open the file. Instead, it issues a system call asking the kernel to open the file. The kernel takes over and fulfills the request, then notifies the program of the success or failure of the request. To read data from the file requires another system call. If the kernel determines the request is valid, it reads the requested block of data and passes it back to the program. The security kernel is the hardware, firmware, and software elements of a trusted computing base that implement the reference monitor concept. It must mediate all accesses, be protected from modification, and be verifiable as correct. System States. The CPU has two states: a supervisor state and a problem state. In supervisor state (privilege or kernel mode), the CPU is operating at the highest privilege level on the system, and this allows it to access any system resource (data and hardware) and execute both privileged and nonprivileged instructions. This enforces the separation of applications from the operating system. Thus, applications run in the problem state (nonprivileged or user mode) and have limited access to system data and hardware. When operating in the problem or user state, only nonprivileged instructions can be run, such as instructions or commands that applications execute.

When a processor is executing in supervisor mode, some of the privileged instructions it can execute are the ability to control I/O operations and to give instructions to change processor mode. This mode can also access privileged address spaces, such as the data structures within the operating system and other processes’ address spaces, as well as change and create address spaces. The operating system changes to user mode to run applications. This mode provides the ability to use the operating system standard instructions, such as load and store general registers to and from memory. User mode can access only subsets of memory and cannot perform privileged instructions. This helps in guaranteeing that only individuals (programs, processes, etc.) that have supervisory privileges may access the additional functionality needed to perform such functions as system maintenance. System compromises have occurred, where an intruder has entered a system via an application running in user mode. Once on the system, vulnerabilities are then exploited that permit the intruder to escalate to the privilege mode and have unrestricted access to the system. Application Programs. Applications are programs used for all purposes other than performing operating system chores or writing other programs (programming languages). Applications include word processors, spread321

AU8231_C005.fm Page 322 Wednesday, May 23, 2007 9:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® sheets, database management systems, airline reservation systems, and payroll systems. Word processors are applications that modify or edit the contents of files. Word processors as well as other applications have printer drivers that link them to a printer so that a user can obtain a hard copy of the results of the processing. Databases are designed to create, edit, manipulate, and analyze data. Many databases use the same language, Structured Query Language (SQL), for formulating queries. Spreadsheets allow users to work with numerical data in tabular form. Processes and Threads. A program is a set of instructions, along with the information necessary to process those instructions. When a program executes, it spawns a process or an instance of that program. This process requests resources called handles or descriptors.

The operating system allocates the required resources, such as memory, to run the program. A process progresses through phases from its initial entry into the system until it completes or exits. From the process’ point of view, it is either running or not, and the status of each process is maintained in a process table. One of the challenges from a security perspective is to make sure that only authorized processes are running. When a process requests resources, it creates one or more independent threads. There is not a parent/child relationship between threads as there is for processes. This is because threads may be created and joined by many different threads in the process. Threads can be created by any thread, joined by any other, and have different attributes and options. A thread can be considered a lightweight process. Upon creation, a process is allocated a virtual address space as well as control of a resource (a file, I/O device, etc.). This process (or task) has protected access to processors, other processes, files, and I/O resources. As it is executing, it becomes a lightweight process or thread. This thread is either running or ready to run. If it is not running, its context is saved. When it is executing, a thread has access to the memory space and resources of its processes. Thus, it takes less time to create a new thread than a process, because the newly created thread uses the current process’ address space. Communication overhead between threads is minimized because the threads share everything. Because address space is shared, data produced by one thread is immediately available to all other threads. Similar to multiple processes running on some systems, there can also be multiple threads running (multithreading.) There are two major disadvantages to using threads: deadlocks and blocking. Deadlocks occur when two or more threads stop executing while waiting for the same resource. This happens because the threads are attempting to manipulate the same resources that control the resource. 322

AU8231_C005.fm Page 323 Wednesday, May 23, 2007 9:02 AM

Security Architecture and Design Because each thread is waiting for the other to finish, completion of the entire process is stalled until the process is killed or restarted. The second disadvantage occurs when a thread makes specific system calls, such as an I/O request. This call will not return until it has completed or the system call is interrupted by a signal to the process. If a fault occurs during the call, it may take an extended time for the call to come back (if it ever does). For this period, the thread cannot execute any other instruction. Middleware. Middleware is connectivity software that enables multiple processes running on one or more machines to interact. These services are collections of distributed software that are present between the application running on the operating system and the network services, which reside on a network node. The main purpose of middleware services is to help solve many application connectivity and interoperability problems.

In essence, middleware is a distributed software layer that hides the intricacies and heterogeneous distributed environment consisting of numerous network technologies, computer architectures, operating systems, and programming languages. Some of the services provided are directory services, transaction tracking, data replication, and time synchronization, services that improve the distributed environment. Some examples are workflow, messaging applications, Internet news channels, and customer ordering through delivery. Firmware Firmware is the storage of programs or instructions in read-only memory. Typically, this software is embedded into hardware and is used to control that hardware. Because ROM is nonvolatile, these programs and instructions will not change if power is shut off, but instead become a permanent part of the system. User manipulation of the firmware should not be permitted. Usually, firmware is upgradeable and is stored in erasable programmable read-only memory (EEPROM.) This is handy in those instances where firmware may have bugs and an upgrade will fix the problems. The hardware itself is not upgradeable without substituting portions of it. Therefore, vendors attempt to store as many important controls as possible in the firmware in case changes need to be made. From the vendor’s perspective, if a bug is discovered, it is preferable to notify the affected clients to upgrade the firmware than to replace the product. Examples of devices with firmware are computer systems, peripherals, and accessories such as USB flash drives, memory cards, and mobile phones. Trusted Computer Base (TCB) The Orange Book (Department of Defense Trusted Computer System Evaluation Criteria) defines the trusted computing base. The TCB is the combi323

AU8231_C005.fm Page 324 Wednesday, May 23, 2007 9:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® nation of all hardware, firmware, and software responsible for enforcing the security policy. The ability of a trusted computing base to correctly enforce a security policy depends solely on the mechanisms within the TCB and on the correct input by system administrative personnel of parameters (e.g., a user’s clearance) related to the security policy. Reference Monitor The reference monitor is also an Orange Book concept and refers to an abstract machine that mediates all accesses to objects by subjects. Because the reference monitor is an access control mechanism, it must be auditable to ensure it is performing its role effectively and that it is always invoked. Security Models and Architecture Theory A security model formally describes a security policy. The role of a security policy is to document the security requirements of an organization. The security policy will then become the guidance document that will be followed to help an organization defend itself against security threats and mitigate risks. Security researchers create access control models as a way of formalizing security policies. Whereas security policies describe the rules about who is allowed to do what to a system or network, access control models designate the rules and explain how the system makes authorization choices. Each access control model provides an element or concept that is different from the others. Some models are founded on mathematical equations that provide proof of the model’s security to a system, whereas others are based solely on a recognized necessity. In terms of data sensitivity and data integrity, two models stand out: the Bell–LaPadula and the Clark–Wilson. The Bell–LaPadula model concentrates its efforts on providing security while maintaining data sensitivity, and the Clark–Wilson model focuses on data integrity. Both models attack the concerns of data security from differing points of view, each with pros and cons.* Lattice Models Lattice-based access control is a mechanism for enforcing one-way information flow, which can be applied to confidentiality or integrity security. Users are assigned security clearances and data is classified. The system evaluates the clearance of the user with the classification of the data to determine access. Security labels are attached to all objects.

*Patricia Ferson, I’ll take an order of data sensitivity with some integrity on the side: finding a balance within access control models, Information Systems Security, 13, 22, 2004.

324

AU8231_C005.fm Page 325 Wednesday, May 23, 2007 9:02 AM

Security Architecture and Design Lattice-based access control is one of the essential ingredients of computer security, and models (e.g., Bell–LaPadula [BLP], Biba, Chinese Wall, etc.) are designed to deal with this information flow. The basic principle behind information flow is to control access by assigning every object a security class. (Note: The Orange Book definition of a lattice is “a partially ordered set for which every pair of elements has a greatest lower bound and a least upper bound.”) State Machine Models State machine models capture the current security posture of an automated information system (AIS). According to its rule set, which is determined by a security policy, an AIS’s secure state can only change at distinct points in time, such as when an event occurs or a clock triggers it. Thus, upon its initial start-up, the AIS checks to determine if it is in a secure state. Once the AIS is determined to be in a secure state, the state machine model will ensure that every time the AIS is accessed, it will be accessed only in accordance with the security policy rules. This process will guarantee that the AIS will transition only from one secure state to another secure state. Research Models Noninterference Models. The goal of a noninterference model is to help ensure that high-level actions (inputs) do not determine what low-level users can see (outputs). Most of the security models presented are secured by permitting restricted flows between high- and low-level users. The noninterference model maintains activities at different security levels to separate these levels from each other. In this way, it minimizes leakages that may happen through covert channels, because there is complete separation (noninterference) between security levels. Because a user at a higher security level has no way to interfere with the activities at a lower level, the lower-level user cannot get any information from the higher level. Information Flow Models. Information flow models have a similar framework as BLP in that objects are labeled with security classes in the form of a lattice and the information the object represents may flow from one data set to another without concern for direction. Logically, it could flow upward or at the same level, if allowed.

Bell–LaPadula Confidentiality Model The BLP model (the confidentiality model) is perhaps the most well known and significant security model, and it is described in the Orange Book or the Trusted Computer System Evaluation Criteria (TCSEC). Bell–LaPadula is a state machine model that helps ensure the confidentiality of an automated information system (AIS). This is accomplished by using mandatory access control. Mandatory access control is based on labeling both objects 325

AU8231_C005.fm Page 326 Wednesday, May 23, 2007 9:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® (with their classifications) and subjects (with their clearances). The system (reference monitor) compares the level of classification with the clearance and only allows access if the clearance is equal to or higher than the classification. Because all subjects that have an appropriate clearance may not need access, the system owner must also allow access by providing a need-to-know decision. However, the owner may not allow access to a subject that does not have an appropriate clearance. Bell–LaPadula security rules prevent information from being moved from a higher security level to a lower one. Access modes can be one of two types: simple security and the * (star) property. Simple security (the read property) states that a subject of lower clearance cannot read an object of higher classification, but a subject with a higher clearance level can read down. The * property (the write property), on the other hand, states that a high-level subject cannot send messages to a lower-level object. In short, subjects can read down and objects can write or append up. BLP thus uses access permission matrices and a security lattice for security levels for access control. Biba Integrity Model The Biba model ensures integrity and is a complement to BLP because this model is based on the premise that higher levels of integrity are more trusted than lower ones. Access is controlled to ensure that objects or subjects cannot have less integrity as a result of read/write operations. The Biba model assigns integrity levels to subjects and objects. Then, depending on what is requested, one of two properties are followed: the simple integrity (read) property or the integrity * property (write). The simple integrity property states that a subject may have read access to an object only if the security level of the subject is either lower or equal to the level of the object. The integrity * property states that a subject may have write access to an object only if the security level of the subject is equal to or higher than that of the object. Basically, the model ensures that no information from a subject can be passed on to an object in a higher security level. This prevents contaminating data of higher integrity with data of lower integrity. Clark–Wilson Integrity Model The Clark–Wilson model moves from the area of integrity levels to the area of change controls that are suitable for transaction systems. This model was designed specifically for the commercial environment and addresses the three goals of integrity: no changes by unauthorized subjects, no unauthorized changes by authorized subjects, and the maintenance of internal and external consistency. This model establishes a system of subject–program–object bindings such that the subject no longer has direct access to the object. Instead, this is done through a program (called a 326

AU8231_C005.fm Page 327 Wednesday, May 23, 2007 9:02 AM

Security Architecture and Design well-formed transaction) with access to the object. The following controls are considered in the Clark–Wilson model: subject authentication and identification, only a set of programs can access objects, and subjects can execute only a restricted set of programs. These controls lend themselves to guaranteeing the Clark–Wilson model goal of internal and external consistency. Internal consistency relates to the system doing what it is expected to do every time without exception. External consistency relates to the data in the system being consistent with similar data in the outside world. This goal is achieved through the use of well-formed transactions and the separation of duties. The Clark–Wilson model defines each data item and allows changes by only a limited set of programs. The items defined are: Constrained data item (CDI): The integrity of this data item is protected. Unconstrained data item: Data not controlled by Clark–Wilson. Nonvalidated input or any output. Integrity verification procedure (IVP): Procedure scanning data and confirming its integrity. Transformation procedures (TPs): Procedures allowed only to change a constrained data item. Once data items have been defined, the next step is to label subjects and objects with sets of TPs. The TPs operate as the intermediate layer between subjects and objects. Each data item has a set of access operations that can be performed on it. Each subject is given a set of access operations that it can perform. The system then compares these two parameters and either permits or denies access by the subject to the object. This restricted access to CDIs only through TPs is the core of the Clark–Wilson integrity model. Access Control Matrix and Information Flow Models An access control matrix lists the users, groups, and roles down the lefthand side, and all the resources and functions across the top. The matrix is a concise way to represent rules, and once it is finished, rules are implemented according their description in the matrix. Subjects are listed in rows and objects are listed in columns. The exercise of working out the users, roles, assets, capabilities, and how to choose rows and columns can get complicated. However, if you cannot describe the access control rules, it is very unlikely that the access control matrix will be implemented correctly. Typically, access control is based on a user’s role or group membership. It may be advantageous to identify groups for some attributes to make it easier to manage. Sometimes it is beneficial to specify how the access will be performed. Perhaps some users are allowed read only, while others can read and write. 327

AU8231_C005.fm Page 328 Wednesday, May 23, 2007 9:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® The list of access methods will be what is appropriate to your organization. Typical access methods for content are read, write, edit, and delete. Recording this type of information requires extending the access control matrix to include the appropriate permissions in each cell. It is important to note that this model does not describe the relationship between subjects in the model, such as if one subject created another or gave another subject access rights. Information Flow Models. Information flow models have a similar framework as Bell–LaPadula in that objects are labeled with security classes in the form of a lattice, and the information the object represents may flow from one data set to another without concern for direction. Logically, it could flow upward or at the same level, if allowed. Graham–Denning Model. The Graham–Denning access control model has three parts: a set of objects, a set of subjects, and a set of rights. The subjects are composed of two things: a process and a domain. The domain is the set of constraints controlling how subjects may access objects. Subjects may also be objects at specific times. The set of rights govern how subjects may manipulate the passive objects. This model describes eight primitive protection rights called commands that subjects can execute to have an effect on other subjects or objects. The eight primitive protection rights are:

1. 2. 3. 4. 5. 6. 7. 8.

Create object Create subject Delete object Delete subject Read access right Grant access right Delete access right Transfer access right

Harrison–Ruzzo–Ullman Model. The Bell–LaPadula model does not state policies for changing access rights or for creating and deleting subjects and objects. The Harrison–Ruzzo–Ullman model describes authorization systems that deal with these issues. This model is very similar to the Graham–Denning model, and it is composed of a set of generic rights and a finite set of commands. By implementing this set of rights and commands and restricting the commands to a single operation each, it is possible to determine when a specific subject can ever obtain a particular right to an object. Brewer–Nash (Chinese Wall). This model focuses on preventing conflict of interest. The principle is that users should not access the confidential information of both a client organization and one or more of its competi328

AU8231_C005.fm Page 329 Wednesday, May 23, 2007 9:02 AM

Security Architecture and Design tors. The process is that users have no wall initially. Once any given file is accessed, files with competitor information become inaccessible. Unlike other models, access control rules change user behavior. Security Product Evaluation Methods and Criteria Rainbow Series Trusted Computer Security Evaluation Criteria (TCSEC). The criteria that address only confidentiality were published in the Orange Book and have been replaced by the Common Criteria. TCSEC defines four main levels (A, B, C, D):

A Verified protection A1 Verified design B Mandatory protection B3 Security domains B2 Structured protection B1 Labeled security C Discretionary protection C2 Controlled access C1 Discretionary protection D Minimal security Process Isolation. Process isolation is addressed in the Orange Book when the specific functionalities of the TCB are presented. The Orange Book states that the TCB will provide distinct address spaces to maintain process isolation. Furthermore, to achieve a B1 rating, the TCB must isolate the resources that are protected so that they are subject to the access control and auditing requirements. The end result will provide a process that will run without being altered or interfered with by other programs or the user. Layering and Data Hiding. The Orange Book specifies controls that focus on ensuring confidentiality of both data and processes, and layering is one control required at B3 or above. The design of the TCB is such that although the layers of the TCB know about interfaces and depend on the services of layers below, they know nothing about and do not depend on the correct functioning of the layers above. This ensures that each layer of the TCB is protected from tampering by the layers above, and that layers cannot violate the portions of the security policy enforced by the layers below. This is also a required design technique when developing the TCB to achieve B3 or above. Layering not only facilitates the verification of the correctness of the TCB by allowing examination of one layer at a time, but it also allows higher layers to be modified or replaced without the need to redesign or reverify the lower layers.

Data hiding is an Orange Book requirement stating that the TCB shall incorporate significant use of layering, abstraction, and data hiding. It must 329

AU8231_C005.fm Page 330 Wednesday, May 23, 2007 9:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® be implemented correctly to minimize any negative effect it may have in compromising the ability to examine the TCB and verify that it correctly enforces the security policy. The TCB at B2 or above must be divided into well-defined modules with data hiding being a required criterion of module development for systems at B3 or above. Although layering, abstraction, and data hiding are not required until B3, they are good design techniques for system development. Because these architectural features help in understanding and maintaining the system, using them may facilitate the evaluation of a TCB at any class. Data hiding is also a characteristic of object-oriented programming. Because an object can only be associated with data in predefined classes or templates, the object can only “know” about the data it needs to know about. This is needed so that there is no way for someone maintaining the code to inadvertently point to or unintentionally access the wrong data. Thus, all data not required by an object can be said to be hidden. Data might include text, output of commands, executables, programs, games, and rootkits. This concept of hiding data within a class and providing it only through the methods is known as encapsulation because it seals the data (and internal methods) safely inside the capsule of the class, where it can be accessed only by trusted users (i.e., by the methods of the class). Information Technology Security Evaluation Criteria (ITSEC) ITSEC addresses confidentiality, integrity, and availability and is primarily used in Europe. The product or system being evaluated is called the target of evaluation (TOE). There are two ratings: a functionality rating (F1 to F10) and an assurance rating (E0 to E6). See below for a rough mapping between ITSEC and TCSEC. ITSEC has also been replaced by the Common Criteria. It was created as a harmonization criterion so the vender products evaluated in one country could be marketed in all other countries without being reevaluated. ITSEC

TCSEC

E0 D F1 + E1 C1 F2 + E2 C2 F3 + E3 B1 F4 + E4 B2 F5 + E5 B3 F6 + E6 A1 F6 — systems that provide high integrity F7 — systems that provide high availability F8 — systems that provide data integrity during communications F9 — systems that provide high confidentiality (like crypto devices) F10 — networks with high demands on confidentiality and integrity

330

AU8231_C005.fm Page 331 Wednesday, May 23, 2007 9:02 AM

Security Architecture and Design Common Criteria The Common Criteria is an ISO standard product evaluation criterion that supersedes several different criteria, including TCSEC and ITSEC. Participating governments recognize Common Criteria certifications awarded by other nations. The Common Criteria defines a scale for measuring the criteria for the evaluation of protection profiles (PPs) and security targets. There are seven evaluation assurance levels (EAL 1 to 7) in a uniformly increasing scale of assurance. The terminology used includes the terms protection profile, security target, target of evaluation, evaluation assurance level, and security functional requirements. The evaluation assurance levels are as follows: EAL 1: The product is functionally tested; this is sought when some assurance in accurate operation is necessary, but the threats to security are not seen as serious. EAL 2: Structurally tested; this is sought when developers or users need a low to moderate level of independently guaranteed security. EAL 3: Methodically tested and checked; this is sought when there is a need for a moderate level of independently ensured security. EAL 4: Methodically designed, tested, and reviewed; this is sought when developers or users require a moderate to high level of independently ensured security. EAL 5: Semiformally designed and tested; this is sought when the requirement is for a high level of independently ensured security. EAL 6: Semiformally verified, designed, and tested; this is sought when developing specialized targets of evaluation (TOEs) for high-risk situations. EAL 7: Formally verified, designed, and tested; this is sought when developing a security TOE for application in extremely high risk situations. Software Engineering Institute’s Capability Maturity Model Integration (SEI-CMMI) The SEI is a research and development center contracted to advance software engineering practices. The CMMI ratings help customers determine trustworthy and low-risk vendors of software products and services. CMMI level 5 means an organization can prove successful application of government and industry best practices to a company’s management and engineering operations. Process management is the focal point in this model and is based on the idea that the quality of a system is highly influenced by the quality of the process used to acquire, develop, and maintain it. By providing a structured collection of elements that describe the characteristics of effective processes, there is a benchmark for assessing different organizations for equivalent comparison. 331

AU8231_C005.fm Page 332 Wednesday, May 23, 2007 9:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Certification and Accreditation A way to determine how well a system meets its security requirements is to perform a formal evaluation. This evaluation is a two-step process, first a certification and then an accreditation. Basically, the objective is to determine how well a system measures up to a preferred level of security. The methodology used needs to consider, from a security perspective, the entire system, the network, and the application life cycle. An audit of policies, procedures, controls, and continuity planning will be performed. At the beginning of the process, the evaluation criteria must be chosen. With the criteria known, the certification process will test the system’s hardware, software, and configuration. Once the entire system has been evaluated, the next step is to evaluate the method by which a secure system was connected to a network and the physical security of that system. This will create a baseline for the specific design and implementation, which will be used to compare against the set of specific security requirements. Keep in mind that the certification is only applicable for a particular system in a specific environment and configuration. With the results of the certification available, management evaluates the capacity of a system to meet the needs of the organization. If management determines that the needs of the system satisfy the security needs of the organization, they will formally accept the evaluated system for a stated period. If the configuration is changed, the new configuration must be certified. Recertification must normally be performed either when the time period elapses or when configuration changes are made. Sample Questions 1. What is the name for an operating system that switches from one process to another process quickly to speed up processing? a. Multiprocessing b. Multitasking c. Multithreading d. Multidimensional 2. What mode do applications run to limit their access to system data and hardware? a. Supervisor mode b. User mode c. Tunnel mode d. Interprocess mode 3. Which of the following is not true of the reference monitor? a. It must mediate all accesses. b. It must be protected from modification. c. It must be verifiable as correct. d. It must provide continuous monitoring of file privileges. 332

AU8231_C005.fm Page 333 Wednesday, May 23, 2007 9:02 AM

Security Architecture and Design 4. In the Bell–LaPadula model, the simple security property addresses which of the following? a. Reads b. Writes c. Executes d. Read/writes 5. Which of the following does not provide a certification process? a. ISO/IEC 17799:2005 b. BS 7799:2 c. ISO 27001 d. ISO 15408 6. Data hiding is a required TCSEC criterion of module development for systems beginning at what criterion level? a. A1 b. B3 c. B2 d. C3 7. Which of the following security models addresses three goals of integrity? a. Biba b. Bell–LaPadula c. Clark–Wilson d. Brewer–Nash 8. ITSEC added which of the following requirements that TCSEC did not address? a. Confidentiality and availability b. Integrity and confidentiality c. Availability and integrity d. Nonrepudiation and integrity 9. Which of the following is not a usual integrity goal? a. Prevent unauthorized users from making modifications b. Prevent authorized users from making improper modifications c. Maintain conflict-of-interest protections d. Maintain internal and external consistency 10. Which model establishes a system of subject–program–object bindings such that the subject no longer has direct access to the object, but instead this is done through a program? a. Biba b. Bell–LaPadula c. Clark–Wilson d. Brewer–Nash 11. The Biba integrity * (star) property ensures: a. No write up b. No write down 333

AU8231_C005.fm Page 334 Wednesday, May 23, 2007 9:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK®

12.

13.

14.

15.

16.

17.

18.

334

c. No read up d. No read down Which model fails to address the fact that because all subjects that have an appropriate clearance may not need access, the system owner must still allow access by providing the need-to-know decision? a. Biba b. Bell–LaPadula c. Clark–Wilson d. Brewer–Nash Which model helps ensure that high-level actions (inputs) do not determine what low-level users can see (outputs)? a. Noninterference model b. Lattice model c. Information flow model d. Graham–Denning model Which access control model has three parts — a set of objects, a set of subjects, and a set of rights — as well as defining eight primitive rights? a. Access control matrix b. Lattice model c. Information flow model d. Graham–Denning model What is the name for the collections of distributed software that are present between the application running on the operating system and the network services that reside on a network node? a. Applications b. Middleware c. Trusted computer base (TCB) d. System kernel Which model assigns access rights to subjects for their accesses to objects? a. Jueneman model b. Access control matrix c. Information flow model d. Noninterference model Which model describes a partially ordered set for which every pair of elements has a greatest lower bound and a least upper bound? a. Lattice-based model b. Access control matrix c. Information flow model d. Noninterference model What are typically trusted areas that are separated from untrusted areas by an imaginary boundary sometimes referred to as the security perimeter? a. Mainframes and centralized computing environments

AU8231_C005.fm Page 335 Wednesday, May 23, 2007 9:02 AM

Security Architecture and Design b. PCs and distributed computing environments c. Network partitions d. Chinese wall 19. The Common Criteria uses which designations for evaluation? a. D1, C1, C2, B1, B2, B3, A1 b. E0, E1, E2, E3, E4, E5, E6, E7 c. EAL1, EAL2, EAL3, EAL4, EAL5, EAL6, EAL7 d. F0, F1, F2, F3, F4, F5, F6, F7

335

AU8231_C005.fm Page 336 Wednesday, May 23, 2007 9:02 AM

AU8231_C006.fm Page 337 Thursday, October 19, 2006 7:02 AM

Domain 6

Business Continuity and Disaster Recovery Planning Carl B. Jackson, CISSP

Introduction The business continuity planning (BCP) and disaster recovery planning (DRP) domain addresses the preparation, processes, and practices required to ensure the preservation of the business in the face of major disruptions to normal business operations. BCP and DRP involve the identification, selection, implementation, testing, and updating of processes and specific actions necessary to prudently protect critical business processes from the effects of major system and network disruptions and to ensure the timely restoration of business operations if significant disruptions occur. The objective of this chapter is to provide the reader with a step-by-step route map (Figure 6.1) on how to view, develop, implement, maintain, and measure an appropriate continuity planning process for his or her organization. The continuity planning methodology, processes, and techniques suggested here are tried and true, and equally applicable to public and private organizations. These approaches have a broad base of support and are intended for the information security professional preparing to sit for the Certified Information Systems Security Professional (CISSP®) examination. The expectation is that after studying this chapter, the CISSP candidate should have knowledge of the entire continuity planning process and its constituent BCP and DRP components. CISSP candidates should understand that these endeavors are the discipline of anticipating, preplanning, deploying, and managing a set of activities and tasks to assist in the survival of the organization following a disaster, by significantly mitigating its overall adverse impact.

337

AU8231_C006.fm Page 338 Thursday, October 19, 2006 7:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK®

Figure 6.1. A route map that represents the megaprocesses of the continuity planning implementation method. This chapter is organized along these lines and provides the reader with more detailed discussion on each of the megaprocesses.

CISSP Expectations The CISSP candidate must possess a fundamental understanding of the two disciplines of business continuity planning (BCP) and disaster recovery planning (DRP). These disciplines are just two parts of a larger endeavor, which we refer to as the continuity planning process (CPP). The continuity planning process encapsulates all continuity planning disciplines, including BCP and DRP. The concept of the continuity planning process is not to be confused with actual enterprise business processes that continuity plans are designed to protect. Enterprise business processes will also be covered in detail within this chapter. In the past, continuity planning was frequently thought of as the recovery of computer or information technology systems and nothing more. This discipline is often referred to as disaster recovery planning. Experience in the field of continuity planning has shown that the recovery of IT functions alone does not ensure survival of the enterprise following a serious disruption or disaster. Complete recovery requires the thorough knowledge of all aspects of the enterprise, as will be explained later in the chapter. The most efficient approach to ensuring the continuity of the enterprise is to anticipate events and prepare continuity plans that focus attention on the organization’s time-critical1 business processes and the resources, including IT resources, that support those time-critical processes. 338

AU8231_C006.fm Page 339 Thursday, October 19, 2006 7:02 AM

Business Continuity and Disaster Recovery Planning Core Information Security Principles: Availability, Integrity, Confidentiality (AIC) As we know, the cornerstone of information security is the protection of the confidentiality, integrity, and availability of enterprise information resources. The term availability implies that continuity or recovery planning activities are the responsibility of the information security group. Many organizations specifically assign continuity planning to the information security folks, while others designate a separate continuity planning department to address those issues. Either way, the information security manager or information security officer (ISO) is a stakeholder in continuity planning processes. Even if not directly accountable, ISOs must work to make certain that a proper degree of enterprise continuity planning is taking place. Why Continuity Planning? The effects of Hurricane Katrina and the events of September 11, 2001, in conjunction with the recent corporate corruption cases of WorldCom, Enron, HealthSouth, etc., cause concern to organizations about continuity and, in fact, about enterprise survivability. All organizations bear responsibility for the life safety of their employees and others on their premises. They also have financial and moral obligations to their shareholders, customers, employees, employees’ families, and other key stakeholders. Terrorism, government regulation, internal and external audit, industry standards and guidelines, good business practice (standard of due care), and actual disaster events are all excellent reasons to prepare, in advance, for organizational survival. These obligations and responsibilities mandate the creation and maintenance of an effective enterprisewide continuity planning program. To some CISSPs, the need for continuity planning may seem intuitive. Others (outside the profession) fail to share this viewpoint. It is not usually easy to vie for scarce internal resources, gain support from management, or communicate the importance of continuity planning, given competing priorities. Reality of Terrorist Attack. Let us start with the obvious. Subsequent to the September 11 attacks on the World Trade Center and the Pentagon, the U.S. attorney general advised and encouraged American companies to immediately evaluate and strengthen their security programs. This raised a number of questions regarding the condition and practicality of existing life safety emergency response plans and continuity plans within public and private organizations around the world. The recommended approaches to continuity planning emphasize support for first responders, understanding and addressing risks, and making preparations to withstand 339

AU8231_C006.fm Page 340 Thursday, October 19, 2006 7:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® such events. All of these recommendations were at the heart of this advice from the attorney general in the weeks following these horrifying events. Natural Disasters. Hurricane Katrina is a dramatic example of a natural disaster that was long anticipated. Her consequences were dreadfully underestimated and caused tragic devastation and loss of life to the U.S. Gulf Coast area. The hurricane’s devastation touched the Bahamas and most of eastern and southeastern North America. The highest wind gusts were up to 175 miles per hour. The destruction in the Florida Panhandle, Alabama, Mississippi, and Louisiana, most especially New Orleans, caused federal disaster declarations over a 90,000 square mile area. In Louisiana, after the hurricane moved north, the New Orleans levies were breached and the major flooding started. It was not until then that the city suffered dramatic increases in the loss of life and damage already wrought by the storm. This one-two punch caught many by surprise and slowed the overall disaster response at all levels of community and government. As of this writing, the toll on human death, property damage, jobs lost, businesses destroyed, etc., has yet to be clearly understood or quantified. Suffice to say, this dramatic regional catastrophe is the most terrible in U.S. history, with total damage estimates at or exceeding $100 billion. This event illustrates compellingly why crisis management and continuity planning are of increasing concern to public and private sector executive decision makers. Internal and External Audit Oversight. Adverse audit or regulator y comments, more often than not, drive continuity planning initiatives. For audit purposes, the life cycle of the continuity planning process, and the point at which each organization has evolved within that life cycle, offers ample opportunity for audit scrutiny and deficiency comments. It is common knowledge that the audit function usually initiates audits based upon a review of organizational policies, standards, and procedures, and then measures compliance with those directives, similar to the continuity planning policy example (see sample continuity planning policy insert). Industry surveys also continue to show that an overwhelming number of organizations undertake continuity planning as a direct result of adverse audit/regulator comments. Legislative and Regulatory Requirements. There are other reasons that organization management is concerned about continuity planning issues. In regulated industries, for example, state and federal regulations and rulings mandate degrees of continuity planning. We reference the reader to an article written by Rebecca Herold in Addressing Legislative Compliance within Business Continuity Plans.2 This article, in Appendix A, does an outstanding job of listing various regulatory initiatives requiring continuity planning on the part of constituent organizations that specifically address HIPAA, SOX, GLB, the Patriot Act, and others. 340

AU8231_C006.fm Page 341 Thursday, October 19, 2006 7:02 AM

Business Continuity and Disaster Recovery Planning Industry and Professional Standards NFPA 1600. The National Standard on Preparedness, also known as NFPA 1600 (National Fire Protection Association), is a benchmark that continuity planners might use as a source of guidance on methodological development, risk identification, or planning guidelines. ISO 17799. ISO 17799 is “a comprehensive set of controls comprising best practices in information security.” It is essentially an internationally recognized generic information security standard. ISO 17799 comprises ten prime sections: security policy, system access control, computer and operations management system development and maintenance, physical and environmental security, compliance, personnel security, security organization, asset classification and control, and business continuity management (BCM). Defense Security Service (DSS). The Defense Security Service (DSS), formerly known as the Defense Investigative Service (DIS) is agency of the United States Department of Defense (DoD). DSS makes its contribution to the National Security Community by conducting personnel security investigations and providing industrial security products and services, as well as offering comprehensive security education and training to DoD and other government entities. To complement its three primary missions: the Personnel Security Investigations Program (PSI); the Industrial Security Program (ISP); and the Security Education, Training and Awareness Program, DSS offers the unique advantage of integrating counterintelligence into its core security disciplines through training programs, policy development, and operational support to its field elements. (http://en.wikipedia.org/wiki/Defense_Security_Service) National Institute of Standards and Technology (NIST). NIST provides a number of requirements for federal contingency planning. Good Business Practice or the Standard of Due Care. The Free Dictionary defines the standard of due care as “the care that a reasonable man would exercise under the circumstances; the standard for determining legal duty” (http://www.thefreedictionary.com/due+care). The standard of due care applies to the enterprise exercising good corporate citizenship and proactively planning to abide by good business practices in the protection of its shareholders, customers, employees, etc.

Enterprise Continuity Planning and Its Relationship to Business Continuity and Disaster Recovery Planning At the end of the day, even with a comprehensive and well-managed continuity planning infrastructure, an enterprise can be surprised. By continuity planning infrastructure, we mean a complete continuity planning business process that includes all the components reflected in Figure 6.2: all of 341

AU8231_C006.fm Page 342 Thursday, October 19, 2006 7:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK®

Figure 6.2. A view of the components of an enterprisewide continuity planning business process.3

the continuity and recovery teams, their reporting structure, IT disaster recovery planning, business resumption planning for business processes, crisis management planning, and high availability. Organizations should plan for worst-case events, rather than for specific scenarios or types of disasters. The theory, proven many times, is that the organization that is ready to respond to the worst-case disaster will also be able to handle lesser disruptions. The purpose of continuity planning, which includes the disciplines of BCP and DRP, is to reduce the impact of an incident or disaster. Will a reasonably well capitalized organization survive a serious disruption without a business continuity plan or disaster recovery plan? In many cases, for larger organizations, the answer is yes. Chances of survival are increased, however, if the organization is well prepared to significantly reduce the possible impact of a disruptive event, and the resulting qualitative and quantitative losses are significantly reduced. What are the potential loss categories? Revenue Loss. Permanent loss of revenue or a temporary interruption (cash flow) is a significant causative factor for organizations to undertake 342

AU8231_C006.fm Page 343 Thursday, October 19, 2006 7:02 AM

Business Continuity and Disaster Recovery Planning a continuity planning program. By extrapolating the potential material revenue loss for the first few hours and days of a disaster, management can create a picture of what it stands to lose long term, should an event occur. Extra Expense. Extraordinary expenses are those that would not have normally been incurred had the organization not suffered the disaster. This category includes overtime, rents and leases for temporary space and equipment, activating recovery capabilities, interest paid on receivables, the loss of interest income, legal or regulatory fines or penalties, and the like. Compromised Customer Service. Interestingly enough, an interruption in service, whether to an external or internal customer, or business partner, drives short recovery windows in almost all cases, even more so than an interruption in revenue. We must be able to measure the impact of a disaster to the organization from the moment of the event. Although we cannot usually determine the precise financial cost of customer inconvenience, we certainly can estimate the level of their inconvenience as it builds over time. We also know that eventually this customer inconvenience will most likely result in revenue loss. Thus, customer service level is the only truly reflective short-term measure over the first few seconds, minutes, hours, and days of a disaster, and its economic result can be described in metrics of high impact, medium impact, or low impact. Embarrassment or Loss of Confidence Impact. The impact to track and measure here is the embarrassment or loss of confidence suffered by important external entities that rely upon, or have an interest in, the enterprise. Examples of such external entities include key customers, suppliers, business partners, regulatory agencies, and auditors. Similar to the impact of compromised customer service, the metric for loss of confidence cannot be easily expressed in terms of financial loss. However, it can be stated in qualitative levels of impact, such as high, medium, or low, and can be tracked over a period of time following a disruption.

As seen in Figure 6.2, there is a tremendous interdependency among the various enterprisewide continuity planning process subcomponents. The continuity planning process is comprised of business continuity planning, disaster recovery planning (for technology of the enterprise), and the crisis management plan structure. Crisis management is the subcomponent that focuses on communications and management of the enterprise through the course of the disaster. A good understanding of the concepts and component interrelationships presented in Figure 6.2 will serve the CISSP candidate well in implementing and managing continuity planning within an information security program. Hidden Benefits of Continuity Planning. The primary goal of a continuity planning process is to ensure the organization’s survival in the event of 343

AU8231_C006.fm Page 344 Thursday, October 19, 2006 7:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® a disaster. There are other, less obvious benefits of continuity planning. In developing a comprehensive continuity planning infrastructure, the continuity planner must understand the business processes of his enterprise, and how information, goods, and services move within the organization. Equally important is knowing how information, goods, services, and cash flow in and out of the enterprise. The collection and analysis of this knowledge could identify potential cost reductions by improving or creating operating efficiencies. The planner may also find opportunities for cost savings in business interruption insurance and directors’ and officers’ coverage. These examples show that continuity planning could provide an advantage over competitors. As the importance of continuity planning becomes more well known, the lack of planning could even disqualify a company from consideration for new business. The continuity planning process also forces a review of various other components of the organization’s infrastructure. Vital records management, data backup and storage, and physical, environmental, and information security controls must also be scrutinized when addressing continuity planning, and efficiencies may be discovered during the process. Organization of the BCP/DRP Domain Chapter There are many ways to present CISSP examination review subject matter. Although there are others, this chapter presents the project management plan approach to BCP/DRP. This approach walks through the process from initiation to final implementation, maintenance, and management of a continuity planning initiative. Although this is a from-scratch approach, the application of this same project plan method is also relevant for those CISSPs who are working in the field with organizations that already have some level of continuity planning in place. Project Initiation Phase Preplanning activities recommended in the project initiation phase will set the tempo for each succeeding phase. Clearly articulated management intentions and commitment will contribute to the success of later continuity planning phases. It is in this phase where all the project preplanning is performed, including: • Establish the organization’s continuity planning scope and objectives criteria • Gain and demonstrate management support • Form the BCP project implementation team, referred to hereafter as the continuity planning project team (CPPT), and define their roles and responsibilities • Define and obtain continuity project resource requirements 344

AU8231_C006.fm Page 345 Thursday, October 19, 2006 7:02 AM

Business Continuity and Disaster Recovery Planning • Understand and leverage current and anticipated disaster avoidance preparations Current State Assessment Phase The current state assessment phase is composed of several discrete sets of activities that will provide enterprise management with the practical information it must have to make informed decisions concerning business continuity planning. When the activities within this phase of the methodology are completed, you will have gained an understanding of the strategies, goals, and objectives of the enterprise, and you will have completed: • • • •

A threat analysis A business impact assessment (BIA) A continuity planning process current state assessment Possible a benchmark or peer review

Design and Development Phase Given the baseline information gathered in the current state assessment phase, the CPPT is in a position to devise preliminary recommendations and action plans regarding suitable next steps. This phase is where the organization, with the assistance of the CPPT, formulates the most efficient and effective recovery strategies to address the threats and recovery priorities identified. The primary activities that take place during this phase of the methodology are: • Develop and design the most appropriate continuity strategies • Develop the crisis management plan (CMP) and continuity planning (BCP and DRP) structures • Develop continuity and crisis management plan infrastructure testing and maintenance activities • Design initial acceptance testing of the plans • Plan for recovery resource acquisition Implementation Phase During this phase, CPPT professionals work with business process owners or representatives to deploy: • Continuity plans (business continuity plans and disaster recovery plans) as well as the enterprise crisis management plan • Program short-term and long-term testing • Program short-term and long-term maintenance strategies • Program training, awareness, and education processes • Program management process 345

AU8231_C006.fm Page 346 Thursday, October 19, 2006 7:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Management Phase The management phase of the methodology is where the day-to-day management of continuity planning is organized, executed, and sustained. During this ongoing process, the CPPT works with the business process owner or representatives to address overall continuity planning issues, which include program oversight and continuity planning manager roles and responsibilities. The ideas presented in this brief introduction will now be explored in depth. Project Initiation Phase Description The project initiation phase sets the tone for the entire continuity planning project. All the project preplanning is performed in this phase, including: • Establish the organization’s continuity planning scope and objectives criteria • Gain and demonstrate management support • Form the continuity planning project team (CPPT) and define their roles and responsibilities • Define and obtain continuity project resource requirements • Understand and leverage current and anticipated disaster avoidance preparations Project Scope Development and Planning. The continuity planning process minimizes the impact on an organization’s time-critical business processes, given a significant disruptive event such as power outages, a natural disaster, accident, act of sabotage, or other such occurrence. The continuity planning process is intended to help management develop costeffective approaches to ensure continuity during and after an interruption of time-critical processes, supporting systems, or resources. The components of the enterprise continuity planning process, shown in Figure 6.2, are as follows. Disaster Recovery Planning (DRP). Traditional DRP addresses the recovery planning needs of the organization’s IT infrastructures, including centralized and decentralized IT capabilities, as well as voice and data communications network support services. As mentioned in the chapter introduction, traditional continuity planning was concerned only with the recovery of computer or IT systems. We still commonly refer to this as disaster recovery planning. As the field of continuity planning has matured, it has become apparent that recovery of IT alone does not ensure survival of the enterprise following a serious disruption or disaster. Speedy recovery of all the components of IT is useful only if the organization’s business units are able to continue functioning, at some level, throughout the event. They must be in a position to communicate with customers, organizations or 346

AU8231_C006.fm Page 347 Thursday, October 19, 2006 7:02 AM

Business Continuity and Disaster Recovery Planning patients, key business partners, vendors, employees and employees’ families, and the like. They must also be able to receive and enter orders, produce goods, provide services, collect and book revenue, account for assets, etc. Business Continuity Planning (BCP). Traditional BCP addresses recovery of

an organization’s business operations (i.e., accounting, purchasing, etc.) should it lose access to its supporting resources (i.e., IT, communications network, facilities, business partner relationships, etc.). As the disciplines of the continuity planning profession matured, it became apparent that continuity planning is a business issue, not a technical issue. The focus shifted from IT and related areas to the actual business processes of the enterprise, where they should have been all along. Each business process must be examined and prioritized, paying particular attention to its time criticality, to determine its recovery time objective (RTO). This approach will ultimately provide management and the CPPT with empirical information for decision making and for implementing the most effective continuity plans. Crisis Management Planning. Another component of the enterprise continuity planning process approach is the crisis management plan (CMP). Many organizations utilize the incident command system (ICS)4 to organize their crisis management planning efforts, and in these cases, the CMP may be referred to as the emergency operations center (EOC). There is more discussion on the ICS later in the chapter. Either way, those responsible for CMP must provide leadership to facilitate an effective and efficient enterprisewide emergency/disaster response capability. This response capability includes forming appropriate management teams and training their members how to react to serious emergency situations like hurricanes, earthquakes, flood, fire, and serious hacker or virus damage. Continuous Availability. Continuous availability (CA) is a building-block approach to constructing resilient and robust technological infrastructures that support high availability requirements.5 Not solely a continuity planning responsibility, continuous availability is a concern of the CPPT, should any given business process have a zero or near-zero-time RTO. The CA concept joins a mix of disciplines, focusing on enterprise high availability needs in a 24 hours a day, 7 days a week (24/7) environment. The CPPT can assist with planning, designing, implementing, and measuring IT infrastructure capabilities for organizations with 24/7 application and network uptime requirements once there is agreement on the RTO timeframe. It is primarily the responsibility of the IT systems and IT Infrastructure groups to build and operate a CA environment, but the CPPT can and should work closely with them ensure that the RTOs can be met. Incident Command System. The ICS is a standardized response management system described as an all hazard–all risk approach to managing cri347

AU8231_C006.fm Page 348 Thursday, October 19, 2006 7:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® sis response operations and noncrisis events. A group of local, state, and federal agencies, with wild land fire protection responsibilities, initially designed it to improve the ability of fire forces to respond to any type of emergency. The ICS is a structure of management-level positions suitable for managing any incident. It is described as being organizationally flexible and capable of expanding and contracting to accommodate responses or events of varying size or complexity. For more information on ICS, see the ICS-related Web site URL at the end of this chapter, which is just one of many Internet resources relating to ICS. Executive Management Support. From the very start of any continuity planning project, executive management’s understanding and support is an unqualified must. The continuity planning endeavor simply touches every single corner of the enterprise, encompassing business processes, information technology (IT), communications infrastructures, facilities, virtual organization business partners, personnel, and other mission-critical business process support services. The business continuity planning manager and the CPPT must enjoy clearly articulated top-down management support. This support must include suitable resource commitments to the continuity planning process and CPPT. Supporting the continuity planning effort means that management must make suitable resource commitments in terms of staffing the CPPT, establishing a budget, adopting senior-level policies and standards, approving scope, etc.

The project effort may include one or all three of the individual components of the enterprisewide approach to continuity planning. That is, the continuity planning process effort may be for IT continuity planning (DRP) only, or could include any combination of IT continuity planning, business continuity planning, or crisis management planning. Table 6.1 suggests techniques the CPPT might use to assist them in gaining support. BCP Project Scope and Authorization. For organizations without a continuity planning process, the scope will be full, enterprisewide, and end to end. Of course, the individual components of the project can be broken down to bite-sized chunks to avoid the appearance that the CPPT is attempting to boil the ocean.

Once the continuity planning process is in place and fully tested, the work is not over. Organizations are constantly in a state of change, so the continuity planning must constantly be tweaked. Changes occur in personnel, organizational structure, product development activities, business partner relationships, and dozens of other events. These events all result in changing the organization slightly, or sometimes significantly, at any given time. Should the enterprise have an active, or at least recent, continuity plan, the continuity planner should prepare to adjust the scope of the

348

Analyze, collate, and assess business process owner/ representative requirements Create summary working document of interview and workshop notes (not for presentation to the business process owner/representative)

Interview key stakeholders and set expectations for workshop Prepare business process owner/representative-specific presentation and discussion points for workshops Conduct workshop/interview

Design interview scripts and agree with sponsor

Identify executive sponsor for strategy consulting CPP effort Propose and agree with sponsor on interview methodology or workshop with key stakeholders with purpose of mapping business and process requirements Identify business strategy stakeholders with sponsor

As needed to support the scope of the CPP effort As needed to support the scope of the CPP effort As needed to support the scope of the CPP effort

Agree on preferred approach for conducting business impact assessment as well as other current state assessments as needed by the business process owner/representative As appropriate for this component of the enterprisewide availability infrastructure See plan phase samples below for the most appropriate interview scripts As needed to support the scope of the CPP effort As needed to support the scope of the CPP effort

As needed to support the scope of the CPP effort As needed to support the scope of the CPP effort As needed to support the scope of the CPP effort

Business Continuity Planning (BCP) CEO, CFO, other executive management representatives Agree on preferred approach for conducting business impact assessment as well as other current state assessments as needed by the business process owner/representative As appropriate for this component of the enterprisewide availability infrastructure See plan phase samples below for the most appropriate interview scripts As needed to support the scope of the CPP effort As needed to support the scope of the CPP effort

CIO or IT director

IT Continuity Planning (DRP)

Table 6.1. Techniques for Gaining Management Support

As needed to support the scope of the CPP effort

As needed to support the scope of the CPP effort As needed to support the scope of the CPP effort

CEO, CFO, other executive management representatives Agree on preferred approach for conducting business impact assessment as well as other current state assessments as needed by the business process owner/representative As appropriate for this component of the enterprisewide availability infrastructure See plan phase samples below for the most appropriate interview scripts As needed to support the scope of the CPP effort As needed to support the scope of the CPP effort

Crisis Management Planning (CMP)

AU8231_C006.fm Page 349 Thursday, October 19, 2006 7:02 AM

Business Continuity and Disaster Recovery Planning

349

AU8231_C006.fm Page 350 Thursday, October 19, 2006 7:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® project to address current needs (i.e., update stale plans, plan for and conduct tests, readdress or update aged business impact assessments, etc.). Executive Management Leadership and Awareness. Executive management can express its support in a number of ways, including the following. Formalizing Continuity Planning Policy. As mentioned above, an executivelevel organizational policy regarding requirements, roles, and responsibilities for continuity planning is a must. Continuity planning policy sets the stage for further development of appropriate standards and procedures that will assist organizational units to address continuity planning issues prudently and provides a benchmark for compliance with policy. It is vital to the continuity planning endeavor that executive management (including the board of directors, where applicable) makes a strong commitment that is clearly and succinctly articulated. Middle management should develop appropriate support standards and procedures based on the policy direction set by executive management. Appropriate supporting standards should outline and provide for a continuity planning infrastructure that is relevant and supports executive management’s vision. This will demonstrate to all those who have hands-on continuity planning responsibility the value that an appropriate degree of continuity planning will add to the organization (see sample continuity planning policy statement). Establishing and Managing a Continuity Planning Budget. Allocation of funds for continuity planning projects visibly demonstrates top-down commitment. Of particular concern will be the questions and methods on how continuity planning-related costs/expenses would be capitalized or allocated within the organization. This is an important topic to discuss and decide upon with the executive sponsors prior to the project kickoff. Associated continuity planning budget categories are as follows:

• Expenditures used for acquisition, implementation, and maintenance of preventative controls that are designed for physical environmental or information security. • Expenditures utilized for purchasing alternative recovery resources like facilities, equipment, supplies, hardware, software, and telecommunication infrastructure facilities. • Personnel expenses; consideration should be given to the annual salary requirements of continuity planning personnel and the annual salary and benefits of the incremental business unit personnel costs for each of the business function representatives involved in the effort. • Use of external consultants or vendor organization personnel that might be utilized and the consulting fees and travel expenses associated with their participation. • Day-to-day management expenditures of the continuity planning process, including testing maintenance and training. 350

AU8231_C006.fm Page 351 Thursday, October 19, 2006 7:02 AM

Business Continuity and Disaster Recovery Planning With regard to testing, there will likely be costs associated with travel, lodging, meals, and ground transportation if management has elected to use a remote location recovery strategy. Defining Continuity Planning Metrics. Continuity planning-specific metrics developed in support of the organization’s strategic vision and values will help to eliminate the on-again, off-again continuity planning efforts that have plagued many organizations. A clear set of both qualitative and quantitative continuity planning metrics will illustrate what management considers important. After all, we get what we measure. Articulating Continuity Planning Communications. T h e a b o v e - m e n tioned techniques notwithstanding, clearly articulated executive management communications of support will open a lot of otherwise closed doors to the continuity planning effort. Continuity Planning Project Team Organization and Management. T h e continuity planning project team (CPPT) should be made up of continuity planning leadership and selected technical and business experts who have business process knowledge and a stake in the continuity planning process. A CPPT project lead should be appointed as soon as is practical. The most senior and knowledgeable staff need always be involved; assigning lower-level staff to this team will do little to ensure success. As a rule, the team members should be the more seasoned managers who understand the need for continuity planning, the goals of the enterprise, and the intricacies of the business processes.

Once the CPPT has been named, their first duty is to scope the continuity planning process and define the project management strategies they will utilize to accomplish their goals, in line with management and the allocated funding. Of particular concern to the CPPT is whether to use a PMO approach, what project management tools they will be depending upon, and what their timelines are for the project. Project Management Office Techniques. In larger organizations, it may be useful to organize the continuity planning process under the control of a project management office (PMO). A PMO approach to the project will provide strategic support to business units and management. This can be especially helpful for continuity planning processes, as they are crossorganizational in scope and approach. The continuity planning endeavor encompasses the entire enterprise and all its business processes, which are mapped to their supporting resources. As such, the CPPT must be able to interact with many levels of management and organizational structures. They also must have a thorough understanding of the associated business functions throughout the enterprise. The PMO manages and supports from the top down. Trained project managers utilize project management standards, methods, tools, and education to their best effect. 351

AU8231_C006.fm Page 352 Thursday, October 19, 2006 7:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Project Management Tools. A practical approach to developing a continuity planning process and enterprise implementation is through the use of project management methodologies. With these methods, the PMO or the CPPT will likely use software and Internet/intranet space to compile, organize, secure, and store relevant internal and external information. These and other tools are helpful in the initial planning and implementation of the continuity planning process. They are even more useful in the long term (testing and maintenance stages), where the real expense of continuity planning is incurred. In the book The Complete Project Management Office Handbook,6 Gerard Hill presents an overview of PMO functions. Continuity Planning Project Timelines. When establishing schedules, deadlines, and milestones for a continuity planning process, the nature or culture of each unique organization must be taken into consideration. Success is more likely if the components of the project are broken up in more manageable (bite-size) units, like days and weeks, rather than months. This will prevent the perception of boiling the ocean and the fatigue that goes along with it. Keeping the continuity planning process timeframes relatively short will help to avoid project participant burnout as well. Conduct Continuity Planning Project Kickoff Meeting. Within some cultures, holding a formal continuity planning kickoff meeting is an important first step in the continuity planning process. The kickoff meeting is a formal introduction of the business process owners or representatives to the CPPT and should help them get comfortable with the effort. The objectives of a continuity planning kickoff meeting might be:

• Allow the executive sponsor to introduce the continuity planning project and describe its value to the enterprise • Introduce the CPPT • Provide an overview of the continuity planning process • Present an overview of the continuity planning methodology • Detail the project approach and scope • Present the project objectives • Review the project schedule • Discuss project staffing • Describe the project deliverables • Review the preliminary work plan • Identify key business process owners or representative contacts outside the project team • Obtain time commitments from business process owner or representative team members • Answer questions and address concerns As the continuity planning process evolves, it is crucial that all of the business process owners or representatives involved understand: 352

AU8231_C006.fm Page 353 Thursday, October 19, 2006 7:02 AM

Business Continuity and Disaster Recovery Planning • The continuity planning process as it applies to their organization • The project scope, deliverables, schedule, and approach • Their responsibilities and time commitments for the continuity planning process effort In addition, it is important that the kickoff meeting provide an opportunity for participants to raise issues and concerns related to continuity planning or the project. The meeting should include a question-and-answer period at the end so the audience can ask questions, make suggestions, or discuss challenges they may have. Any issues that are not answered immediately should be discussed with the CPPT project lead as soon as possible. Swift resolution of these issues is required to ensure that the project can continue as scheduled. It is important to stress to the business process owners or representatives on the CPPT that the type of disaster (e.g., fire, brownout, flood) is less important than the fact that the disaster could occur. A disaster is any event that takes time-critical processes down for longer than the RTO that is defined in the business impact analysis (BIA). When participants focus on particular types of disasters, rather than more generalized disaster scenarios, they are likely to miss the point of the overall information-gathering exercise by answering questions too specifically. From a continuity planning perspective, the type of disaster or interruption is relatively unimportant. Destruction of a facility by reason of fire versus flood is not significant; the impact of the destruction and the continuity of critical operations are the important issues. Disaster or Disruption Avoidance and Mitigation. It is during the project initiation phase that the CPPT should consider the extent and status of existing physical, environmental, and information security-related controls that might mitigate the effects of an event. Although a formalized risk assessment is part of the current state assessment phase, a fundamental understanding of the vulnerabilities of the organization will help to sell the need for continuity planning to management.

By definition, continuity planning tends to focus on preparation of the mechanisms necessary to react to an adverse event, more than proactively planning to mitigate or prevent the event in the first place. Activities designed to identify potential threats and vulnerabilities are incorporated into an enlightened approach to continuity planning, so that appropriate mitigating controls can be considered. The physical, environmental, and information security of business processes are reviewed, and the resulting deliverable contains observations and recommendations regarding the most appropriate next steps in putting effective and efficient control mechanisms in place. This is the risk assessment, sometimes known as the risk management review (RMR), and is fully described under the current state 353

AU8231_C006.fm Page 354 Thursday, October 19, 2006 7:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Table 6.2. Project Initiation Phase Activities and Tasks Work Plan Project Initiation Phase Activity/Task Prepare project charter and obtain management approval Prepare and finalize project plan, including work steps, deliverables, and milestones Prepare and finalize project budget Management presentation and approval to move to next phase

Deliverables

Milestone Definitions

Project charter Project work plan Budget

assessment section of this chapter. This risk/vulnerability mitigation process would also include consideration of the overall control infrastructure of the business process and could suggest other organizational controls. Physical or information security representatives can assist in the development of appropriate mitigating controls, standards, and procedures, or any other mechanism required to implement and manage an effective control infrastructure. The resulting infrastructure would be designed to mitigate or avoid threats and vulnerabilities to the most practical degree. A continuous availability (CA) recommendation from the CPPT to the business unit may be an appropriate course of action if that unit’s business processes have an RTO of zero or close to zero, and where its network infrastructure mandates uptimes of more than 99 percent. Project Initiation Phase Activities and Tasks Work Plan. The work plan in Table 6.2 presents a sample of the high-level activities and tasks suggested as a starting point for planning and executing this phase.

Current State Assessment Phase Description The current state assessment phase is composed of several discrete sets of activities that will provide enterprise management with the practical information they must have to make informed decisions concerning business continuity planning activities. The primary activities that take place during this phase of the methodology are: • • • • •

Understand enterprise stratgies, goals, and objectives Conduct a threat analysis Business impact assessment (BIA) Continuity planning process (CPP) current state assessment Possibly benchmarking or peer review

Understanding Enterprise Strategy, Goals, and Objectives. The first step in understanding the enterprise is to request, gather, and analyze informa354

AU8231_C006.fm Page 355 Thursday, October 19, 2006 7:02 AM

Business Continuity and Disaster Recovery Planning tion such as annual reports, organizational charts, strategic planning documentation, existing continuity plans, audit reports, and third-party service level assurance reports. In addition, online searches for financial information and other competitive intelligence can be valuable in understanding the organization’s true business environment. Enterprise Business Processes Analysis. The continuity planning process should support the overall objectives of the enterprise and be measurable, maintainable, and add value. To ensure that this process meets these criteria, it is critical that the CPPT request or develop business process information, including business process maps, of the enterprise. Highlevel business process maps that identify required components like facilities, business units, IT systems and infrastructure, and critical business partnerships illuminate the overall process flow of the organization for the CPPT. They should be broken down into mega, major, and subbusiness processes. This information will be relied upon heavily during the business impact assessment undertaken later in the methodology. People and Organizations. Organizational charts, telephone directories (online and hard copy), and other inventory lists will be needed to execute the continuity planning project effort. One of the goals of the BIA process will be to map time-critical business processes to people, locations, external communities, technologies and networks, etc. Therefore, a thorough understanding of each of the physical and geographical locations, and the numbers of employees who work in those locations, is mandatory. Time Dependencies. At this juncture, time-critical dependencies of the business processes should be identified and documented. A more detailed analysis and justification of time-critical business processes and their supporting resources will be done during the BIA phase of the continuity planning project. Motivation, Risks, and Control Objectives. Successful implementation of a continuity planning process involves many people issues, sometimes addressed in terms of organizational change management. Because the continuity plans may be ready for the organization before the organization is ready for the continuity plans, it is important to understand the peoplerelated barriers, enablers, and rewards. Also of importance are the technology and process barriers, enablers, and rewards. People, process, and technology issues have to be considered when attempting to understand how an organization will react to the implementation and will eventually become a predictor for the success of the continuity planning process effort. Budgets. Like any part of the enterprise, financial considerations are important to the CPPT. They must understand the budgetary processes and the resources allocated to this continuity planning process effort. 355

AU8231_C006.fm Page 356 Thursday, October 19, 2006 7:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Technical Issues and Constraints. Technical enablers and barriers must be understood from the beginning of the continuity planning process effort. The CPPT should devote time to consider and document the technological environments (IT, networks — voice and data) of the enterprise and closely associated communities (i.e., virtual business partners, outsourced service providers, vendors, customers/patients, etc.). It is also important that the CPPT know about any current or future strategies the organization is considering in terms of linking business and technology plans.

Continuity Planning Process Support Assessment The current state assessment phase examines the health and vitality of an enterprise’s continuity planning infrastructure and determines if the components are up to date. Continuity planning is not an event; it is a process like other major business processes. It can be judged by how intelligently the relationships of the people, processes, technologies, and missions of the enterprise are understood and documented. Two broad types of information flow from the current state assessment phase. The first stage consists of the threat assessment. A collection of potential quick hits from the threat assessment are listed in Table 6.5. The second type of information is the business impact assessment, which details the core or key business processes for which comprehensive continuity plans must be developed. Threat Assessment. One objective of the threat assessment is to evaluate the existing organizational controls and procedures that could reduce the likelihood of a potential interruption of services. Another objective is, should an interruption take place, the impact of the interruption is minimized and the organization’s assets are safeguarded. Steps must be taken to identify significant exposures that could place an organization at risk for an interruption and to determine solutions for the identified risks in advance.

During the threat analysis, potential risks and vulnerabilities are assessed and strategies and programs are developed to mitigate or eliminate those risks. The CPPT’s understanding of existing risk factors is an integral part of preparing to recover before the disruption. Prior to developing mitigating controls to prevent or lessen the impact of a disaster or disruption, you must understand the underlying risks. This type of threat assessment differs somewhat in scope from a traditional information security threat assessment. The BCP project team is concerned specifically with threats as they relate to information and resources that are necessary to support critical business processes. In general, a threat assessment is broken down into three types of threat assessments: 356

AU8231_C006.fm Page 357 Thursday, October 19, 2006 7:02 AM

Business Continuity and Disaster Recovery Planning • Physical and personnel security assessment • Environmental security assessment • Information security assessment Physical and Personnel Security Assessment. The physical and personnel

security assessment includes: • Loss of key personnel, temporary or permanent for any reason (even retirement) • Physical access control weaknesses • Health or accident • Supply chain failure • Vendor business interruption • War/terrorism • Shortage of raw materials • Surveillance • Business interruption and extra expense insurance • Emergency response plan assessment, including a review of the enterprise crisis management plans, as well as other emergency response teams, to ensure there are recommendations to achieve the following: – Identification of affected areas – Business processes affected – Infrastructure, buildings, and equipment conditions – Users’ life safety – Consideration of impact on customers, shareholders, community, etc. – Condition of utilities and communications – Notification and alerting procedures to crisis managers – Providing for safety and security of personnel – Personnel notification as necessary – Executive succession planning – Role of executives in crisis management – Roles of BCP coordinator and team members – Notification lists – Role of public relations toward the media, customers, local officials, and employees – Backups and off-site storage – Data, applications, and disaster recovery plans – Premises accessibility – Security – Environmental security – Communications status – Emergency systems: phones, cellular phones, radios, pagers – Communications networks – Emergency response procedures 357

AU8231_C006.fm Page 358 Thursday, October 19, 2006 7:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® – – –

Mitigating the damage Declaring a disaster Recovery team structure roles and responsibilities

Environmental Security Assessment. The environmental security assess-

ment includes: • • • • • • •

Fire detection and suppression Protection from water damage Utility failure Gas leaks Electrical disruptions and controls HVAC controls General utilities review at both the primary and secondary operations locations, including ensuring that electrical power is sufficient at alternate sites • Telecommunications availability Information Security Assessment. The information security assessment

includes: • Off-site data storage deficiencies • Logical access control weaknesses • Continuity planning — existing strategies for recoverability of timecritical processes and support resources • Change or problem management • Identification of single points of failure Reducing the identified exposures such as access control weaknesses will also result in more efficient or stable ongoing operations. Proactive steps to reduce an organization’s overall level of exposure are the most cost-effective elements of a comprehensive continuity planning program. Risk Management. Arriving at an understanding of what threats are most likely to affect the organization, some BCP professionals consider risk assessment and BIA processes to be very closely related. In his book Business Continuity: Best Practices,7 Andrew Hiles says: Risk management includes identification of risks; appreciation of their impact on the business and the likely frequency of occurrence; and implementation of steps to reduce that frequency to an acceptable level. Although risk assessment and business impact analysis are often treated as separate activities, for all practical purposes they are part of the overall process of risk management.

Table 6.3 can be utilized to assist the CISSP candidate to understand the type of information that is collected and useful during the threat analysis phase. 358

AU8231_C006.fm Page 359 Thursday, October 19, 2006 7:02 AM

Business Continuity and Disaster Recovery Planning Table 6.3. Information Collected and Useful during the Threat Analysis Phase Current State Assessment Component Physical security Environmental security Information security Business impact assessment Emergency response procedures Existing continuity plans Insurance coverage Off-site backup site inventory/backup processes Continuity planning business process

Information Requested Facilities diagrams and supporting documentation Facilities diagrams and supporting documentation Information security policies, procedures, standards, etc. Existing business impact assessment reports or documents, audit reports, etc. Written emergency response procedures documentation Written or automated continuity plans, audit reports Insurance documentation Backup media inventory information, backup process operational information Organizational charts, telephone books, continuity planning policies, standards, procedures, etc.

Interview Key Infrastructure and Business Managers. Table 6.4 lists people to interview as part of the current state assessment phase.

The threat assessment should be a high-level-only review that serves to identify major exposures. If a more detailed review is required, it should be completed as a separate project and the appropriate CPPT specialists should be contacted. Certain areas of evaluation may require expertise or certification not possessed by the project team, particularly when evaluating insurance provisions or certain engineering issues. In these cases, appropriate assistance should be requested. Once the threat analysis footwork has been completed, the CPPT should analyze and prepare recommendations for next steps. Mitigation of Risk Factors. Table 6.5 provides some very general examples of quick hits that may be identified as a result of this type of current state assessment. Business Impact Assessment (BIA). The goal of the BIA is to provide enterprise management with a prioritized list of time-critical business processes, and estimate a recovery time objective (RTO) for each of the timecritical processes and the components of the enterprise that support those processes.

359

AU8231_C006.fm Page 360 Thursday, October 19, 2006 7:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Table 6.4. People to Interview as Part of the Current State Assessment Phase Current State Assessment Component Physical security Environmental security Information security Business impact assessment Emergency response procedures Existing continuity plans Insurance coverage Off-site backup site inventory/backup processes Continuity planning business process

Positions to Interview Facilities management, data center management, risk management, physical security management Facilities management, data center management, risk management, physical security management Information security management, data center management Continuity planning management Facilities management, data center management, risk management, physical security management, key business unit management representatives Continuity planning management, data center management, crisis management, risk management Risk management Data center management, media storage management

Continuity planning management, senior management representatives, data center management, risk management

Executive management must understand the potential losses or impacts to the organization as precisely as possible to allocate resources to the continuity planning process. It is vital that they thoroughly understand the time-critical business processes. The BIA is where this information is gathered, analyzed, consolidated, and presented with recommendations (including next steps and rough order of magnitude cost). Another important outcome of the BIA is the mapping of time-critical processes to their constituent support resources (i.e., IT servers and applications, infrastructure and networks, facilities space requirements, business partner connectivity, etc.). The initial step in the BIA is to adopt an efficient method (such as a questionnaire) for gathering information relative to enterprise business processes as follows. Business Interruption. Business interruption is also known as customer service interruption or loss. Experience has shown that a severe interruption in customer service capabilities will, in almost all cases, drive shorter recovery time windows than financial impacts. A customer service interruption, whether to an external or internal customer, or business partner, must be measured from the moment of the event. Although we cannot usually determine the precise financial costs associated with customer inconve360

AU8231_C006.fm Page 361 Thursday, October 19, 2006 7:02 AM

Business Continuity and Disaster Recovery Planning Table 6.5. Examples of Quick Hits That May Be Identified as a Result of This Type of Current State Assessment Current State Assessment Component Physical security Environmental security

Information security

Business impact assessment

Emergency response procedures Existing continuity plans Insurance coverage Off-site backup site, inventory/ backup processes Continuity planning business process

Example Quick-Hit Opportunities Develop physical security policies and procedures Implement physical security controls Develop environmental security policies and procedures Implement environmental security controls Implement various information security controls Develop information security policies and procedures Conduct risk analysis, etc. Business process analysis can reveal various quickhit opportunities for continuity planning as well as other noncontinuity-planning-related projects Development of emergency response procedures Development of crisis management plans Testing assistance Testing assistance Enhancement of outdated plans, etc. Reduction in premium studies Expanded continuity planning infrastructure Implementation of specialized automated backup systems Regular audits of off-site backup Reengineering the continuity planning process Defining appropriate continuity planning matrix, etc.

nience, at least in the short term, we certainly can estimate the level of their inconvenience as it builds over time. We also know that eventually this customer inconvenience will most likely result in revenue loss. So, customer service level is the only truly reflective short-term measure over the first few seconds, minutes, hours, and days of a disaster, and its economic result can be described in metrics of high impact, medium impact, or low impact. Embarrassment or Loss of Confidence Impact. The impact to track and measure here is the embarrassment or loss of confidence suffered by important external entities that rely upon, or are have an interest in, the enterprise. Examples of such external entities include key customers, suppliers, business partners, regulatory agencies, and auditors. Similar to the impact of compromised customer service, the metric for loss of confidence cannot be easily expressed in terms of financial loss. It can, however, be stated in qualitative levels of impact, such as high, medium, or low, and can be tracked over a period of time following a disruption. 361

AU8231_C006.fm Page 362 Thursday, October 19, 2006 7:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Revenue Loss. Permanent loss of revenue or a temporary interruption (cash flow) is a significant causative factor for organizations to undertake a continuity planning program. By extrapolating the potential material revenue loss for the first few hours and days of a disaster, management can create a picture of what it stands to lose long term, should an event occur. Extra Expense. Extraordinary expenses include those that would not have normally been incurred had the organization not suffered the disaster. This category includes overtime, rents and leases for temporary space and equipment, activating recovery capabilities, interest paid on receivables, the loss of interest income, legal or regulatory fines or penalties, and the like. ESTABLISHING ACCURATE FINANCIAL MATERIALITY. Executive management, including the CFO, if possible, should be enlisted to help set the level of materiality of significant financial impacts. Setting revenue loss and extra expense ranges at either too high or too low a level when customizing the BIA questionnaire will adversely impact the BIA’s findings and resulting recommendations. This is especially so if the BIA is being used to cost justify the acquisition of expensive alternative recovery resources like computers, network circuits, alternative workspaces, etc. PREPARING AND PRESENTING BIA INFORMATION. We are not going to go into the myriad available methods to consolidate, analyze, and present BIA information in this chapter. Suffice it to say that without a well-executed BIA, executive management can only guess at what the business priorities are, and when and in what order they should be recovered. Because the true cost of continuity planning is not in the initial analysis, but in the long-term testing, maintenance, and training of recovery team personnel, it is incumbent on the organization to ensure that it has done due diligence during the BIA to be able to justify further continuity planning investments. Benchmarking and Peer Review. The CPPT can be aided in their efforts if they take advantage of peer or benchmarking techniques. Although completely optional, this component encompasses performance of industry or peer benchmarking studies to determine leading practices. These leading practices can then be used to establish the most appropriate future state vision for the continuity planning infrastructure.

Benchmarking is a powerful technique that enables organizations to identify goals based on potential future performance rather than on the outcomes of previous years. Benchmarking allows organizations to look beyond rigid functional or industry boundaries when attempting to improve or innovate processes and practices. These benefits help to produce world-class organizations that are equipped to rapidly respond to, if not anticipate and prepare for, sudden changes in their environments. Benchmarking can: 362

AU8231_C006.fm Page 363 Thursday, October 19, 2006 7:02 AM

Business Continuity and Disaster Recovery Planning • Provide opportunities to leverage best-practice measurements into opportunities for substantial performance improvement • Help identify processes and practices that serve as models for streamlining, redesigning, or reengineering within an organization • Help establish strategic plans based on maximum organizational potential • Allow realistic, yet aggressive, goal setting for action plans and agendas • Provide an effective context for developing metrics and measures that help executive management identify improvement opportunities and successes • Help establish or spread a continuous improvement philosophy throughout an organization • Increase the level of employee involvement in performance improvement • Focus growing numbers of personnel on the search for and assimilation of best practices • Help identify new products and services Sample Current State Assessment Phase Activities and Tasks Work Plan.

The work plan in Table 6.6 presents a sample of the high-level activities and tasks suggested as a starting point for planning for and executing this phase. Development Phase Description Once all the current state activities are completed, the CPPT has a wellgrounded understanding of the current state status and future state expectations of executive management. The resulting gap can now be translated into actionable development and design activities. This phase takes the next step in providing the CPPT with the occasion to thoughtfully consider and design the most suitable continuity planning process strategies, programs, plans, and short- and long-term testing, maintenance, training, and measurement processes. Recovery Strategy Development. Acknowledging the baseline information gathered in the current state assessment phase, the CPPT is in a position to design and determine the most appropriate recovery alternatives. The recovery alternative procedure must be in line with the RTO established in the BIA. The primary activities that take place during this phase of the methodology are to:

• Develop the most suitable recovery strategies • Develop continuity and crisis management planning formats and implementation infrastructure • Develop strategies for continuity and crisis management plan testing, maintenance, and awareness and training • Plan for recovery resource acquisition 363

AU8231_C006.fm Page 364 Thursday, October 19, 2006 7:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Table 6.6. Sample of the High-Level Activities and Tasks Suggested as a Starting Point for Planning for and Executing the Current State Assessment Phase Current State Assessment (CSA) Phase Activity/Task CSA phase initiation activities Identify planning software tool or internal process (BIA and plan development) Schedule and conduct kickoff meeting Define business processes affected Develop high-level business process model Obtain process model for this industry Gather enterprise business process information Customize process model to environment Map major processes to functional business units Map major processes to information systems Map major processes to physical facilities Map major processes to virtual business partners Assemble high-level process model Perform threat assessment Identify concerns and risks from audit reports Customize threat analysis questionnaire Perform risk assessment Assess physical security Assess environmental security Assess information security Assess emergency response procedures (ERPs) Obtain, review, and evaluate emergency response procedures Prepare recommendations for updating ERPs/restart procedures Assess application/systems restart procedures Obtain, review, and evaluate application/system restart/recovery procedures Assess site management training and awareness Review site management training and awareness effectiveness

364

Deliverables

Project plan

Process model

Milestone Definitions

AU8231_C006.fm Page 365 Thursday, October 19, 2006 7:02 AM

Business Continuity and Disaster Recovery Planning Table 6.6. Sample of the High-Level Activities and Tasks Suggested as a Starting Point for Planning for and Executing the Current State Assessment Phase (Continued) Current State Assessment (CSA) Phase Activity/Task Assess system backup strategies Review existing system and data backup strategies Document threat analysis results Business impact assessment (BIA) Obtain BIA data-gathering tool and install on local system Prepare/customize BIA questionnaire Distribute questionnaires via memo to appropriate management Contact management and set up BIA interviews Conduct BIA management interviews Document BIA management interviews using BIA summary template Enter BIA information into BIA data-gathering tool (if applicable) Enter BIA inventory information into access database Prepare/send confirming memo/BIA summary template to interviewees Consolidate BIA interview information Map consolidated BIA information to continuity process matrices Analyze BIA interview information Document business impact assessment report Review results with project sponsor/team Assemble draft business impact assessment report Obtain executive management approval Publish business impact assessment report Benchmark/peer review Scope benchmark review

Conduct benchmark review Prepare benchmark report

Deliverables

Milestone Definitions

Risk management/threat analysis report

Final questionnaire

Draft BIA report

Final BIA report Develop benchmarking approach and questions Final benchmark report

365

AU8231_C006.fm Page 366 Thursday, October 19, 2006 7:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Work Plan Development. For each of these recovery strategies and next-step activities developed or facilitated by the CPPT, they should prepare a high-level project plan that includes components like timing, resource commitments, etc. This project plan should serve as an outline for the implementation, testing, maintenance, and management steps for IT and business owners or representatives to use as they progress through implementation and other phases of the methodology. Develop and Design Recovery Strategies. The objective of the recovery alternative strategy is to successfully translate enterprise business requirements into recovery resource requirements that make sense and that meet the RTOs defined in the BIA. The purpose here is to determine, at a reasonable level of detail, the technical and business process requirements needed to meet the various recovery tiers for both IT and business process recovery. Knowledgeable technical and business owners or representatives are equipped to determine the resource requirements, and the CPPT must enlist their help with many components of this phase.

Recovery strategy can be developed in different ways. Here we will divide strategy development into three parts: • IT and IT infrastructure (DRP), strategy development • Business processes (or functions or units) strategy development BCP • Facilities strategy development DRP Recovery Strategies for IT. DRP recovery strategies must be developed to address IT resource requirements. Because the organization’s time-critical processes have been mapped to their constituent components during the BIA, the CPPT knows the applications, systems, and supporting equipment required to support those processes. This procedure must also take into consideration the recovery of data.

The CPPT must work with IT to define and agree upon functional and technical requirements for IT recovery strategies. All likely recovery alternatives should be considered when determining and recommending continuity strategies. Analysis and availability of critical recovery resources is an important element in developing ongoing recovery cost estimates. After system recovery requirements are determined, there are a number of areas for consideration, including: • • • • 366

Systems hardware resources (also includes midrange) Systems data storage requirements Unique (i.e., nonstandard) hardware resources Distributed systems (e.g., workstations, intranets, extranets, etc.)

AU8231_C006.fm Page 367 Thursday, October 19, 2006 7:02 AM

Business Continuity and Disaster Recovery Planning DRP strategy development can be organized along the lines of the organization’s IT workload requirements, segmented as follows: • • • • •

Nondeferrable Deferrable Development Nontime-critical production Time-critical production

The Concept of IT Full Production Backup. Determination of critical production IT workloads is very important because it is the key criterion in developing recovery strategies. If this workload cannot be identified and isolated in terms of hardware resources and data storage requirements, then the alternative is to recover the entire IT production workload in the shortest acceptable recovery timeframe (tier I), or a very large portion of it (see Table 6.7). This could have a significant effect on cost and recovery timeframes.

Recovery planning in a distributed systems environment requires thoughtful consideration of the business processes supported by IT. Careful analysis and classification of the required components can narrow the scope of the recovery planning efforts. Distributed IT systems environments are highly integrated and interconnected. Because of interdependencies, recovery of one distributed system environment component will generally require the recovery of most, if not all, the other distributed systems environment components. The time has long since past when the IT groups for a major organization can simply select batch processes easily transported to a secondary computer system for recovery. The real issue is not the computer itself, or even the computer’s location; it is the communication system or infrastructure that connects the IT systems to end-user workstations. Implementation of full production backup capabilities requires a thorough examination of the distributed systems environments from all points of view (i.e., hardware, software, applications, database, and communications levels). This will add to the complexity of identifying the recovery alternates required for the distributed systems environment, but is the only accurate method of aligning IT recovery capabilities with business process RTO requirements. Other Recovery Alternative Considerations. For both IT and IT infrastructure and for business process (or functions or units) recovery strategy purposes, there are various recovery alternatives that can be considered. Along with a brief description of the alternatives below, we have attempted to estimate the RTO support capabilities of each. It should be remembered that these RTO estimates are very broad, and there are often exceptions. These recovery alternatives are discussed below. 367

AU8231_C006.fm Page 368 Thursday, October 19, 2006 7:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Cold Sites. A cold site is an IT location that is capable of supporting IT functionality, but is not already equipped with IT and supporting equipment. A cold site is usually simply a shell location that must be built out to serve as an alternative IT center. This is also one of the most cost-effective alternate site strategies for RTOs one week or longer. Cold sites should not be used when RTOs are shorter than one or even two weeks. Warm Sites. Similar to a cold site, a warm site is capable of hosting IT operations and contains some level of IT equipment on-site that may or may not be operationally capable, although not currently being used for the purposes for which it was designed. It is appropriate to use a warm site when the RTO is five days or more. Hotsites. As opposed to the descriptions of the cold and warm sites above, a hotsite is an IT location that has “hot” capability. That is, the site has the equipment, software, and communications capabilities to facilitate a recovery within a few minutes or hours following the notification of a disaster at the organization’s primary site. Relative to IT continuity planning strategies, most major commercial recovery site vendors (HP, IBM, SunGard, etc.) provide more than one potential recovery site location. Because it is likely that there will be contention for scarce resources in the event of an areawide or multiple disaster situation, multiple recovery site capabilities should be a prime consideration in the selection of a recovery vendor. Mobile Sites. Some commercial vendors offer mobile facilities. These facilities are usually mounted on large truck trailers and can be brought to whatever location designated by the organization for operations recovery. The support for this type of recovery alternative is normally for RTOs of three to five days. Multiple Processing Sites. Some organizations use multiple internal processing locations to support backup and recovery. Should one site go down, the other sites could pick up the production load. These support RTOs as low as minutes and hours. The challenge with this type of strategy is maintaining the configuration management (hardware, software, processes, etc.) so that the multiple sites stay synchronized from a technical capability standpoint. Workspace and Facilities. Many commercial recovery site vendors and some enterprises also maintain alternative locations for business operations and users that may or may not be equipped with workstations and communications capabilities. There are myriad alternative implementations that can be selected. This strategy can be used to support RTOs in a very broad range, from hours to days. Virtual Business Partners. Similar to the multiple processing site alternatives described above, this strategy relies upon another outside business 368

AU8231_C006.fm Page 369 Thursday, October 19, 2006 7:02 AM

Business Continuity and Disaster Recovery Planning partner’s IT or workspace capabilities to support recovery. As with the multiple processing site alternatives, configuration management is a must. Although there may well be exceptions to this assumption, the RTO support provided by this strategy, in most cases, is in a days to weeks timeframe. IT Recovery Alternative Processing and Support Agreements. Described below are a series of miscellaneous recovery alternative considerations. The prepared CISSP candidate must be familiar with them.

Reciprocal or mutual aid agreements are formalized agreements between two different organizations, or even multiple locations within one organization, that support similar or dissimilar IT processing objectives. The reciprocal agreement philosophy is sometimes plagued with challenges like proactive configuration management coordination (operating systems releases, hardware compatibility, operator training, telecommunications similarities, etc.) between two organizations’ IT sites, who must agree to support each other. One additional concern is that if one of the two participants declares a disaster, which may or may not have similar processing configuration environments, the first organization is, in effect, declaring a disaster at both sites, as both sets of users will be adversely affected by the disaster. Commercially available service bureaus have similar characteristics as the reciprocal agreements discussed above. A service bureau normally services multiple customers and agrees to provide recovery capability should a disaster occur at one of the subscriber locations. The challenges of this type of recovery alternative are very nearly the same as described above for the reciprocal/mutual aid agreement alternatives. Data and Software Backup Approaches. Electronic vaulting is a type of data backup strategy that utilizes IT infrastructure (communications network) to send data and software backups directly to a facility, like a hotsite, to ensure that the data is on-site and available should a disaster occur at the primary site. The data can be stored in disk or tape media, depending upon the RTO requirements of the organization. Electronic vaulting significantly improves RTOs in organizations that use magnetic tape as a backup media stored at an off-site location.

Remote journaling is a process that involves replicating data transactions, or other categories of data, in a real-time or near-real-time manner at a secondary processing site. Presumably, this secondary site would be used as a hot recovery alternative for IT systems and infrastructure. The RTO support provided by this strategy is measured in terms of seconds and minutes in most cases. Off-Site Storage. Traditional IT data and software backup techniques require making regular backups and removing and storing them at a secondary secure off-site location. Should a disaster occur, the tapes would 369

AU8231_C006.fm Page 370 Thursday, October 19, 2006 7:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® be transported to the secondary site for use in recovering IT capabilities. The RTO support from this type of strategy is usually measured in three to five days. Storage Area Networks. A storage area network (SAN) is a data storage capability characterized by using high-speed subnetworking of shared disk storage devices. In this case, the data is not stored directly on the organization’s network servers so that server power can be used for IT production work. Database Shadowing and Mirroring. Database shadowing and mirroring involves the writing of data simultaneously to multiple disks (redundant array of inexpensive disks (RAID)) to provide redundant data locations in case of single-drive failure situations. Therefore, mirroring provides rapid recovery of data should a single drive fail. If a multiple-drive loss of the environment occurs, this technique can be ineffective. DRP Recovery Strategies for IT. Voice and data infrastructure communications are every bit as important as IT systems. Network recovery strategies are unique to the specific enterprise recovery requirement and, consequently, will require that adequate technical staff expertise be available to the CPPT to devise appropriate recovery strategies, usually with long lead times. DRP Recovery Strategies for IT Infrastructure. For IT infrastructure recovery alternative strategy development there will be IT infrastructure resource requirements to operate time-critical network infrastructures. These most likely will include both voice and data communication requirements and any other equipment needed to support the various recovery tiers. As with IT DRP strategy development, knowledgeable technical and business experts are the best equipped to determine recovery resource requirements.

Sometimes, voice communication recovery is even more time critical than data network recovery. Provisions must be made, in advance, for the capability to divert inbound voice communication to another location. An estimate of capacity required to support time-critical processes must be made to provide cost-effective continuity for voice communication. Allowances for outbound voice communication must also be addressed. Similar to voice communication, estimates of data communication bandwidth and other technical requirements are required. The recovery location, determined by the IT systems, application system, and data center requirements, must be known to determine the exact data network recovery requirements. Department computing locations and resulting local data networking requirements also must be determined and agreed upon. Data communication should be restored at the chosen alternate comput-

370

AU8231_C006.fm Page 371 Thursday, October 19, 2006 7:02 AM

Business Continuity and Disaster Recovery Planning ing facility (hotsite, etc.), as well as at the locations that personnel/users may be operating from, if outside their primary business location. BCP Recovery Strategies for Enterprise Business Processes. S i m i l a r t o recovery strategy development techniques used for IT and IT infrastructure, the development of business continuity plans for business processes (or functions or units) follows a parallel path. The CPPT should use the enterprise business process maps of time-critical business processes matched to business departments or divisions, etc., as a guide. The CPPT can then utilize that information to meet with business experts to develop the most appropriate recovery strategies.

The CPPT and the business unit participants must consider many factors in determining the most appropriate recovery strategies. For instance, they must consider: • • • • • • •

Business process/function/unit priorities Time-critical process descriptions IT Infrastructure needs IT systems needs Recovery time objectives (see definitions section) Recovery point objectives (see definitions section) Cost/benefit analysis for each potential recovery alternative, including manual workaround procedures • Recovery alternatives, such as: – Workspace/facilities (see discussion above) – Virtual business partners (see discussion above) – Logistics and supplies – Transportation of supplies and employees – Workspace at alternate site for equipment and employees – Emergency funds availability to speed decisions and acquisitions Other inventory information will be fully discussed in the next section of the chapter. Developing Facilities Recovery Strategies. The requirements for the above resources must also be translated into physical facility requirements. The combinations of options are too numerous and complex to be described here. If an organization’s key business functions are not centralized, the communications and facilities recovery resources provided by external vendors may meet their needs. In other cases, an alternate location, controlled by the business unit, may be required. The BIA will indicate which business units need to resume critical processes and when, according to its tier level. It will also indicate the number of employees required for each tier, and their equipment and supply needs.

371

AU8231_C006.fm Page 372 Thursday, October 19, 2006 7:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® An overall facility recovery strategy must also be defined. The logical process is similar to developing data center alternatives. Business experts should be involved as much as possible in considering suggested recommendations and should be allowed, with management, to review and approve them. Integration of Disaster Recovery Plans and Business Continuity Plans into the Crisis Management Process. DRP and BCP strategy development

considerations do not stand alone in times of emergency or disaster. Common mitigation and response strategies must also be linked to the enterprise crisis management planning scheme. Many organizations, especially since 9/11, have created a crisis management team infrastructure that is responsible for monitoring events and reacting to a disaster that affects the enterprise. Development of crisis management plans will be discussed later in the chapter, but for now it is important to keep in mind that the alternative recovery strategies designed for IT and the business processes will link to the overall crisis management strategy of the enterprise. (See Figure 6.2 for how crisis management interfaces with the BCP and DRP structure.) Recovery Strategy Development Techniques. One way for the CPPT to gather this information and gain consensus is to facilitate meetings, designed to determine and document the most appropriate recovery alternatives to continuity planning challenges, as below:

• Determine if a hotsite or any other recovery resource is needed for IT recovery purposes • Determine if additional communications circuits should be installed in a networking environment • Determine if additional workspace is needed in a business operations environment, etc., using the information derived from the risk assessments After these facilitated meetings, CPPT professionals work with the business process owners or representatives, as well as the technical teams, to create business process documentation with the current state information and proposed recovery alternative recommendations for management approval. Identifying Recovery Alternatives. This step involves identification of recovery alternatives available for each of the tiers of recovery (unique to each organization). The recovery strategy is based on the required recovery timeframe.

Table 6.7 illustrates only one method an organization may want to use to prioritize business processes or IT infrastructure components. Conducting the Recovery Alternative Meetings. R e c o v e r y a l t e r n a t i v e meetings are an important step in the continuity planning process. In the 372

AU8231_C006.fm Page 373 Thursday, October 19, 2006 7:02 AM

Business Continuity and Disaster Recovery Planning Table 6.7. Method to Prioritize Business Processes or IT Infrastructure Components Recovery Tier

Recovery Timeframe

I

0–24 hours

II III IV

1–3 days 3–5 days Other

Recovery Requirement Resources must be available in advance and implemented first Resources must be available in advance Resources must be identified and quickly available Resources must be identified

meetings, key business representatives and IT technicians brainstorm and agree on the most appropriate recovery strategies. The agenda might include: • Introduce the participants • Provide an overview of current state (BIA, benchmarks, risk assessment, etc.) • Present an overview of the meeting rules and expectations • Discuss recovery alternatives and reach consensus • Identify recovery alternative resource providers • Determine strategies for getting management approval • Identify next steps • Obtain time commitments from team members for next steps • Answer questions and address concerns Developing Continuity Plan Documents and Infrastructure Strategies.

As stated, the results of the BIA are used to develop continuity strategies that are documented in the recovery alternative strategy deliverable. The required resources, recovery timeframes (based on the business process), and recovery alternatives are identified, and management approval of the recommended alternative is obtained. Once the strategic alternatives have been identified and agreed upon, they must be documented in a deliverable, the strategy report, which might be reviewed by senior management. Because expenditures for recoverability can be substantial, the approval level required is almost certainly at the officer level, possibly as high as the executive committee or board of directors. For this reason, the CPPT alternative recovery report must be written in business terms with a minimal amount of jargon. In addition to a description of the alternatives, each alternative must be evaluated for cost and noncost factors and presented to management for decision. Developing Testing/Maintenance/Training Strategies. The real cost of continuity planning is in the long-term testing, maintenance, and training activities required to keep the continuity planning process vital and oper373

AU8231_C006.fm Page 374 Thursday, October 19, 2006 7:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® ational. It is the responsibility of the CPPT, on behalf of the enterprise, to create and document the strategies necessary to successfully manage the following ongoing processes. Testing. In the next section of this chapter, development and implementation of continuity test plans will be discussed fully. It is important, however, at this stage in the methodology that the organization formalize short- and long-term testing philosophies to include policies and standards that can be applied to the testing process following implementation. Maintenance. Maintenance procedures are also described in the next section. As above, it is important at this stage in the methodology that the CPPT formalizes short- and long-term maintenance policies and standards for the maintenance process. Training. Prior to 9/11, awareness and training of contingency or recovery team members was usually considered a secondary task. This training was done infrequently, for a number of reasons. Following 9/11, however, people are far more aware of the need to prepare responsible personnel for crisis and recovery activities, and provide regular, ongoing training and frequent testing. This awareness has caused some to favor increased testing and practice over exhaustive documentation of some types of continuity plans. Plan Development Phase Description. Once the recovery strategy phase is complete, the CPPT can move into the plan documentation phase of the project. This phase is where the organization, with the assistance of the CPPT, actually develops the crisis and continuity plans that will help effect the most efficient and effective recovery. The team will design and prepare migration plans in line with the preliminary recommendations and action plans. The primary activities that take place during this phase of the methodology are:

• Determine the practicality of using continuity planning software • Create continuity plan structure and gather required information • Acquire appropriate backup resources Use of Continuity Planning Software and Tools. Traditionally, organizations have documented their continuity plans using paper-based technologies (i.e., typewritten, word processing based, etc.). Continuity plans that are on paper-based forms are designed to facilitate the rapid recovery of business processes and supporting resource operations. They are cumbersome, however, and are often merely developed and put on the shelf. The goal is to develop the plan, test it appropriately, then continue testing and maintaining it. The real cost of continuity planning is not in the original development of the plans; it is in the ongoing testing and maintenance of the plans and the entire continuity planning process. Any tool that enhances an organization’s capability to effectively document, test, and maintain continuity plans is advantageous. 374

AU8231_C006.fm Page 375 Thursday, October 19, 2006 7:02 AM

Business Continuity and Disaster Recovery Planning Many organizations have acquired and implemented continuity planning software planning tools (a large number of which are commercially available). Continuity planning software helps planners construct recovery plans by automating the planning and documentation task. Use of continuity planning software should save time for the organization, improve the overall effectiveness of the recovery plan documentation process, and facilitate maintenance and execution of the plans. The continuity planning software solution or mechanism should be easy to use and maintain, and should be based on a sound business continuity planning methodology. It must be compatible with existing organization systems. The tool should also allow for an appropriate degree of plan roll-up for validation and review purposes, and should have the ability to demonstrate to management the robust state of the continuity planning implantation. Continuity planning software tools also enhance overall awareness and training of those individuals responsible for development, implementation, testing, and maintenance of continuity plans, if the data-gathering technique or method is standardized. As the plan writers will be the same people who implement and execute the plans should disaster strike, value is added to the organization — because everyone is on the same page. Some of the advantages of using continuity planning software are: • • • • • • •

Standardized tools Centralized development Oversight audit and management Improves testing and maintenance Facilitates plan implementation Prepare manual plans Can be used in an online manner during a crisis or disaster

Future Trends in Continuity Planning Automation. Another trend in the industry is the use of existing enterprise in-house technologies to build platforms for maintaining continuity plans in an automated environment. This has many of the software-related advantages mentioned above. It also allows the organization to Web enable the continuity plan development and maintenance procedure. While providing for multiple copies to be maintained, Web-enabled plans are easier to use during an emergency. Examples of these types of technologies include Lotus Notes, Sharepoint, and numerous database applications. This approach can sometimes be much more cost-effective than purchasing and maintaining externally developed continuity planning software products. Building Continuity Plans. Continuity Plan Development. During plan development, the CPPT assists the IT and BCP teams in documenting their plans. Using the recovery strategies determined previously, the CPPT can initiate or at least facilitate development of enterprisewide business continuity plans. 375

AU8231_C006.fm Page 376 Thursday, October 19, 2006 7:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Business Continuity Plans for Enterprise Business Operations. The information used to populate business continuity plans is based on the current state assessment phase and should include the strategies as determined in the development phase. The resulting business continuity plans will comprise the activities and tasks required by business process owners for recovery of the process. Disaster Recovery Plans for IT and IT Infrastructures. The IT disaster recovery plans will address the technical recovery priorities as determined during the strategy phase and will include the procedures, team structure, and inventory information required by IT.

For all intents and purposes, the basic structure and the categories of information required for both the IT DRP and the BCP are very similar. The following is a description of the types of information that should be organized and formalized into the continuity plans. CONTINUITY PLAN CONTENTS. The purpose of a business continuity plan is to significantly reduce the impact that will be suffered by the organization if a disaster strikes. To accomplish this, it is important that the continuity plan and planner address most of the contingencies that may arise ahead of time. It will be too late to disseminate the specific guidance on recovery decisions to recovery personnel following a disaster. In times of crises, people are placed under a great deal of stress and can be subject to unpredictable decision making. This can result in mistakes that will slow the recovery. The plan should anticipate appropriate measures that expedite recovery and provide direction to both experienced and inexperienced personnel on how best to proceed. Although it is impractical and impossible to prepare an exhaustive list of all contingencies and directions on how to address them, it is very possible to document the plan with precise recovery guidelines, and assign tasks to specific recovery team members.

Continuity plans are composed of three broad categories of information: • Scope, objectives, and assumptions (testing and maintenance responsibilities) • Execution and logistical information (i.e., team structure, recovery tasks, etc.) • Inventory information (i.e., space, people, software, networks, etc.) DEFINE CONTINUITY PLAN SCOPE, OBJECTIVES, AND ASSUMPTIONS. Introductory information contained in all continuity plans is relatively standard and includes the following:

• Introductory information and a description of the purpose of the continuity plan (i.e., table of contents, background, scope, objectives, assumptions, etc.) 376

AU8231_C006.fm Page 377 Thursday, October 19, 2006 7:02 AM

Business Continuity and Disaster Recovery Planning • Plan maintenance responsibilities (who specifically is assigned maintenance responsibilities and what are their timeframes) • Plan testing responsibilities (who specifically is assigned testing responsibilities and their timeframes) Identify the Recovery Team Structure. The CPPT should assist in the identification of those individuals who will be assigned recovery team responsibilities. Each team should be comprised of individuals who have the appropriate expertise to recover and add value to the CPP effort. Of course, there is no hard and fast guideline on the number of individuals that should be assigned to each of these teams. This decision depends upon the organization. The following recovery team functions are suggested as a minimum.

The recovery management team (RMT) is responsible for leading the recovery effort. All other recovery teams report to the RMT, and all decisions flow from this team. The RMT is responsible for actually declaring a disaster (or degree of disaster) and communicating it accordingly. The RMT should have team members with the authority to make quick, considered decisions, and be able to authorize recovery expenses. This team should also have representatives of various departments such as human resources, so that notifications and communications with employees and their families can be properly facilitated. There should be a security presence on this team to help prevent fraud, looting, vandalism, etc., if possible. Legal and life safety issues must also be considered when naming team members. The damage assessment team has the important responsibility to quickly assess the current situation and ascertain whether the event will render the IT or business processes unavailable for longer than the RTO. Whatever their decision, the team lead should quickly provide his assessment to the RMT leader along with the recommendations on next steps. If a disaster has been formally declared, the backup activation team initiates the recovery procedures as outlined in the continuity plans, including but not limited to moving to alternate sites; scheduling and executing the transfer of people, equipment, and other resources; and recovering the most time critical processes and systems first. Once the time-critical systems or business operations have been restored, the backup operations team takes over the more routine operations of the processes while restoration procedures are initiated. The restoration team is responsible for further diagnosis of the damage and for the restoration of the systems or business operations capabilities to their original or desired condition. These responsibilities include, but are not limited to, cleaning, salvaging, repair, procurement, and replacement activities.

377

AU8231_C006.fm Page 378 Thursday, October 19, 2006 7:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Once the restoration team has completed its duties, the primary site/service reactivation team is responsible for preparing the primary site or capability for reactivation. This must include a full test of the newly renovated systems or business operations capabilities, ensuring that they are fully functional, so as not to cause yet another disaster by moving away from the backup site too soon. Recovery Plan Logistical Information. Once the CPPT has identified and assigned the recovery team’s responsibilities, it is time to document those activities and tasks associated with the recovery of time-critical systems and business processes. This portion of the continuity plan should really be considered the heart of the plan. The suggested order of tasks is as follows:

1. Detail recovery procedures, checklists, etc., that outline the precise steps necessary to recover time-critical applications, systems, networks etc., depending upon the scope and objective of the recovery plan. 2. Assign recovery team personnel who are responsible for executing the specific recovery procedures. 3. Assign a location where the recovery activities are to take place (EOC, etc.). 4. Assign the presumed timeframe for the recovery activities. 5. Identify to whom the recovery teams are to report, what they should report, and when they report (in what timeframe). Continuity Plan Inventory Information. Because the recovery teams will require resources to execute their assigned recovery duties, resource inventory information should be gathered and documented prior to the disaster for ease of access.

To provide the access to this inventory information, these inventory lists should be supplemented, expanded, or centralized into appropriate appendices within the continuity plan, rather than included in the text of the continuity plan itself. The inventory information consists of all the time-critical inventory information, and only the time-critical inventory information, required to successfully execute the recovery effort. This inventory information includes detailed listings of people, equipment, documentation, supplies, hardware, software, vendors, other suppliers, critical applications, required data processing reports, networks/communications capabilities, vital records, transportation, data backup, backup facilities, backup site directions and amenities, civil authorities, customers (internal and external), recovery site personnel (third-party vendor), off-site storage personnel (third-party vendor), location of emergency funds, etc. 378

AU8231_C006.fm Page 379 Thursday, October 19, 2006 7:02 AM

Business Continuity and Disaster Recovery Planning Facilitating Continuity Plan Development by the CPPT. Table 6.8 is provided as a guide for how CPPT members may want to approach the documentation of continuity plans from a procedural standpoint. This table contains suggested approaches only; they are certainly subject to interpretation and customization depending upon their use. The Continuity Plan Contents. The continuity plan contents are:

• • • • • • • •

Plan overview and assumptions Responsibilities for development, testing, and maintaining the plans Continuity team structure and reporting requirements Detailed procedures for recovery of time-critical processes, applications, networks, systems, facilities, etc. Recovery locations and emergency operations centers Emergency operations communications channels Recovery timeframes Supporting inventory information (hardware, software, networks, data, people, space, transportation, external agents, documentation and data, etc.)

Contrasting Crisis Management and Continuity Planning Approaches.

Crisis management planning is defined in the American Heritage Dictionary as “special measures taken to solve problems caused by a crisis.” Crisis management planning is a term used to describe a methodology used by executives to respond to and manage a crisis. The objective is to gain control of the situation quickly so an organization can manage the crisis efficiently and minimize the negative impacts. Should a crisis strike, the organization crisis management team will be activated to manage the crisis until conclusion. The crisis management team is also utilized during the recovery effort. The continuity plans identify how the business operations (units) should receive support from members of the executive management and crisis management team. Typically, this support would be in the form of facilitated communications, resource allocation and access, and any other support required by the business and IT recovery teams to facilitate rapid continuation of time-critical functionality. Differences in Scope. The continuity plans deal with incidents that cause physical or logical damage to enterprise assets and resources. The crisis management plan deals with those types of incidents, as well as incidents that do not cause physical damage to assets of the organization, such as financial emergency, kidnapping, executive death, or injury. This is the main difference between the two types of plans. Building Crisis Management Plans. Crisis management planning is an integral part of the continuity planning process for the enterprise. Crisis management plans should be activated in a disaster or preemergency situ379

380

Establish communications processes and reporting timeframes with IT and business operations continuity planning teams, as well as with external communities (i.e., shareholders, civil authorities, customers/clients, employee families, press, etc.) Gather and document all inventory information for those resources that support time-critical resources

Facilitate development of activities and tasks to facilitate management of the organization through an emergency/crisis event Assign activities and tasks to continuity team members Identify and establish crisis management emergency operations center location(s)

Meet with client executive management and facilitate development of crisis management team structures

IT Continuity Plans (DRP)

Gather and document all inventory information for those resources that support time-critical resources

Meet with business unit management and facilitate development of continuity team structures for each BU involved in the effort Facilitate development of activities and tasks to recover time-critical BU resources (workstations, facilities, space, vital records, people, telephones, etc.) Assign activities and tasks to continuity team members Identify and establish BU emergency operations center location(s) for each BU involved Establish communications processes and reporting timeframes with client crisis management and IT continuity planning teams

Business Operations Continuity Plans (BCP)

Table 6.8. Continuity Plan Development Guidelines

Establish communications processes and reporting timeframes with IT and business operations continuity planning teams, as well as with external communities (i.e., shareholders, civil authorities, customers/clients, employee families, press, etc.) Gather and document all inventory information for those resources that support time-critical resources

Facilitate development of activities and tasks to facilitate management of the organization through an emergency/crisis event Assign activities and tasks to continuity team members Identify and establish crisis management emergency operations center location(s)

Meet with client executive management and facilitate development of crisis management team structures

Crisis Management Plans (CMP)

AU8231_C006.fm Page 380 Thursday, October 19, 2006 7:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK®

AU8231_C006.fm Page 381 Thursday, October 19, 2006 7:02 AM

Business Continuity and Disaster Recovery Planning ation and be tightly interwoven with the continuity planning structure of the organization. The continuity plans identify how the business processes affected by the disaster are recovered. During that time, the business units receive support from members of executive management and the crisis management team. The role of the crisis management team is to manage the enterprise through the disaster situation and facilitate communication with other teams and parties. Emergency Operations Center (EOC) Designation. These potential scenarios call for at least two, if not three, identified and outfitted EOCs. The first EOC should be in the primary building location of the organization, possibly a large conference room that has been specifically identified as an EOC. The second location should be in a space that is relatively close to the primary location for ease of access by employees, should the disaster be localized in nature. This type of space could typically be another building owned and occupied by the organization, rented space, or a commercially available off-site workspace location. In some instances, where regional disasters are considered a possibility, a tertiary EOC should be established at some distance from the primary location, such as another close-by city or even in another state if necessary. Outfitting the EOC is a matter to be decided by organizational crisis management and continuity planning personnel. An efficiently equipped EOC might include a large number of workstation connections, telephones, tables and chairs, white boards, office supplies, communications equipment (radios, cell phones, satellite phones, etc.), cable television access for monitoring news channels, coffee-making equipment, and appropriate water and food, as desired. Acquisition of Backup or Recovery Resources. It is during this phase that the CPPT should be working with IT technicians and business operations and facilities representatives to acquire and install all those backup and recovery resources identified in the strategy development phase. Examples of the types of resources that should be considered for acquisition and implementation include:

• Commercial recovery site contracts for IT or business process support • IT Infrastructure circuits and supporting telecommunications equipment • Other IT backup and recovery equipment, such as disk drives, workstations, servers, software, and duplicate software licenses or permissions • Equipment such as server racks, mail room equipment, telephones and fax machines, Blackberry devices, cell phones, emergency-useonly radios, etc. Testing/Maintenance/Training Development Phase Description. T h i s phase of the methodology directs the CPPT to design the following: 381

AU8231_C006.fm Page 382 Thursday, October 19, 2006 7:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® • Testing and maintenance strategies for short- and long-term continuity and crisis management • Continuity planning process training and awareness programs Developing Plan Testing Strategies. During this phase, the CPPT should work with the IT and business operations representatives to design appropriate continuity testing approaches and guidelines. The CPPT, however, should begin with the next step, which is to require all those IT and business operations that created plans to perform the very first walk-through test. Initial Testing of the Plans. The CPPT should strongly advise that immediately upon completion of the first continuity plan drafts (before they can possibly be called complete), they must undergo a very fundamental tabletop examination. It really could be considered the first test of the continuity plan, and is simply a walk-through/read-through test. Walk-Through Test Process Description. The objective of the initial continuity plan walk-through process is to bring the contingency organization, which is the same as the recovery team designated in the plan, together to review the entire continuity plan to ensure the accuracy of all information it contains, including:

• • • • • • • • •

Plan objectives Scope and assumptions Plan testing Maintenance Training requirements Contingency organizational structure Interim and alternate procedures Action plan checklists Adequacy of plan appendices

This process will serve to ensure that the plan accurately reflects the continuity strategy, will raise awareness of the continuity team members, and will train each of them in his or her particular continuity responsibilities. The approach to this test is as follows: • Call a meeting of the contingency organization for an appropriate length of time (usually one to two hours). The contingency organization is composed of all those individuals who make up the recovery teams as defined in the plan. There may be others who wish to attend, such as the internal auditor or department managers. • Prepare and distribute a copy of the continuity plan to each participant at the meeting. IT or business operations management, or the continuity management team leader, should lead the discussion by asking all participants to review the plan document, from beginning to end, in an organized manner. For instance, the manager may orally 382

AU8231_C006.fm Page 383 Thursday, October 19, 2006 7:02 AM

Business Continuity and Disaster Recovery Planning review the table of contents while the contingency team members follow along. Test participants should be instructed that they are to discuss the document and suggest changes to ensure that it reflects the true continuity needs of the department. Each chapter of the plan should then be reviewed in sequence. Particular attention should be given to the following areas: – Vital records identification and off-site storage arrangements (departmental plans only) – Plan scope and assumptions – Interim and alternate procedure steps – Team structure appropriateness • Action plan organization, activities, and tasks • Appendixes’ adequacy, completeness, and currency updated accordingly During the walk-through, one individual should be assigned the responsibility of taking notes on any suggested changes to the plan, and then arrange to update the plans accordingly. Once the plans have been updated, the older versions of the plan should be replaced with this new, clearly dated version, and distributed accordingly. Every effort should be made to replace each copy of the obsolete version. Prepare a report that addresses the results of the test, and communicate it to the appropriate people. This would be all levels of management concerned with all aspects of business continuity planning and recovery in the organization. This process should be repeated periodically, depending upon the number of changes that take place within the department, such as changes to the department procedures, organization, personnel, and location. The results of the walk-through test must be documented and the continuity plan updated, as soon as possible following the test. Once the plan has been updated, the initial version of the continuity plan can be considered completed, and the plan can then go into maintenance mode. It is important that members of the CPPT participate in as many of the walkthrough tests as possible. It is wise to divide the team and assign individual members to different departments’ walk-throughs for efficiency. Utilizing the internal/external audit staff in this capacity can also provide for an adequate number of third-party observers so that several departments can conduct their walk-through at the same time, thereby shortening the testing phase window. Developing Long-Term Testing Strategies. Regular and ongoing tests of continuity plans demonstrate their effectiveness, train personnel in continuity 383

AU8231_C006.fm Page 384 Thursday, October 19, 2006 7:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® operations, and serve as a vehicle for updating the plan. The plan should have information describing the status of plan testing or, at a minimum, direction for the reader as to the location of plan test documentation and updated documentation. The importance of ongoing testing of the continuity plan cannot be overemphasized. Specific responsibilities, including test coordination, must be assigned to individuals and activities monitored. The functional titles and names of those responsible should be clearly delineated in the plan. Additionally, more detailed instruction or guidance should be given to those responsible for plan testing. The following are some suggested areas that may be included in test preparation, implementation, and follow-up documentation. TEST OBJECTIVES. What is the purpose and objective of the test? An example would be to test the plan with the objective of determining that the plan’s continuity team structure is adequate and will respond in a timely manner to a test or actual alert. MEASUREMENT CRITERIA. How will the test management team determine if the objectives of the test were achieved? Describe, in detail, the test evaluation criteria, and provide the test team with the materials and guidance required to properly document and evaluate the test’s effectiveness. TEST SCHEDULE. When will the test occur? The test should be scheduled so it does not impact regular production work. The test’s effectiveness will increase with the magnitude and complexity of the test subject matter, reflecting the fact that a disaster would not likely be restricted to one facet of the organization. TEST TIMEFRAMES. How long should the test take? Precise test timeframes should be defined and adhered to. Should the actual testing activity take longer than the defined timeframe, the reasons for it should be thoroughly examined and understood. PARTICIPANTS. Who will participate in the test? The selection of test participants is an important issue. Because one of the primary benefits of testing is the increased awareness and training of the contingency organization, test participants should be selected carefully, with frequent rotation of participants to achieve the maximum possible training benefit for the most participants. TEST SCRIPT. What are the instructions to the test participants? Depending upon the complexity of the test, preparation of the testing script will require more or less effort. Remember that the results of the test will be evaluated using the original test script as a guideline. 384

AU8231_C006.fm Page 385 Thursday, October 19, 2006 7:02 AM

Business Continuity and Disaster Recovery Planning The various types of testing (checklist, structured walk-through, simulation, parallel, and full interruption) are described in the implementation phase. Recovery Plan Updating Instructions and Responsibilities. O n c e c o m pleted, the continuity planning documentation or continuity planning software should be updated. What are the instructions that detail the maximum timeframes for updating the continuity media? Who has responsibility for updating the plans? Development of other follow-up measures may also be necessary. Each of these questions should be answered and documented. Notification of Interested Parties. Almost as important as the test itself is the notification of interested parties, including senior management. This is an essential component in the overall testing strategy of the organization. Timely notification of test results serves to keep senior management attuned to the status of continuity capabilities, and should also demonstrate the need to continue ongoing, regular continuity planning tests. Developing Plan Maintenance Strategies. Similar to the philosophy for longterm continuity planning testing described above, the CPPT should address the long-term strategies for maintaining the continuity and crisis management structure. Among the considerations to be addressed include the following. REGULAR REVIEWS AND UPDATES. Internal and external audit and internal compliance functions can be used to ensure that the plans are regularly reviewed and updated by the IT and business operations components that originally developed them. Regular or spot inspections by members of the CPPT also may prove useful. VERSION CONTROL. This topic is critically important. Obviously, organizations change on a daily basis: employees, employee assignments, departmental shifts, IT and infrastructure changes, etc. As a result, continuity plans, especially hard-copy plans, can get out of date very quickly. Out-ofdate contact lists of key players can result in real execution problems later on, so updating or, worse yet, not updating is vital, as simple as it may seem. As updates are made to the changing plans, a failure of version control could seriously and adversely impact the enterprise. This would happen if an event occurred and the continuity and crisis management teams referred to different versions of the plans. Retrieval and destruction of outdated plans is an important issue, so a process designed to facilitate this is also important. It should go without saying that version control is an absolute must. DISTRIBUTION OF UPDATED PLANS. Along the same lines as version control, distribution control of the plans can be challenging for a couple of reasons. 385

AU8231_C006.fm Page 386 Thursday, October 19, 2006 7:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® The first, mentioned above, concerns version control. The second, however, also has serious ramifications because the information that plans contain is confidential, such as personnel data, confidential company process, and locations. The CPPT must ensure that plan distribution controls are adequate to protect this resource against disclosure to those who do not have the need to know. An automated system for documenting and storing continuity plans can be particularly useful for both version control and distribution challenges. Developing Continuity and Crisis Management Process Training and Awareness Strategies. A training and awareness program is key because it

is the organization’s people who will be designing, documenting, testing, and maintaining the continuity plans that may actually use the plans in an emergency situation. The CPPT should, as part of this phase, understand what internal organization resources are available to spread the word regarding employee awareness of continuity and crisis management activities. Internal groups such as human resources, training, risk management, and others may well already have mechanisms for spreading awareness and training programs available that cover many other topics. Taking advantage of existing organization channels for distribution of this type of information can be very effectively employed by the CPPT. Whether there are internal resources to increase awareness and training, the CPPT must take this reasonability very seriously and, if necessary, create an appropriate program to ensure its implementation. Sample Phase Activities and Tasks Work Plan. The work plan in Table 6.9 presents a sample of the high-level activities and tasks suggested as a starting point for planning for and executing all of the development phase.

Implementation Phase Description Much of the continuity planning process analysis, strategy, and design have been done at this point. The implementation phase is when the agreed upon strategies and action plans are deployed. The objective of this phase is to: • Analyze and validate CPPT implementation plans that were prepared earlier and ensure that initial walk-through tests have been completed • Meet with each of the specific organizational units that will be impacted by the implementation • Monitor recovery resource acquisition and plan implementation efforts Analyze CPPT Implementation Work Plans. The CPPT should consolidate and validate each of the IT and business operations unit implementa386

AU8231_C006.fm Page 387 Thursday, October 19, 2006 7:02 AM

Business Continuity and Disaster Recovery Planning Table 6.9. Sample Phase Activities and Tasks Work Plan Development Phase: Activity/Task

Deliverables

Milestone Definitions

Stage 1: Phase Start-Up and Preparation Define project charter Define project scope Define project management approach Define project organization Develop project plan Develop project work plan Develop PROJECT BUDGET Develop high-level project budget Develop value scorecard Develop value delivery process Kickoff project Prepare for kickoff meeting Run meeting Stage 2: Prepare Continuity Strategy Design Collect benchmarking information Identify potential people enablers Identify potential technology enablers Identify potential physical facilities enablers Plan for continuity strategy design meeting Stage 3: Continuity Strategy Design Session Conduct continuity strategy design meeting Establish success criteria Review leading practices/benchmarking info./enablers from stage 2 Generate improvement alternatives Develop and document high-level recovery strategy Generate rough order of magnitude alternative cost comparison Obtain management sign-off and approvals

Stage 4: Design Detailed Continuity Strategy Initiate detailed design of continuity strategy Design people, technology, and physical facilities continuity strategies Design people, technology and physical facility enablers Obtain detailed quotations/issue vendor RFQs Submit detailed continuity strategy to management for approvals

Management presentation

Recovery alternative recommendations

RFQ Management presentation

387

AU8231_C006.fm Page 388 Thursday, October 19, 2006 7:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® tion work plans to ensure that coordination issues have been addressed, then stage the most appropriate deployment schedule, and then establish an appropriate get-together with each of the organizational entities to consider and validate implementation work plan strategies. Organizational Unit Plan Deployment. The CPPT should schedule deployment meetings with each of the IT and business units involved in the effort and address the following:

• The initial versions of the continuity plans or crisis management plans have been tested • The recovery team structures or the plans have been validated • That there have not been significant changes to the environment since initial planning efforts • The identification of the persons who are assigned continuity planning testing, maintenance, and training responsibilities for the unit • Present long-term testing and maintenance strategies validate understanding • Regular and ongoing communications have been established between the unit and the CPPT or organizational unit that will be taking over the continuity planning process management effort Monitor Implementation. As part of the established regular and ongoing communication paths determined during the deployment meetings, the CPPT must monitor IT and business operations implementation efforts and support those efforts as required. Delays in implementation should be monitored and managed accordingly. Program Short- and Long-Term Testing. This implementation phase includes the deployment and implementation of the long-term testing and maintenance strategies described below. Why Test? Regular ongoing testing, or exercising of continuity plans, demonstrates their effectiveness, trains personnel in recovery operations, and informs the planner of needed updates. Continuity plans should have information describing the status of plan tests or, at a minimum, direction for the reader as to the location of plan testing and updated documentation. Additionally, a walk-through of this plan should be accomplished as soon as possible. As mentioned previously, ongoing testing is vital. Specific responsibilities must be assigned and activities monitored. To achieve this goal, specific individuals must be appointed responsibility for BCP testing and test coordination. The functional titles and names of those responsible should be clearly delineated in the plan. Continuity Plan Testing (Exercise) Procedure Deployment. During plan testing, the CPPT works with business unit leaders to simulate potential disasters and test continuity plans for effectiveness. Any necessary adjust388

AU8231_C006.fm Page 389 Thursday, October 19, 2006 7:02 AM

Business Continuity and Disaster Recovery Planning ments and modifications are incorporated into the plans, so strategies remain flexible over time. There are some very basic tenants of continuity planning testing that should be observed. Objective of Continuity and Crisis Management Plan Tests (Exercises).

There is more than one reason to test. Obviously, the enterprise wants to test its recovery strategies and business continuity plans to see whether they work. Perhaps an even more important reason for the tests is that they serve as a training tool. Tests usually place the participants in a roleplaying situation. By thinking and reacting during the test, they mentally place themselves in a recovery situation and gain an awareness and understanding of what it might take to help the enterprise survive. Another reason for a test is to inventory and enhance the business continuity plans. In other words, a continuity planning test is a way to maintain the business continuity plan and be sure that the included business processes are updated. Tests also demonstrate the capability to recover rather than just demonstrate the existence of a plan to recover. They are also utilized by compliance entities such as internal and external auditors to verify recovery capabilities. Types of Tests. There are myriad ways that an organization can set up and conduct a test. Types of tests include the following. CHECKLIST. A checklist test is one in which the continuity planner or members of the recovery team validate the inventory checklists in their continuity plans by physically walking through the checklist and verifying that each of the inventory items is available and viable. As mentioned earlier, these inventory items include hardware, software, telecommunications, people, equipment, documentation, data, space, transportation, procedures, etc. Areas that may be included in test preparation, implementation, and follow-up documentation are set out in the development phase section of this chapter. TABLETOP WALK-THROUGH. A tabletop walk-through test consists of convening the recovery/continuity team members named in each specific continuity planning document to achieve two objectives. The first objective is for the team members to thoroughly study and discuss all aspects of the planning document or output and to challenge every assertion, assumption, activity, task, action, etc., called for within the plan. This challenge involves open discussions about the practicality, correctness, viability, and suitability of every aspect of the plan. Recovery team members should be encouraged to openly question any aspect of the planning strategies, etc., to work through areas of the plan that may well need to be changed. The second purpose for a tabletop walk-through is to serve as a training and awareness tool. It is intended to help the continuity planner to familiarize the recovery team members with their specific roles and responsibil389

AU8231_C006.fm Page 390 Thursday, October 19, 2006 7:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® ities, and also begin to indoctrinate them into thinking like a recovery team — a practice event, if you will, that allows the team members to participate and begin to get comfortable with acting in a recovery team environment. SIMULATION. A simulation test is one where the organization actually conducts some level of simulation of an emergency/disaster event. The breadth and scope of this type of simulation exercise can vary significantly from a very small localized departmental simulation to an all-out enterprisewide simulation, and all events in between. PARALLEL. A parallel test is often used in a transaction-oriented business environment supported by IT. An organization may decide to retrieve yesterday’s backup data and apply today’s transactions against that data in a parallel way to compare the results to today’s actual processing files to ensure that they are exactly alike. This process will highlight any faults in the data reconstruction process. FULL INTERRUPTION. Not usually recommended as an appropriate testing approach because it requires interruption of actual production activities on a real-time basis, a full interruption test is an all-encompassing continuity planning test. Extreme care should be taken when conducting this type of test so as not to actually disrupt production or even cause a real disaster. Under certain circumstances, this may be a useful method, but care is advised, as it involves a deliberate interruption and then recovery of business processes.

Areas that may be included in test preparation, implementation, and follow-up are set out in the development phase section of this chapter. In addition, Geoffrey Wold in his book Business Continuity Preparedness10 presents a well-written discussion on testing the plan (Chapter 15, p. 15-1), including a detailed discussion on the advantages and disadvantages of test types. Program Short- and Long-Term Maintenance Strategies. S h o r t - a n d long-term maintenance strategies were designed and documented during the previous phase. It is here where the final approved strategies are deployed and introduced into systems and business process documentation and standard operating procedures. Each continuity plan should contain directives relative to short- and long-term maintenance responsibilities. This is also the time to ensure that any metrics that have been developed for the continuity planning process are updated with the shortand long-term maintenance strategy expectations. Regular Review and Updates. Depending upon the continuity plan documentation method (i.e., hard copy, internally automated, Web based), the continuity plan infrastructure should be subjected regularly to review for currency and viability. Given the significant investment in time and 390

AU8231_C006.fm Page 391 Thursday, October 19, 2006 7:02 AM

Business Continuity and Disaster Recovery Planning resources required to develop a viable continuity planning structure, the use of tools and techniques that facilitate a regular and ongoing review of the continuity plans is vital to protect that investment. In addition, keeping the plans current will help ensure that they are capable of doing what they were designed for: to drive down the impact of a disaster by facilitating rapid recovery actions and activities. Version Control. As mentioned previously, version control of continuity plans is a critical issue when the plans themselves are hard copy or paper based. Enterprise distribution and tracking of the plans is essential, so the continuity planner can efficiently facilitate their updating as circumstances change within the organization. It is very easy to understand that in times of emergency, everyone should be working from the same version. Even in an internal automated environment where hard-copy plans are merely stored on automated media, version control is critical. If the plans are Web based, with appropriate database capabilities, version control and change management issues are less challenging. This is one big reason why automation of continuity planning structures is desirable. Retrieval and Destruction of Outdated Plans. As mentioned above, if the continuity planning structure is paper based, document version control, storage, retrieval, and destruction processes must be developed and rigidly adhered to. Unlike other, more normal types of organizational information, continuity plans are often designed with the intention that they will be taken off-site and stored elsewhere, including employees’ homes, automobile trunks, etc. It is important that a continuity planner develop and oversee an effective plan inventory process. Updating Contact List of Key Stakeholders. Along with version control and inventory processes comes the necessity for a continuity planner to ensure that recovery team and key contact calling trees or contact lists are kept current. This is more easily accomplished in an automated environment than when paper-based plans are used. There is often a high degree of sensitivity also associated with this process. Key organizational stakeholder detailed contact information must be maintained under an appropriate level of control for obvious privacy and security purposes. Program Training, Awareness, and Education. Continuity planning, like the information security function, is much more a people issue than a technical issue. Why are the training, awareness, and education processes so important? Because of the following reasons:

• • • • •

It It It It It

is is is is is

the organization’s people who know the business processes. the people who must document that plan recovery processes. the people who will test and maintain the plans. the people who will be impacted by the event. these same people who will have to recover the organization. 391

AU8231_C006.fm Page 392 Thursday, October 19, 2006 7:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Therefore, a high degree of importance must be placed by the organization on the people’s training, awareness, and education. A lesson learned from the 9/11 event was that although heroic efforts were put forth by many brave people, more focused attention on training the recovery teams would have been much more useful before the event, rather than devoting the thousands of hours by many organizations in documenting, to the nth degree, a comprehensive continuity plan that turned out to have little relevance to the situation at hand. In acknowledging the critical importance of this activity, it is often useful for a continuity planner to seek out internal or external training/education/awareness subject matter experts to assist in developing and deploying the most appropriate processes for achieving this vital objective. This would include focused attention on all three components of the process: training, awareness, and education of the organization’s people. Emergency Operations Center (EOC). When implementing the emergency operations center, two fundamental recovery scenarios must be considered:

• The disaster has occurred, but it has not affected the physical location, and therefore the organization’s people can stay at work and continue working, only without one or more of their supporting resources (IT, for instance). • The disaster has occurred, and it does impact the organization’s physical location or premise; thus, the people have to relocate to secondary locations to carry out time-critical process recovery. See the implementation phase for further guidance on the EOC. Management Phase Description The management phase of the methodology focuses the CISSP candidate upon those activities, tasks, and responsibilities associated with organizing and executing the day-to-day management of the continuity planning process on a go-forward basis. During this process, the CPPT works with the business process owner or representative to focus attention on program oversight and continuity planning manager roles and responsibilities. Program Oversight. Completely aside from the many phased tasks and activities presented in this chapter (most of what the continuity planning manager or function should be responsible for), there are a number of ongoing oversight duties that are required to ensure the health and viability of the continuity planning process (CPP). Continuity Planning Manager Roles and Responsibilities. Following is a list of some of the oversight duties that an enterprise continuity manager might be responsible for: 392

AU8231_C006.fm Page 393 Thursday, October 19, 2006 7:02 AM

Business Continuity and Disaster Recovery Planning • Continue to serve as the primary CPPT contact, even if the initial CPPT membership is pared down after implementation of the continuity planning process • Serve as the primary contact for the enterprise CPP; present information on such topics as status, requirements, and environmental changes that drive CPP changes, industry leading practices, threat potential, and the changing threat environment • Develop and maintain continuity planning policies, standards, procedures, and practices • Plan, lead, or otherwise observe the execution of major continuity planning exercises and tests • Serve as a communication clearinghouse for continuity planning subprocesses such as the IT disaster recovery planners, business continuity planners, facilities management, and members of the crisis management team • Serve on the crisis management team as the continuity planning expert • Ensure that continuity planning efforts are included when negotiating or otherwise dealing with significant external trading partners, business partners, and all other virtual organizational dependencies • Serve in a continuity planning consulting role to all disaster recovery, continuity planning, and crisis management planning functions • Interface with external continuity planning vendors, commercial recovery site representatives, relevant software vendors, consultants, and other CPP-related external entities • Advise and assist organization or business units with the need to verify or otherwise validate the continuity planning capabilities of an external entity, if their time-critical business processes rely on them • Develop, maintain, and participate in continuity planning-related training, education, and awareness programs • Interface with internal departments responsible for physical, environmental, and information security to ensure that coordination of activities is maintained • Ensure that the connections between formalized emergency response programs and written procedures include hooks into the crisis management and continuity plan structures • Work as a liaison with the IT disaster recovery lead to ensure that IT department and business operations RTO expectations are aligned and adjusted as needed, including consideration of off-site data backup practices, alternative recovery site status, RTO and RPO changes, etc. • Prepare short- and long-term CPP budgets and plan for future enhancements to the process • Participate with management in developing, maintaining, and abiding by a well-developed set of qualitative and quantitative CPP metrics 393

AU8231_C006.fm Page 394 Thursday, October 19, 2006 7:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® • Lead periodic refreshers of the BIA, especially as enterprise organization conditions change • Work with internal and external audit and regulatory entities to ensure understanding and compliance with enterprise continuity planning policies and standards • Work with internal and external regulatory entities on follow-up of exceptions or deficiencies noted in past audits and help resolve issues • Periodically refresh the risk assessment to ensure awareness levels of the changing threat environment We started the chapter with the objective to provide the CISSP candidate with a step-by-step map on how to view, develop, implement, maintain, and measure an appropriate continuity planning process for his or her organization. We have provided a logical continuity planning methodology with the expectation that when finished studying this chapter, the CISSP candidate should have well-founded knowledge of the continuity planning process. We covered: Project initiation phase: This phase sets the tempo for each succeeding complementary phase. Clearly articulated or demonstrated management intentions and commitment will contribute to the success of later continuity planning phases. Current state assessment phase: This phase provides management with the practical information it must have to make informed decisions concerning business continuity planning activities. Design and development phase: This phase provides the continuity planning project team with the information needed to design an efficient and effective recovery. Implementation phase: In this phase, the CPPT formalizes and deploys all the plans, testing, maintenance, training, and measurement processes created in the development phase. Management phase: Finally, this phase focuses the CISSP candidate on those activities, tasks, and responsibilities required to successfully execute and manage the continuity planning process day to day. CISSP candidates must understand that continuity planning is truly a business process, rather than just an event or a plan to recover. It emphasizes the importance of time-critical business processes to the enterprise. Organizational survival is the primary rationale for planning, whether the organization is a business, government, educational, public, or private entity. Short- and long-term support of time-critical business (or organization) processes is the important factor. Avoidance of financial loss is an obvious need for planning. The possibility of customer service interruption or failure to fulfill the ethical and legal obligations of the organization to employees and shareholders also demonstrates the need for planning. Without effective planning, the organization is forced to attempt a 394

AU8231_C006.fm Page 395 Thursday, October 19, 2006 7:02 AM

Business Continuity and Disaster Recovery Planning response to a disaster without an understanding of its recovery priorities, the time and resources needed to reestablish time-critical business processes, and sources of services and products needed during recovery. The delays caused by such lack of planning can be fiscally lethal, depending upon the structure and purpose of the organization. Once developed and implemented, the individual components of the continuity planning process must be tested. What is more important is that the people who will participate in the recovery of the organization must be trained and made aware of their roles and responsibilities. Failure to do this properly was probably one of the largest lessons learned from the September 11 attacks. Continuity planning is all about people. An appropriate measurement system is also crucial to success. Organizations must measure not only the financial metrics, but also how the continuity planning process adds value to the organization’s people, processes, technologies, and mission. These metrics must be both quantitative and qualitative. Terminology The following list of terms represent more than just a definitions list; it also contains some explanation as to the application for the term discussed. Business continuity planning (BCP): Typically refers to the process or business function of continuity planning activities, also known as business resumption planning. Business impact analysis (BIA): The process of identifying, compiling, documenting, and analyzing the business requirements for continuity. The BIA is the process by which organizations can quantify, qualify, and validate the impact of potential threats on economic and operational capabilities; determine recovery timeframe requirements of essential business functions and supporting applications and IT infrastructure; establish recovery priorities; and recommend recovery priorities and strategies. Contingency organization: Simply another name for the recovery team structure that has been formed and named in the various continuity plans. The concept of a contingency organization is that it collapses the normal state structure to a more streamlined reporting structure that is required to execute a rapid recovery following an event. Once the event is over, the organization reverts to its traditional organization chart and decision processes. Continuity planning (CP): The ultimate purpose of continuity planning is to reduce the impact of an adverse event. The term as it will be used within the context of this chapter encompasses all aspects of an enterprisewide continuity planning infrastructure, otherwise referred to as the continuity planning process. Continuity planning 395

AU8231_C006.fm Page 396 Thursday, October 19, 2006 7:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® is a process that includes all aspects of preparing continuity plans and ensuring that the continuity planning process is healthy and viable. It also acknowledges that the continuity planning process adds value to the people, processes, technologies, and mission of the enterprise. Crisis management plan (CMP): This plan focuses on developing an effective and efficient enterprisewide emergency/disaster response capability. This response capability includes forming appropriate management teams and training their members how to react to serious company emergency situations (i.e., hurricane, earthquake, flood, fire, serious hacker, or virus damage). CMP also encompasses response to life safety issues for personnel during a crisis or response to disaster. Defining disaster: It is impractical to attempt to anticipate all of the potential events that might be considered disasters. However, within the context of this chapter, a disaster is defined as any incident that results in the loss of support for time-critical business processes for longer than its predetermined recovery time objective (RTO). The RTO is normally determined during the business impact assessment (BIA) phase of the continuity planning development methodology. Disasters are commonly thought of as resulting from a fire, hurricane, earthquake, or flood — catastrophic acts of nature. This is not surprising, given the unprecedented number of disasters the world has suffered in the past decade. Given the tragic events of September 11, 2001, however, we know that disasters can be the result of manmade events. Events such as the introduction of a computer virus or worm into a computer system, a programming error, or a distributed denial-of-service attack (DDOS), for instance, are also considered disasters. Disasters can even occur as the result of a serious financial fluctuation, executive management disruption, or a simple power outage. Despite the widespread association of disasters with natural disasters, most continuity planning professionals have expanded the definition of disaster to include any event that disrupts business operations. Given the variability in causes of disaster, continuity planning specialists should not attempt to focus on specific types of disasters; rather, they should broaden their view to include any type of event that might disrupt time-critical organizational activity. Disaster recovery planning (DRP): This has traditionally been used to describe information systems or technology (IT)-related continuity efforts. DRP is sometimes referred to as IT continuity planning or, in some government terminologies, contingency planning. These technology-based continuity plans include attention to systems hardware, software (application and systems), and telecommunications infrastructure (both voice and data). Know, however, 396

AU8231_C006.fm Page 397 Thursday, October 19, 2006 7:02 AM

Business Continuity and Disaster Recovery Planning that not all organizations abide by these naming conventions, so it is the wise CISSP who understands and adapts to cultural differences in terminology. Emergency response planning (ERP): CISSP candidates should also be familiar with emergency response planning. The purpose of emergency response plans is to aid the enterprise in rapid identification of events that could cause significant disruption, to describe procedures designed to mitigate the disruption in the first place, and to subsequently reduce the severity of the impact. ERPs are designed to document rapid response actions that reduce the impact of events, while the continuity plans detail actions that the enterprise will utilize following the event to recover capabilities. Information resource continuity plans: These are detailed plans describing the recovery team structure, identifying emergency operations locations, and listing activities and tasks associated with recovery of time-critical systems. Also included are the listings of the inventory information (i.e., data, software, hardware, people, communications, documentation, transportation, off-site facilities, etc.) that the recovery teams must successfully activate. Information resource continuity plans serve to identify the resources and specify actions required to minimize losses that might otherwise result from a business interruption — no matter the cause — and to ensure the timely and orderly restoration of IT functionality in support of the organization’s business activities. Recovery point objective (RPO): Focuses on how much data loss an organization can tolerate without significant financial or operational impact to the business. RPO is defined as the most recent point in time to which data must be synchronized without adversely affecting the organization (financial or operational impacts). The RPO must be reflected in the timeliness of the data stored off-site. Shorter RTOs and RPOs generally result in more complex, technological, and expensive recovery requirements. Recovery time objective (RTO): The period of time within which systems, applications, or functions must be recovered after an outage (e.g., one business day). An RTO is often used as the basis for the development of recovery strategies and as a determinant as to whether to implement the recovery strategies during a disaster situation. Time-critical application: An application that is essential to the organization’s ability to perform necessary business functions. Loss of the time-critical applications would have a negative impact on the business, as well as legal or regulatory impacts. Time-critical processes: Of interest is the difference between the terms critical and time critical when describing a timely reliance on critical processes. Experience has shown that time-critical definitions are translated into what will be viewed as the RTO for those processes 397

AU8231_C006.fm Page 398 Thursday, October 19, 2006 7:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® and resources requiring the shortest recovery windows, typically 8 to 72 hours. No fixed RTO should be assumed, but instead is dependent upon a timely business impact assessment. The time criticality defined for each supporting resource is typically determined during the business impact assessment process.

References 1. U. S. Securities and Exchange Commission. Comments on Proposed Rule: Draft Interagency White Paper on Sound Practices to Strengthen the Resilience of the U. S. Financial System. [Release No. 34-46432; File No. S7-32-02]. http://www.sec.gov/rules/ concept/s73202.shtml. 2. Rebecca, Herold, 2003. Addressing legislative compliance within business continuity plans, in Official (ISC)2® Guide to the CISSP® CBK®, Harold F. Tipton and Kevin Henry (eds.), Boca Raton, FL: CRC Press, 2007. 3. Jackson, Carl B. The role of continuity planning in the enterprise risk management structure, in Information Security Management Handbook, Harold F. Tipton and Micki Krause (Eds.), Boca Raton, FL: Auerbach Publications, 2004. 4. National Interagency Incident Management System, http://www.fs.fed.us/fire/ operations/niims.shtml. 5. Jackson, Carl B., The changing face of continuity planning, in Information Security Management Handbook, Harold F. Tipton and Micki Krause (Eds.), Boca Raton, FL: Auerbach Publications, 2003. 6. Hill, Gerard. The Complete Project Management Office Handbook, New York: Auerbach Publications, 2004. 7. Hiles, Andrew. Business Continuity: Best Practices, World-Class Business Continuity Management 2nd Edition. Brookfield, CT: Rothstein Associates, Inc., 2004. 8. Wallace, Michael and Webber, Lawrence. The Disaster Recovery Handbook: A Step-byStep Plan to Ensure Business Continuity and Protection Vital Operations, Facilities, and Assets, New York: AMACOM, 2004. 9. Harvard Business Essentials. Crisis Management, Mastering the Skills to Prevent Disasters, Boston, MA: Harvard Business School Press, 2004. 10. Wold, Geoffrey. Business Continuity Preparedness, Austin, TX: ALEX eSolutions, Inc., 2005.

Sample Questions 1. Which of the following is considered the most important component of the enterprisewide continuity planning program? a. Business impact assessment b. Formalized continuity plans c. Executive management support d. Hotsite arrangements 2. During the threat analysis phase of the continuity planning methodology, which of the following threats should be addressed? a. Physical security b. Environmental security c. Information security d. All of the above 398

AU8231_C006.fm Page 399 Thursday, October 19, 2006 7:02 AM

Business Continuity and Disaster Recovery Planning 3. The major objective of the business impact assessment process is to: a. Prioritize time-critical business processes b. Determine the most appropriate recovery time objective for business processes c. Assist in prioritization of IT applications and networks d. All of the above 4. Continuity of IT technologies or IT network infrastructure capabilities is addressed in what type of continuity plan? a. Disaster recovery plans b. Emergency response/crisis management plans c. Business continuity plans d. Continuous availability plans 5. Crisis management planning focuses management attention on the following: a. Preplanning that will enable management to anticipate and react in the event of emergency b. Reacting to a natural disaster such as a hurricane or earthquake c. Anticipating adverse financial events d. IT systems’ restart and recovery activities 6. Performing benchmarking and peer review relative to enterprise continuity planning business processes is a valuable method to do all of the following except: a. Help identify leading business continuity planning processes and practices b. Allow realistic goal setting for action plans and agendas c. Provide a method for developing metrics and measures for the continuity planning process d. Compare continuity planning personnel salary levels 7. An effective continuity plan will contain all of the following type of information except for: a. Prioritized list of business processes or IT systems to be recovered b. The business impact assessment report c. Recovery team structures and assignments d. The primary and secondary location where backup and recovery activities will take place 8. All but one of the following are advantages of automating or utilizing continuity planning software: a. It standardizes training approaches. b. It provides a platform for management and audit oversight. c. It eases long-term continuity plan maintenance. d. It provides business partners with an enterprisewide view of the continuity planning infrastructure. 9. Which is the least important reason for developing business continuity and disaster recovery plans? a. Disasters really do occur 399

AU8231_C006.fm Page 400 Thursday, October 19, 2006 7:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK®

10.

11.

12.

13.

14.

15.

400

b. Budgeting IT expenditures c. Good business practice and standard of due care d. Legal or regulatory compliance When conducting the business impact assessment, business processes are examined relative to all but one of the following criteria: a. Customer interruption impacts b. Embarrassment or loss of confidence impacts c. Executive management disruption impacts d. Revenue loss potential impacts The primary purpose of formalized continuity planning test plans is to accomplish all except: a. Define test scope and objectives b. Define test timeframes c. Define test costs d. Define the test script The primary reason for conducting continuity planning tests is to: a. Provide employees’ families with a method for contacting management b. Ensure that continuity plans are current and viable c. Prepare third parties to react to an emergency within the enterprise d. Identify which employees can go home following a disaster During development of alternative recovery strategies, all of the following activities should be performed except: a. Use the prioritized business process maps developed during the BIA to map time-critical supporting resources b. Develop short- and long-term testing and maintenance strategies c. Prepare cost estimates for acquisition of continuity support resources d. Provide executive management with recommendations on acquiring appropriate continuity resources The primary phases of the enterprise continuity planning implementation methodology include all of the following except: a. Current state assessment phase b. Execution phase c. Design and development phase d. Management phase Which of the following statements most appropriately describes the timeliness of processes and supporting resources prioritization and recovery? a. The processes are mission critical b. The processes are critical c. The processes are time critical d. All of the above

AU8231_C006.fm Page 401 Thursday, October 19, 2006 7:02 AM

Business Continuity and Disaster Recovery Planning

Appendix A: Addressing Legislative Compliance within Business Continuity Plans Rebecca Herold, CISSP

When creating business continuity plans, one topic that is often overlooked, or perhaps skipped over because it is viewed as opening another can of worms you just do not want to deal with, is the issue of addressing legal and legislative compliance requirements. There are dozens of laws and legislative requirements in place today that include directives for security and privacy. Additionally, there you may face legal jeopardy as a result of your backup and storage practices. This appendix will briefly touch on a few of the major legislative issues to give you a high-level awareness of each, and to guide you to issues that are most likely to impact your own organization. Additionally, it provides a listing of other related legal and legislative issues that you need to think about and research. HIPAA The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was passed to provide insurance portability, fraud enforcement, and administrative simplification for the healthcare industry. The act touches upon BCP in several sections, including the need to destroy documents following legal proceedings, and similar directives. However, HIPAA provides some explicit requirements for document retention and BCP. The most significant BCP requirements are provided in §164.530, “Administrative Requirements: Policies and Procedures.” Covered entities must have policies and procedures in place to preserve documentation. These policies and procedures must ensure: • Documented policies and procedures are maintained and readily available to appropriate authorized individuals in written or electronic form • Any communications that are required in writing must be maintained in the original form or as an electronic copy as documentation • All actions, activities, or designations required by the regulation to be documented must be maintained as a written or electronic record of such actions, activities, or designations 401

AU8231_C006.fm Page 402 Thursday, October 19, 2006 7:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Additionally, covered entities must retain the documentation listed above for at least six years from the date of creation or the date when it was last updated or in effect, whichever is later. GLB The Gramm–Leach–Bliley (GLB) Act was passed in 1999. Title V of GLB contains privacy provisions relating to consumers’ financial information. In general, these provisions require financial institutions to have restrictions on when they may disclose a consumer’s personal financial information to nonaffiliated third parties, in addition to providing their customers with documentation outlining the financial institution’s information collection and sharing practices. Within Title V are some brief, but significant, directives that will impact a financial institution’s BCP. Section 6801(b)(2) of GLB requires covered entities to provide protection for customer information against any anticipated threats or hazards, and to take appropriate actions to ensure the security of customer records and preserve the record integrity. Such protections must include policies, procedures, and measures to protect against destruction, damage, and unauthorized modification or loss of customer information as a result of conceivable environmental hazards (for example, fire or water damage) or technological failures. Financial organizations must review their business continuity plans to ensure they address these issues. Additionally, covered organizations must implement adequate and appropriate policies and procedures to ensure that customer information files are routinely backed up and stored at secure and off-site facilities that are a reasonable distance from the data center so that one incident cannot affect both facilities and destroy data files in both locations. Patriot Act The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, otherwise known as the USAPA and Patriot Act, was signed into law on October 26, 2001. The Patriot Act makes it much easier for the government to obtain information from organizations through several requirements and changes to past laws, such as those governing wiretaps and obtaining subpoenas. At a high level, the sections of the regulation that will impact organizational business continuity plans include: Section 209: Allows the government to obtain access to stored voice mail messages with a simple search warrant. Section 210: Expands the types of information that the government can subpoena from companies. Such information includes logs regarding user sessions, temporary network addresses, and session connection durations. Additionally, the government can request informa402

AU8231_C006.fm Page 403 Thursday, October 19, 2006 7:02 AM

Business Continuity and Disaster Recovery Planning tion about a customer’s method of payment for his Internet service, including bank accounts, credit card information, or other means of payment for the service. Section 211: Cable companies can now provide customer information to the government without notifying the customer, emphasizing the importance of a company’s documentation and retention procedures. Section 212: Requires emergency disclosure of electronic communications if the government determines there is a reasonable threat. Such information must be provided to the government “without delay,” emphasizing the importance for companies to keep comprehensive records, complete with date, time, and similar log information. Section 214: Increases the type of information that can be retrieved via pen registers and trap-and-trace devices. Companies need to be familiar with the legal consequences of such data-collecting methods. Section 215: Increases the types of information that can be subpoenaed by the government for investigating possible terrorist activities. The information includes all tangible items, such as papers, books, manuals, records, hard drives, diskettes, CDs, tapes, any type of computer peripheral used to store data, and any other type of item that can store information. This will require companies to keep comprehensive and accurate inventories of their storage equipment, along with directories of the information on each. Section 216: Specifies that the government can do information gathering of any type, include Internet traffic. As part of this requirement, company personnel may be required to assist the government in its investigation. This directive may very well increase the government’s requests for Internet traffic monitoring. Section 217: Protects the government from lawsuits resulting from what can be determined as warrantless searches. This also defines a computer trespasser as anyone who obtains unauthorized access of a “protected computer.” The government has the ability to intercept electronic communications of computer trespassers without a warrant. Section 218: This section is significant for companies that provide employees with Internet access. The company will be expected to provide logs of electronic communications if the government suspects that the information may be involved in some sort of foreign terrorist activities. This regulation is likely to increase the frequency of the government’s requests for such electronic information. Sections 219 and 220: These sections provide that a warrant issued in one jurisdictional area will be applicable to any other area where U.S. law is enforced, negating previous requirements that the government obtain warrants for separate jurisdictional areas in which terrorism is suspected. Because of the increased ease by which the government can obtain warrants and collect information, companies 403

AU8231_C006.fm Page 404 Thursday, October 19, 2006 7:02 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® can expect a likely increase in requests for information, personnel, or facilities from the government. Section 222: This makes it clear that companies cannot be forced to purchase additional equipment or other resources to comply with the Patriot Act requirements. So, the bulk of the work for companies will be in updating their policies, procedures, and business continuity plans. Of course, you need to be aware of all the sections of the Patriot Act. However, the focus of the previous list was the sections most closely related to BCP. The Patriot Act creates expectations for companies to be thorough and comprehensive in their record-keeping procedures and to be able to provide the government information at any time at its request. Other Issues The previous sections outlined just three of the many laws and regulations that may very well require your organization to take specific BCP actions and make updates. You need someone to identify the other laws and regulations with which your company must comply. The following lists just some of the other laws and regulations you need to review closely, and will help you get started on your important research: • European Union Data Protection Directive • Canada’s Personal Information Protection and Electronic Documents Act • Children’s Online Privacy Protection Act (COPPA) • Electronic Communications Privacy Act (ECPA) • Electronic Signatures in Global and National Commerce Act (E-SIGN) • 21 CFR Part 11 • Software license infringement • Copyright infringement • Civil liability issues • Duty • Breach of duty • Damage • Proximate cause • Negligence • Other legislation • Other laws (federal, state, multinational) OCC Banking Circular 177. Originally issued by the U.S. Treasury Office of the Comptroller of the Currency in the 1980s, BC 177 addresses the need for appropriate continuity planning for federally regulated financial institutions. BC 177 has been adopted by the Federal Financial Institutions Examination Council (FFIEC). The FFIEC 404

AU8231_C006.fm Page 405 Thursday, October 19, 2006 7:02 AM

Business Continuity and Disaster Recovery Planning is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS) and to make recommendations to promote uniformity in the supervision of financial institutions.

405

AU8231_C006.fm Page 406 Thursday, October 19, 2006 7:02 AM

AU8231_C007.fm Page 407 Wednesday, May 23, 2007 9:05 AM

Domain 7

Telecommunications and Network Security Alec Bass, CISSP and Peter Berlich, CISSP-ISSMP

Introduction The telecommunications and network security domain encompasses the structures, transmission methods, transport formats, and security measures used to provide integrity, availability, authentication, and confidentiality for transmissions over private and public communications networks and media. Network security is often described as the cornerstone of IT security. The network is a central asset, if not the most central, in most IT environments. Loss of network connectivity on any level can have devastating consequences, while control of the network provides an easy and consistent venue of attack. Conversely, a well-architected, -protected, and -guarded network provides powerful protection and will stop many attacks in their tracks. Hitherto, most attention has been paid to perimeter defense through firewalls and similar tools. As disappearance of network boundaries becomes a business requirement facilitated through hastened introduction of new technologies and a constant struggle between ease of use and security, it is widely recognized that the inside of a network must be as resilient as its perimeter, that tools alone are ineffective if not combined with proper process, and that the availability of a network is often its key value in business terms. In this chapter, we are going to focus heavily on the Open System Interconnect (OSI) model as a point of reference and Transmission Control Protocol/Internet Protocol (TCP/IP) as the most commonly used protocol stack. We will touch upon other protocol stacks as needed.1 Excellent books and Internet resources exist to learn the basics of networking, and we are only going to cover the basic network concepts insofar as they are required for the self-sufficiency of this book and useful for obtaining an understanding of network security concepts. 407

AU8231_C007.fm Page 408 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® It is not possible to give a complete and comprehensive overview of all possible attack scenarios. For the purposes of this chapter, we will focus on the most important security risks and those that will be instructive to the readers to gain an understanding of network security concepts and enable them to enhance their understanding and gain in-depth knowledge in self-study. CISSP® Expectations The professional should fully understand the seven-layer OSI reference model. Related terms include WWW, nonce, TACACS+, Kerberos, worm, radius, Domain Name Server (DNS), firewalls, proxy, and WEP. Additionally, the professional should fully understand: • Communications and network security as it relates to voice, data, multimedia, and facsimile transmissions in terms of local area, wide area, and remote access • Internet/intranet/extranet in terms of firewalls, routers, switches, gateways, and various protocols • Communications security management and techniques to prevent, detect, and correct errors so that integrity, availability, and confidentiality of transactions over networks may be maintained • Security boundaries and how to translate security policy to controls • How to detect intrusions and collect and preserve evidence • Methods of attack (worms, flooding, eavesdropping, sniffers, spamming, war driving) Basic Concepts Network Models Network communication is usually described in terms of layers. Several layering models exist; the most commonly used are: • OSI reference model, structured into seven layers (physical layer, data-link layer, network layer, transport layer, session layer, presentation layer, application layer) • TCP/IP or Department of Defense (DoD) model (not to be confused with the TCP/IP protocols), structured into four layers (link layer, network layer, transport layer, application layer) One feature that is common to both models and highly relevant from a security perspective is encapsulation. This means that not only do the different layers operate independently from each other, but they are also isolated on a technical level. Short of technical failures, the contents of any lower- or higher-layer protocol are inaccessible from any particular layer.2 Without restricting the generality of the foregoing, we are going to use the OSI model as a general point of reference herein. 408

AU8231_C007.fm Page 409 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security OSI Reference Model. The seven-layer3 OSI (Open System Interconnect)

model was defined in 1984 and published as an international standard (ISO/IEC 7498-1). The last revision to this standard was in 1994.4 Although sometimes considered complex, it has provided a practical and widely accepted way to describe engineer networking. In practice, some layers have proven to be less crucial to the concept (such as the presentation layer), while others (such as the network layer) have required more specific structure, and applications overlapping and transgressing layer boundaries exist. • Layer 1, the physical layer, describes the networking hardware, such as electrical signals, and bits and bytes, such as network interfaces and cabling. • Layer 2, the data-link layer, describes data transfer between machines, for instance, by an Ethernet. • Layer 3, the network layer, describes data transfer between networks, for instance, by the Internet Protocol (IP). • Layer 4, the transport layer, describes data transfer between applications, flow control, and error detection and correction, for instance, by TCP/User Datagram Protocol (UDP). • Layer 5, the session layer, describes the handshake between applications, for instance, authentication processes. • Layer 6, the presentation layer, describes the presentation of information, such as ASCII syntax. • Layer 7, the application layer, describes the structure, interpretation, and handling of information. In security terms, it is relevant because it relies on all underlying layers. From the point of view of the (ISC)2 Common Body of Knowledge, the application layer is covered in the “Operations” section. Each layer is defined so that it interacts with its corresponding layer on the remote host without concern for how the remote’s layer is implemented. In addition, each layer processes messages in a modular fashion, without concern for how the other layers on the same host process the message. For example, the layer that interacts directly with applications (layer 7) can communicate with its remote peer without knowing how the data is routed over the network (layer 3) or the hardware that is required (layers 1 and 2). When an application transmits data over a network, the data enters the top layer and moves to each successive lower level (moving down the stack) until it is transmitted over the network at layer 1. The remote host receives the data at layer 1 and moves to successive higher layers (moves up the stack) until it reaches layer 7 and then to the host’s application. 409

AU8231_C007.fm Page 410 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Layer 1: Physical Layer. At the physical layer, bits from the data-link layer are converted into electrical signals and transmitted on a physical circuit. Physical topologies are defined at this layer. Because the required signals depend on the transmitting media (e.g., required modem signals are not the same as ones for an Ethernet network interface card), the signals are generated at the physical layer.

Not all hardware consists of layer 1 devices. Even though many types of hardware, such as cables, connectors, and modems operate at the physical layer, some operate at different layers. Routers and switches, for example, operate at the network and data-link layers, respectively. Layer 2: Data-Link Layer. The data-link layer prepares the packet that it receives from the network layer to be transmitted as frames on the network. This layer ensures that the information that it exchanges with its peers is error-free. If the data-link layer detects an error in a frame, it will request that its peer resend that frame.

The data-link layer converts information from the higher layers into bits in the format that is expected for each networking technology, such as Ethernet, Token Ring, etc. Using hardware addresses, this layer transmits frames to devices that are physically connected only. As an analogy, consider the path between the end nodes on the network as a chain, and each link as a device in the path. The data-link layer is concerned with sending frames to the next link. The Institute of Electrical and Electronics Engineers (IEEE) data-link layer is divided into two sublayers: Logical link control (LLC): Manages connections between two peers. It provides error and flow control and control bit sequencing. Media access control (MAC): Transmits and receives frames between peers. Logical topologies and hardware addresses are defined at this sublayer. An Ethernet’s 48-bit hardware address is often called a MAC address as a reference to the name of the sublayer. Link layer encryption can be implemented at this layer. Be forewarned that link layer encryption only protects the information between two connected devices. To encrypt information between end nodes using link layer encryption, the information must be decrypted and reencrypted at each device along the path. The quality of the encryption of many of the devices may be out of the control of the owners of the two end nodes. Layer 3: Network Layer. It is important to clearly distinguish the function of the network and data-link layers. The network layer moves information between two hosts that are not physically connected. On the other hand, the data-link layer is concerned with moving data to the next physically connected device. Also, whereas the data-link layer relies on hardware 410

AU8231_C007.fm Page 411 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security addressing, the network layer uses logical addressing that is created when hosts are configured. Internet Protocol (IP) from the TCP/IP suite is the most important network layer protocol. IP has two functions: Addressing: IP uses the destination IP address to transmit packets through networks until the packets’ destination is reached. Fragmentation: IP will subdivide a packet if its size is greater than the maximum size allowed on a local network. IP is a connectionless protocol that does not guarantee error-free delivery. Layer 3 devices, such as routers, read the destination layer 3 address (e.g., destination IP address) in received packets and use their routing table to determine the next device on the network (the next hop) to send the packet. If the destination address is not on a network that is directly connected to the router, it will send the packet to another router. Routing tables are built either statically or dynamically. Static routing tables are configured manually and change only when updated by a human. Dynamic routing tables are built automatically as routers periodically share information that reflect their view of the network, which changes as routers go on- and offline, traffic congestion develops, etc. This allows the routers to effectively route packets as network conditions change. The Certified Information Systems Security Professional (CISSP) candidate is not required to be familiar with the details of dynamic routing. However, dynamic routing protocols include: • Routing Information Protocol (RIP) versions 1 and 2 • Open Shortest Path First (OSPF) • Border Gateway Protocol (BGP) Internet Control Message Protocol (ICMP) is a network layer protocol that is used for diagnostics and error correction. As we will see, this humble protocol has caused more than its share of heartaches by malicious users. With Internet Protocol Security (IPSec), the network layer can provide end-to-end encryption. Layer 4: Transport Layer. The transport layer creates an end-to-end transport between peer hosts. User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) are important transport layer protocols in the TCP/IP suite. UDP does not ensure that transmissions are received without errors, and therefore is classified as a connectionless unreliable protocol. This does not mean that UDP is poorly designed. Rather, the application will perform the error checking, instead of the protocol.

Connection-oriented reliable protocols, such as TCP, ensure integrity by providing error-free transmission. They divide information from multiple 411

AU8231_C007.fm Page 412 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® applications on the same host into segments to be transmitted on a network. Because it is not guaranteed that the peer transport layer receives segments in the order that they were sent, reliable protocols reassemble received segments into the correct order. When the peer layer receives a segment, it responds with an acknowledgment. If an acknowledgment is not received, the segment is retransmitted. Lastly, reliable protocols ensure that each host does not receive more data than it can process without loss of data. Layer 5: Session Layer. This layer provides a logical persistent connection between peer hosts. A session is analogous to a conversation that is necessary for applications to exchange information. The session layer is responsible for creating, maintaining, and tearing down the session.

Three modes are offered: (Full) duplex: Both hosts can exchange information simultaneously, independent of each other. Half duplex: Hosts can exchange information, but only one host at a time. Simplex: Only one host can send information to its peer. Information travels in one direction only. Session layer protocols include Network File System (NFS), Structured Query Language (SQL), and Remote Procedure Call. Layer 6: Presentation Layer. The applications that are communicating over a network may represent information differently, such as using incompatible character sets. This layer provides services to ensure that the peer applications use a common format to represent data. For example, if a presentation layer wants to ensure that Unicode-encoded data can be read by an application that understands the ASCII character set only, it could translate the data from Unicode to a standard format. The peer presentation layer could translate the data from the standard format into the ASCII character set.

This layer also provides services for encryption and compression of network data. However, other layers or the application often perform these services, instead of the presentation layer. Layer 7: Application Layer. This layer is the application’s portal to network-based services, such as determining the identity and availability of remote applications. When an application or the operating system transmits or receives data over a network, it uses the services from this layer.

Many well-known protocols, such as Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP), operate at this layer. 412

AU8231_C007.fm Page 413 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security It is important to remember that the application layer is not the application, especially when an application has the same name as a layer 7 protocol. For example, the FTP command on many operating systems initiates an application called FTP, which eventually uses the FTP protocol to transfer files between hosts. TCP/IP Model. The U.S. Department of Defense developed the TCP/IP model, which is very similar to the OSI model, but with fewer layers.

• The link layer provides physical communication and routing within a network. It corresponds to everything required to implement an Ethernet. It is sometimes described as two layers, a physical layer and a link layer. In terms of the OSI model, it covers layers 1 and 2. • The network layer includes everything that is required to move data between networks. It corresponds to the IP protocol, but also Internet Control Message Protocol (ICMP) and Internet Group Management Protocol (IGMP). In terms of the OSI model, it corresponds to layer 3. • The transport layer includes everything required to move data between applications. It corresponds to TCP and UDP. In terms of the OSI model, it corresponds to layer 4. • The application layer covers everything specific to a session or application, in other words, everything relating to the data payload. In terms of the OSI model, it corresponds to layers 5 through 7. Owing to its coarse structure, it is not well suited to describe application-level information exchange. As with the OSI model, data that is transmitted on the network enters the top of the stack, and each of the layers, with the exception of the physical layer, encapsulates information for its peer at the beginning and sometimes the end of the message that it receives from the next highest layer. On the remote host, each layer removes the information that its peer encapsulated before the remote layer passes the message to the next higher layer. Also, each layer processes messages in a modular fashion, without concern for how the other layers on the same host process the message. Layer 1: Link Layer. The data-link layer prepares the packets that it receives from the network layer to be transmitted as frames on the network. This layer ensures that the information that it exchanges with its peers is error-free. If the data-link layer detects an error in a frame, it will request that its peer resend that frame.

The IEEE data-link layer is divided into two sublayers: Logical link control (LLC): Manages connections between two peers. It provides error-flow control and control bit sequencing. 413

AU8231_C007.fm Page 414 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Media access control (MAC): Transmits and receives frames between peers. Logical topologies and hardware addresses are defined at this sublayer. An Ethernet’s 48-bit hardware address is often called a MAC address as a reference to the name of the sublayer. Layer 2: Network Layer. Like the OSI model’s network layer, this layer

transmits packets between two end-node hosts. Layer 3 devices, such as routers, examine the destination IP address of incoming packets and use routing tables to determine to which host to forward the packet. Because IP is an unreliable protocol, no error checking is performed. Internet Control Message Protocol (ICMP) is a network layer protocol that is used for diagnostics and error correction. Multicasts are sent as identical streams to multiple hosts in a multicast group simultaneously. Typically, multicasts are used by applications that require much bandwidth, such as videoconferencing. Hosts use the Internet Group Management Protocol (IGMP) to join and manage their membership in multicast groups. Layer 3: Transport Layer. The transport layer constructs, maintains, and tears down a transport between peer hosts. As with the OSI model, the transport layer supports two types of transports: reliable connection oriented and unreliable connectionless. Reliable connection-oriented transports are implemented with the TCP, which transmits streams and ensures that the peer layer receives all of the data and retransmits any data that the peer does not acknowledge. Because segments of the stream may arrive at the remote host in any order, the peer transport layer is responsible for reordering the segments into the correct order. TCP uses flow control so that hosts do not receive more data than they can process without data loss.

UDP is used for connectionless unreliable transports. The transport layer transmits datagrams without error checking. This protocol assumes that the application will guarantee that the datagrams are sent error-free. Layer 4: Application Layer. This layer performs the same functions as the OSI model’s application, presentation, and session layers. In addition, the application is included in this layer. The application layer converts the data into a format that can be processed by its peer layer and sends it to the transport layer.

Network Security Architecture The Role of the Network in IT Security. The Network as a Target of Attack. Attacks can be directed at the network itself, i.e., the network’s availability or one of its other services — especially security services — is at risk. At any rate, it is probably not so much the network itself, which is the final goal of such an attack. Normally, an 414

AU8231_C007.fm Page 415 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security attacker will be focused on any IT service that the network is an agent of; therefore, crippling, controlling, or simply using a network will be an intermediate step in his or her strategy. Common attacks falling in this category would include denial-of-service attacks, attempts to breach a firewall, or attempts to breach a router. The Network as an Enabler or Channel of Attack. We h a v e t o d i s t i n g u i s h between two subtly different situations here: where an attacker uses certain network characteristics to support his attack, for instance, by intelligence gathering, and where an attack is born across the network. We will focus on the second one, being the main concern in IT security.

Once an attacker avails himself of the use of a network — not necessarily at the cost of a full loss of control on the defender’s side — it can be used as a channel. Use of a network is not necessarily based on a breach of the network, for instance, in the case of a virus infection the breach may have occurred on a user’s laptop connected to the Internet. Although it is true that in such a case a deficiency in the network’s architecture was exploited, its own infrastructure and the security services that were designed into it have not technically been breached. Incidentally, the use of networks as a channel for an attack could be considered the security situation occurring most frequently, considering that the Internet infrastructure as a whole has become an enabler for certain types of attacks (zero day exploits would be impossible without it), while as far as is known, no attacker has yet managed to take over control over any significant portion of it. The Network as a Bastion of Defense. As described in the two previous sections, the network is a key, if not the most valuable, strategic asset in IT security.5 It is therefore paramount to implement strong and coherent network security architecture across an entire organization.

The security controls deployed in a network are fairly common based on the fact that the particularity of a network is its paramount importance as an asset, not the way in which its IT security is being managed. As described elsewhere (see the information security and risk management chapter, Domain 1, and the operations security chapter, Domain 9), such measures will typically be built around a complete security quality cycle of social, organizational, procedural, and technical activities. Measures will be based on the organization’s security policy and typically include configuration and change management, monitoring and log reviews, vulnerability and compliance testing and scanning (including detection scans on the network), security reviews and audits, backup and 415

AU8231_C007.fm Page 416 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® recovery, as well as awareness and training measures. They need to be balanced, appropriate, and affordable to the organization and commensurate with its business objectives and level of risk. Key concepts include: • Definition of security domains: This could be defined by level of risk or by organizational control. A prime example is the tendency of decentralized organizations to manage their IT — and thereby also their network security — locally, and to different degrees of success.6 • Segregation of security domains, control of traffic flows according to risk/benefit assessment, and taking into account formal models, such as the Bell–La Padula model, the Biba integrity model, or the Clark–Wilson model (see the security architecture and design chapter, Domain 5). • Incident response capability (see the legal, regulations, compliance, and investigations chapter, Domain 10), including but not limited to an inventory of business-critical traffic (to be allowed if possible; this could, for instance, be e-mail or Lotus Notes traffic, but also DNS), noncritical traffic (such as HTTP or FTP), a way to quickly contain breaches (for instance, by shutting off parts of the network or blocking certain types of traffic), and a process for managing the reaction. • Protecting network assets, such as firewalls and routers, in all ways as would be normal for an IT system (reference chapter Operations Security), but likely in a more stringent manner and to a far higher degree of security. • Contingency or network backup in case of network overload or failure. Network Security Objectives and Attack Modes. A l t h o u g h s e c u r i t y objectives are specific to each business, we can distinguish a number of key themes, which will be prioritized by each business differently, but often the order in which they are listed here is the one chosen.

A number of secondary objectives, such as interoperability and, in particular, ease of use, are undercurrents to these themes. A user expects the network (in particular, network security) to be fully transparent and will not easily accept restrictions.7 Conversely, it is a common perception that network security is the end to all other security measures, i.e., that firewalls will protect a corporation. It is intuitively clear that this is a flawed perception; in effect, working perimeter defense, while reducing the overall number of successful attacks, will also shift the balance toward insider attacks.8 Access Control. The network being a primary entry point into a corporate network provides access control in both directions — from the outside in and from the inside out.9 416

AU8231_C007.fm Page 417 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security • Attacks against outside-in access controls can be executed by stealing credentials and circumventing controls (i.e., by looking for open network ports, modems). • Another such method is breaking into a server in a demilitarized zone (DMZ) and using it as a stepping stone, either inbound or outbound. Proper countermeasures include the usual hardening, configuration, and monitoring measures, as well as proper firewall configuration that under no circumstances allows this server any type of inbound connection. • The proverbial laptop catching a virus infection on the Internet and spreading it on a corporate network is another way of circumventing inbound controls. The infection can happen, because the corporate network places transitive trust on the laptop to remain protected while it is not connected to the network. This implicit (and possibly undocumented) bidirectional trust relationship between network and client violates the principle of multilateral security10 in favor of an (arguably) simplified and cheaper security model.11 • Attacks against inside-out access controls include protocol tunneling12 (carrying a lower-layer network service through a higher layer) and sidestepping the restriction through use of unauthorized gateways (or unauthorized use of authorized gateway components), such as modems or wireless cards. Interestingly, this method can also be used to enable inbound connections, if the client is able to poll for waiting inbound connections.13 Conversely, not only does a user have to authenticate against the network, but ideally a network should also authenticate against the user to prevent, for instance, certain types of man-in-the-middle attacks.14 It is instructive to note that none of the aforementioned methods involves hacking, i.e., an actual breach of a perimeter gateway. They are all based on workarounds and creative use of existing protocols and components. Availability. In corporate networks, availability of the service is com-

monly the key business requirement. Conversely and for this very reason, network availability has also become a prime target for attackers and a key business risk. DENIAL-OF-SERVICE ATTACK. The easiest attack to carry out against a network, or so it may seem, is to overload it through excessive traffic. Although this may appear a simple concept, it is not. The reason for this is that the cost for the attacker would normally be exactly the same as for the target, which would make this type of attack very difficult to carry out.

Countermeasures would include a redundant network, load balancing, reserved bandwidth (quality of service, which would at least protect systems not directly targeted), and blocking traffic from an attacker on a fire417

AU8231_C007.fm Page 418 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® wall or upstream router. A target can also shift its IP address or DNS name to sidestep the attack.15 It is instructive to note that many protocols contain basic protection from message loss that would at least mitigate the effects of denial-of-service attacks. This starts with the TCP managing packet loss within certain limits, and ends with higher-level protocols, such as SMTP, that will provide robustness against temporary connection outages (store and forward). Fortunately, for the attacker, there are a number of ways to execute denial-of-service attacks while minimizing his own cost: • Distributed denial-of-service attack: Using a network of remote-controlled hosts (typically workstations that have been backdoored or time-triggered through a specific virus infection), the target is subjected to traffic from a wide range of sources that are very hard to block. The downside of this type of attack to both the attacker and network service provider is that the attack may already throttle upstream network channels, taking out more than just its intended target. • Distributed denial-of-service attacks have been used as a means of extortion,16 but also as a political instrument (referred to by their initiators as online demonstration), where activists would instigate users to frequently reload a certain Web site at a certain point in time.17 • Countermeasures are similar to those of conventional denial-of-service attacks, but simple IP or port filtering might not work. • Utilizing weaknesses in the design of TCP/IP to clog the network stack on the target system instead of the network itself, for instance, through SYN flood attacks. Such attacks can be executed over minimal bandwidth and can be hard to trace by their very nature (no complete transaction channel is ever established, and consequently, no logging occurs). • Countermeasures include protecting the operating system through securing its network stack. This is not normally something the user or owner of a system has any degree of control over; it is a task for the vendor. Finally, the network needs to be included in a corporation’s disaster recovery and business contingency plans. For local area networks, one may set high recovery objectives and provide appropriate contingency, based upon the fact that any recovery of services is likely to be useless without at least a working local area network (LAN) infrastructure. As wide area networks are usually outsourced, contingency measures might include acquisition of backup lines from a different provider, procurement of telephone or Integrated Services Digital Network (ISDN) lines, etc. (see business continuity and disaster recovery chapter, Domain 6).

418

AU8231_C007.fm Page 419 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security Confidentiality. The network, as the carrier of almost all digital information within a corporation, provides an attractive target to bypass access control measures on IT systems and access information while it is in transit. Among the information that can be acquired is not just the payload information, but also credentials, such as passwords. Conversely, an attacker might not even be interested in the information transmitted, but simply in the fact that communication has occurred. EAVESDROPPING (SNIFFING). To access information from the network, an attacker must have access to the network itself in the first place (see “Methodology of an Attack” section). An eavesdropping computer can be a legitimate client to the network or an unauthorized one. It is not necessary for the eavesdropper to become a part of the network (for instance, having an IP address); it is often far more advantageous for an attacker to remain invisible (and inaddressible) on the network. This is particularly easy in wireless LANs, where no physical connection is necessary.19

Countermeasures to eavesdropping include encryption of network traffic on a network or application level, traffic padding to prevent identification of times when communication happens, and rerouting of information to anonymize its origins and potentially split different parts of a message. Integrity. A network needs to support the integrity of its traffic. In many ways, the provisions taken for protection against interception, to protect confidentiality, will also protect the integrity of a message.

Although the modification of messages will often happen at the higher network layers (i.e., within applications), networks can be set up to provide robustness or resilience against interception and change of a message (man-in-the-middle attack) or replay attacks. Ways to accomplish this can be based on encryption or checksums on messages, as well as on access control measures for clients that would prevent an attacker from gaining the necessary access to send a modified message into the network. Conversely, many protocols, such as SMTP, HTTP, or even DNS, do not provide any degree of authentication (see below), so that it becomes relatively easy to inject messages with fake sender information into a network from the outside through an existing gateway. The fact that no application can rely on the security or authenticity of underlying protocols has become a common design factor in networking. Methodology of an Attack. Security attacks have been described formally as attack tree models.20 Attack trees are based upon the goal of the attacker, the risk of the defender, and the vulnerabilities of the defense systems. They form a specialized form of decision tree that can be used to formally evaluate system security.

419

AU8231_C007.fm Page 420 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® The following methodology describes not the attack tree itself (which is a defender’s view), but the steps that an attacker would undergo to successfully traverse the tree toward his or her target.21 Target Acquisition. In network security, an attack usually starts by intelligence gathering to obtain a collection of possible targets, for instance, by evaluating directory services and by network scanning.

If the attacker is after a specific target (as in industrial espionage settings), he will be using a different approach than if he were after any susceptible target (for instance, if an effected security breach would be a kind of trophy for the attacker with his peers). In the second case, the attacker is far more likely to use a form of discovery scanning before performing his target analysis. It is therefore important to limit information on a network and make intelligence gathering as difficult as possible. This would include installation of split DNS zones (internal nodes are only visible on the inside of a network), network address translation, limiting access to directories of persons and assets, using hidden paths, nonstandard privileged usernames, etc. Importantly, all of these obscurity measures do not have an inherent security value — they serve to slow the attacker down but will not in themselves provide any protection beyond this point.22,23 Target Analysis. In a second step, the identified target is analyzed for security weaknesses that would allow the attacker to obtain access. Depending on the type of attack, the discovery scan has already taken this into account, e.g., by scanning for servers susceptible to a certain kind of buffer overflow attack. Tools available for the target acquisition phase are generally capable of automatically performing a first-target analysis.

The most effective protection is to minimize security vulnerabilities, for instance, by applying software patches at the earliest possible opportunity and using an effective configuration management. In addition, target analysis should be made more difficult for the attacker. For example, system administrators should minimize the system information (e.g., system type, build, and release) that an attacker could glean, making it more difficult to attack the system. Target Access. In the next step, an attacker will obtain some form of access to the system. This can be access as a normal user or as a guest. The attacker could be exploiting known vulnerabilities or common tools for this, or bypass technical security controls altogether by using social engineering attacks.

To mitigate the risk of unauthorized access, existing user privileges need to be well managed, access profiles need to be up to date, and unused 420

AU8231_C007.fm Page 421 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security accounts should be blocked or removed. Access should be monitored and monitoring logs need to be regularly analyzed.24 Target Appropriation. As the second but last level of an attack, the attacker can then escalate his or her privileges on the system to gain system-level access. Again, exploitation of known vulnerabilities through existing or bespoke tools and techniques is the main technical attack vector; however, other attack vectors, such as (again and always) social engineering, need to be taken into account.

Countermeasures against privilege escalation, by nature, are similar to the ones for gaining access. However, because an attacker can gain full control of a system through privilege escalation, secondary controls on the system itself (such as detecting unusual activity in log files) are less effective and reliable.25 Network (router, firewall, and intrusion detection system) logs can therefore prove invaluable. Last but not least, the attacker may look to sustain control of the system to regain access at a later time or to use it for other purposes, such as sending spam or as a stepping stone for other attacks. To such an end, the attacker could avail himself of prefabricated rootkits to sustain control. Such a rootkit will not only allow access, but also hide its own existence from cursory inspection. To detect the presence of unauthorized changes, which could indicate access from an attacker or backdoors into the system, the use of hostbased intrusion detection systems26 can provide detection that cannot easily be bypassed. Output from the host-based IDS (such as regular snapshots or file hashes) need to be stored in such a way that they cannot be overwritten from the source system. Network Security Tools. Tools make a security practitioner’s job easier. Whether aids in collecting input for risk analysis or scanners to assess how well a server is configured, tools automate processes, which saves time and reduces error.27

Do not fall into the trap of reducing network security to collecting and using tools. Your ability as a practitioner has nothing to do with how cool your tools are. The only tool that really matters is the one that is between your ears. Use that one well, and you will go far. Intrusion Detection Systems. Intrusion detection systems (IDSs) monitor activity and send alerts when they detect suspicious traffic. There are two broad classifications of IDSs: host-based IDSs, which monitor activity on servers and workstations, and network-based IDSs, which monitor network activity. We will discuss network-based IDSs.

Currently, there are two approaches to IDSs. An appliance on the network can monitor traffic for attacks based on a set of signatures (analogous to anti421

AU8231_C007.fm Page 422 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® virus software), or the appliance can watch the network’s traffic for a while, learn what traffic patterns are normal, and send an alert when it detects an anomaly. Of course, an IDS can use a hybrid of the two approaches. Independent of the IDS’s approach, how an organization uses its IDS determines whether the tool is effective. Despite its name, IDS should not be used to detect intrusions. Instead, it should send an alert when it detects interesting, abnormal traffic that could be a prelude to an attack. For example, someone in the engineering department trying to access payroll information over the network at 3 A.M. is probably very interesting and not normal. Or, perhaps a sudden rise in network utilization should be noted. The above implies that an organization understands the normal characteristics of its network. Considering modern networks’ complexity and how much they change, that task is much easier said than done. The reader will want to familiarize himself with Snort,28 a free and opensource intrusion detection system. In addition, a large number of commercial tools are available. The reader is advised to consult the respective vendors’ Web sites. Scanners. A network scanner can be used in several ways:

• Discovery of devices and services on a network, for instance, to establish whether new or unauthorized devices have been connected. Conversely, this type of scan can be used for intelligence gathering on potentially vulnerable services. • Test of compliance with a given policy, for instance, to ensure certain configurations (deactivation of services) have been applied. • Test for vulnerabilities, for instance, as part of a penetration test, but also in preparation for an attack. DISCOVERY SCANNING. A discovery scan can be performed with very simple methods, for example, by sending a ping packet (ping scanning) to every address in a subnet. More sophisticated methods will also discover the operating system and services of a responding device. COMPLIANCE SCANNING. A compliance scan can be performed either from the network or on the device (for instance, as a security health check). If performed on the network, it will usually include testing for open ports and services on the device. VULNERABILITY SCANNING. A vulnerability scan can either test for vulnerability conditions or try an active exploitation of the vulnerability. A vulnerability scan can be performed in a nondisruptive manner or under acceptance of the fact that even a test for certain vulnerabilities might affect the target’s availability or performance. 422

AU8231_C007.fm Page 423 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security When new vulnerabilities have been published or are exploited, targeted scanner tools often become available from software vendors, antivirus vendors, independent vendors, or the open-source community. SCANNING TOOLS. This is not the place to describe the functionality of the many available scanning tools in detail. However, readers will want to familiarize themselves with the following tools:

• Nessus,29 a vulnerability scanner • Nmap,30 a discovery scanner that will allow determining not only services running on a machine, but also other host characteristics, such as a machine’s operating system In addition, a large number of commercial tools exist. Readers are advised to consult the respective vendor’s information on the Web. Layer 1: Physical Layer Concepts and Architecture A network’s physical topology relates to how network components are connected with each other. The appropriate topology for a network can be determined by assessing the available protocols, how end nodes will be used, available equipment, financial constraints, and the importance of fault tolerance. Communication Technology. Analog Communication. Analog signals use electronic properties, such as frequency and amplitude, to represent information. Analog recordings are a classic example: A person speaks into a microphone, which converts the vibration from acoustical energy to an electrical equivalent. The louder the person speaks, the greater the electrical signal’s amplitude. Likewise, the higher the pitch of the person’s voice, the higher the frequency of the electrical signal.

Analog signals are transmitted on wires, such as twisted pair, or with a wireless device. In radio communication, for example, the electrical representation of the person’s voice would be modulated with a carrier signal and broadcasted. Digital Communication. Whereas analog communication uses complex waveforms to represent information, digital communication uses two electronic states (on and off). By convention, 1 is assigned to the on state and 0 to off. Electrical signals that consist of these two states can be transmitted over cable, converted to light and transmitted over fiber optics, and broadcasted with a wireless device. In all of the above media, the signal would be a series of one of two states: on and off.

It is easier to ensure the integrity of digital communication because the two states of the signal are sufficiently distinct. When a device receives a dig423

AU8231_C007.fm Page 424 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK®

Figure 7.1. Network with a bus topology.

ital transmission, it can easily determine which digits are 0s and which are 1s (if it cannot, then the device knows the signal is erroneous). On the other hand, analog’s complex waveforms make ensuring integrity very difficult. Network Topology. Bus. A bus is a LAN with a central cable (bus) to which all nodes (devices) connect. All nodes transmit directly on the central bus. Each node listens to all of the traffic on the bus and processes only the traffic that is destined for it. This topology relies on the data-link layer to determine when a node can transmit a frame on the bus without colliding with another frame on the bus.

A LAN with a bus topology is shown in Figure 7.1. Advantages of buses include: • Adding a node to the bus is easy. • A node failure will not likely affect the rest of the network. Disadvantages of buses include: • Because there is only one central bus, a bus failure will leave the entire network inoperable. Tree. Tree topology is similar to a bus. Instead of all of the nodes connecting to a central bus, the devices connect to a branching cable. Like a bus, every node receives all of the transmitted traffic and processes only the traffic that is destined for it. Furthermore, the data-link layer must transmit a frame only when there is not a frame on the wire. A network with a tree topology is shown in Figure 7.2.

Advantages of a tree include: • Adding a node to the tree is easy. • A node failure will not likely affect the rest of the network. 424

AU8231_C007.fm Page 425 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security

Figure 7.2. Network with a tree topology.

Disadvantages of a tree include: • A cable failure could leave the entire network inoperable. Ring. Ring is a closed-loop topology. Data is transmitted in one direction. Each device receives data from its upstream neighbor only and transmits data to its downstream neighbor only. Typically rings use coaxial cables or fiber optics. A Token Ring network is shown in Figure 7.3.

Advantages of rings include: • Because rings use tokens, one can predict the maximum time that a node must wait before it can transmit (i.e., the network is deterministic). • Rings can be used as a LAN or network backbone. Disadvantages of rings include: • Simple rings have a single point of failure. If one node fails, the entire ring fails. Some rings, such as fiber distributed data interface (FDDI), use dual rings for failover. Mesh. In a mesh network, all nodes are connected to every node on the network. A full mesh network is usually too expensive because it requires many connections. As an alternative, a partial mesh can be employed in which only selected nodes (typically the most critical) are connected in a full mesh and the remaining nodes are connected to a few devices. As an 425

AU8231_C007.fm Page 426 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK®

Figure 7.3. Network with a ring topology.

Figure 7.4. Network with a mesh topology.

example, core switches, firewalls, and routers and their hot standbys are often all connected to ensure as much availability as possible. A full mesh network is shown in Figure 7.4. Advantages of a mesh include: • Mesh networks provide a high level of redundancy. Disadvantages of a mesh include: • Mesh networks are very expensive because of the enormous amount of cables that are required. 426

AU8231_C007.fm Page 427 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security

Figure 7.5. Network with a star topology. Star. All nodes in a star network are connected to a central device, such as a hub, switch, or router. Modern LANs usually employ a star typology. A star network is shown in Figure 7.5.

Advantages of a star include: • Star networks require fewer cables than full or partial mesh. • Star networks are easy to deploy, and nodes can be easily added or removed. Disadvantages of a star include: • The hub is a single point of failure. If the hub is not functional, all of the connected nodes lose network connectivity. Technology and Implementation Cable. Networks have very impressive devices, including computers with dozens of CPUs that act as many virtual servers and phone booth-size routers used by ISPs. It is tempting to underestimate the importance of cables in a network. Yet, without the cables, there would not be a network, just stand-alone components. One can think of cables as the glue that holds a network together.

Selecting proper cables in a network design is imperative. If inappropriate ones are used, the results can be as disastrous as using the wrong server or router. Cables have to withstand much that threatens the confidentiality, integrity, and availability of the information on the network. Consider the risk of someone tapping into a cable to intercept its signal, or electromagnetic interference from nearby devices, or simply the dangers of a cable breaking. This, considered with the technical parameters of cables, shows that the correct cable must be used for each application. Here are some parameters that should be considered when selecting cables: 427

AU8231_C007.fm Page 428 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Throughput: The rate that data will be transmitted. Certain cables, such as fiber optic, are designed for hauling an incredible amount of data at once. Distance between devices: The degradation or loss of a signal (attenuation) in long runs of cable is a perennial problem, especially if the signal is at a high frequency. Also, the time required for a signal to travel (propagation delay) may be a factor. A bus topology that uses collision detection may not operate correctly if the cable is too long. Data sensitivity: What is the risk of someone intercepting the data in the cables? Fiber optics, for example, makes data interception very difficult. Environment: It is a cable-unfriendly world. Cables may have to be bent when installing. The amount of electromagnetic interference is a factor because cables in an environment with a lot of interference may have to be shielded. Twisted Pair. Unshielded Twisted Pair. Pairs of copper wires are twisted together to reduce electromagnetic interference and cross talk. Each wire is insulated with a fire-resistant material, such as Teflon. The twisted pairs are surrounded by an outer jacket that physically protects the wires. The quality of cable, and therefore its appropriate application, is determined by the number of twists per inch, the type of insulation, and conductive material.

To help determine which cables are appropriate for an application or environment, cables are assigned into categories (Table 7.1). Unshielded twisted pair (UTP) has several drawbacks. Because UTP does not have shielding like shielded twisted-pair cables, UTP is susceptible to interference from external electrical sources, which could reduce the integrity of the signal. Also, to intercept transmitted data, an intruder can install a tap on the cable or monitor the radiation from the wire. Thus, UTP may not be a good choice when transmitting very sensitive data or when installed in an environment with much electromagnetic interference (EMI) or radio frequency interference (RFI).

Table 7.1. Cable Categories Category 1

Less than 1 Mbps

Category 2 Category 3 Category 4 Category 5

<4 Mbps 16 Mbps 20 Mbps 100 Mbps

Category 5e Category 6

1000 Mbps 1000 Mbps

428

Analog voice and basic interface rate (BRI) in Integrated Services Digital Network (ISDN) 4-Mbps IBM Token Ring LAN 10 Base-T Ethernet 16-Mbps Token Ring 100 Base-TX and Asynchronous Transfer Mode (ATM) 1000 Base-T Ethernet 1000 Base-T Ethernet

AU8231_C007.fm Page 429 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security Despite its drawbacks, UTP is the most common cable type. In fact, many grocery stores carry CAT-5 or CAT-5e cables. UTP is inexpensive, can be easily bent during installation, and, in most cases, the risk from the above drawbacks is not enough to justify more expensive cables. Shielded Twisted Pair (STP). Shielded twisted pair is similar to UTP. Pairs of insulated twisted copper are enclosed in a protective jacket. However, STP uses an electronically grounded shield to protect the signal. The shield surrounds each of the twisted pairs in the cable, surrounds the bundle of twisted pairs, or both. The shield protects the electronic signals from outside interference and from eavesdropping by intruders.

Although the shielding protects the signal, STP has disadvantages over UTP. STP is more expensive and is bulkier and hard to bend during installation. Coaxial Cable. Instead of a pair of wires twisted together, coaxial cable (or simply, coax) uses one thick conductor that is surrounded by a grounding braid of wire. A nonconducting layer is placed between the two layers to insulate them. The entire cable is placed within a protective sheath.

The conducting wire is much thicker than twisted pair, and therefore can support greater bandwidth and longer cable lengths. The superior insulation protects coaxial cable from electronic interference, such as EMI and RFI. Likewise, the shielding makes it harder for an intruder to monitor the signal with antennae or install a tap. Coaxial cable has some disadvantages. The cable is expensive and is difficult to bend during installation. For this reason, coaxial cable is used in specialized applications, such as cable TV. Fiber Optics. Fiber optics takes a very different approach to cabling. Instead of using a metal conductor to transmit and receive electrical signals, fiber optics uses glass or plastic to transmit light. Fiber optics consists of three components: a light source, the optical cable, and a light detector.

The light source transmits the optical signal on the fiber cable. There are two types of light sources: Light-emitting diodes (LEDs): Sophisticated cousins to the ubiquitous LEDs found in consumer electronics. LEDs are less expensive than diode lasers, but offer less bandwidth over a shorter distance. Typically LEDs are used in LANs. Diode lasers: A much more expensive alternative, especially because they require more expensive fiber cables and light detectors. This optical source is used by carriers on their backbone. Optical fiber is made from a very narrow glass or plastic fiber that is surrounded by a cladding that is designed to reflect transmitted light back into 429

AU8231_C007.fm Page 430 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® the fiber. The cladding in turn is covered by a protective sheath. There are two types of optical fiber: Multimode fiber: Light is transmitted in slightly different modes (paths) in fibers that are about 50 to 100 microns in diameter. Due to the relatively large diameter, the light disperses too much when using medium and long cable lengths. Single-mode fiber: Single-mode fiber is about 10 microns in diameter. As the name implies, the transmitted light will take a direct path down the center of the fiber. This allows for greater bandwidth and longer cable lengths. Single-mode fiber is suitable for carrier backbones. Light detectors convert transmitted optical signals back into electrical energy. Fiber optics has clear advantages over copper cables. Fiber optics can support 40 gigabits or more per second, which far exceeds coaxial cable or twisted-pair and longer cable distances without amplification. From a security perspective, fiber optics’ immunity to electromagnetic interference (EMI) and radio frequency interference (RFI) is important. Because fiber optics does not emit energy from the cable, data cannot be remotely intercepted.31 Fiber optics has disadvantages, though. It is relatively expensive compared to UTP, cumbersome to install, and relatively difficult to acquire. Therefore, fiber optics is generally reserved for high-bandwidth applications. Patch Panels. Even moderate-size data centers have many interconnected devices, such as switches, routers, servers, workstations, and even test equipment. It is a challenge for network administrators to organize the cables that connect these devices, and to easily modify how they are connected.

As an alternative to directly connecting devices, devices are connected to the patch panel. Then, a network administrator can connect two of these devices by attaching a small cable, called a patch cord, to two jacks in the panel. To change how these devices are connected, network administrators only have to reconnect patch cords. Modems. Modems (modulator/demodulator) allow users remote access to a network via analog phone lines. Essentially, modems convert digital signals to analog and visa versa. A modem that is connected to the user’s computer converts a digital signal to analog to be transmitted over a phone line. On the receiving end, a modem converts the user’s analog signal to digital and sends it to the connected device, such as a server. Of course, the process is reversed when the server replies. The server’s reply is converted from digital to analog and transmitted over the phone line, and so on. 430

AU8231_C007.fm Page 431 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security To address the problem of bandwidth reduction caused by errors in converting analog signals to digital, a new modem standard was created. Because most organizations that support modem access can do so without analog lines, V.90, and later V.92, were created. The new standards assume that a remote user’s connection is the only one that is analog. With only one analog connection, the above conversion errors are reduced, which yields greater bandwidth. Because the upstream transmission (i.e., from the user) is converted from analog to digital, the transfer speed is equivalent to that of a traditional modem. However, the downstream transmission is not converted from analog to digital, and therefore has the potential of speeds approaching the maximum 56 Kbps. The slower upstream speed is often not noticeable because much less data is transferred in that direction. For instance, consider a Web-browsing session. The upstream data is typically generated by mouse clicks and keystrokes, which does not need a lot of bandwidth. It is the download of information from the Web server that requires and receives that extra bandwidth.32 V.92 offers improved performance over V.90, including reducing the time required for connection, the ability not to disconnect when the user’s line receives a call-waiting signal, and increased bandwidth in both directions33 Modems allow remote users to access a network from almost any analog phone line worldwide. While this provides easy access to telecommuters, road warriors, etc., it also provides easy access for intruders, who know they can sneak in an organization’s backdoor while the security staff protects the Internet gateway. In fact, many organizations have implemented policies that forbid modems on the network. Wireless Transmission Technologies. Direct-Sequence Spread Spectrum (DSSS). Direct-sequence spread spectrum is a wireless technology that

spreads a transmission over a much larger frequency band, and with corresponding smaller amplitude. By spreading the signal over a wider band, the signal is less susceptible to interference at a specific frequency. In other words, the interference affects a smaller percentage of the signal. During transmission, a pseudorandom noise code (PN code) is modulated with the signal. The sender and receiver’s PN code generators are synchronized, so that when the signal is received, the PN code can be filtered out. Frequency-Hopping Spread Spectrum (FHSS). T h i s w i re l e s s t e c h n o l o g y spreads its signal over rapidly changing frequencies. Each available frequency band is subdivided into subfrequencies. Signals rapidly change (hop) among these subfrequencies in an order that is agreed upon between the sender and receiver. 431

AU8231_C007.fm Page 432 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® The benefit of FHSS is that the interference at a specific frequency will affect the signal during a short interval. Conversely, FHSS can cause interference with adjacent DSSS systems. Orthogonal Frequency Division Multiplexing (OFDM). A signal is subdivided into subfrequency bands, and each of these bands is manipulated so that they can be broadcasted together without interfering with each other. Frequency Division Multiple Access (FDMA). Frequency division multiple access is used in analog cellular only. It subdivides a frequency band into subbands and assigns an analog conversation to each subband. Time Division Multiple Access (TDMA). Time division multiple access multiplexes several digital calls (voice or data) at each subband by devoting a small time slice in a round-robin to each call in the band. Two subbands are required for each call: one in each direction between sender and receiver. Code Division Multiple Access (CDMA), CDMA 2000, Wideband CDMA. CDMA is a spread-spectrum wireless technology that is mostly used for cellular technology. Like DSSS, it spreads each call over a large frequency band and is tagged with a pseudorandom noise code to differentiate between the calls. Qualcomm is a driver of this technology and is able to multiplex approximately three times as many calls as other technologies.

CDMA 200034 offers an improved capability of ten times the number of calls and transmission rates of 153.6 Mbps.35 Wideband CDMA (or W-CDMA) uses a wider band than CDMA, which increases the throughput of the carrier. Mobile Telephony. GLOBAL SERVICE FOR MOBILE COMMUNICATIONS (GSM). GSM is the most popular cellular technology in the world. A frequency band is subdivided in simplex channels; each can support as many as eight callers using time division multiplexing (see Tannenbaum’s Computer Networks in “General References”).

Mobile subscribers are associated and identify themselves with their socalled International Mobile Subscriber Identifier (IMSI), a (usually) 15-digit number coded into the user’s Subscriber Identity Module (SIM) card and containing information about home country and network. Because the user (or mobile phone) authenticates with the network, but not the network with the mobile phone, a man-in-the-middle attack can be performed using a device called an IMSI catcher, which the attacker can use to masquerade as a base station. Such devices are regularly used by law enforcement agencies. The IMSI catcher can use a control command in GSM to deactivate encryption for a call from the targeted device. (Currently, commercially available 432

AU8231_C007.fm Page 433 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security mobile phones do not display whether encryption is activated for a connection.) Thus, mobile phone calls can be intercepted with relatively low effort. The drawback, at least from a law enforcement perspective, is that the whereabouts of the target needs to be known to successfully deploy an attack. Layer 2: Data-Link Layer Concepts and Architecture Architecture. In addition to providing throughput, a network’s architecture should also help protect its assets. Listed below are the key concepts concerning isolating networks in different domains of trust. Security Perimeter. The security perimeter is the first line of defense between trusted and untrusted networks. In general, it includes a firewall and router that helps filter traffic. Security perimeters may also include proxies and devices, such as an intrusion detection system (IDS), to warn of suspicious traffic.

It is important to note that while the security perimeter is the first line of defense, it must not be the only one. If there are not sufficient defenses within the trusted network, then a misconfigured or compromised device could allow an attacker to enter the trusted network. Network Partitioning. Segmenting networks into domains of trust is an effective way to help enforce security policies. Controlling which traffic is forwarded between segments will go a long way to protecting an organization’s critical digital assets from malicious and unintentional harm. Boundary Routers. Boundary routers primarily advertise routes that external hosts can use to reach internal ones. However, they should also be part of an organization’s security perimeter by filtering external traffic that should never enter the internal network. For example, boundary routers may prevent external packets from the Finger service from entering the internal network because that service is used to gather information about hosts.

A key function of boundary routers is the prevention of inbound or outbound IP spoofing attacks. In using a boundary router, spoofed IP addresses would not be routable across the network perimeter. DUAL-HOMED HOST. A dual-homed host has two network interface cards (NICs), each on a separate network. Provided that the host controls or prevents the forwarding of traffic between NICs, it can be an effective measure to isolate a network. BASTION HOST. Bastion hosts serve as a gateway between a trusted and untrusted network that gives limited, authorized access to untrusted hosts. 433

AU8231_C007.fm Page 434 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® For instance, a bastion host at an Internet gateway could allow external users to transfer files to it via the FTP. This permits files to be exchanged with external hosts without granting them access to the internal network. If an organization has a network segment that has sensitive data, it can control access to that network segment by requiring that all access must be from the bastion host. In addition to isolating the network segment, users will have to authenticate to the bastion host, which will help audit access to the sensitive network segment. For example, if a firewall limits access to the sensitive network segment, allowing access to the segment from only the bastion host will eliminate the need for allowing many hosts access to that segment. DEMILITARIZED ZONE (DMZ). A demilitarized zone (DMZ), also known as a screened subnet, allows an organization to give external hosts limited access to public resources, such as a company Web site, without granting them access to the internal network. Typically, the DMZ is an isolated subnet attached to a firewall (when the firewall has three interfaces — internal, external, and DMZ — this configuration is sometimes called a three-legged firewall). Because external hosts by design have access to the DMZ (albeit controlled by the firewall), organizations should only place in the DMZ hosts and information that are not sensitive. Transmission Technologies. There are many points that must be considered about transmitting information from sender to receiver. For example, will the information be expressed as an analog or digital wave? How many recipients will there be? If the transmission media will be shared with others, how can one ensure that the signals will not interfere with each other? Synchronous Communications. Synchronous communication uses a timing mechanism to synchronize the transmission of data. The communicating devices can use a clocking mechanism, or the transmitting device can include timing information in the stream.

When devices communicate synchronously, they transmit large frames of data, which are surrounded by synchronizing bit patterns, which is much more efficient than 3-bit overhead for every byte in asynchronous transmissions. Error checking in synchronous communication is more robust than in asynchronous communication. For instance, the transmitting device can apply a cyclic redundancy checking (CRC) polynomial to a frame and include the resulting value in the frame. CRC error checking will detect close to all erroneous transmissions. Because of its minimal use of overhead and superior error checking, synchronous communication is much more practical for high-speed, high-volume data transfer than asynchronous. 434

AU8231_C007.fm Page 435 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security Asynchronous Communications. In asynchronous communications, a clocking mechanism is not used. Instead, the sending device surrounds each byte with bits that mark the beginning and end of transmission. In addition, one bit is sent for error control. For each byte, a start bit is sent to signal the start of a transmission. Next, the data byte is sent, followed by a parity bit (for error control), and then a stop bit to signal the end of transmission. As you can see, each byte of data requires 3 bits of overhead.

Needless to say, the receiving device strips off the overhead bits before sending the data up the TCP/IP stack. Modems and dumb terminals are examples of devices that use asynchronous communication. Unicast, Multicast, and Broadcast Transmissions. Most communication, especially that directly initiated by a user, is from one host to another. For example, when a person uses a browser to send a request to a Web server, he or she sends a packet to the Web server. A transmission with one receiving host is called Unicast.

A host can send a broadcast to everyone on its network or subnetwork. Depending on the network topology, the broadcast could have anywhere from one to tens of thousands of recipients. Like a person standing on a soapbox, this is a noisy method of communication. Typically, only one or two destination hosts are interested in the broadcast; the other recipients waste resources to process the transmission. However, there are productive uses for broadcasts. Consider a router that knows a device’s IP address but must determine the device’s MAC address. The router will broadcast an Address Resolution Protocol (ARP) request asking for the device’s MAC address. Notice how one broadcast could result in hundreds or even thousands of packets on the network. Intruders often leverage this fact in denial-ofservice attacks. Public and private networks are used more often than ever for streaming transmissions, such as movies, videoconferences, and music. Given the intense bandwidth to transmit these streams, and the sender and recipients are not necessarily on the same network, how does one transmit the stream to only the interested hosts? The sender could send a copy of the stream via Unicast to each receiver. Unless there is a very small audience, Unicast delivery is not practical because the multiple simultaneous copies of the large stream on the network at the same time could cause congestion. Delivery with broadcasts is another possibility, but every host would receive the transmission, even if they were not interested in the stream. Multicast was designed to deliver a stream to only interested hosts. Radio broadcasting is a typical analogy for multicasting. To select a spe435

AU8231_C007.fm Page 436 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK®

Figure 7.6. Multicast transmission.

cific radio show, you tune a radio to the broadcasting station. Likewise, to receive a desired multicast, you join the corresponding multicast group. Multicast agents are used to route multicast traffic over networks and administer multicast groups. Each network and subnetwork that supports multicasting must have at least one multicast agent. Hosts use IGMP to tell a local multicast agent that it wants to join a specific multicast group. Multicast agents also route multicasts to local hosts that are members of the multicast’s group and relay multicasts to neighboring agents. When a host wants to leave a multicast group, it sends an IGMP message to a local multicast agent. Multicasts do not use reliable sessions. Therefore, the multicasts are transmitted as best effort, with no guarantee that datagrams are received. As an example, consider a server multicasting a videoconference to desktops that are members of the same multicast group as the server (Figure 7.6). The server transmits to a local multicast agent. Next, the multicast agent relays the stream to other agents. All of the multicast agents transmit the stream to local hosts that are members of the same multicast group as the server. Circuit-Switched Networks. Circuit-switched networks establish a dedicated circuit between endpoints. These circuits consist of dedicated switch connections. Neither endpoint starts communicating until the circuit is completely established. The endpoints have exclusive use of the circuit and its bandwidth. Carriers base the cost of using a circuitswitched network on the duration of the connection, which makes this 436

AU8231_C007.fm Page 437 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security type of network only cost-effective for a steady communication stream between the endpoints. Examples of circuit-switched networks are the plain old telephone service (POTS), Integrated Services Digital Network (ISDN), and Point-to-Point Protocol (PPP). Packet-Switched Networks. Packet-switched networks do not use a dedicated connection between endpoints. Instead, data is divided into packets and transmitted on a shared network. Each packet contains meta-information so that it can be independently routed on the network. Networking devices will attempt to find the best path for each packet to its destination. Because network conditions could change while the partners are communicating, packets could take different paths as they transverse the network and arrive in any order. It is the responsibility of the destination endpoint to ensure that the received packets are in the correct order before sending them up the stack.

Because carriers base the cost of using a packet-switched network on the amount of data that is transmitted, such networks are appropriate for transmissions with significant idle time (i.e., bursty transmissions). Switched Virtual Circuits (SVCs), Permanent Virtual Circuits (PVCs). Virtual circuits provide a connection between endpoints over high-bandwidth, multiuser cable or fiber that behaves as if the circuit were a dedicated physical circuit. There are two types of virtual circuits, based on when the routes in the circuit are established. In a permanent virtual circuit, the carrier configures the circuit’s routes when the circuit is purchased. Unless the carrier changes the routes to tune the network, respond to an outage, etc., the routes do not change. On the other hand, the routes of a switched virtual circuit are configured dynamically by the routers each time the circuit is used. Carrier Sense Multiple Access. As the name implies, Carrier Sense Multiple Access (CSMA) is an access protocol that uses the absence/presence of a signal on the medium that it wants to transmit on as permission to speak. Only one device may transmit at a time; otherwise, the transmitted frames will be unreadable. Because there is not an inherent mechanism that determines which device may transmit, all of the devices must compete for available bandwidth. For this reason, CSMA is referred to as a contentionbased protocol. Also, because it is impossible to predict when a device may transmit, CSMA is also nondeterministic.

There are two variations of CSMA based on how collisions are handled. LANs using Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) require devices to announce their intention to transmit by broadcasting a jamming signal. When devices detect the jamming signal, 437

AU8231_C007.fm Page 438 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® they know not to transmit; otherwise, there will be a collision. After sending the jamming signal, the device waits to ensure that all devices have received that signal, and then broadcasts the frames on the media CSMA/CA is used in the IEEE 802.11 wireless standard.36 Devices on a LAN using Carrier Sense Multiple Access with Collision Detection (CSMA/CD) listen for a carrier before transmitting data. If another transmission is not detected, the data will be transmitted. It is possible that a station will transmit before another station’s transmission had enough time to propagate. If this happens, two frames will be transmitted simultaneously, and a collision will occur. Instead of all stations simply retransmitting their data, which will likely cause more collisions, each station will wait a randomly generated interval before retransmitting. CSMA/CD is part of the IEEE 802.3 standard.37 Polling. A network that employs polling avoids contention by allowing a device (a slave) to transmit on the network only when it is asked by a master device. Polling is used mostly in mainframe protocols, such as Synchronous Data Link. The point coordination function, an optional function of the IEEE 802.11 standard, uses polling as well.38 Token Passing. Token passing takes a more orderly approach to media access. With this access method, only one device may transmit on the LAN at a time, thus avoiding retransmissions.

A special frame, known as a token, circulates through the ring. When a device wishes to transmit on the network, it must possess the token. The device replaces the token with a frame containing the message to be transmitted and sends the frame to its neighbor. When each device receives the frame, it relays it to its neighbor if it is not the recipient. The process continues until the recipient possesses the frame. That device will copy the message, modify the frame to signify that the message was received, and transmit the frame on the network. When the modified frame makes a trip back to the sending device, the sending device knows that the message was received. Token passing is used in Token Ring and FDDI networks. An example of a LAN using token passing is in Figure 7.7. Ethernet (IEEE 802.3). Ethernet, which is defined in IEEE 802.3, played a major role in the rapid proliferation of LANs in the 1980s. The architecture was flexible and relatively inexpensive, and it was easy to add and remove devices from the LAN. Even today, for the same reasons, Ethernet is the most popular LAN architecture. The physical topologies that are sup-

438

AU8231_C007.fm Page 439 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security

11010

Figure 7.7. LAN token passing.

ported by Ethernet are bus, star, and point to point, but the logical topology is the bus. With the exception of full-duplex Ethernet (which does not have the issues of collisions), the architecture uses CSMA/CD. This protocol allows devices to transmit data with a minimum of overhead (compared to Token Ring), resulting in an efficient use of bandwidth. However, because devices must retransmit when more than one device attempts to send data on the medium, too many retransmissions due to collisions can cause serious throughput degradation. The Ethernet standard supports coaxial cable, unshielded twisted pair, and fiber optics. Ethernet was originally rated at 10 Mbps, but like 10-megabyte disk drives, users quickly figured out how to use and exceed its capacity and needed faster LANs. To meet the growing demand for more bandwidth, 100 Base-TX (100 Mbps over twisted pair) and 100 Base-FX (100 Mbps over multimode fiber optics) were defined. When the demand grew for even more bandwidth over unshielded twisted pair, 1000 Base-T was defined, and 1000 Base-SX and 1000 Base-LX were defined for fiber optics. These standards support 1000 Mbps. Token Ring (IEEE 802.5). Originally designed by IBM, Token Ring was adapted with some modification by the IEEE as IEEE 802.5. Despite the architecture’s name, Token Ring uses a physical star topology. The logical topology, however, is a ring. Each device receives data from its upstream 439

AU8231_C007.fm Page 440 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® neighbor and transmits to its downstream neighbor. Token Ring uses ring passing to mediate which device may transmit. As mentioned in the section on token passing, a special frame, called a token, is passed on the LAN. To transmit, a device must possess the token. To transmit on the LAN, the device appends data to the token and sends it to its next downstream neighbor. Devices retransmit frames whenever the token is not the intended recipient. When the destination device receives the frame, it copies the data, marks the frame as read, and sends it to its downstream neighbor. When the packet returns to the source device, it confirms that the packet has been read. It then removes the frame from the ring. What happens if a device goes offline immediately after it transmits the data? No device will be able to remove the token from the ring, and it will continue to circulate forever, preventing any further transmissions. To recover from errors and perform ring maintenance, a device on the ring is designated as the active monitor. In the above scenario, the active monitor would purge the ring the second time the token was received. Because Token Rings are deterministic, the active monitor can calculate the maximum time interval required for a token to circulate around the ring. If the active monitor does not receive a token within that interval, then it assumes the token is lost and transmits a new one. All other devices that are not the active monitor are considered standby monitors. If the active monitor goes offline, then one of the standby monitors will be promoted to active monitor. Token Rings use a beaconing process to perform automatic error correction. For example, if a device detects a hardware fault, it will send a beacon frame, which contains the address of the device’s nearest upstream neighbor. When the neighbor receives the frame, it will perform self-diagnostics to determine if it is the cause of the fault (Figure 7.8). Token Ring allows devices on the network to receive a higher priority to transmit. Each device has an assigned priority number. When a frame with information is circulating around the ring, a device can set the priority of the frame so that the next generated token will only be able to be possessed by a device with that priority number or higher. Token Ring supports speeds of 4, 16, and 100 Mbps. Fiber Distributed Data Interface (FDDI). FDDI is a token-passing architecture that uses two rings. Because FDDI employs fiber optics, FDDI was designed to be a 100-Mbps network backbone. Only one ring (the primary) is used; the other one (secondary) is used as a backup. Information in the rings flows in opposite directions from each other. Hence, the rings are referred to as counterrotating. 440

AU8231_C007.fm Page 441 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security

Beacon

Figure 7.8. Token Ring beacon.

Devices that are on the FDDI ring fall into four categories: Single attachment station (SAS): A device that connects to the primary ring only. These are not expected to remain online. Single attachment concentrator (SAC): Used as a concentrator to connect SAS devices to the primary ring. Dual attachment station (DAS): A device that connects to both rings. Dual attachment concentrator (DAC): A device that attaches devices to both rings. SAS, SAC, and DAS devices connect to this device. Devices that are attached to both rings should not be turned offline or disconnected; otherwise, a fault condition will occur, and the two rings will failover to one ring. Copper distributed data interface (CDDI) allows FDDI to run on copper wire, instead of fiber optics. Although new developments in copper wire support faster transmission speed, copper cable segments cannot be as long as fiber. For this reason, CDDI is best suited for LANs. Technology and Implementation Ethernet. Ethernet is an important architecture. Due to its relatively low cost and ease of administration, it is one of the most important popular local area network technologies. Concentrators. Concentrators multiplex connected devices into one signal to be transmitted on a network. For instance, a FDDI concentrator multiplexes transmissions from connected devices to a FDDI ring. 441

AU8231_C007.fm Page 442 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Front-End Processors. Input and output involve moving parts, such as fingers typing and disks spinning, which are quite slow compared to the speed of CPUs (central processing units). Servicing input and output therefore reduce a computer’s throughput. Some hardware architectures employ a hardware front-end processor that sits between the input/output devices and the main computer. By servicing input/output on behalf of the main computer, front-end processors reduce the main computer’s overhead. Multiplexers. A multiplexer overlays multiple signals into one signal for transmission. Using a multiplexer is much more efficient than transmitting the same signals separately. Multiplexers are used in devices from simple hubs (see below) to very sophisticated dense-wave division multiplexers (DWDMs) that combine multioptical signals on one optical fiber. Hubs and Repeaters. Hubs are used to implement a physical star topology. All of the devices in the star connect to the hub. Essentially, hubs retransmit signals from each port to all other ports. Although hubs can be an economical method to connect devices, there are several important disadvantages:

• All connected devices will receive each other’s broadcasts, potentially wasting valuable resources processing irrelevant traffic. • All devices can read and potentially modify the traffic of other devices. • If the hub becomes inoperable, then the connected devices will not have access to the network. • As the distance between the sender and receiver increases, the signal’s quality can degrade due to attenuation. To allow longer distances while preserving signal quality, repeaters are used to reamplify signals. For example, a repeater can be used to increase the length of an Ethernet bus to accommodate a physically larger network. Switches and Bridges. As LANs grow in number of users, bandwidth utilization, and physical dimensions, they can reach thresholds that prevent the LAN from expanding. Bandwidth is exceeded, cable lengths cannot increase because of signal attenuation, and the LAN can be too large to manage.

On the other side of the coin, how would one interconnect LANs without reconfiguring the networks so that they can communicate? One possible solution to both issues is to use bridges. Bridges are layer 2 devices that filter traffic between segments based on MAC addresses. In addition, they amplify signals to facilitate physically larger networks. A basic bridge filters out frames that are not destined to another segment. (Consider the network shown in Figure 7.9.) When a client PC on segment A transmits to a server on segment A, the bridge will read the destination’s MAC address and not forward the traffic to segments B and C, relieving them of the burden of traffic that is not des442

AU8231_C007.fm Page 443 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security

Figure 7.9. Network segments connected with a bridge.

tined to a device on these segments. In this simple example, this might not seem important, but if the segments had hundreds of devices on long network segments, the bridge would greatly reduce unnecessary traffic and allow the network to physically grow without signal attenuation. Bridges can connect LANs with unlike media types, such as connecting a UTP segment with a segment that uses coaxial cable. Bridges do not reformat frames, such as converting a Token Ring frame to Ethernet. This means that only identical layer 2 architectures can be connected with a simple bridge (e.g., Ethernet to Ethernet, etc.). Network 443

AU8231_C007.fm Page 444 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK®

Figure 7.10. Simple switched network.

administrators can use encapsulating bridges to connect dissimilar layer 2 architectures, such as Ethernet to Token Ring. These bridges encapsulate incoming frames into frames of the destination’s architecture. Other specialized bridges filter outgoing traffic based on the destination MAC address. In the network in Figure 7.10, suppose the bridge were a filtering bridge. When a user on segment A sends traffic to a server on segment B, the bridge will forward the transmission to segment B only, reducing unnecessary traffic on segment C. Again, in the network in Figure 7.10, if a server on segment A sends out a broadcast on the wire, would segments B and C receive the broadcast? Because broadcasts are for all devices, the bridge will forward the broadcast. This is an important point to keep in mind about bridges: they do not filter broadcasts. Bridges do not prevent an intruder from intercepting traffic on the local segment. Switches solve the same issues posed at the beginning of this section, except the solutions are more sophisticated and more expensive. Essentially, a basic switch is a multiport device to which LAN hosts connect. Switches forward frames only to the device specified in the frame’s destination MAC address, which greatly reduces unnecessary traffic. (To illustrate, see Figure 7.10.) In this very simple LAN, client A transmits traffic to the server. When the switch receives the traffic, it relays it out of the port to which the server is connected. Client B does not receive any of the traffic. On the other hand,

444

AU8231_C007.fm Page 445 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security if the switch were a hub, client B would receive the traffic transmitted between client A and the server. Because client B does not receive the traffic between the other client and server, the likelihood of client B intercepting the traffic is reduced (there are sophisticated attacks that could trick a switch, especially a poorly configured one, into sending traffic to client B). Switches can perform more sophisticated functions to increase network bandwidth. Due to the increased processing speed of switches, models exist that can make forwarding decisions based on IP address and prioritization of types of network traffic. Like hubs and bridges, switches forward broadcasts. Wireless Local Area Networks. Wireless networks allow users to be mobile while remaining connected to a LAN. Unfortunately, this allows unauthorized users greater access to the LAN as well. In fact, many wireless LANs can be accessed off of the organization’s property by anyone with a wireless card in a laptop, which effectively extends the LAN where there are no physical controls. Below are some important wireless security issues and controls. General. AUTHENTICATION. As we will see, it is impractical for an organization to hide its access point’s signal from unauthorized users. Instead, authentication should be the first real line of defense. Unfortunately, many wireless authentication mechanisms are weak because they do not provide sufficient assurance that the client and access point are who they claim to be.

Open System Authentication — Open system authentication is the most basic form of wireless authentication. The wireless client is permitted to join the network if its SSID matches the wireless network’s. The wireless client sends an encrypted frame containing its SSID to the access point. Upon successful authentication (matching SSIDs), the client is associated with the wireless LAN. Shared-Key Authentication — In shared-key authentication, WEP is used to encrypt a shared secret between the access point and wireless client. After the client identifies its MAC address to the access point, the access point responds with a frame containing a randomly generated challenge using the WEP key stream generator. The client responds with the challenge encrypted with WEP. If the access point decrypts the challenge and it is the same as the one that it sent to the client, the client is authenticated. There is a serious flaw with shared-key authentication. Because exclusive or’s (XORs) are used in the authentication, an attacker can intercept 445

AU8231_C007.fm Page 446 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® the challenge and response and recover the key stream. Because of this, shared-key Authentication is not considered effective. MAC Address Tables — Authenticating based on MAC address is not very effective. Because it is very easy to spoof a MAC address, there is little assurance that the client is an authorized workstation, instead of an intruder who is advertising a bogus MAC address. SSID. Service Set Identifier (SSID) Broadcasting — The service set identifier is defined in IEEE 802.11 as a name for the wireless LAN, not as an authentication mechanism. Specifying the SSID of the wireless LAN to which you want to connect ensures that you connect to the correct one when several are in the same vicinity. That is the primary reason not to use the default SSID. If neighboring LANs use access points from the same manufacturer and both use the default SSID, then users could easily attempt to connect to the wrong wireless LAN.

Wireless client cards can broadcast a probe to ask wireless LANs that receive the probe to respond with their SSID. Network administrators often configure wireless LANs to block these requests or remove the SSID from the probe response. Because a patient attacker can still access these LANs, not broadcasting the SSID is a minor security control at best. SSID Naming Conventions — Although SSIDs are not for authentication, an organization should not advertise that it is the owner of the wireless LAN. In general, organizations should not use SSIDs that can be easily identified with them, such as company name, product, mascot, etc. PLACEMENT AND CONFIGURATION OF ACCESS POINTS. We previously discussed organizations broadcasting wireless signals past the confines of their property. Wireless access points should be placed and their power levels set to make it more difficult for unauthorized clients to receive a signal (e.g., do not place an access point by a window). However, organizations should not count on hiding their access point’s signal, especially from an intruder with a unidirectional antenna. Besides being unrealistic, that would be an example of security by obscurity — a fundamental fallacy.

Access point placement should focus on ensuring that authorized users can receive a strong signal from an access point. Keep access points away from electronically noisy machines that could interfere with an access point’s transmission. Many microwaves interfere with access points. Encryption. WIRED EQUIVALENT PRIVACY (WEP). Wired equivalent privacy uses a shared secret between the client and access point. Before each packet is transmitted, a CRC-32 checksum is appended to it and both are encrypted using RC4 with the shared secret and initialization vector. The encrypted packet 446

AU8231_C007.fm Page 447 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security with the initialization vector is transmitted. The recipient reverses the process. If the client has the same shared secret, then the packet will be decrypted. Due to flaws in the RC4 implementation in WEP, and the reuse of initialization vector values, WEP transmissions can be decrypted by an attacker in a very short time. WIFI PROTECTED ACCESS (WPA). After it was announced that WEP could not effectively protect traffic from eavesdropping, the WiFi Alliance had to replace WEP, but IEEE 802.11i was not ready. As a stopgap measure, it released WPA. This system uses an improved implementation of RC4 with 128-bit keys. The initialization vector was expanded from 24 to 48 bits, which supports many more shared secrets. To make an intruder’s task of cracking the encryption of intercepted traffic much more difficult, WPA uses the Temporal Key Integrity Protocol (TKIP). Instead of using the same key for the entire session, TKIP uses a different key for each packet. WEP’s CRC-32 checksum was replaced with a message integrity check, dubbed Michael. Michael protects the packet’s header and data and uses a frame counter to thwart replay attacks.

Another advantage of WPA is that both the client and network authenticate each other (mutual authentication). In addition to the network verifying that the client is authorized for network access, the client can be assured that he or she is not communicating with an imposter, posing as a network. When IEEE 802.11i was completed, WPA2 was certified. Although WPA did not have any significant security flaws, RC4 was replaced by the Advanced Encryption Standard (AES), a stronger encryption algorithm. Also, TKIP and Michael were replaced by the Counter-Mode/CBC-Mac Protocol (CCMP), which manages encryption keys and message integrity. WPA2 supports IEEE 802.1X authentication, which is based on the Extensible Authentication Protocol (EAP) framework. The framework allows the authenticating partners to negotiate the authentication method during the authentication phase. EAP authentication methods include: EAP-TLS (EAP, tunneled layered security): Both the client and authentication server mutually authenticate over a TLS session with digital certificates. In addition to ensuring that the client is authorized to access the network, the client can be confident that he or she is communicating with the desired network, not an imposter. This method is the most secure because an attacker must steal both a digital certificate and its password. However, organizations that have many clients may find there is too much overhead in administering the client certificates for EAP-TLS to be feasible. 447

AU8231_C007.fm Page 448 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® EAP-TTLS (EAP, tunneled TLS): Like EAP-TLS, digital certificates are used. However, to establish an encrypted tunnel, the authentication server only presents a certificate to the client. Once the tunnel is established, the client authenticates to the authentication server using an EAP or legacy mechanism that is easier to administer than client-side digital certificates. The lack of client-side certificates makes EAP-TTLS easier to administer than EAP-TLS, but the less robust client authentication makes EAP-TTLS less secure than EAPTLS. Of course, the extent of how much less secure depends on the strength of the client authentication. EAP-PEAP (EAP, protected EAP): EAP-PEAP is very similar to EAP-TLS. To establish an encrypted tunnel, the authentication server authenticates to the client with a digital certificate, and the client employs a nondigital certificate mechanism to authenticate to the server. However, EAP-PEAP requires that the client authenticates with an EAP method. As with EAP-TTLS, EAP-PEAP is easier to administer than EAP-TLS, but the lack of a client-side certificate makes this method less secure than EAP-TLS. During 802.1X authentication, a client (called a supplicant) contacts an authenticator (an access point, for wireless authentication). The authenticator blocks all traffic from the client to the network, except for what is required for authentication. The authenticator sends an EAP challenge to the client and forwards the challenge and client’s EAP response to an authentication server on the wired network. The authentication server, a RADIUS server, establishes the appropriate authentication method and sends the corresponding challenge to the client via the access point. The client sends the response back to the authentication server via the access point. If the authentication is successful, a session key is generated and the authenticator removes the network traffic restriction. Instead of EAP, homes or organizations without RADIUS can use preshared 32-byte keys between the access point and clients. In low-risk environments, the use of preshared keys is cost-effective. However, due to the relatively weak authentication and lack of accountability (all clients use the same key), businesses should avoid this option, if feasible. WI-FI PROTECTED ACCESS (WPA2). WPA2, created by the IEEE 802.11i working group, addresses the many problems with wireless security. It supersedes the weak WEP and the stopgap WPA. It uses 802.1x access control to start an EAP authentication method and Counter-Mode/CBC-Mac Protocol (CCMP) for encryption.

WPA2 implements the final IEEE 802.11i amendment to the 802.11 standard (as opposed to WPA, which only implements a subset of IEEE 802.11i) and is compliant with FIPS 140-2. 448

AU8231_C007.fm Page 449 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security IEEE 802.11b. This amendment to IEEE 802.11 was ratified in 1999. It continued the usage of CSMA/CA and direct-sequence spread spectrum (DSSS). The bandwidth was increased to 5.5 and 11 Mbps, and continued the support of the original 1- and 2-Mbps rates. The slower rates can be used when signal quality is poor. Use of DSSS ensured that transmissions were resilient to interference due to the number of chips used per broadcasted bit.

There are 14 transmission channels in the 2.4-GHz band, each 5 MHz wide. Channel 14 is used in Japan only. IEEE 802.11a. IEEE 802.11a was ratified in 1999. Because the 2.G-Hz band specified in IEEE 802.11b was overused, which increased the potential of problems from interference, this amendment used the 5-GHz band. The higher frequency has the disadvantage that more access points are required because the receiver and sender must be near the line of site from each other.

This amendment employs orthogonal frequency division multiplexing (OFDM), using 20-MHz channels subdivided into 52 subcarriers (48 are used for data). The maximum transmission speed is 52 Mbps. IEEE 802.11a is not compatible with IEEE 802.11b. IEEE 802.11g. This standard, which was ratified in 2003, combines the frequency band of 802.11b (2.4 GHz) with the increased speed of 802.11a (52 Mbps). IEEE 802.11g is fully compatible with IEEE 802.11b. Cards are available to compensate for the incompatibility of some of the standards.

Both IEEE 802.11g and IEEE 802.11b are very popular. Bluetooth. Bluetooth allows Bluetooth-enabled devices to communicate over a very short distance without wires. The convenience of wireless exchange of information, cell phone earpieces without cables, etc., has become very popular. Today, Bluetooth technology can be found in electronics such as cell phones, PDAs, and laptops. In fact, the IEEE based its IEEE 802.15 standard on Bluetooth.

Unfortunately, the technology’s security features are inadequate. To make matters worse, far too many owners of Bluetooth devices are not aware of the technology’s vulnerabilities. Some of the vulnerabilities include: Blue jacking: Allows an anonymous message to be displayed on the victim’s device. Buffer overflow: An attacker can remotely exploit bugs in software on Bluetooth-enabled devices. Blue bug attack: An attacker can use the AT commands on a victim’s cell phone to initiate calls, send SMS messages, etc. 449

AU8231_C007.fm Page 450 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Bluetooth devices are designed to communicate over a distance of 10 m (30 ft), but longer ranges are possible. Class 1 Bluetooth devices contain a 100-mW transmitter and are known to bridge distances of up to 1 km. Devices transmit at the 2.4-GHz band using frequency-hopping spread spectrum (FHSS). Address Resolution Protocol (ARP). Given a layer 3 IP address of a device, ARP determines the device’s layer 2 MAC address. ARP tracks IP addresses and their corresponding MAC addresses in a dynamic table called ARP cache. To determine a device’s address, ARP first looks in its cache to see if the MAC address is already known. If it is not, ARP sends out a broadcast asking all devices to return the MAC address, if they know it. The returned MAC address is added to the cache.

Because ARP does not require authentication, an attacker could place bogus entries in the ARP cache to carry out other attacks, such as a man in the middle. Adding bogus entries in ARP cache is called ARP poisoning. Point-to-Point Protocol (PPP). PPP is used to connect a device to a network over a serial line to a network. Generally, this protocol is used to connect a remote workstation over a phone line. For example, ISPs use PPP to allow dial-up users access to the Internet.

PPP supports authentication, including the following protocols: Password Authentication Protocol (PAP): A simple insecure protocol that transmits in plaintext. Challenge Handshake Authentication Protocol (CHAP): A protocol that uses a three-way handshake. The server sends the client a challenge, which includes a random value (a nonce) to thwart replay attacks. The client responds with a MD5 hash of the nonce and the password. The authentication is successful if the client’s response is the one that the server expected. Extensible Authentication Protocol (EAP): An authentication framework whereby the authentication partners establish the authentication method during the authentication phase. See the section on WPA (See Section Encryption) for details. PPP replaced the Serial Line Internet Protocol (SLIP) in many uses. Layer 3: Network Layer Concepts and Architecture Local Area Network (LAN). Local area networks service a relatively small area, such as a home, office building, or office campus. In general, LANs service the computing needs of their local users. LANs consist of most modern computing devices, such as workstations, servers, and peripherals 450

AU8231_C007.fm Page 451 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security connected in a star topology or internetworked stars. Ethernet is the most popular LAN architecture because it is inexpensive and very flexible. Most LANs have connectivity to other networks, such as dial-up or dedicated lines to the Internet, access to other LANs via wide area networks (WANs), and so on. Virtual Local Area Networks (VLANs). For IT to be successful, it must provide effective computing resources for the business. However, a business rarely aligns itself to make IT’s job easier, which includes physically locating users with similar computing requirements in the same area. For instance, engineers who mostly access the same servers could be scattered throughout a campus on different subnetworks.

Virtual local area networks (VLANs) allow network administrators to use switches to create software-based LAN segments that can be defined based on factors other than physical location. Devices that share a VLAN communicate through switches, without being routed to other subnetworks, which reduces overhead due to router latency (as routers become faster, this is less of an advantage). Furthermore, broadcasts are not forwarded outside of a VLAN, which reduces congestion due to broadcasts. Placing devices that often communicate with each other in the same VLAN allows them to do so more efficiently. For example, the engineers in the above scenario can be placed in a dedicated VLAN with their servers. The throughput between the devices in the VLAN is increased because the traffic is not routed. Also, the broadcasts from the devices are isolated to the VLAN, which improves throughput for the entire LAN. Because VLANs are not restricted to the physical location of devices, they help make networks easier to manage. When a user or group of users change their physical location, network administrators can simply change the membership of ports within a VLAN. Likewise, when additional devices must communicate with members of a VLAN, it is easy to add new ports to a VLAN. VLANs can be configured based on switch port, IP subnet, MAC address, and protocols. It is important to remember that VLANs do not guarantee a network’s security. At first glance, it may seem that traffic cannot be intercepted because communication within a VLAN is restricted to member devices. However, there are attacks that allow a malicious user to see traffic from other VLANs (so-called VLAN hopping). Therefore, a VLAN can be created so that engineers can efficiently share confidential documents, but the VLAN does not significantly protect the documents from unauthorized access. 451

AU8231_C007.fm Page 452 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Wide Area Network (WAN) Technologies. Modems and Public Switched Telephone Networks (PSTN). The PSTN is a circuit-switched network that was originally designed for analog voice communication. When a person places a call, a dedicated circuit between the two phones is created. Although it appears to the callers that they are using a dedicated line, they are actually communicating through a complex network. As with all circuit-switched technology, the path through the network is established before communication between the two endpoints begins, and barring an unusual event, such as a network failure, the path remains constant during the call. Phones connect to the PSTN with CAT 3 copper wires to a central office (CO), which services an area of about 1 to 10 km (see Tannenbaum’s Computer Networks in “General References”).

The central offices are connected to a hierarchy of tandem offices (for local calls) and toll offices (toll calls), with each higher level of the hierarchy covering a larger area. Including the COs, the PSTN has five levels of offices. When both endpoints of a call are connected to the same CO, the traffic is switched within the CO. Otherwise, the call must be switched between a toll center and a tandem office. The greater the distance between the calls, the higher in the hierarchy the calls are switched. For example, in Figure 7.11, a call between callers 1 and 2 is switched within their central office. However, a call between callers 1 and 3 must be switched within the leftmost primary toll office. To accommodate the high volume of traffic, toll centers communicate with each other over fiber-optic cables. Today, the PSTN is also used for data communication over wide area networks. Users can use a modem to access a network over a phone line (see “Modems” in the “Layer 1” section of this chapter). Or, a digital subscriber line (DSL) can be used to access the Internet over a phone line. To meet the demands for improved reliability necessary for data communication, phone companies have converted most of the communication within the PSTN to digital. The most notable exception is the connection between the user and the CO, which is still analog. The PSTN is vulnerable to attacks. There is a subculture of phone hackers (phreaks) that attempt to make toll calls for free, manipulate public and private phone switches, gain unauthorized access to voice mail systems, etc. For example, in the 1960s, phone hackers discovered that AT&T signaled a 2600-Hz tone on all free toll lines and devised methods of reproducing that tone to make free long-distance calls. Although modems allow remote access to networks from almost anywhere, they could be used as a portal into the network by an attacker. Using automated dialing software, he or she can dial the entire range of phone numbers used by the company to identify modems. If the host, to 452

AU8231_C007.fm Page 453 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security

Figure 7.11. PSTN.

which the modem is attached, has a weak password, then the attacker can easily gain access to the network. Worse yet, if voice and data share the same network, then both voice and data could be compromised. The best defense to this attack is not to use modems. However, if modems are necessary, then organizations must ensure that the passwords protecting the attached host are strong, preferably with the help of authentication mechanisms, such as RADIUS, one-time passwords, etc. Also, shutting modems off when not in use will reduce the risk posed by the modem. Users with modems that are connected to a network, especially the Internet, could be an easy target of attack. Sensitive information on the connected workstation could be stolen, or the workstation could become infected by malicious software, such as viruses, worms, or programs that allow an attacker to remotely control the workstation. To greatly reduce the risk of accessing a network remotely, workstations should be protected with personal firewalls, and antivirus software with current virus signatures. Security patches should also be installed as soon as possible. More importantly, users should learn and practice safe habits while connected to a network. For instance, do not open suspicious e-mail attachments, download software from trusted Web sites only, etc. 453

AU8231_C007.fm Page 454 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK®

Figure 7.12. ISDN. Integrated Services Digital Network (ISDN). Before the days of DSL and cable modems, users wanted remote access with higher bandwidth than dial-up. ISDN provides such bandwidth by using a set of protocols and specialized equipment (see Figure 7.12). ISDN uses two types of channels: the B channel (bearer) is used for voice and data (at 64 kbps) and the D channel (delta) is used for signaling (at 16 kbps) and can also be used for data. The D channels are used to establish, maintain, and tear down connections with a remote site. Voice and data traffic are sent on the B channel. Each B channel can support a separate call or can be multiplexed (B channel bonding) to combine the bandwidth into a single channel.

ISDN comes in two varieties, basic rate interface (BRI) and primary rate interface (PRI). BRI supports two B channels and one D channel. Each B channel will support separate 64-kbps sessions or can be multiplexed into one 128-kbps session. PRI is ISDN’s high-end. When all of the B channels are bonded, the ISDN connection provides the bandwidth of a leased line. In North America, PRI supports 23 B channels and 1 D channel that can support as many as 23 sessions or, combined, 1 1.55-Mbps session (a full T1). In Europe and Australia, PRI supports 30 B channels and 1 D channel. The B channels can support 30 sessions or, bonded, 1 2.0-Mbps channel (a full E1). The following are common ISDN devices: Terminal equipment 1 (TE1): Computer, fax, etc., is ISDN ready. Terminal equipment 2 (TE2): Computer, fax, etc., cannot be directly attached to an ISDN network. To connect to ISDN, a TE2 must connect to a terminal adapter. 454

AU8231_C007.fm Page 455 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security Channel # 1

2

3

4

5

6

1 101 1001 11110010 00110011 01001011 11100111 11000101

23

24

10001111 10110011

Framing bit

Figure 7.13. Structure of a T1 frame.

Network termination 1 (NT1): Marks the end of the phone company and the beginning of the customer’s network. Network termination 2 (NT2): Acts as a concentrator. NT2 devices are typically not used in the home. Terminal adapter (TA): Interfaces with TE2 devices to allow them to access an ISDN network. Some organizations use PRI ISDN as a low-cost backup for a leased line. Point-to-Point Lines. A point-to-point line connects two endpoints, most often over a WAN. In a wired WAN, point to point uses high-bandwidth fiber cable, but unlike FDDI, the traffic is dedicated to the endpoints. Point-topoint lines are an expensive option. T1, T3, etc. T1 carrier is a popular WAN method in North America and Japan. Using time division multiplexing, T1 multiplexes 24 channels over copper cable. In a 193-bit frame, each of the channels in a round-robin transmits 8 bits (seven data and one control bit). One bit for synchronization is appended to the beginning of the frame. A T1 frame is shown in Figure 7.13.

Eight thousand T1 frames are transmitted every second. Therefore, the transmission rate is 1.544 Mbps (8000 frames/sec × 193 bits/frame). Fractional T1 is available for organizations with a modest T1 budget. Customers may purchase fewer than 24 channels, which could be much less expensive than a full T1. Channels that are not purchased do not carry data. To meet the demand for more WAN bandwidth, multiple T1 channels are multiplexed into technologies with more throughput. In general, customers use T1 and T3. A summary of T channels is shown in Table 7.2. Fractional T3 is available at a reduced cost for organizations that do not need all T3 channels. As with fractional T1, fractional T3 channels that are not purchased do not carry data. E1, E3, etc. E-carrier, used in Europe, employs a similar concept as T-carrier. Using time division multiplexing, 32 channels take their turn transmitting 8 bits of data in a frame. E1 transmits 8000 frames per second (the same rate as T1). The throughput for E1 is therefore 2.048 Mbps. 455

AU8231_C007.fm Page 456 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Table 7.2. T-Carrier Bandwidth Channel

Multiplex Ratio

Bandwidth (Mbps)

T1 T2 T3 T4

1 T1 4 × T1 7 × T2 6 × T3

1.544 6.312 44.736 274.176

Table 7.3. E-Carrier Bandwidth Channel

Bandwidth (Mbps)

E1 E2 E3 E4

2.048 8.848 34.304 139.264

As with T-carrier, E1 channels are multiplexed into E-carrier technology with more bandwidth. Each successive E-carrier level contains four times the channels as the previous one. Table 7.3 shows the bandwidth of E1 to E4. Customers typically use E1 and E3. In addition, fractional E-carrier lines are available for organizations that do not require the entire capacity of E1 or E3 line. OC1, OC12, etc. T- and E-carriers facilitate high bandwidth over a WAN, but have limitations. First, the carriers are incompatible with each other and other technologies. Also, the fastest incarnations for the carriers, E4 and T4, will not keep pace with the enormous amount of voice and data that organizations will want to transmit over WANs in the future. Synchronous optical network (SONET) standards address these two issues by using single-mode fiber and synchronous communication to facilitate transfer rates as fast as 9953 Mbps (and in the future, faster), which is compatible worldwide.

SONET employs a master clock to tightly control the timing of transmissions and is designed to tolerate timing differences in network devices. User data can be inserted almost anywhere in the frame. Furthermore, frames are continually transmitted. When there is no data to transmit, SONET will transmit frames with dummy data. Like T- and E-carriers, 8000 frames are transmitted per second. However, a SONET frame is larger and more complex, as shown in Figure 7.14. A SONET frame is a 90 × 9 byte matrix (810 bytes) with overhead in the first three columns. The overhead includes information for network management and the pointer to the start of user data. The rest of the frame is 456

AU8231_C007.fm Page 457 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security 3 columns of overhead

Synchronous Payload Envelope (User Data)

9 Bytes

1 column of overhead 90 Bytes

Figure 7.14. SONET frame.

Table 7.4. OC Bandwidth OC Level OC-1 OC-3 OC-9 OC-12 OC-18 OC-24 OC-36 OC-48 OC-192

Bandwidth (Mbps) 51.84 155.52 466.56 622.08 933.12 1244.16 1866.24 2488.32 9953.28

devoted to user data, known as the synchronous payload envelope (SPE), which can start at any byte within that area. However, the first column of the SPE is used as overhead. SONET’s basic transfer rate, optical carrier-1 (OC1) is 51.84 Mbps (810 bytes × 8 bits/byte × 8000 bytes/s). Time division multiplexing of SONET signals is used to generate levels of SONET with a faster bandwidth. Table 7.4 shows the potential speed of various OC levels. . Digital Subscriber Lines (DSL). To meet the ever-growing demand by home users for more affordable bandwidth, telephone companies offer digital subscriber lines (DSLs) that use CAT-3 cables and the local loop. Fortunately for telephone companies, this technology requires relatively little change to their equipment.

The local loop, the weakest link of the PSTN, can support a relatively high transmission rate. Traditionally, all frequencies above 4 KHz are filtered to optimize the network for human speech. When the filter is removed from the line, the line has the capacity for frequencies as high as 1.1 MHz, which is ample for the desired throughput of DSL. 457

AU8231_C007.fm Page 458 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Customer

Central Oﬃce

ADSL Modem Splitter Voice NID + Splitter DSLAM

To ISP

Figure 7.15. ADSL network.

There are several methods of implementing DSL, including: Asymmetric digital subscriber line (ADSL): Downstream transmission rates are much greater than upstream ones, typically 256 to 512 kbps downstream and 64 kbps upstream. Rate-adaptive DSL (RADSL): The upstream transmission rate is automatically tuned based on the quality of the line. Symmetric digital subscriber line (SDSL): Uses the same rates for upstream and downstream transmissions. Very high bit rate DSL (VDSL): Supports much higher transmission rates than other DSL technologies, such as 13 Mbps downstream and 2 Mbps upstream. Due to ADSL’s popularity, we will focus on it here. ASDL, like V.90 modems, dedicates more bandwidth for downstream transmission (from CO to user) than upstream, which matches the bandwidth requirements of most home users. For example, a user’s mail client requires very little bandwidth to ask a mail server if the user has new mail. On the other hand, downloading mail could require much more network resources. A typical ADSL network is shown in Figure 7.15. The network interface device (NID), which is usually installed on a customer’s outside wall, marks the end of the telephone company’s responsibility. The phone line is attached to the NID. Splitters are installed at both ends of the phone line to separate voice and data traffic. How does a home computer transmit at high speeds on a creaky old local loop over CAT-3 cable? The leading method is to use discrete multitone (DMT). The 1.1-MHz bandwidth of the local loop is subdivided into 256 channels. Voice is transmitted over one channel; 250 channels are allocated for ADSL, and 5 unused channels help isolate ASDL and voice. Because downstream transmission is favored over upstream, many more channels are allocated for downstream. All channels are modulated by an ASDL modem before transmitting over the local loop. 458

AU8231_C007.fm Page 459 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security At the CO, the ASDL channels are forwarded to a digital subscriber line access multiplexer (DSLAM), which demodulates the signal and sends the resulting bits to an ISP. There are two significant issues with all variations of DSL: • There is a limit to the length of the phone line between the CO and the customer. The precise limit depends on several factors, including the quality of the cable and transmission rates. In other words, the customer cannot be too far from the CO. • DSL allows the users to be connected to the Internet for much longer time intervals. Certainly, this is very convenient for the user, but extended time exposed to the hostile Internet greatly increases the risk of being attacked. To mitigate this serious risk, it is imperative that the host has a firewall, vendor security patches are installed, and dangerous and unused protocols are disabled. Cable Modem. As with DSL, cable modems allow home users to enjoy high-speed Internet connectivity. Instead of sending data through the phone company, cable modems use their cable provider as an ISP. The user connects their PC Ethernet NIC to a cable modem, which is connected via coaxial cable to the cable provider’s network.

Most major cable providers supply cable modems that comply with Data-Over-Cable Service Interface Specifications (DOCSIS), which helps ensure compatibility. At a high level, when a cable modem is powered on, it is assigned upstream and downstream channels. Next, it establishes timing parameters by determining how far it is from the head end (the core of the cable network). The cable modem makes a Dynamic Host Configuration Protocol (DHCP) request to obtain an IP address. To help protect the cable provider from piracy and its users from their data being intercepted by other cable users, the modem and head end exchange cryptography keys. From that point forward, all traffic between the two ends is encrypted.39 Like DSL, cable modems make it practical for home users to remain connected to the Internet for an extended time, which exposes cable modem users to the same risks as DSL users. Cable modem users must take the same precautions as DSL users: ensure that PCs on the home network have a personal firewall, install vendor security patches, and disable dangerous and unused protocols. X.25. X.25 is a protocol from a very different era of networking. In the 1970s, when it was developed, users had dumb terminals (essentially a cathode ray tube monitor and keyboard) that were connected to a large computer. Also, networks were very unreliable, and a lot of resources had to be invested in error checking and correction. 459

AU8231_C007.fm Page 460 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK®

Router with DTE Frame Relay Cloud

Router with DTE

Figure 7.16. Frame Relay network.

X.25 allows users and hosts to connect through a modem to remote hosts via a packet-switched network. As with all packet-switched networks, the user’s stream of data is subdivided into packets and forwarded through the X.25 network to the destination host. Although it may seem as if the user has a dedicated circuit over the WAN, actually, packets could take different paths along the way. Because networks were very unreliable when X.25 was developed, packets go through rigorous error checking, which add much overhead — too much by today’s standards. Most organizations now opt for Frame Relay and ATM, instead of X.25, for packet switching. Frame Relay. Frame Relay is an economical alternative to circuitswitched networks and dedicated lines between networks that have significant idle time. Because Frame Relay uses packet-switching technology, organizations are charged for used bandwidth, which is less expensive than maintaining a dedicated line or the cost of a circuit that is based on the duration of the connection.

A Frame Relay network is shown in Figure 7.16. The heart of a Frame Relay network is the Frame Relay cloud of switches on the provider’s premises. All Frame Relay customers share the resources in the cloud, which are assumed to be reliable, and do not require the intense error checking and correcting of X.25. This significantly increases the throughput over X.25. Devices within the cloud are considered data circuit-terminating equipment (DCE). 460

AU8231_C007.fm Page 461 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security Devices that connect to the Frame Relay cloud, which are generally customer owned and on the customer’s premises, are considered data terminal equipment (DTE). Communication between endpoints is connection oriented over permanent virtual circuits or switched virtual circuits. Organizations use a permanent virtual circuit when the connection between the DTEs will be active most of the time. For occasional connections, a switched virtual circuit is more cost-effective because the connection will be disconnected when it is completed. Frame Relay provides a mechanism that guarantees a customer-specified throughput through the cloud, called the committed information rate (CIR). For example, if 10 Kbps is specified, the provider will ensure that 10 Kbps will be available. In addition, the provider will permit bursts of higher throughput if the resources are available in the cloud. Naturally, higher CIRs are more expensive. Asynchronous Transfer Mode (ATM). Asynchronous Transfer Mode (ATM) is a connection-oriented protocol designed to transmit data, voice, and video over the same network at very high speeds, such as 155 Mbps. This is facilitated by using small, fixed-length 53-byte cells for all ATM traffic.

Another hallmark of ATM is the use of virtual circuits. Cells transferred between circuit endpoints use the same path. To initiate a circuit, a cell is sent to the destination. As this cell transverses the network, all devices in the cell’s path allocate necessary resources to prepare for the eventual transfer of data. As with IP, ATM does not guarantee the delivery of cells. Virtual circuits can be either permanent or switched. Switched virtual circuits are torn down after the connection is terminated. Permanent virtual circuits, on the other hand, remain active. Traffic engineering is an aspect of ATM. All virtual circuits are classified in one of the following categories: Constant bit rate (CBR): The circuit’s cells are transmitted at a constant rate. Variable bit rate (VBR): The circuit’s cells are transmitted within a specified range. This is often used for bursty traffic. Unspecified bit rate (UBR): The circuit’s cells receive bandwidth that has not been allocated by circuits in other categories. This is ideal for applications that are not interactive, such as file transfers. Available bit rate (ABR): The circuit’s throughput is adjusted based on feedback from monitoring the available network bandwidth. Broadband Wireless. As mentioned in the DSL section, a customer cannot subscribe to DSL if his or her premises are too far from the CO. If using a 461

AU8231_C007.fm Page 462 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® cable modem or satellite is not an option, then these users cannot enjoy high-speed Internet access. To solve this and other problems, the IEEE has defined the IEEE 802.16 standard. The standard covers technology that allows users to connect to wireless base stations (access points) miles from where they are located and obtain access to a metropolitan area network (MAN). Base stations can be easily deployed on top of a building, which ensures complete coverage. The IEEE amended the standard with IEEE 802.16a, which addresses issues such as improved access when a base station and user are not in line of site. The new technology promises many features. The channel sizes are flexible, which allows providers to comply with local broadcast regulations. Broadband wireless will support protocols and services such as ATM, voice, video, IP, etc. Finally, security is part of the standard, using AES to protect the integrity and confidentiality of wireless data and the Extensible Authentication Protocol.40 Wireless Local Loop. IEEE 802.16, described in the previous section, allows a user to directly connect to a MAN, which could finally resolve the problem of the last mile, not by replacing the CAT-3 cables of the local loop, but by not using cables at all. Wireless local loop removes two major obstacles:

• The bandwidth limitation of a CAT-3 cable, designed for analog voice, is replaced by high-speed wireless. • The limit on the length of the CAT-3 cable, especially for provisioning DSL, is replaced with the ability to connect to a wireless base station from many miles away. Wireless local loops will also allow underdeveloped and rural areas to use broadband without the limitations of an analog voice telephone system. Wireless Optics. As an alternative to running fiber cables between buildings that are in line of sight, an organization can use lasers to transmit data. In principle, two laser transceivers are aimed at each other to communicate at speeds comparable to SONET. Wireless optics has advantages over microwave because wireless optics transmissions are harder to intercept, and a license is not required for deployment.

Unfortunately, wireless optics can be unreliable during inclement weather, especially heavy fog, which can outweigh its benefits until the technology is improved. Metropolitan Area Network (MAN). Metropolitan area networks encompass the area of a large city. For example, a business may connect offices scattered throughout a city with FDDI or SONET. 462

AU8231_C007.fm Page 463 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security Global Area Network (GAN). Internet. The Internet, a global network of interconnected networks, is changing life on Earth. People from anywhere on the globe can share information almost instantaneously. With a few keystrokes, a document can be sent from one continent to another just as easily and fast as sending it next door. Regrettably, there are people and governments that abuse the Internet for destructive purposes, such as identity theft, espionage, fraud, etc. Governments, organizations, and people must understand the risk and threats of sharing information on the Internet and take appropriate measures to reduce such risks to an acceptable level. Intranet. An intranet is a network of interconnected networks within an organization, which allows information to be shared to make the organization more effective. Hosts can replicate information so that such information is easier to access. During a project, staff in a global company can exchange documents, thereby working together almost as if they were in the same office. As with the Internet, the ease with which information can be shared comes with the responsibility to protect it from harm. As law enforcement organizations often state, the threat from within a company is greater than from outside. Extranet. To be more competitive, companies share information with their business partners. This exchange allows companies to make better decisions. For example, to tightly manage inventory, it is now common practice for manufacturing companies to share information with their suppliers and with the companies to which they supply.

It is not sufficient for executives of partner companies to chat during a round of golf. Companies must share large quantities of information, often in an automated fashion. An effective way to accomplish this is to implement an extranet between the two companies. Typically, one company will grant the other controlled access to an isolated segment of its network to exchange information. Granting an external organization access to a network comes with significant risk. Both companies have to be certain that the controls, both technical and nontechnical (e.g., contracts), effectively minimize the risk of unauthorized access to information. This includes protecting a business partner from accessing a third-party’s information. Companies that share an extranet do not have control of each other’s security posture. Who knows what can happen to a company if it shares an extranet with an organization whose network has been compromised, has poor change control processes, etc. To mitigate this, some companies demand that certain security controls are in place before granting access to an extranet.

463

AU8231_C007.fm Page 464 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Technology and Implementation Routers. Routers forward packets to other networks. They read the destination layer 3 address (e.g., destination IP address) in received packets, and based on the router’s view of the network, it determines the next device on the network (the next hop) to send the packet. If the destination address is not on a network that is directly connected to the router, it will send the packet to another router.

Routers can be used to interconnect different technologies. For example, connecting a Token Ring and Ethernet networks to the same router would allow IP Ethernet packets to be forwarded to a Token Ring network. Firewalls. Firewalls are devices that enforce administrative security policies by filtering incoming traffic based on a set of rules. Often firewalls are thought of as protectors of an Internet gateway only. While a firewall should be placed at Internet gateways, there are more general considerations when one might be appropriate. Firewalls should be placed between entities that have different trust domains. For instance, if an engineering department LAN segment is on the same network as general LAN users, there would be two trust domains: general LAN users and engineers with the organization’s intellectual property. Installing a firewall where the two trust domains meet would help protect the intellectual property from the general LAN user population, as shown in Figure 7.17.

Firewalls will not be effective right out of the box. Firewall rules must be defined correctly and not inadvertently grant unauthorized access. Like all hosts on a network, administrators must install patches to the firewall and disable all unnecessary services. Also, firewalls offer limited protection against vulnerabilities caused by software on other hosts. For example, a firewall will not prevent an attacker from manipulating a database to disclose confidential information. Filtering. As mentioned previously, firewalls filter traffic based on a rule set. Each rule instructs the firewall to block or forward a packet based on one or more conditions. For each incoming packet, the firewall will look through its rule set for a rule whose conditions apply to that packet, and block or forward the packet as specified in that rule. Below are two important conditions used to determine if a packet should be filtered. BY ADDRESS. Firewalls will often use the packet’s source or destination address, or both, to determine if the packet should be filtered. For example, in the case shown in Figure 7.17, to grant a trusted user access to the engineering LAN segment, a rule can be defined to forward a packet whose source address is from a trusted user’s host on the general LAN. BY SERVICE. Packets can also be filtered by service. The firewall inspects the service the packet is using (if the packet is part of the TCP or UDP, the 464

AU8231_C007.fm Page 465 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security

Engineering LAN

Engineering Dept. Domain of Trust

General LAN Domain of Trust

Figure 7.17. Firewall between two domains of trust.

service is the destination port number) to determine if the packet should be filtered. For example, firewalls will often have a rule to filter the Finger service to prevent an attacker from using it to gather information about a host. Address and service are often combined in rules. If the engineering department wanted to grant anyone on the LAN access to its Web server, a rule could be defined to forward packets whose destination address is the Web server’s and the service is HTTP (TCP port 80). Network Address Translation (NAT). Firewalls can change the source address of each outgoing (from trusted to untrusted network) packet to a different address. This has several applications, most notably to allow hosts with RFC 191841 addresses access to the Internet by changing their nonroutable address to one that is routable on the Internet.

Anonymity is another reason to use NAT. Many organizations do not want to advertise their IP addresses to an untrusted host, and thus unnecessarily give information about the network. They would rather hide the entire network behind translated addresses. Port Address Translation (PAT). An extension to NAT is to translate all addresses to one routable IP address and translate the source port number in the packet to a unique value. The port translation allows the firewall to keep track of multiple sessions that are using PAT. 465

AU8231_C007.fm Page 466 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Static Packet Filtering. When a firewall uses static packet filtering, it examines each packet without regard to the packet’s context in a session. Packets are examined against static criteria, for example, blocking all packets with a port number of 79 (finger). Because of its simplicity, static packet filtering requires very little overhead, but has a significant disadvantage. Static rules cannot be temporarily changed by the firewall to accommodate legitimate traffic. If a protocol requires a port to be temporarily opened, administrators have to choose between permanently opening the port and disallowing the protocol. Stateful Inspection or Dynamic Packet Filtering. Stateful inspection examines each packet in the context of a session, which allows it to make dynamic adjustments to the rules to accommodate legitimate traffic and block malicious traffic that would appear benign to a static filter. Consider FTP. A user connects to an FTP server on TCP port 21 and then tells the FTP server on which port to transfer files. The port can be any TCP port above 1023. So, if the FTP client tells the server to transfer files on TCP port 1067, the server will attempt to open a connection to the client on that port. A stateful inspection firewall would watch the interaction between the two hosts, and even though the required connection is not permitted in the rule set, it would allow the connection to occur because it is part of FTP.

Static packet filtering, in contrast, would block the FTP server’s attempt to connect to the client on TCP port 1067 unless a static rule was already in place. In fact, because the client could instruct the FTP server to transfer files on any port above 1023, a static rule would have to be in place to permit access to over 65,536 ports (see Section Transmission Control Protocol). Proxies. A proxy firewall communicates to untrusted hosts on behalf of the hosts that it protects. It forwards traffic from trusted hosts, creating the illusion to the untrusted server that the traffic originated from the proxy firewall, thus hiding the trusted hosts from potential attackers. A typical interaction with a server through a proxy is shown in Figure 7.18.

To the user, it appears that he or she is communicating directly with the untrusted server. Proxy servers are often placed at Internet gateways to hide the internal network behind one IP address and to prevent direct communication between internal and external hosts. CIRCUIT-LEVEL PROXY. A circuit-level proxy creates a conduit through which a trusted host can communicate with an untrusted one. This type of proxy does not inspect any of the traffic that it forwards, which adds very little overhead to the communication between the user and untrusted server. The lack of application awareness also allows circuit-level proxies to for-

466

AU8231_C007.fm Page 467 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security

2 1 4 User

3 Proxy Server

Untrusted Server

1 - User’s request goes to proxy server 2 - Proxy server forward the request to untrusted host. To the untrusted host, it will appear as if the request originated from the proxy server. 3 - The untrusted host responds to the proxy server. 4 - The proxy server forwards the response to the user.

Figure 7.18. Accessing a server through a proxy.

ward any TCP and UDP port. The disadvantage is that traffic will not be analyzed for malicious content. APPLICATION-LEVEL PROXY. An application-level proxy relays the traffic from a trusted host running a specific application to an untrusted server. Each application-level proxy can support one application only, such as FTP, HTTP, etc. Therefore, a separate proxy is required for each application. The most significant advantage of application-level proxies is that they analyze the traffic that they forward for malicious packets and can restrict some of the application’s functionality. Application-level proxies add overhead to using the application because they scrutinize the traffic they forward.

Web proxy servers are a very popular example of application-level proxies. Many organizations place one at their Internet gateway and configure their users’ Web browsers to use the Web proxy whenever they browse an external Web server (other controls are implemented to prevent users from bypassing the proxy server). The proxies typically include required user authentication, inspection of URLs to ensure that users do not browse inappropriate sites, logging, and caching of popular Web pages. Personal Firewalls. The firewalls that we have discussed so far protect a network or a segment of one. But what protects users from hosts that are behind a firewall? For example, the firewall in Figure 7.17 does not protect a user on the engineering LAN segment from someone on the same segment.

Following the principle of security in depth, personal firewalls are installed on workstations, which protect the user from all hosts on the network. It is critical for home users with DSL or cable modem access to the Internet to have a personal firewall installed on every PC, especially if they do not have a firewall protecting their network.

467

AU8231_C007.fm Page 468 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Because personal firewalls are employed by general users, they are easy to install and configure. Firewall rules are created with a nontechnical interface that does not require expertise in networking or security. Although they do not provide the flexibility of the best enterprise firewalls, they provide all of the essential functions of a firewall, such as stateful inspection, logging, etc. End Systems. In a way, this section should be called beginning systems because most of the topics here are the reason networks exist — to allow these systems to exchange information. Because the information on these devices is the crown jewel of the network, there are many opportunities for harm to come to them. Much could be written about protecting some of the following, but we will present the highlights. Operating Systems. Have you ever thought about what is required to execute several applications simultaneously, or how data is physically located on disks, or how to share memory among programs when the total demand for memory is greater than the memory on the computer? Probably not — nor should you. These are a sample of the behind-the-scenes details that are tended to by operating systems.

An operating system is the layer of software that interfaces between programs42 and the hardware. It services requests for peripherals on behalf of the users and interfaces with the central processing unit. The operating system responds to numerous potentially simultaneous events, such as a mouse click, input from the network, and a user authenticating, and juggles the demands for the computer’s resources by applications and its own processes. Operating systems also ensure that everything on the computer runs smoothly. Anything that threatens the integrity of the system or a process is identified and handled, which could include routinely asking a remote system to retransmit a packet with an error or attempting to gracefully shut down after a catastrophic event, such as a fatal software error or loss of power. Security is an integral and critical function of the operations system. Operating systems implement access control lists to help ensure that users only access resources to which they are authorized. Users have to prove their identity to the operating system through authentication. Operating systems also provide mechanisms to improve the availability of information, such as redundant array of independent disks (RAID) and computer clusters. Regardless of the applications that are running on a computer, the operating system will always be a target of attack because a compromised operation system will allow an intruder to control the computer. Therefore, 468

AU8231_C007.fm Page 469 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security owners should remove unnecessary targets of attack, such as dangerous or unused services, and install security patches as soon as it is feasible. Servers and Mainframes. Servers and mainframes are repositories of information, much of which is critical to an organization’s mission, its employees, and clients. These computers contain information to support critical business processes, customer databases, and intellectual property. Further, information on these hosts is protected by an ever-growing number of international, national, and local security and privacy regulations.

There is much risk posed to the information due to its importance and the accessibility of servers and mainframes on a network. Often people think that an intruder is a nameless and faceless person breaking into a server or mainframe from an external machine. Yet, it is internal personnel, many of whom abuse the trust of their employers, who most often gain unauthorized access. Also, many do not realize that human error can be just as devastating as malicious activity. Due to the importance of the information on servers and mainframes, it is vital that organizations minimize the risk posed to the information. Much in this book covers this, but here are a few important controls. Owners should only grant access that is required for personnel to perform their duties, log such access sufficiently to support forensic investigation, and regularly review logs. Because a failure of an application could increase the risk to other applications on the same host, multiple applications should not run on the same physical or virtual machine. For instance, a compromise of low-risk application (which may not be rigorously protected) could allow an intruder access to a high-risk application on the same server. Or, a failure of a development instance of an application could corrupt production, especially if the applications share the same database. Also, sensitive data should be encrypted with strong encryption algorithms. Likewise, risks from remote access should be reduced. Use controls discussed previously, such as firewalls, to help ensure that only authorized clients may access the servers and mainframes. Verify, perhaps with digital certificates, that clients are authorized to access the server, and a middleware server is not an attacker’s machine masquerading as middleware. Finally, when appropriate, encrypt network traffic between client and servers/mainframes. Workstations. Workstations are computers that users physically log into, and are typically used as clients. As with all network devices, they are potential targets of attack. Some of the vulnerabilities are similar to servers, for example, unpatched operating systems and unnecessary network services. In fact, some workstation operating systems provide server functionality, such as a lightweight FTP and Web server. This allows worksta469

AU8231_C007.fm Page 470 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® tion users, who probably are not being trained in system administration, to install server functionality that is poorly configured and is never patched. Workstations are less expensive than servers. While this allows employees to have PCs at their desk, the low cost has a downside. Business units can purchase new workstations and attach them to the network without IT’s knowledge or approval, and not install security patches, personal firewalls, and antivirus software. As a result, these hosts threaten the entire network because of their poor installation. Workstation user behavior can threaten a network. Some users forget that they do not own their workstation and freely engage in dangerous behavior, such as downloading from untrusted sites, chatting with instant messaging, or leaving their office with their workstation unprotected. It is also common for users to underestimate the sensitivity of the information on their workstation, and therefore the importance of protecting it. Many users do not realize that if their workstation is compromised, it can be used to attack the network and it would appear as if they were the perpetrator. To mitigate these risks, IT should always administer workstations, instead of the business units, because IT is familiar with current leading practices and vulnerabilities. Organizations should consider not granting privileged rights to workstation users. As with other end systems, software updates must be installed as soon as possible, unnecessary and dangerous services must be disabled, and antivirus software and personal firewalls should be installed. Organizations can remedy behavioral problems with policies and security training and awareness. Managers and users should be shown the dangers of administering their workstations and attaching them to the network, and how inappropriate behavior, such as using instant messaging, can threaten the network. In addition, appropriate behavior must be enforced by policies that are visibly supported by executives. Notebooks. Notebooks (also known as laptops) share the same problems as workstations. However, there are additional issues because of the notebook’s portability. From a physical standpoint, the notebook can be easily stolen or lost, potentially disclosing sensitive information that is on the computer. Furthermore, the notebook is not protected by the organization’s firewall when a user attaches the notebook to another network, such as a home network or wireless hot spot. There is a significant danger that the user could unintentionally download malicious code on his or her notebook when attached to another network, and unleash it on the organization when the notebook returns to the office.

The above issues can be partly mitigated with technical controls, such as ensuring that all notebooks have personal firewalls and antivirus soft470

AU8231_C007.fm Page 471 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security ware with current signatures. Also, sensitive files and disks should be encrypted in case the notebook is lost or stolen. Notebook users must be educated on their additional responsibilities of using a notebook, and must understand how to use their notebook on a different network and how to physically protect it from thieves. Tablet PCs, notebooks that use a specialized stylus for handwritten input, have the same issues as notebooks. Because Tablet PCs are used to take meeting notes, a lost or stolen Tablet PC could cause very sensitive information to be disclosed. Personal Digital Assistants. Personal digital assistants can store confidential and private information. Yet many models do not include sufficient controls, such as strong encryption, to protect their contents in the event they are stolen or lost.

A thief can easily steal information by downloading it to a PDA from an unprotected computer. Also, a PDA with a camera attachment can be used to take unauthorized photographs. Encrypting data on a PDA will help protect the information if the device is lost or stolen. To help reduce the risk of confidential information walking out of the office on a PDA, computer ports, where PDAs are attached to computers to download information, should be physically and logically protected. The most effective defense is for users, through awareness, to understand the threat of PDAs and how to stop it. Smart Phones. Smart phones are a combination of PDAs and cell phones. Although they offer the convenience of both devices, they also have the security issues of both. In addition to the issues discussed in the previous section, a smart phone’s Subscriber Identity Module (SIM) can be cloned and used to steal personal information that is on the card. A thief can install the cloned SIM in a phone and make calls that will be charged to the owner of the original SIM.

A thief can use the cellular capabilities of a smart phone to e-mail stolen information while still on his or her victim’s premises. As with PDAs, the best defenses to the above issues are encrypting sensitive information on the smart phones, protecting computer ports that can be used to download information, and education to learn how to recognize and stop theft with a smart phone. Internet Protocol (IP). Internet protocol (IP) is responsible for sending packets from the source to the destination hosts. Because it is an unreliable protocol, it does not guarantee that packets arrive error-free or in the 471

AU8231_C007.fm Page 472 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Table 7.5. Network Classes

Class

Range of First Octet

A B C D E

1–127 128–191 192–223 224–239 240–255

Number of Octets for Network Number

Number of Hosts in Network

1 2 3

16,777,216 65,536 256 Multicast Reserved

correct order. That task is left to protocols on higher layers. IP will subdivide packets into fragments when a packet is too large for a network. Hosts are distinguished by the IP addresses of their network interfaces. The address is expressed as four octets separated by a dot (.), for example, 216.12.146.140. Each octet may have a value between 0 and 255. However, 0 and 255 are not used for hosts. The latter is used for broadcast addresses, and the former’s meaning depends on the context in which it is used. Each address is subdivided into two parts: the network number and the host. The network number, assigned by an external organization, such as the Internet Corporation for Assigned Names and Numbers (ICANN), represents the organization’s network. The host represents the network interface within the network. Originally, the part of the address that represented the network number depended on the network’s class. As shown in Table 7.5, a Class A network used the leftmost octet as the network number, Class B used the leftmost two octets, etc. The part of the address that is not used as the network number is used to specify the host. For example, the address 216.12.146.140 is a Class C network. Therefore, the network is 216.12.146 and the host within the network is 140. The address Class A network 127.0.0.0 is reserved for a computer’s loopback address. Usually the address 127.0.0.1 is used. The explosion of Internet utilization in the 1990s caused a shortage of unallocated IP addresses. To help remedy the problem, classless interdomain routing (CIDR) was implemented. CIDR does not require that a new address is allocated based on the number of hosts in a network class. Instead, addresses are allocated in contiguous blocks from the pool of unused addresses. To ease network administration, networks are typically subdivided into subnets. Because subnets cannot be distinguished with the addressing scheme discussed so far, a separate mechanism, the subnet mask, is used 472

AU8231_C007.fm Page 473 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security to define the part of the address that is used for the subnet. Bits in the subnet mask are 1 when the corresponding bits in the address are used for the subnet. The remaining bits in the mask are 0. For example, if the leftmost three octets (24 bits) are used to distinguish subnets, the subnet mask is 11111111 11111111 11111111 00000000. A string of 32 1s and 0s is very unwieldy, so the mask is usually converted to decimal: 255.255.255.0. Alternatively, the mask is expressed with a slash (/) followed by the number of 1s in the mask. The above mask would be /24. IPv6. After the explosion of Internet usage in the mid-1990s, IP began to experience serious growing pains. It was obvious that the phenomenal usage of the Internet was stretching the protocol to its limit. The most obvious problems were a shortage of unallocated IP addresses and serious shortcomings in security.

IPv6 is a modernization of the current IP, IPv4 (version 5 was an experimental real-time streaming protocol), that includes: A much larger address field: IPv6 addresses are 128 bits, which supports 2128 hosts. Suffice it to say that we will not run out of addresses. Computing how many hosts will be supported by IPv6 and comparing the result to some other large constant will be left as an exercise for the student. Improved security: As we will discuss below, IPSec must be implemented in IPv6. This will help ensure the integrity and confidentiality of IP packets, and allow communicating partners to authenticate with each other. A more concise IP packet header: Hosts will require less time to processes each packet, which will result in increased throughput. Improved quality of service: This will help services obtain an appropriate share of a network’s bandwidth. The slow process of converting to IPv6 has already begun. Public IPv6 networks, such as 6Net43 and 6Bone,44 are accepting additional networks to connect to their IPv6 network. Because there are always stragglers, it will probably take a long time for every network to convert to the new protocol. But if recent history is an indicator, the vast majority of networks will convert in a relatively small interval of time. Risks and Attacks. IP FRAGMENTATION ATTACKS. Teardrop — In this attack, IP packet fragments are constructed so that the target host calculates a negative fragment length when it attempts to reconstruct the packet. If the target host’s IP stack does not ensure that fragment lengths are reasonable, the host could crash or become unstable.

This problem is fixed with a vendor patch. 473

AU8231_C007.fm Page 474 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Overlapping Fragment Attack — Overlapping fragment attacks are used to subvert packet filters that only inspect the first fragment of a fragmented packet. The technique involves sending a harmless first fragment, which will satisfy the packet filter. Other packets follow that overwrite the first fragment with malicious data, thus resulting in a harmful packet bypassing the packet filter and being accepted by the victim host. A solution to this problem is for TCP/IP stacks not to allow fragments to overwrite each other. IP ADDRESS SPOOFING. Packets are sent with a bogus source address so that the victim will send a response to a different host. Spoofed addresses can be used to abuse the three-way handshake that is required to start a TCP session. Under normal circumstances, a host offers to initiate a session with a remote host by sending a packet with the SYN option. The remote host responds with a packet with the SYN and ACK options. The handshake is completed when the initiating host responds with a packet with the ACK option.

An attacker can launch a denial-of-service attack by sending the initial packet with the SYN option with a source address of a host that does not exist. The victim will respond to the forged source address by sending a packet with the SYN and ACK options, and then wait for the final packet to complete the handshake. Of course, that packet will never arrive because the victim sent the packet to a host that does not exist. If the attacker sends a storm of packets with spoofed addresses, the victim may reach the limit of uncompleted (half-open) three-way handshakes and refuse other legitimate network connections. The above scenario takes advantage of a protocol flaw. To mitigate the risk of a successful attack, vendors have released patches that reduce the likelihood of the limit of uncompleted handshakes being reached. In addition, security devices, such as firewalls, can block packets that arrive from an external interface with a source address from an internal network. SOURCE ROUTING EXPLOITATION. Instead of only permitting routers to determine the path a packet takes to its destination, IP allows the sender to explicitly specify the path. An attacker can abuse source routing so that the packet will be forwarded between network interfaces on a multihomed computer that is configured not to forward packets. This could allow an external attacker access to an internal network.

Source routing is specified by the sender of an IP datagram, whereas the routing path would normally be left to the router to decide. The best solution is to disable source routing on hosts and to block source-routed packets. 474

AU8231_C007.fm Page 475 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security SMURF AND FRAGGLE ATTACKS. Both attacks use broadcasts to create denial-

of-service attacks. • A Smurf attack misuses the ICMP echo request to create denial-ofservice attacks. In a Smurf attack, the intruder sends an ICMP echo request with a spoofed source address of the victim. The packet is sent to a network’s broadcast address, which forwards the packet to every host on the network. Because the ICMP packet contains the victim’s host as the source address, the victim will be overwhelmed by the ICMP echo replies, causing a denial-of-service attack. • The Fraggle attack uses UDP instead of ICMP. The attacker sends a UDP packet on port 7 with a spoofed source address of the victim. Like the Smurf attack, the packet is sent to a network’s broadcast address, which will forward the packet to all of the hosts on the network. The victim host will be overwhelmed by the responses from the network. Virtual Private Network (VPN). A VPN is an encrypted tunnel between two hosts that allows them to securely communicate over an untrusted network (e.g., the Internet). Remote users employ VPNs to access their organization’s network, and depending on the VPN’s implementation, they may have most of the same resources available to them as if they were physically at the office. As an alternative to expensive dedicated point-topoint connections, organizations use gateway-to-gateway VPNs to securely transmit information over the Internet between sites or even with business partners. IPSec Authentication and Confidentiality for VPNs. IP Security (IPSec) is a suite of protocols for communicating securely with IP by providing mechanisms for authenticating and encryption. Implementation of IPSec is mandatory in IPv6, and many organizations are using it over IPv4. Further, IPSec can be implemented in two modes, one that is appropriate for end-toend protection and one that safeguards traffic between networks.

Standard IPSec authenticates only hosts with each other. If an organization requires users to authenticate, they must employ a nonstandard proprietary IPSec implementation, or use IPSec over L2TP (Layer 2 Tunneling Protocol). The latter approach uses L2TP to authenticate the users and encapsulate IPSec packets within L2TP. Because IPSec interprets the change of IP address within packet headers as an attack, NAT does not work well with IPSec. To resolve the incompatibility of the two protocols, NAT-Transversal (a.k.a. NAT-T) encapsulates IPSec within UDP port 4500 (see RFC 3948 for details).45 AUTHENTICATION HEADER (AH). The authentication header is used to prove the identity of the sender and ensure that the transmitted data has not 475

AU8231_C007.fm Page 476 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® been tampered with. Before each packet (headers + data) is transmitted, a hash value of the packet’s contents (except for the fields that are expected to change when the packet is routed) based on a shared secret is inserted in the last field of the AH. The endpoints negotiate which hashing algorithm to use and the shared secret when they establish their security association. To help thwart replay attacks (when a legitimate session is retransmitted to gain unauthorized access), each packet that is transmitted during a security association has a sequence number, which is stored in the AH. In transport mode, the AH is shimmed between the packet’s IP and TCP header. The AH helps ensure integrity, not confidentiality. Encryption is implemented with the encapsulating security payload. ENCAPSULATING SECURITY PAYLOAD (ESP). The encapsulating security payload encrypts IP packets and ensures their integrity. Both services are optional; however, at least one must be used. ESP contains four sections:

ESP header: Contains information showing which security association to use and the packet sequence number. Like the AH, the ESP sequences every packet to thwart replay attacks. ESP payload: The payload contains the encrypted part of the packet. If the encryption algorithm requires an initialization vector (IV), it is included with the payload. The endpoints negotiate which encryption to use when the security association is established. Because packets must be encrypted with as little overhead as possible, ESP typically uses a symmetric encryption algorithm.46 ESP trailer: May include padding (filler bytes) if required by the encryption algorithm or to align fields. Authentication: If authentication is used, this field contains the integrity check value (hash) of the ESP packet. As with the AH, the authentication algorithm is negotiated when the endpoints establish their security association. SECURITY ASSOCIATIONS. A security association (SA) defines the mechanisms that an endpoint will use to communicate with its partner. All SAs cover transmissions in one direction only. A second SA must be defined for twoway communication. Mechanisms that are defined in the SA include the encryption and authentication algorithms, and whether to use the AH or ESP protocol.

Deferring the mechanisms to the SA, as opposed to specifying them in the protocol, allows the communicating partners to use the appropriate mechanisms based on risk. TRANSPORT MODE AND TUNNEL MODE. Endpoints communicate with IPSec using either transport or tunnel mode. In transport mode, the IP payload is 476

AU8231_C007.fm Page 477 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security protected. This mode is mostly used for end-to-end protection, for example, between client and server. In tunnel mode, the IP payload and its IP header are protected. The entire protected IP packet becomes a payload of a new IP packet and header. Tunnel mode is often used between networks, such as with firewall-to-firewall VPNs. INTERNET KEY EXCHANGE (IKE). Internet key exchange allows communicating partners to prove their identity to each other and establish a secure communication channel. IKE uses two phases:

Phase 1: In this phase, the partners authenticate with each other, using one of the following: Shared secret: A key that is exchanged by humans via telephone, fax, encrypted e-mail, etc. Public key encryption: Digital certificates are exchanged. Revised mode of public key encryption: To reduce the overhead of public key encryption, a nonce is encrypted with the communicating partner’s public key, and the peer’s identity is encrypted with symmetric encryption using the nonce as the key. Next, IKE establishes a temporary security association and secure tunnel to protect the rest of the key exchange. Phase 2: The peers’ security associations are established, using the secure tunnel and temporary SA created at the end of phase 1. Secure Shell (SSH). Users often want to log on to a remote computer. Unfortunately, most early implementations to meet that need were designed for a trusted network. Protocols/programs, such as TELNET, RSH, and rlogin, transmit unencrypted over the network, which allows traffic to be easily intercepted.

Secure shell (SSH) was designed as an alternative to the above insecure protocols and allows users to securely access resources on remote computers over an encrypted tunnel. SSH’s services include remote log-on, file transfer, and command execution. It also supports port forwarding, which redirects other protocols through an encrypted SSH tunnel. Many users protect less secure traffic of protocols, such as X Windows and VNC (virtual network computing), by forwarding them through a SSH tunnel. The SSH tunnel protects the integrity of communication, preventing session hijacking and other man-in-the-middle attacks. Another advantage of SSH over its predecessors is that it supports strong authentication. There are several alternatives for SSH clients to authenticate to a SSH server, including passwords and digital certificates. Keep in mind that authenticating with a password is still a significant improvement over the other protocols because the password is transmitted encrypted. 477

AU8231_C007.fm Page 478 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® There are two incompatible versions of the protocol, SSH-1 and SSH-2, though many servers support both. SSH-2 has improved integrity checks (SSH-1 is vulnerable to an insertion attack due to weak CRC-32 integrity checking) and supports local extensions and additional types of digital certificates, such as Open PGP.47 SSH was originally designed for UNIX, but there are now implementations for other operating systems, including Windows, Macintosh, and OpenVMS. SOCKS. SOCKS is a popular circuit proxy server with several commercial and freeware implementations. The heart of SOCKSv5 (the current version) is RFC 1928, which does not require that developers include encryption of traffic in their implementations.

Users employ the SOCKS client to access a remote server. The client initiates a connection to the SOCKS proxy server, which accesses the remote server on behalf of the user. If the implementation supports encryption, then the server can act as a VPN, protecting the confidentiality of the traffic between the SOCKS and remote servers. Because SOCKS is concerned with maintaining a circuit, it can be used with almost any application. A key advantage of SOCKS and SSL VPNs is the possibility to use proxy servers. This is a feature most other VPNs are lacking. A SOCKS server may require that a user authenticates before providing services. SSL/TLS VPNs. SSL VPNs are another approach to remote access that is gaining momentum. Instead of building a VPN around the IPSec and the network layer, SSL VPNs leverage SSL/TLS (see Section Transport Layer Security) to create a tunnel back to the home office. Remote users employ a Web browser to access applications that are in the organization’s network. Even though users employ a Web browser, SSP VPNs are not restricted to applications that use HTTP. With the aid of plug-ins, such as Java, users can have access to back-end databases, and other non-Web-based applications.

SSL VPNs have several advantages over IPSec. They are easier to deploy on client workstations than IPSec, because they require a Web browser only, and almost all networks permit outgoing HTTP. SSL VPNs can be operated through a proxy server. In addition, applications can restrict users’ access, based on criteria, such as the network that the user is on, which is useful for building extranets with several organizations. IPSec VPNs, on the other hand, grant access directly to a network. A user is usually given access to applications and devices as if he or she were located at the office. Of course, this is a double-edged sword. Just as an authorized user has access to many devices on the internal net478

AU8231_C007.fm Page 479 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security work, so will an intruder who can steal IPSec VPN access. Currently, SSL VPNs do not support network-to-network tunnels. A significant disadvantage of IPSec VPNs is that a VPN client must be installed and updated on every workstation. Tunneling. Point-to-Point Tunneling Protocol (PPTP). Point-to-Point Tunneling Protocol (PPTP) is a VPN protocol that runs over other protocols. PPTP relies on generic routing encapsulation (GRE) to build the tunnel between the endpoints. After the user authenticates, typically with Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPv2), a Pointto-Point Protocol (PPP) session creates a tunnel using GRE.

PPTP came under much fire in the 1990s. Cryptographers announced weaknesses in the protocol, including flaws with MSCHAPv1 (the authentication protocol) and the encryption implementation, and the use of user passwords as keys. Microsoft released PPTPv2, which addressed many of its predecessor’s weaknesses, such as using an improved version of MSCHAP for authentication, but PPTPv2 is still vulnerable to offline passwordguessing attacks. A key weakness of PPTP is the fact that it derives its encryption key from the user’s password. This violates the cryptographic principle of randomness and can provide a basis for attacks. Password-based VPN authentication in general violates the recommendation to use two-factor authentication for remote access. Layer 2 Tunneling Protocol (L2TP). Layer 2 Tunneling Protocol (L2TP) is a hybrid of Cisco’s Layer 2 Forwarding (L2F) and Microsoft’s PPTP. It allows callers over a serial line using PPP to connect over the Internet to a remote network. A dial-up user connects to his ISP’s L2TP access concentrator (LAC) with a PPP connection. The LAC encapsulates the PPP packets into L2TP and forwards it to the remote network’s layer 2 network server (LNS). At this point, the LNS authenticates the dial-up user. If authentication is successful, the dial-up user will have access to the remote network.

LAC and LNS may authenticate each other with a shared secret, but as RFC 2661 states, the authenticating is effective only while the tunnel between the LAC and LNS is being created.48 L2TP does not provide encryption and relies on other protocols, such as tunnel mode IPSec, for confidentiality. Dynamic Host Configuration Protocol (DHCP). S y s t e m a n d n e t w o r k administrators are busy people and hardly have the time to assign IP addresses to hosts and track which addresses are allocated. To relieve administrators from the burden of manually assigning addresses, many organizations use Dynamic Host Configuration Protocol (DHCP) to auto479

AU8231_C007.fm Page 480 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® matically assign IP addresses to workstations (servers and network devices usually are assigned static addresses). Dynamically assigning hosts configuration is fairly simple. When a workstation boots, it broadcasts a DHCPDISCOVER request on the local LAN, which could be forwarded by routers. DHCP servers will respond with a DCHPOFFER packet, which contains a proposed configuration, including an IP address. The DHCP selects a configuration from the received DHCPOFFER packets and replies with a DHCPREQUEST. The DHCP server replies with a DHCPACK (DHCP acknowledgment), and the workstation adapts the configuration. Receiving a DHCP-assigned IP address is referred to as receiving a lease. A client does not request a new lease every time it boots. Part of the negotiation of IP addresses includes establishing a time interval for which the lease is valid and timers that reflect when the client must attempt to renew the lease. As long as the timers have not expired, the client is not required to ask for a new lease. Within the DHCP servers, administrators assign IP addresses from which addresses are dynamically assigned. In addition, they can assign specific hosts to have static (i.e., permanent) addresses. Because the DHCP server and client do not authenticate with each other, neither host can be sure that the other is legitimate. For example, in a DHCP network, an attacker can plug his or her workstation into a jack and receive an IP address, without having to obtain one by guessing or social engineering. Also, a client cannot be certain that a DHCPOFFER packet is from a DHCP server, instead of an intruder masquerading as a server. Although these vulnerabilities are not trivial, the ease of administration of IP addresses usually makes the risk from the vulnerabilities acceptable, except in very high security environments. Internet Control Message Protocol (ICMP). The Internet Control Message Protocol (ICMP) is used for the exchange of control messages between hosts and gateways and is used for diagnostic tools, such as ping and traceroute.

ICMP can be leveraged for malicious behavior, including man-in-the-middle and denial-of-service attacks. Ping of Death. Ping is a diagnostic program to determine if a specified host is on the network and can be reached from the pinging host. It sends an ICMP echo packet to the target host and waits for the target to return an ICMP echo reply. Amazingly, an enormous number of operating systems would crash or become unstable upon receiving an ICMP echo greater than the legal packet limit of 65,536 bytes. 480

AU8231_C007.fm Page 481 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security Before the ping of death became famous, the source of the attack was difficult to find because many system administrators would ignore a harmless-looking ping in their logs. ICMP Redirect Attacks. A router may send an ICMP redirect to a host to tell to it to use a different, more effective default route. However, an attacker can send an ICMP redirect to a host telling it to use the attacker’s machine as a default route. The attacker will forward all of the redirected traffic to a router so that the victim will not know that his or her traffic has been intercepted. This is a good example of a man-in-the-middle attack.

Some operating systems would crash if they received a storm of ICMP redirects. Ping Scanning. Ping scanning is a basic network mapping technique that helps narrow the scope of an attack. An attacker can use one of many tools that can be downloaded from the Internet to ping all of the addresses in a range. If a host replies to a ping, then the attacker knows that a host exists at that address. Traceroute Exploitation. Traceroute is a diagnostic tool that displays the path a packet transverses between the source and destination hosts. Traceroute can be used maliciously to map a victim network and learn about its routing. In addition, there are tools, such as Firewalk, that use techniques similar to those of traceroute to enumerate a firewall rule set.49 Internet Group Management Protocol (IGMP). IGMP is used to manage multicasting groups, which are a set of hosts anywhere on a network that are interested in a particular multicast. Recall from the discussion of multicasting that multicast agents administer multicast groups. Hosts send IGMP messages to local agents to join and leave groups. There are three versions of the protocol, whose highlights follow:

Version 1: Multicast agents periodically send queries to a host on its network to update its database of multicast groups’ membership. Hosts stagger their replies to prevent a storm of traffic to the agent. When replies no longer come from a group, agents will stop forwarding multicasts to that group. Version 2: This version extends the functionality of version 1. It defines two types of queries: a general query to determine membership of all groups and a group-specific query to determine the membership of a particular group. In addition, a member can notify all multicast routers that it wishes to leave a group. Version 3: This version further enhances IGMP by allowing hosts to specify from which sources they want to receive multicasts. Routing Information Protocol (RIP). Routing Information Protocol is a dynamic routing protocol that is designed for small networks. Routers in a 481

AU8231_C007.fm Page 482 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® RIP network regularly merge their view of the network by exchanging their routing table with their neighbors. The number of hops is used to determine the best path for packets. However, RIP cannot route to a network or host that is more than 15 hops away. RIP has several shortcomings, including: • Routers exchange their entire route table every 30 s (by default), which can cause network congestion. • RIP only works in classful networks. In other words, RIP cannot be used in networks with different subnet masks. • There is no way for a router to verify the trustworthiness of a route update from its neighbors, which could allow an attacker to manipulate route tables with bogus route updates. RIP version 2 (RIPv2) was implemented to address some of RIP’s limitations. For example, RIPv2 can be used in a network with different subnet masks. Also, routers authentice with each other, originally with a plaintext password, and later, using RFC 2082, keyed MD5 authentication. Virtual Router Redundancy Protocol (VRRP). Organizations that demand that their network have 99.999 percent availability cannot tolerate critical routers as single points of failure. The most acceptable option is for a secondary router to automatically take the place of another router when it fails (i.e., failover). VRRP is a protocol that supports automatic failover. A virtual router is configured that appears to the rest of the network as a physical router.

Configured with the virtual router are physical routers, a primary router and at least one secondary. The primary router performs all of the routing on behalf of the virtual router. If the primary router fails, one of the secondary routers will automatically perform the routing for the virtual router. As long as hosts forward packets to the virtual router, it will not matter which physical router is doing the work. Primary and secondary routers are often placed in separate data centers to improve resilience against disasters (see the business continuity and disaster recovery chapter, Domain 6). Layer 4: Transport Layer The transport layer provides data communication between hosts. It is concerned with the information payload. It relies on the correct addressing (routing) of information happening on layer 3 while deferring any processrelated handling, starting from authentication, to layers 5 and above. Concepts and Architecture Layer 4 offers two principal types of communication: • A connection mode, where delivery of information is guaranteed and flow control and error recovery are provided 482

AU8231_C007.fm Page 483 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security Table 7.6. TCP Quick Reference Ports Definition

0/TCP … 65535/TCP RFC 79350

• A connectionless mode, where no such guarantee is required, for instance, due to performance considerations Attacks on layer 4 seek to manipulate, disclose, or prevent delivery of the payload as a whole. This can, for instance, happen by reading the payload (as would happen in a sniffer attack, for example) or changing it (which could happen in a man-in-the-middle attack). While disruptions of service can be done on other layers as well, the transport layer has become a common attack ground via ICMP (Section Internet Control Message Protocol). Commonly, the transport layer is implemented as part of an integrated network stack with layer 3 (TCP/IP stack). Transmission Control Protocol (TCP). The Transmission Control Protocol provides connection-oriented data management and reliable data transfer.

TCP, as well as UDP (see Section User Datagram Protocol), is mapping data connections by so-called port numbers. TCP and UDP port numbers are managed by the Internet Assigned Numbers Authority (IANA).51 A total of 65,536 (216) ports exist (see Table 7.6). These are structured into three ranges:52 Well-known ports: Ports 0 through 1023 are well known. Ports in this range are assigned by IANA53 and, on most systems, can only be used by privileged processes and users. This makes use of these ports contingent on privilege escalation. However, because no ad hoc assumptions should be made on the trustworthiness of any system (i.e., any unknown system on the Internet is considered untrusted by default) and anyone can establish a system on which he has system privileges, this should not be seen as adding any degree of security. Registered ports: Ports 1024 through 49151 can be registered with IANA by application developers but are not assigned by them. The reason for choosing a registered instead of a well-known port can be that on most systems, the user may not have the privileges to run an application on a well-known port.54 Dynamic or private ports: Ports 49152 through 65535 can be freely used by applications; one typical use for these ports is initiation of return connections. Attacks to TCP include sequence number attacks, session hijacking, and SYN floods. 483

AU8231_C007.fm Page 484 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Table 7.7. UDP Quick Reference Ports Definition

0/UDP … 65535/UDP RFC 76855

User Datagram Protocol (UDP). The User Datagram Protocol provides a lightweight service for connectionless data transfer without error detection and correction.

For UDP, the same considerations for port numbers as described for TCP in Section Transmission Control Protocol apply. Responding to technical development, a number of protocols within the transport layer have been defined on top of UDP, thereby effectively splitting the transport layer into two. Protocols stacked between layers 4 and 5 include Real-time Protocol (RTP) and Real-time Control Protocol (RTCP) as defined in RFC 3550,56 MBone, a multicasting protocol, Reliable UDP (RUDP), and Stream Control Transmission Protocol (SCTP) as defined in RFC 2960.57 As a connectionless protocol, UDP services are easy prey to spoofing attacks. Technology and Implementation Scanning Techniques. Port Scanning. Port scanning is the act of probing for TCP services on a machine. It is performed by establishing the initial handshake for a connection. Although not in itself an attack, it allows an attacker to test for the presence of potentially vulnerable services on a target system.

Port scanning can also be used for fingerprinting an operating system by evaluating its response characteristics, such as timing of a response, details of the handshake, etc. Protection from port scanning includes restriction of network connections, e.g., by means of a host-based or network-based firewall or by defining a list of valid source addresses on an application level. FIN, NULL, AND XMAS SCANNING. In FIN scanning, a stealth scanning method, a request to close a connection is sent to the target machine. If no application is listening on that port, a TCP RST or an ICMP packet will be sent.

This attack commonly only works on UNIX machines, as Windows machines behave in a slightly different manner, deviating from RFC 793 (always responding to a FIN packet with an RST, thereby rendering recognition of open ports impossible) and thereby being unsusceptible to the scan. 484

AU8231_C007.fm Page 485 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security Firewalls putting a system into stealth mode (i.e., suppressing responses to FIN packets) are available. In NULL scanning, no flags are set on the initiating TCP packet; in XMAS scanning, all TCP flags are set (or “lit,” as in a Christmas tree). Otherwise, these scans work in the same manner as the FIN scan. SYN SCANNING. As traditional TCP scans became widely recognized and were blocked, various stealth scanning techniques were developed. In TCP half scanning (also known as TCP SYN scanning), no complete connection is opened; instead, only the initial steps of the handshake are performed.

This makes the scan harder to recognize (for instance, it would not show up in application log files). However, it is possible to recognize and block TCP SYN scans with an appropriately equipped firewall. TCP Sequence Number Attacks. To detect and correct loss of data packets, TCP numbers transmitted data packets. If a transmission is not reported back as successful, a packet will be retransmitted.

By eavesdropping traffic, these sequence numbers can be predicted and fake packets with the correct sequence number can be introduced into the data stream by a third party. This class of attacks can, for instance, be used for session hijacking. Protection mechanisms against TCP sequence number attacks have been proposed based on better randomization of sequence numbers as described in RFC 1948.58 Session Hijacking. Session hijacking is the act of unauthorized insertion of packets into a data stream. It is normally based on sequence number attacks, where sequence numbers are either guessed or intercepted.

Different types of session hijacking exist: IP spoofing: Based on a TCP sequence number attack, the attacker would insert packets with a faked sender IP address and a guessed sequence number into the stream. The attacker would not be able to see the response to any commands inserted. Man-in-the-middle attack: The attacker would sniff or intercept packets, removing legitimate packets from the data stream and replacing them with his own. In fact, both sides of a communication would then communicate with the attacker instead of each other. Countermeasures against IP spoofing can be executed on layer 3 (see “IP Address Spoofing” section). As TCP sessions only perform an initial authentication, application layer encryption can be used to protect against man-in-the-middle attacks.

485

AU8231_C007.fm Page 486 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Denial of Service. SYN Flooding. A SYN flood attack is a denial-of-service attack against the initial handshake in a TCP connection. Many new connections from faked, random IP addresses are opened in short order, overloading the target’s connection table.

Countermeasures include tuning of operating system parameters (concretely, the size of the backlog table) according to vendor specifications. Another solution, which requires modification to the TCP/IP stack, is SYN cookies — changing TCP numbers in a way that makes faked packets immediately recognizable.59 Layer 5: Session Layer Concepts and Architecture As mentioned, the session layer provides a logical persistent connection between peer hosts. This includes several different types of services, which can be dependent upon one another. Arguably one of the most basic functions is directory services, allowing identification of objects between hosts. Another one is remote procedure calls, allowing execution of objects between hosts.60 Equally important to the higher layers are access services, such as NFS, which allow accessing and manipulating objects on another host. Technology and Implementation Remote Procedure Calls. Remote procedure calls (RPCs) are a general concept of executing objects across hosts.

Generically, several (mutually incompatible) services in this category exist, such as distributed computing environment RPC (DCE RPC) and open network computing RPC (ONC RPC, also referred to as SunRPC or simply RPC). Common Object Request Broker Architecture (CORBA) and Microsoft Distributed Component Object Model (DCOM) can be viewed as RPC-type protocols. Generically, RPC services are not limited to layer 5. In the context of this book, we will look at ONC RPC, as it is representative for other implementations. Open Network Computing Remote Procedure Call (ONC RPC).

ONC RPC or SunRPC was codeveloped with NFS, whose foundation it forms. It is important to note that RPC does not in fact provide any services on its own; instead, it provides a brokering service, by providing (basic) authentication and a way to address the actual service.

486

AU8231_C007.fm Page 487 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security Table 7.8. ONC RPC Quick Reference Ports Definition

111/TCP, 111/UDP RFC 105061 RFC 105762 RFC 183163 RFC 183364 RFC 269565

The core service of RPC is a so-called port mapper. Any client wishing to avail himself of services provided by an RPC server will obtain access through the port mapper. The client will request a service number, obtained from a map of services available through the client (preferably as a local file). The request will be sent to the port mapper daemon on the server, which is commonly listening on TCP or UDP port 111. The port mapper will then redirect the client to the TCP port on which the actual application providing the service is running. Security problems with RPC include its weak authentication mechanism and any implementation problem, which, due to the fact that the port mapper will normally run under administrative privileges, can be quickly leveraged for privilege escalation by an attacker. Directory Services. Domain Name Service (DNS). Of the network services below the application layer, the Domain Name System is arguably one of the most prominent and the most visible to the end user. The reason for this is DNS’s role in e-mail and WWW addresses (Uniform Resource Locators (URLs)), which have become a ubiquitous element of everyday life, be it in advertising or private communication.

By virtue of this fact, DNS has become a prominent target of attack, aggravating preexistent weaknesses in the protocol. By manipulating DNS, it is certainly possible to divert, intercept, or prevent the vast majority of end-user communications without having to resort to attacking any end-user devices. The Domain Name System as a whole is a distributed, hierarchical database. Through its caching architecture, it possesses a remarkable degree of robustness, flexibility, and scalability. Conversely, DNS does not enforce data consistency and integrity, its built-in authentication mechanisms are weak,66 and management of the global DNS infrastructure has become a subject of political and economical controversy, while the objects it manages — domain names — are often the subject of local and global trademark disputes. DNS’s central element is a set of hierarchical name (domain) trees, starting from a so-called top-level domain (TLD). A number of so-called root 487

AU8231_C007.fm Page 488 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Table 7.9. DNS Quick Reference Ports Definition

53/TCP, 53/UDP RFC 88269 RFC 103470 RFC 103571

servers manage the authoritative list of TLD servers. To resolve any domain name, each Domain Name Server in the world must hold a list of these root servers.67 Various extensions to DNS have been proposed, to enhance its functionality and security, for instance, by introducing authentication (DNSSEC; see below), multicasting, or service discovery.68 DNS SPOOFING. To resolve a domain name query, such as mapping a Web server address to an IP address, the user’s workstation will in turn have to undertake a series of queries through the Domain Name Server hierarchy. Such queries can be either recursive (a name server receiving a request will forward it and return the resolution) or iterative (a name server receiving a request will respond with a reference).

An attacker aiming to poison a DNS server’s (name server) cache by injecting fake records, and thereby falsifying responses to client requests, will need to send a query to this very name server. The attacker now knows that the name server will shortly send out a query for resolution. • In the first case, the attacker has sent a query for a domain, whose primary name server he controls. The response from this query will contain additional information that was not originally requested, but which the target server will now cache. • The second case is a dissimilar method that can also be used in iterative queries. Using IP spoofing, the attacker will send a response to his own query before the authoritative (correct) name server has a chance to respond. In both cases, the attacker has used an electronic conversation to inject false information into the name server’s cache. Not only will this name server now use the cached information, but the false information will propagate to other servers, making inquiries to this one. We note that due to the caching nature of DNS, attacks on DNS servers as well as countermeasures always have certain latency, determined by the configuration of a (domain) zone. There are two principal vulnerabilities here, both inherent in the design of the DNS protocol: it is possible for a DNS server to respond to a recursive query with information that was not requested, and the DNS server will not authenticate information. 488

AU8231_C007.fm Page 489 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security Approaches to address or mitigate this threat have only been partly successful. • Later versions of DNS server software are programmed to ignore responses that do not correspond to a query. • However, approaches to generally introduce stronger (or even better) authentication into DNS (for instance, through the use of DNSSEC72) have not found wider resonance, and authentication has been widely upward delegated to higher protocol layers. In other words, applications in need of guaranteeing authenticity cannot rely on DNS to provide such but will have to implement a solution themselves.73 MANIPULATION OF DNS QUERIES. Technically, the following two techniques are only indirectly related to DNS weaknesses. However, it is worth mentioning them in the context of DNS because they seek to manipulate name resolution in other ways.

• Manipulation of the host’s file is a technique employed, for instance, by certain viruses. A host’s file (/etc/hosts on many UNIX machines, C:\Windows\I386\Hosts on Windows XP) is the resource first queried before a DNS request is issued. It will always contain the mapping of the host name local host to the IP address 127.0.0.1 (loopback interface, as defined in RFC 333074) and potentially other hosts.75 The virus will add addresses of antivirus software vendors with invalid IP addresses to the hosts file to prevent download of virus pattern files. • Social engineering techniques will not try to manipulate a query on a technical level, but can trick the user into misinterpreting a DNS address that is displayed to him in an e-mail or in his Web browser address bar. One way to achieve this in e-mail or Hypertext Markup Language (HTML) documents is to display a link in text where the actual target address is different from what is displayed. Another way to achieve this is the use of non-ASCII character sets (for instance, Unicode — ISO/IEC 10646 — characters) that closely resemble ASCII (i.e., Latin) characters to the user. This may become a popular technique with the popularization of internationalized domain names. INFORMATION DISCLOSURE. Smaller corporate networks do not split naming zones, i.e., names of hosts that are accessible only from an intranet are visible from the Internet.

Although knowing a server name will not enable anyone to access it,76 this knowledge can aid and facilitate preparation of a planned attack as it provides an attacker with valuable information on existing hosts (at least with regard to servers), network structure, and, for instance, details such 489

AU8231_C007.fm Page 490 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® as organizational structure or server operating systems (if the OS is part of the host name, etc.). A business should therefore operate split DNS zones wherever possible and refrain from using telling naming conventions for their machines.77 In addition, a domain registrar’s database of administrative and billing domain contacts (Whois database) can be an attractive target for information and e-mail harvesting. NAMESPACE-RELATED RISKS. Besides the technical risks described, a number of other risks exist that, although not strictly security related, can lead to equivalent exposure.

• Domain litigation: Domain names are subject to trademark risks, related to a risk of temporary unavailability or permanent loss of an established domain name. For the business in question, the consequences can be equivalent to the loss of its whole Internet presence in an IT-related disaster. Businesses should therefore put in place contingency plans if they are concerned with trademark disputes of any kind over a domain name used as their main Web and e-mail address. Such contingency plans might include setting up a second domain unrelated to the trademark in question (based, for instance, on the trademark of a parent company) that can be advertised on short notice, if necessary. • Cyber squatting and illegitimate use of similar domains, containing common misspellings or representing the same second-level domain under a different top-level domain.78 The only way to protect a business from this kind of fraud is the registration of the most prominent adjacent domains or by means of trademark litigation. A residual risk will always remain, relating not only to public misrepresentation, but also to potential loss or disclosure of e-mail. Lightweight Directory Access Protocol (LDAP). LDAP is a client/server-based directory query protocol loosely based upon X.500,79 commonly used for managing user information. As opposed to DNS, for instance, LDAP is a front end and not used to manage or synchronize data per se.

Back ends to LDAP can be directory services, such as NIS (cf. “Network Information Service (NIS), NIS+” section), Lotus Notes, Microsoft Exchange, etc.

Table 7.10. LDAP Quick Reference Ports Definition

490

389/TCP, 389/UDP RFC 177780

AU8231_C007.fm Page 491 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security Table 7.11. NetBIOS Quick Reference Ports

Definition

135/UDP 137/TCP 138/TCP 139/UDP RFC 100184 RFC 100285

LDAP provides only weak authentication based on host name resolution. It would therefore be easy to subvert LDAP security by breaking DNS (cf. Section Domain Name Service). LDAP communication is transferred in cleartext and therefore is trivial to intercept. One way to address the issues of weak authentication and cleartext communication is deployment of LDAP over SSL, providing authentication, integrity, and confidentiality. Various other extensions to LDAP have been proposed to address these shortcomings; however, they have not widely gained ground.81 Conceivably, a reason for this could be that LDAP was meant to be simple and that building, for instance, a strong authentication and encryption framework around it could at least to a certain extent defeat that purpose. Note, however, that Microsoft Active Directory (see next section) does address these through its use of Kerberos. MICROSOFT ACTIVE DIRECTORY. LDAP is also the basis of Microsoft’s Active Directory Service (ADS). Applications such as Microsoft NetMeeting (cf. real-time communication in Section Instant Messaging) are making heavy use of LDAP for this reason.

As opposed to its predecessor, NetBIOS, ADS is fully TCP/IP and DNS based. ADS authentication is based on Kerberos (see Chapter 3). Network Basic Input Output System (NetBIOS). The NetBIOS application programming interface (API) was developed in 1983 by IBM. NetBIOS was later ported to TCP/IP (NetBIOS over TCP/IP, also known as NetBT); however, implementations running on top of NetBEUI82 or IPX83 are still in use.

Under TCP/IP, NetBIOS is running over TCP on ports 137 and 138 and over UDP on port 139. In addition, it uses port 135 for remote procedure calls (see Section Remote Procedure Calls). NetBIOS is susceptible to a number of attacks.

491

AU8231_C007.fm Page 492 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® • Exploiting the fact that its credentials are static, a user can be made to deliver his credentials by tricking his host into setting up a NetBIOS connection with a host under an attacker’s control. • NetBIOS services can be used for information collection (they will disclose information on users, hosts, and domains). • NetBIOS ports have become popular targets of attacks for Internet worms. Circulating exploits rely on weaknesses in the implementation of NetBIOS, not in the protocol itself. Network Information Service (NIS), NIS+. NIS and NIS+ are directory services developed by Sun Microsystems, which are mostly used in UNIX environments. They are commonly used for managing user credentials across a group of machines, for instance, a UNIX workstation cluster or client/server environment, but can be used for other types of directories. NIS. NIS (see Table 7.12) is using a flat namespace in so-called domains. It is based on RPC and manages all entities on a server (NIS server). NIS servers can be set up redundantly through the use of so-called slave servers.

NIS is known for a number of security weaknesses.86 • The fact that NIS does not authenticate individual RPC requests can be used to spoof responses to NIS requests from a client. This would, for instance, enable an attacker to inject fake credentials and thereby obtain or escalate privileges on the target machine. • Retrieval of directory information is possible if the name of a NIS domain has become known or is guessable, as any client can associate themselves with a NIS domain. Conversely, the fact that a NIS server is an attractive target of attacks cannot be considered a weakness of NIS as such; it is, in fact, an architectural issue with all client/server platforms. A number of guides have been published on how to secure NIS servers. The basic steps here are to secure the platform a NIS server is running on, to isolate the NIS server from traffic outside of a LAN, and to configure it in a way that limits the probability for disclosure of authentication credentials, especially system privileged ones.87 NIS+. NIS+ (see Table 7.13) is using a hierarchical namespace. It is based on Secure RPC (see Section Remote Procedure Calls).

Table 7.12. NIS Quick Reference Ports Definition

492

See RPC (Section Remote Procedure Calls) See RPC (Section Remote Procedure Calls)

AU8231_C007.fm Page 493 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security Table 7.13. NIS+ Quick Reference Ports Definition

See RPC (Section Remote Procedure Calls) See RPC (Section Remote Procedure Calls)

Table 7.14. CIFS/SMB Quick Reference Ports Definition

445/TCP See also NetBIOS (Section Network Basic Input Output System) Proprietary90

Authentication and authorization concepts in NIS+ are more mature; they require authentication for each access of a directory object. However, NIS+ authentication in itself will only be as strong as authentication to one of the clients in a NIS+ environment, as NIS+ builds on a trust relationship between different hosts. The most relevant attacks against a correctly configured NIS+ network come from attacks against its cryptographic security. NIS+ can be run at different security levels; however, most levels available are irrelevant for an operational network. Access Services. Common Internet File System (CIFS)/Server Message Block (SMB). CIFS/SMB88 (see Table 7.14) is a file-sharing protocol prevalent on

Windows systems. A UNIX/Linux implementation exists in the free Samba project.89 SMB was originally designed to run on top of the NetBIOS (see Section Network Based Input Output System) protocol; it can, however, be run directly over TCP/IP. CIFS is capable of supporting user-level and tree/object-level (sharelevel) security. Authentication can be performed via challenge/response authentication as well as by transmission of credentials in cleartext. This second provision has been added largely for backward compatibility in legacy Windows environments. The main attacks against CIFS are based upon obtaining credentials, be it by sniffing for cleartext authentication or by cryptographic attacks. Network File System (NFS). Network File System is a client/server file-sharing system common to the UNIX platform. It was originally developed by Sun Microsystems, but implementations exist on all common UNIX platforms, including Linux, as well as Microsoft Windows. NFS (see Table 7.15) has been revised several times. NFS VERSIONS 2 AND 3. NFS version 2 was based on UDP, and version 3 introduced TCP support. Both are implemented on top of RPC (see Section 493

AU8231_C007.fm Page 494 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Table 7.15. NFS Quick Reference Ports Definition

See RPC (Section 10.6.2.1) RFC 109491 RFC 181392 RFC 301093 RFC 353094

Remote Procedure Calls). NFS versions 2 and 3 are stateless protocols, mainly due to performance considerations. As a consequence, the server must manage file locking separately. NFS versions 2 and 3 have several drawbacks from a security perspective, due to their rather basic authentication mechanisms and to the fact that a file system protocol must possess some form of state management, for which some workarounds have to be introduced on top of the stateless protocol to enable, for instance, file locking. An attacker would have several opportunities to attack NFS, be it from a client, a server, or a network perspective. The first step in setting up an NFS connection will be the publication (exporting) of file system trees from the server. These trees can be arbitrarily chosen by the administrator. Access privileges are granted based upon the client IP address and directory tree. Within the tree, the privileges of the server file system will be mapped to client users. Several points of risk exist:95 • Export of parts of the file system that were not intended for publication or with inappropriate privileges, for instance, by accident or through the existence of UNIX file system hard links (which can be generated by the user). This is of particular concern if parts of the server root file system are made accessible. One can easily imagine scenarios where a password file can be assessed and the encrypted passwords contained therein subsequently broken by an off-theshelf tool. Regular review of exported file system trees is an appropriate mitigation. • Using an unauthorized client. Because NFS identifies the client by its IP address or (indirectly) a host name, it is relatively easy to use a different client than the authorized one, by means of IP spoofing or DNS spoofing.96 At the very least, resolution of server host names should therefore happen by a file (/etc/hosts on UNIX), not by DNS. • Incorrect mapping of user IDs between server and client. In fact, any machine not controlled by the server administrator can be used as an attack as NFS relies on user IDs as the only form of credential. An attacker, having availed himself of administrative access to a client, could generate arbitrary user IDs to match those on the 494

AU8231_C007.fm Page 495 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security server. It is paramount that user IDs on server and client are synchronized, e.g., through the use of NIS/NIS+ (see Section Network Information Service). • Sniffing and access request spoofing. Because NFS traffic, by default, is not encrypted, it is possible to intercept it, either by means of network sniffing or by a man-in-the-middle attack. Because NFS does not authenticate each RPC call, it is possible to access files if the appropriate access token (file handle) has been obtained, for instance, by sniffing. NFS itself does not offer appropriate mitigation, but use of secure NFS. • SetUID files. The directories accessed via NFS are used in the same way local directories are. On UNIX systems, files with the SUID bit can therefore be used for privilege escalation on the client. NFS should therefore be configured in such a way as to not respect SUID bits. SECURE NFS (SNFS). NFS offers secure authentication and encryption on the basis of secure RPC (Section Remote Procedure Calls), based on Data Encryption Standard (DES) encryption. In contrast to standard NFS, secure NFS (or rather secure RPC) will authenticate each RPC request.

This will increase latency for each request as the authentication is performed and introduces a light performance premium, mainly paid for in terms of computing capacity. Secure NFS uses DES encrypted time stamps as authentication tokens. If server and client do not have access to the same time server (see “Network Time Protocol (NTP)” section), this can lead to short-term interruptions until server and client have resynchronized themselves.97 NFS VERSION 4. The latest installment, NFS version 4,98 is a stateful protocol that solves a number of security issues resulting at the core. NFS version 4 uses TCP port 2049. UDP support (and dependency) has been discontinued.

NFS version 4 implements its own encryption protocols on the basis of Kerberos and has discontinued use of RPC. Foregoing RPC also means that additional ports are no longer dynamically assigned, which enables use of NFS through firewalls. This should not be interpreted as mitigation of the risks of operating NFS beyond a network perimeter, as described in the previous section. Operating NFS through firewalls remains bad practice. Layer 6: Presentation Layer Concepts and Architecture The presentation layer as a conceptual node of information translation may appear less relevant from a network security perspective. 495

AU8231_C007.fm Page 496 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Table 7.16. TLS Quick Reference Ports

Definition

Depending on protocol using SSL/TLS; commonly used ports include 443/TCP, 443/UDP: HTTPS (Section 10.8.2.5.3) 563/TCP, 563/UDP: NNTPS (Section 10.8.2.3.1) 636/TCP, 636/UDP: LDAPS (Section 10.6.2.2.2) 989/TCP, 989/UDP, 990/TCP, 990/UDP: FTPS (Section 10.8.2.5.1) 992/TCP, 992/UDP: TELNETS (Section 10.8.2.8.1) 993/TCP, 993/UDP: IMAPS (used to be port 585 for IMAP4-SSL) (Section 10.8.2.3) 995/TCP, 995/UDP: POP3S (Section 10.8.2.2) 5061/TCP, 5061/UDP: SIP-TLS (Section 10.8.2.10.1) RFC2246100

However, the presentation layer is also pertinent to compression and encryption. Although a separate chapter is dedicated to cryptography (see Chapter 3), we will at least examine the concepts of Transport Layer Security (TLS), which — despite its name — has its place on layer 6. 99 In the future, layer 6 may also be considered the layer for digital rights management. Technology and Implementation Transport Layer Security (TLS). Several methods of providing a secure and authenticated channel between hosts on the Internet above the transport layer have been proposed. In the end, the SSL protocol became the basis for TLS (see Table 7.16). From a model perspective, both would be considered transport layer elements, but, in implementation form, a software tier above the transport layer and below the TCP/IP application layer.

SSL was developed by Netscape Communications Corporation to improve security and privacy of HTTP connections. SSL is application independent and capable of negotiating encryption keys as well as server authentication. The TLS protocol is the successor to the earlier Secure Socket Layer (SSL) protocol, providing: • Mutual authentication of server and client (whereas client authentication is hardly used in practice) • Encrypted connections, extensibly based on algorithms implemented on both client and server TLS is composed of two protocols: • The TLS Handshake Protocol, establishing an opaque connection by exchanging asymmetric encryption keys and then creating a channel (of better performance) based on symmetric encryption 496

AU8231_C007.fm Page 497 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security • The TLS Record Protocol, maintaining the integrity of communications through an appropriate hash function The client can authenticate the server by verifying the signature of the server’s certificate using a hard-coded root CA public key, which is typically preinstalled on the client as part of its Web browser installation. Authentication based on symmetric keys can be provided via a Kerberos over TLS implementation (RFC 2712101). An open-source implementation of TLS is the Open SSL102 project. Layer 7: Application Layer Concepts and Architecture The application layer consists of protocols used directly by applications — it does therefore not describe applications, but the interfaces open to them. The application layer is sometimes used to compensate for deficiencies on the lower layers. One example for this is S-HTTP. Conversely, deficiencies on the application layer, i.e., lack of authentication mechanisms, can defeat security measures on the lower layers. Technology and Implementation Asynchronous Messaging (E-mail and News). Simple Mail Transfer Protocol (SMTP) and Enhanced Simple Mail Transfer Protocol (ESMTP) (see Tables 7.17 and 7.18). SMTP is a protocol to route e-mail on the

Internet. SMTP is pervasive and used for practically all mail routing outside of closed application networks (such as Lotus Notes). SMTP is a client/server protocol, using port 25/TCP; information on mail servers for Internet domains is managed through DNS (in so-called mail exchange (MX) records). Although SMTP takes a fairly simple approach at authentication, it is fairly robust in the way it deals with unavailability; an SMTP server will try to deliver e-mail over a configurable period. From a protocol perspective, SMTP’s main shortcomings are its nonexistent authentication and its lack of encryption. Identification is performed by the sender’s e-mail address. A mail server will be able to restrict sending access to certain hosts (which should be on the same network as the mail server), as well as set conditions on the sender’s e-mail address (which should be one of the domains served by this particular mail server). Otherwise, the mail server may be configured as an open relay (see below). From an implementation perspective, a number of mail agents have become notorious for their security holes. Not a few of them aggravate the 497

AU8231_C007.fm Page 498 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Table 7.17. SMTP Quick Reference Ports Definition

25/TCP RFC 821104 RFC 822105

Table 7.18. ESMTP Quick Reference Ports Definition

25/TCP RFC 2821106

problem due to the fact that they are running with system privileges on the server.103 To address the weaknesses identified in SMTP, an enhanced version of the protocol, ESMTP, was defined. ESMTP is modular in that client and server can negotiate the enhancements used. ESMPT does offer authentication, among other things, and allows for different authentication mechanisms, including basic and several secure authentication mechanisms. E-MAIL SPOOFING. As SMTP does not possess an adequate authentication mechanism, e-mail spoofing is extremely simple. The most effective protection against this is a social one, whereas the recipient can confirm or simply ignore implausible e-mail.

Spoofing e-mail sender addresses is extremely simple, and it can be done with a simple TELNET command to port 25 of a mail server and by issuing a number of SMTP commands. E-mail spoofing is frequently used as a means to obfuscate the identity of a sender in spamming (see below), whereas the purported sender of a spam e-mail is in fact another victim of spam, whose e-mail address has been harvested by or sold to a spammer. OPEN MAIL RELAY SERVERS. An open mail relay server is an SMTP server that allows inbound SMTP connections for domains it does not serve (i.e., for which it does not possess a DNS MX record). An open mail relay is generally considered a sign of bad system administration. 107

Open mail relays are a principal tool for distribution of spam, as they allow an attacker to hide his identity. A number of blacklists for open mail relay servers exist that can be used for blacklisting open mail relays (i.e., a legitimate mail server would not accept any e-mail from this host because it has a high likelihood of being spam).108 Although using blacklists as one indicator in spam filtering has its merits, it is risky to use them as an exclusive indicator. Generally, they are run 498

AU8231_C007.fm Page 499 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security by private organizations and individuals according to their own rules, they are able to change their policies on a whim, they can vanish overnight for any reason, and they can rarely be held accountable for the way they operate their lists. SPAM. We touched on the subject of spam (or unsolicited commercial email (UCE)) in the previous section.109 Spam benefits from the low cost of e-mail, as opposed to phone calls or letters. It can be sent in massive amounts with little additional cost and a low risk of retribution.

Over the years, sending spam has become a professional and highly profitable business. This means that spammers are highly organized and structured. In general, spam is not limited to e-mail; it can also occur in newsgroups, Web logs (blogs), or instant messaging (see “Spam over Instant Messaging (SPIM)” section). • Spam often promotes illegitimate or fraudulent businesses and shady Web sites. • It is often crafted in such a way as to trick the user into thinking that either he has been addressed personally (for instance, by inclusion of personal names or e-mail addresses) or that he has accidentally received an important e-mail intended for someone else. Spam per se is less of a security problem than a problem of acceptable use. However, spam relies on illegitimate (and security breaching) means for its distribution. Because spam is nowhere welcome and the majority of providers have acceptable use policies in place that disallow the sending of UCE, spammers have to resort to (illegitimate) distribution and redistribution of their e-mail and to obfuscation of its origin. • Spam is almost always sent with invalid (faked) sender addresses. • Spam can be sent through open mail relays. The legitimacy of this tactic is at least questionable. While, in our opinion, due care is certainly missing on behalf of the system administrator of the open mail relay, an intent to allow relaying can hardly be inferred. • Spam appears to be increasingly sent via virus-infected, backdoored hosts (zombie networks). Where this is the case, a security breach is exploited and the spammer may be a party in performing it. The average amount of spam a user receives can easily outnumber his normal e-mail. It has therefore become common practice to implement spam filters in e-mail gateways to protect network and server capacity, save working time on behalf of the recipient, and reduce the risk of actual e-mail accidentally being discarded. • By far the most common way of suppressing spam is e-mail filtering on an e-mail gateway. A large variety of commercial products exist, based on a variety of algorithms. Filtering based on simple key499

AU8231_C007.fm Page 500 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® words can be regarded as technically obsolete; (1) the method is prone to generate false-positives,110 and (2) spammers are having an easy day working around this type of filter. More sophisticated filters, based, for instance, upon statistical analysis or analysis of e-mail traffic patterns, have come to market. Filtering can happen on an e-mail server (mail transfer agent (MTA)) or in the client (mail user agent (MUA)). • As an administrator of a mail server, the server can be configured to limit or slow down an excessive number of connections (tar pit).111 • A mail server can be configured to honor blacklists (of spam sources) either as a direct blocking list or as one of several indicators for spam. Organizations need to take precautions against becoming a spam haven; i.e., their mail servers and hosts need to be secured to avoid becoming a relay point for spam. Organizations sending spam — whether deliberately or involuntarily — may face dire consequences and retribution, starting with being cut off from their own mail and Internet access partly or in its entirety. Post Office Protocol (POP). Although SMTP addresses the task of sending and receiving e-mail on a server, POP (see Table 7.19) solves the problem of accessing e-mail on a server from a client. Widely implemented in its current (and probably last) version (version 3 — POP3), POP only offers basic functionality, such as username/password authentication and unencrypted transmission.

Modern e-mail clients therefore rely on encryption through TLS to at least provide secure transmission to protect the confidentiality and integrity of a message. Once downloaded onto a client, e-mail will be protected (only) by the client’s operating system security. Internet Message Access Protocol (IMAP). IMAP (see Table 7.20) is one of two dominant protocols for accessing e-mail on a server (the other one being POP; Section Post Office Protocol). IMAP offers a number of notable functional security enhancements over POP’s simple authentication and e-mail management.

Table 7.19. POP Quick Reference Ports Definition

500

110/TCP RFC 1734112 RFC 1939113

AU8231_C007.fm Page 501 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security Table 7.20. IMAP Quick Reference Ports Definition

143/TCP RFC 1730114 RFC 3501115

Functional enhancements, which are remotely relevant from an availability and integrity perspective, are concurrent access from different clients and to different mailboxes and the ability to synchronize e-mail to a client from a server, as opposed to POP’s download-and-delete approach, whereby the availability of messages was delegated to the client. More importantly, IMAP offers native support for encrypted authentication as well as encrypted data transfer. IMAP supports plaintext transmission if forced by the server. Network News Transfer Protocol (NNTP). Network news was one of the first discussion systems on the Internet, predating Web-based discussion forums116 and loosely modeled after former dial-up mailbox electronic discussion systems. Internet newsgroups — in their entirety also known as Usenet, even though based on a social, rather than physical or logical, network — are distributed through a protocol called NNTP (see Table 7.21), which from the client perspective matches SMTP in its simplicity, but from a server perspective offers a vastly different set of functionality, as the basic requirement here is not the routing of e-mail but the hierarchical distribution of information to temporary caches, as well as the administration of the server and the newsgroup hierarchy.

From a security perspective, the main shortcoming in NNTP is again authentication. Confidentiality of the message is much less of a concern, as the information is indeed intended for publication; however, the proper identification and authentication of the sender remains a strong concern. One of the earlier solutions users found to this problem was signing messages with PGP. However, this did not prevent impersonation or faked identities, as digital signatures were not a requirement, and indeed would be unsuitable for the repudiation problem implied. To make matters worse, NNTP offers a cancellation mechanism to withdraw articles already published. Naturally, the same authentication weakness applies to the control messages used for these cancellations, allowing users with even moderate skills to delete messages at will. On a related note, network news have been plagued with spam for more than a decade (in essence, since Usenet spam became economically viable). A number of mechanisms to deal with this problem have evolved. It can be safely said that all technical measures are just add-ons to what is mostly a social self-regulation mechanism.117 501

AU8231_C007.fm Page 502 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Table 7.21. NNTP Quick Reference Ports Definition

119/TCP RFC 1036120

• The original Usenet way of dealing with unwanted information was maintenance of client-based blacklists by the user, so-called kill files.118 • Some newsgroups have been set up as moderated to prevent misuse, mostly by partisan participants, but naturally the mechanism also works against spam, even though it comes at an increased workload to the moderator of a newsgroup. • Over time, a convention evolved, after which messages classified as spam by well-defined criteria (excessive repetitions or cross-posting of identical or highly similar messages) were legitimate targets for cancellations. The problem of authentication has never been adequately addressed in NNTP, and it might even be undesirable to do so: in a certain way, Usenet as a social construct may well depend on the ability to post anonymously or under pseudonyms.119 Instant Messaging. Applications and Protocols. Instant messaging systems can generally be categorized in three classes: peer-to-peer networks, brokered communication, and server-oriented networks.

Most chat applications do offer additional services beyond their text messaging capability, for instance, screen sharing, remote control, exchange of files, and voice and video conversation. Some applications allow command scripting. We can expect convergence with Voice-over-IP services in the future (Section Voice-over-IP). It should be noted that many of the risks mentioned here apply also to online games, which today offer instant communication between participants. For instance, multiplayer role-playing games, such as multiuser domains (MUDs), rely heavily on instant messaging that is similar in nature to Internet Relay Chat (IRC), even though it is technically based on a variant of the TELNET protocol. A large collection of real-time communication protocols and applications exists. We will focus on applications based on open protocols.121 OPEN PROTOCOLS, APPLICATIONS, AND SERVICES. Extensible Messaging and Presence Protocol (XMPP) (see Table 7.22) and Jabber — Jabber122 is an open instant messaging protocol for which a variety of open-source clients exist. A number of commercial services based on Jabber exist.

502

AU8231_C007.fm Page 503 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security Table 7.22. XMPP Quick Reference Ports Definition

5222/TCP, 5222/UDP RFC 3920125 RFC 3921126

Jabber has been formalized as an Internet standard under the name Extensible Messaging and Presence Protocol (XMPP), as defined in RFC 3920123 and RFC 3921.124 Jabber is a server-based application. Its servers are designed to interact with other instant messaging applications. As with IRC, anybody can offer a Jabber server. The Jabber server network can therefore not be considered trusted. Although Jabber traffic can be encrypted via TLS, this does not prevent eavesdropping on the part of server operators. However, Jabber does provide an API to encrypt the actual payload data. Jabber itself offers a variety of authentication methods, including cleartext and challenge/response authentication. To implement interoperability with other instant messaging systems from the server, however, the server will have to cache the user’s credentials for the target network, enabling a number of attacks, mainly on behalf of the server operator, but also for anyone able to break into a server. Internet Relay Chat (IRC) — Of the widely deployed chat systems on the Internet, IRC (see Table 7.23) was arguably the first. IRC is still popular in academia, but has lost its dominant position to commercial services. Communication is organized in public discussion groups (channels) and private messaging between individual users. IRC is a client/server-based network. IRC is unencrypted, and therefore an easy target for sniffing attacks. The basic architecture of IRC, based on trust between servers, enables special forms of denial-of-service attacks, whereby a malicious user can hijack a channel while a server or group of servers has been disconnected from the rest (net split). IRC is also a common platform for social engineering attacks, aimed at inexperienced or technically unskilled users. Although original clients were UNIX based, IRC clients are now available for many platforms, including Windows, Apple Macintosh, and Linux. PROPRIETARY APPLICATIONS AND SERVICES. Readers will want to familiarize themselves128 with proprietary applications such as IBM Lotus Instant Mes503

AU8231_C007.fm Page 504 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Table 7.23. IRC Quick Reference Ports Definition

194/TCP, 194/UDP RFC1459127

saging and Web Conferencing (Sametime), as well as commercial services such as: • AOL Instant Messaging and ICQ, based on the proprietary Open System for Communication in Real-Time (OSCAR) protocol • Google Talk, based on open Jabber/XMPP • Microsoft MSN Messenger/Windows Messenger, based on the proprietary Mobile Status Notification Protocol (MSNP) • Yahoo! Messenger, based on a proprietary protocol All of these applications and services are server based. Interoperability between these services can be achieved through a server-based approach a la XMPP or through multiple protocol clients. As usual, security of all of these applications rests in the strength of the protocol, quality of the implementation, trustworthiness of the operator, and behavior of the user. If these applications are to be used in a business context, stringent architectural and policy measures need to be put in place to prevent security gaps. This is all the more important as many instant messaging applications by design support a variety of communication channels, offer the ability to tunnel through HTTP, and offer online awareness services that can be misused for technical or social attacks. Risks. AUTHENTICITY. User identification can be easily faked in chat applications

by: • Choosing a misleading identity upon registration or changing one’s nickname while online • Manipulating the directory service (if the application requires one) • Manipulating either the attacker’s or the target’s client to send or display a wrong identity Although these risks are inherent to all kinds of communication networks (and are also common in e-mail), they present an increased risk in real-time communication, where a user potentially has less time to analyze the communication presented to him or her. CONFIDENTIALITY. Many chat systems transmit their information in cleartext. Similar to unencrypted e-mail, information can be disclosed by sniffing on the network. 504

AU8231_C007.fm Page 505 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security A different form of confidentiality breach may occur based upon the fact that chat applications can generate an illusion and expectation of privacy, e.g., by establishing “closed rooms.” Depending on the kind of infrastructure used, all messages can however be read in cleartext by privileged users such as the chat system’s operators. File transfer mechanisms embedded in instant messaging clients can be considered an uncontrolled channel for information — especially file — leakage. Due to the large number of other, similarly uncontrollable channels, the resulting additional risk should not be overestimated, while of course the overall risk may still be high. SCRIPTING. Certain chat clients, such as IRC clients, can execute scripts that are intended to simplify administration tasks, such as joining a chat channel. Because these scripts are executed with the user’s privileges with relatively unsophisticated (no sandbox) or nonexistent protection, they are an attractive target for social engineering or other attacks. Once the victim has been tricked into executing commands, he can leave his computer wide open for other attacks. SOCIAL ENGINEERING. Similar to e-mail, but in a different social setting, attackers can exploit the lack of authenticity to evoke an impression of legitimacy, for instance, by claiming to belong to a certain company or social group.

As the social setting is informal and community oriented, there might even be social pressure to behave in an insecure manner, for instance, to demonstrate trust. The lack of authenticity (and subsequently of nonrepudiation) should be a concern, especially in business situations where chat systems can be used to give online support or enable other forms of customer interaction. SPAM OVER INSTANT MESSAGING (SPIM). With the proliferation of Windows clients with Windows Messenger Service enabled, a particular form of SPIM through pop-up windows ran rampant for a while. The easiest countermeasure is to disable the service. TUNNELING FIREWALLS AND OTHER RESTRICTIONS. Similar to streaming audio and video applications, corporate firewalls were perceived as an obstacle in establishing direct contact with Internet peers. The easy, but arguably illegitimate, solution for developers was to enable tunneling through the protocol that would always be available: HTTP.

Depending on the client, it can even be possible to enable incoming connections by polling an external server. (This technique has been widely exploited in another type of application, a certain kind of remote-access software.) 505

AU8231_C007.fm Page 506 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Control of HTTP tunneling can happen on the firewall or the proxy server. It should, however, be considered that in the case of peer-to-peer protocols, this would require a “deny by default” policy, and blocking instant messaging without providing a legitimate alternative is not likely to foster user acceptance and might give users incentive to utilize even more dangerous workarounds. Although we have discussed confidentiality risks in the information security and risk management chapter, Domain 1, it should be noted that inbound file transfers can also result in circumvention of policy or restrictions in place, in particular for the spreading of viruses. An effective countermeasure can be found in on-access antivirus scanning on the client (which probably should be enabled anyway). Data Exchange (World Wide Web). File Transfer Protocol (FTP). Before the advent of the World Wide Web and proliferation of HTTP (which is built on some of its features), FTP (see Table 7.24) was the protocol for publishing or disseminating data over the Internet.

In its early days, the usual way to use FTP was in a nonfirewalled environment from a UNIX command shell. The protocol reflects some of the early design decisions made to support this environment, even though it is typically used via dedicated FTP clients or Web browsers. As opposed to, for instance, HTTP, FTP is a stateful protocol. FTP requires two communication channels, one control channel on port 21 under TCP, over which state information is exchanged, and a data channel on port 20, through which payload information is transmitted. In its original form, FTP authentication is simple username/password authentication, and credentials as well as all data are transmitted in cleartext. This makes the protocol subject to guessing or stealing of credentials, man-in-the-middle attacks, and sniffing. Although this can be addressed by use of encryption on underlying layers, it is a severe drawback, as additional effort is required for secure configuration and additional requirements to support encryption have to be met by the client. FTP offers two principal modes of data transfer: ASCII and binary. In ASCII mode, a conversion of layer 6 representation, depending on the target platform, is performed, whereas this conversion is omitted in binary mode. Table 7.24. FTP Quick Reference Ports Definition

506

20/TCP (data stream) 21/TCP (control stream) RFC 959129

AU8231_C007.fm Page 507 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security TRANSFER MODES. Although the control channel is always opened by the client, there are two different modes for the data channel:130

• Active mode (PORT mode), where the server initiates the data connection to the client. This mode has obvious drawbacks in firewalled environments, as incoming connections to the client can (and should) be blocked. A number of firewall products still support active mode. • Passive mode (PASV mode), where the client initiates the data connection to the server. Even though RFC 959 does not mandate implementation of passive FTP, the majority of FTP servers in the market offer this type of connection. ANONYMOUS FTP. Before the advent and proliferation of HTTP, publication of information to an unspecific user group was fulfilled by FTP services offering guest authentication to anyone who so desired. These services were called anonymous FTP due to the fact that the guest user would be mapped to the FTP log-in ID “anonymous,” whereas the user would pseudoauthenticate (and thereby identify) himself with his e-mail address.

In practice, the user could have been using any password or e-mail address, whereas using one’s true e-mail address would still have been considered common courtesy. Although Web browsers still support the (social) protocol as such, the use of anonymous FTP has widely fallen by the wayside. There are probably three main reasons why: • With HTTP, anonymous publication of information can be handled in a much more efficient and seamless manner. • Disclosure of e-mail addresses on the part of the user (or a requirement to do so) is widely regarded as an unsafe and privacy-violating practice that will expose the user to address harvesting by spammers. • Guest access can expose the FTP server to security risks. Although these can be properly addressed by configuration measures, and a misconfigured HTTP server will expose quite a similar set of vulnerabilities (such as disclosure of credentials and directory traversal), the fact that the default configuration for FTP servers is authenticated communication, while for HTTP servers the default configuration will not require the user to authenticate, makes HTTP the preferred choice for server administrators. TRIVIAL FILE TRANSFER PROTOCOL (TFTP). TFTP (see Table 7.25) is a simplified version of FTP, which is used when authentication is not needed and quality of service is not an issue. TFTP runs on port 69/UDP. It should therefore only be used in trusted networks of low latency.

507

AU8231_C007.fm Page 508 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Table 7.25. TFTP Quick Reference Ports Definition

69/UDP RFC 1350131

In practice, TFTP is used mostly in LANs for the purpose of pulling packages, for instance, in booting up a diskless client. Hypertext Transfer Protocol (HTTP). HTTP (see Table 7.26), originally conceived as a stateless, stripped-down version of FTP, was developed at the European Organization for Nuclear Research (CERN132) to support the exchange of information in Hypertext Markup Language (HTML).

It is probably not an overstatement to say that it changed the world — the protocol has proven to be uniquely suited to publish information anywhere, anytime, it has driven the proliferation of the Internet as an ubiquitous commodity, and it has probably generated more security headaches than any other protocol. This last view is not due to the design of the protocol, which is fairly lightweight, but its popularity. • On one hand, HTTP’s popularity caused the deployment of an unprecedented number of Internet facing servers, not a small number of which were deployed with out-of-the-box, vendor preset configurations — most of which at the time were geared at convenience, rather than security. • If this were not bad enough, a whole number of previously closed applications were suddenly marketed as “Web enabled.” By implication, not much time was spent on developing the Web interface in a secure manner and authentication was simplified to become a browser-based style. • On the other hand, HTTP will work from within most networks, shielded or not, and thereby lends itself to tunneling an impressive number of other protocols, even though HTTP neither supports quality of service nor bidirectional communication — both for which workarounds were quickly developed. HTTP does not support encryption and has a fairly simple authentication mechanism based on domains, which in turn are normally mapped to directories on a Web server. Although in principle HTTP authentication is extensible, it is most often used in the classic username/password style. As we already said, nothing of this is, strictly speaking, HTTP’s fault. It was never really designed for its own success, by virtue of which security has been delegated in most cases to lower levels (TLS) or had to be coded into the application altogether. 508

AU8231_C007.fm Page 509 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security Table 7.26. HTTP Quick Reference Ports Definition

80/TCP; other ports are in use, especially for proxy services133 RFC 1945134 RFC 2109135 RFC 2616136

HTTP PROXYING. Anonymizing Proxies — Because HTTP is transmitting data in cleartext and generates a slew of logging information on Web servers and proxy servers along the road, resulting information can be readily used for competitor intelligence and illegitimate activities, such as industrial espionage activities or simply to satisfy a Web master’s curiosity.

To address this significant concern, a number of commercial and free services are available that allow anonymization of HTTP requests. These services are mainly geared at the privacy market. A relatively popular free service is JAP137; a number of commercial services exist that interested readers may want to familiarize themselves with. Open Proxy Servers — Like open mail relays, open proxy servers allow unrestricted access to GET commands from the Internet. They can therefore be used as stepping stones or simply to obscure the origin of illegitimate requests. More importantly, an open proxy server bears an inherent risk of opening access to protected or intranet pages from the Internet. (A misconfigured firewall allowing inbound HTTP requests would need to be present on top of the open proxy to allow this to happen.) As a general rule, HTTP proxy servers should not allow queries from the Internet. It is best practice to separate application gateways (sometimes implemented as reverse proxies) from the proxy for Web browsing, as both have very different security levels and business importance. (It would be even better to implement the application gateway as an application proxy and not an HTTP proxy, but this is not always possible.) Content Filtering — In many organizations, the HTTP proxy is used as a means to implement content filtering, for instance, by logging or blocking traffic that has been defined or is assumed to be nonbusiness related. Although filtering on a proxy server or firewall as part of a layered defense can be quite effective to prevent, for instance, virus infections (though it should never be the only protection against viruses), it will be only moderately effective in preventing access to unauthorized services (such as certain remote-access services or file sharing), as well as preventing download of unwanted content.138 509

AU8231_C007.fm Page 510 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Table 7.27. HTTP over TLS Quick Reference Ports Definition

443/TCP RFC 2818140

HTTP TUNNELING. HTTP tunneling is technically a misuse of the protocol (on the part of the designer of such tunneling applications). It has become a popular feature with the rise of the first streaming video and audio applications and has been implemented into many applications that have a market need to bypass user policy restrictions.139

Usually, HTTP tunneling is based on encapsulating outgoing traffic in an HTTP request and incoming traffic in a response. Often, this will require the client polling for inbound connections from time to time. Suitable countermeasures include filtering on a firewall or proxy server and assessing clients for installations of unauthorized software. However, a security officer will have to balance the business value and effectiveness of these countermeasures with the incentive for circumvention that a restriction of popular protocols will create. HTTP OVER TLS (HTTPS — SEE TABLE 7.27). It is important to note that for most applications, the security offered (and touted) through the use of HTTP over TLS is limited to confidentiality, i.e., HTTP over TLS offers protection against eavesdropping, depending on the strength of encryption jointly supported by both client and server. Common Web browsers, which make for the main share of clients, support 128-bit DES encryption, which is not a very high degree of protection (see Chapter 3).

HTTP over TLS is broadly supported and is even recognized in the general public as a secure solution and has become a de facto standard for online retailers of all kinds, all of which are offering encrypted connections for their ordering and credit card billing systems. On the other hand, the very popularity of HTTPS can lull the user into a false sense of security. • The security offered by TLS is mostly used to protect against eavesdropping, while authentication is still based on username/password credentials. This opens up the possibility of man-in-the-middle attacks, which can be executed, for instance, by DNS spoofing. • It is a safe guess that many users will not hesitate to accept any server certificate presented to them and ignore warnings about a mismatch between the fully qualified domain name (FQDN) of a site in DNS and that in the certificate. This is easily the case in phishing attacks. • Even confidentiality may not be protected if encryption does not cover all parts of the site. This might occur if transactions are served 510

AU8231_C007.fm Page 511 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security Table 7.28. S-HTTP Quick Reference Ports Definition

80/TCP RFC 2660142

through a server farm of different applications and can be avoided by using a reverse proxy as a front end.141 SECURE HYPERTEXT TRANSFER PROTOCOL (S-HTTP). As opposed to the HTTP over TLS protocol, which relies on an underlying TLS or SSL tunnel to protect its connection, S-HTTP (see Table 7.28) is an enhancement to HTTP 1.1 and aims to manage encryption entirely on the application layer.

S-HTTP is designed to coexist with HTTP and can use the same port. A server will distinguish an S-HTTP request from an HTTP request by header information. S-HTTP goes hand in hand with security extensions to HTML, as defined in RFC 2659.143 S-HTTP is a highly flexible protocol that allows negotiation and renegotiation of encryption mechanisms and security policies. Through its integration into the client/server requests, S-HTTP is more resilient than HTTP over TLS, and, in particular, less susceptible to man-in-the-middle attacks and known plaintext attacks. An application can be selective in which parts of a request to encrypt and thereby enhance performance. Although the entire approach gives the application greater control, it also gives rise to an increase in complexity for the server administrator, as well as for the page designer/application programmer. Consequently, SHTTP has not gained the same uniform acceptance and implementation support as HTTPS. RFC 2660 is explicitly marked as describing an “experimental protocol,” and no successor has been published. Passive and Active Content (HTML, ActiveX, Java, JavaScript). The subject of content structure and its potential side effects is not, strictly speaking, a network security topic but one of client security. It is mentioned here because security attacks carried through active content are executed in a network client, the Web browser.

Different types of active content come with different forms of protection: • Microsoft’s ActiveX security model is based upon security zones that will determine the actions active content is allowed to perform on a given client. Microsoft’s Internet Explorer browser (the only one in the market able to execute ActiveX controls) has four types of zones.144 • In Sun’s Java, applets are executed in a sandbox, a protected environment isolated from the operating system. 511

AU8231_C007.fm Page 512 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® • In Netscape’s JavaScript, restrictions are based in the language, i.e., a number of dangerous actions are impossible to express to start with, while others will be executed with the privilege of the user. The WWW client (browser) being the point of attack, it is also the first bastion of defense. Network and system administrators need to ensure that security zones are configured properly in all browsers on a network and clients are regularly updated through patches to close security holes. Peer -to-Peer Applications and Protocols. Peer -to-peer applications have gained recent popularity — or notoriety, depending on one’s point of view — due to their controversial role in sharing of intellectual property, mainly multimedia files.

Although bandwidth consumption, acceptable use conduct, and legal implications (see the legal, regulations, compliance and investigations chapter, Domain 10) may be sufficient to warrant attention, policing, and auditing peer-to-peer applications in a business environment, we focus on the security risks associated with peer-to-peer use. It is in the nature of the that market peer-to-peer (P2P) applications are moving in that they quickly gain popularity, and sometimes vanish just as quickly.145 Arguably, the first popular P2P application was Napster, whose demise was brought upon by legal disputes that the company lost, based among other things on the fact that it was operating a set of servers through which intellectual property violations had been committed.146 The security risks associated with P2P applications are associated with the nature of these applications, in particular the business model of their supplier, as well as the content distributed over these applications. • P2P applications are often designed to open an uncontrolled channel through network boundaries (normally through tunneling). They therefore provide a way for dangerous content, for instance, spyware applications or viruses, to enter an otherwise protected network. • The applications themselves may contain spyware or other undesired functionality. • Legal risks due to the nature of content that is often found in P2P networks can hit an organization even if it did not approve of the use of P2P applications. Administrative Services. Remote Authentication Dial-in User Service (RADIUS). R A D I U S ( s e e Ta b l e 7.29) is an authentication protocol used mainly in networked environments, such as Internet service providers (ISPs), or for similar services requiring single sign-on for layer 3 network access, for scalable authentica512

AU8231_C007.fm Page 513 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security Table 7.29. RADIUS Quick Reference Ports Definition

1812/TCP, 1812/UDP 1813/TCP, 1813/UDP RFC 2865147

tion combined with an acceptable degree of security. On top of this, RADIUS provides support for consumption measurement such as connection time. RADIUS authentication is based on provision of simple username/password credentials. These credentials are encrypted by the client using a shared secret with the RADIUS server. RADIUS is victim to a number of cryptographic attacks and can be successfully attacked with a replay attack.148 RADIUS also suffers from a lack of integrity protection and the fact that just specific fields are transmitted encrypted. Nonetheless, within its usual scope of deployment, RADIUS is generally considered to be sufficiently secure. An ISP, in particular, will want to balance the risk of unauthorized access (and theft of bandwidth) with deployment cost. As RADIUS is relatively easy to deploy and supported by a large number of devices in the market; its resulting cost reduction will offset the ISP’s risk. Conversely, RADIUS may not be sufficiently secure for higher security requirements, such as access to a corporate network. In these cases, the added security offered by VPNs or IPSec is clearly desirable. Simple Network Management Protocol (SNMP). SNMP (see Table 7.30) is designed to manage network infrastructure. While its basic architecture is a fairly simple client/server architecture with a relatively limited set of commands, managing a network via SNMP is anything but simple, so within the scope of this book, we can only start highlighting security issues with SNMP.

SNMP architecture consists of a management server (called manager in SNMP terminology) and a client, usually installed on network devices (such as routers and switches) (called an agent). SNMP allows the manager to retrieve (“get”) values of variables from the agent, as well as “set” variables. Such variables could be routing tables or performance-monitoring information.151

Table 7.30. SNMP Quick Reference Ports149 Definition

161/TCP, 161/UDP 162/TCP, 162/UDP RFC 1157150

513

AU8231_C007.fm Page 514 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Although SNMP has proven to be remarkably robust and scalable, and its near omnipresence suggests a high degree of resilience against common attacks, it does have a number of clear weaknesses. Some of them are by design; others are subject to configuration parameters. • Probably the most easily exploited SNMP vulnerability is a bruteforce attack on default or easily guessable passwords. This may sound like a moot point, but given the scale of deployment, combined sometimes with perhaps relative inexperience of network administrators, it is certainly a realistic scenario, and a potentially severe but easily mitigated risk at that. • Until version 2, SNMP does not provide any degree of authentication or transmission security. Authentication consists of an identifier called a community string, by which a manager will identify itself against an agent (this string is configured into the agent) and a password sent with a command. In other words, passwords can be easily intercepted and commands sniffed upon or faked. Remote-Access Services. The services described under this section, TELNET, rlogin, and the X Window System (X11), while present in many UNIX operations, and, when combined with NFS and NIS, provide the user with seamless remote working capabilities, do in fact form a risky combination if not administrated properly.

Conceptually, because they are built on mutual trust, they can be misused to obtain access and to horizontally and vertically escalate privileges in an attack. Their authentication and transmission capabilities are insecure by design; they therefore had to be retrofitted (as X11) or replaced altogether (TELNET and rlogin by SSH). TCP/IP Terminal Emulation Protocol (TELNET). TELNET (see Table 7.31) is a command line protocol designed to give command line access to another host. Although implementations for Windows exist, TELNET’s original domain was the UNIX server world, and in fact, a TELNET server is standard equipment for any UNIX server. (Whether it should be enabled is another question entirely, but in small LAN environments, TELNET is still widely used.)

Being a fairly low-level TCP implementation, a TCP client can be used to emulate other protocols, as shown below in the HTTP dialog in a TELNET shell: Arthur$ Ping elvis elvis is alive Arthur$ Telnet elvis 80 GET / 514

AU8231_C007.fm Page 515 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security Table 7.31. TELNET Quick Reference Ports Definition

23/TCP RFC 854152 RFC 855153

TELNET offers little security, and indeed, its use poses serious security risks in untrusted environments: • TELNET is limited to username/password authentication. • TELNET does not offer encryption. • Once an attacker has obtained even a normal user’s credentials, he has an easy road toward privilege escalation, as he cannot only transfer data from and to a machine, but also execute commands. • As the TELNET server is running under system privileges, it is an attractive target of attack in itself; exploits in TELNET servers pave the way to system privileges for an attacker. It is therefore reasonable to discontinue use of TELNET over the Internet and on Internet facing machines. In fact, the standard hardening procedure for any Internet facing server should include disabling its TELNET service (which under UNIX systems would normally run under the name of telnetd). Remote Log-in (rlogin), Remote Shell (rsh), Remote Copy (rcp). I n i t s m o s t generic form, rlogin is a protocol used for granting remote access to a machine, normally a UNIX server. Similarly, rsh grants direct remote command execution while rcp copies data from or to a remote machine (see Table 7.32).

If a rlogin daemon (rlogind) is running on a machine, rlogin access can be granted in two ways, by a central configuration file or by a user configuration. By the latter, a user may grant access that was not permitted by the system administrator. The same mechanism applies to rsh and rcp, while they are relying on a different daemon (rshd). Authentication can be considered host/IP address based. Although rlogin grants access based on user ID, it is not verified; i.e., the ID a remote client claims to possess is taken for granted if the request comes from a trusted host. The rlogin protocol transmits data without encryption and is hence subject to eavesdropping and interception. The rlogin protocol is of limited value — its main benefit can be considered its main drawback: remote access without supplying a password. It should only be used in trusted networks, if at all. A drastically more secure replacement is available in the form of SSH for rlogin, rsh, and rcp. 515

AU8231_C007.fm Page 516 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Table 7.32. rlogin, rsh, rcp Quick Reference Ports Definition

513/TCP RFC 1258

X Window System (X11). The X Window System (see Table 7.33) is a comprehensive environment for remote control and display of applications. Although its original realm is the world of UNIX workstations, implementations for other operating systems, such as Windows and Mac OSX, exist.

X Window is composed of a server (which is running on the user’s client (!)) used to display graphics and send local events such as mouse clicks back to the client (the remote machine (!)).154 The X Window System’s core functionality is also its key risk from a security perspective. X Window allows remote administration and remote display of graphics. If the server is not adequately configured, any client on the Internet can use it to display graphics on an attached console.155 This may sound humorous at first (and in fact has been the subject of many lab pranks). However, it would be equally possible to use an open X Window Server for eavesdropping, screen shots, and key logging. The X Window System is built on unencrypted communication. This can be addressed by using lower-layer encryption or by tunneling the X Window System, for instance, through SSH. Based on its simple security model, which can be used to subvert and compromise other, stronger authentication mechanisms, the X Window System should only be used in trusted environments, for instance, in a LAN-based UNIX cluster. Running X11 servers on the Internet bears serious risks, and Internet facing servers should never have X11 running. IDENTIFICATION, AUTHENTICATION, AND AUTHORIZATION. Identification and authorization under the X Window System is based on a host’s IP address or DNS name. A machine running an X Window Server can be dynamically configured to accept commands from a client (using the xhost command under UNIX).

Practically all approaches that have been described earlier that can be used to subvert such an authorization scheme are practical under X11. On a related note, an attacker who is able to log in on a given machine running an X Window Server will be able to access said server. To address this significant shortcoming, X11 has been fitted with a mechanism called xauth. Xauth is based on authentication strings called magic cookies, which are kept in a configuration file in the user’s home directory under UNIX. It should be noted that this mechanism is fairly complex to handle and that using the traditional “opening of a display” on an X 516

AU8231_C007.fm Page 517 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security Table 7.33. X Window Services Quick Reference Ports Definition

6000 and higher/TCP RFC 1013156

Table 7.34. Finger Quick Reference Ports Definition

79/TCP RFC 742158 RFC 1288159

Window Server using the xhost command will not only override, but compromise, the xauth authorization scheme. Information Services. Finger User Information Protocol. Finger (see Table 7.34) is an identification service that allows a user to obtain information about the last log-in time of a user and whether he is currently logged into a system. The “fingered” user has the possibility to have information from two files in his home directory displayed (the .project and .plan files).

Developed as early as 1971, Finger is implemented as an UNIX daemon, fingerd. Finger has become less popular for several reasons: • Finger has been the subject of a number of security exploits.157 • Finger is raising privacy and security concerns; it can easily be abused for social engineering attacks. • The user’s self-actuation (an important social aspect in early UNIX networks) happens on Web pages today. For all practical purposes, the Finger protocol has become obsolete. Its use should be restricted to situations where no alternatives are available. Network Time Protocol (NTP). NTP synchronizes (see Table 7.35) computer clocks in a network.160 This can be extremely important for operational stability (for instance, under NIS), but also for maintaining consistency and coherence of audit trails, such as in log files.

Table 7.35. NTP Quick Reference Ports Definition

123/TCP, 123/UDP RFC 778161 RFC 891162 RFC 956163 RFC 958164 RFC 1305165

517

AU8231_C007.fm Page 518 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® A variant of NTP exists in Simple Network Time Protocol (SNTP), offering a less resource consuming but also less exact form of synchronization. From a security perspective, our main objective with NTP is to prevent an attacker from changing time information on a client or a whole network by manipulating its local time server. NTP can be configured to restrict access based upon IP address. From NTP version 3 onward, cryptographic authentication has become available, based upon symmetric encryption, but to be replaced by public key cryptography in NTP version 4. To make a network robust against accidental or deliberate timing inaccuracies, a network should have its own time server and possibly a dedicated, highly accurate clock. As a standard precaution, a network should never depend on one external time server alone, but synchronize with several trusted time sources. Thus, manipulation of a single source will have no immediate effect. To detect desynchronization, standard logging mechanisms can be used with NTP to ensure synchronicity of time stamping. Voice-over -IP (VoIP). Although the possibility of transmitting voice over Internet connections has existed for a long time, only in recent years has the widespread acceptance of broadband home access created a market for Voice-over-IP solutions. In essence, Internet and telephony are switching roles — while previously the telephone network was a ubiquitous commodity that would carry Internet dial-up traffic,166 the Internet is taking over the role of the principal commodity.167

Increasingly VoIP is replacing corporate telephony networks. While the benefits, such as negligible connection cost at a comparable initial investment and a larger degree of configurability, are obvious, VoIP networks are impacted by security risks in ways that would have left traditional telephony systems unaffected, such as being assailable by viruses and hacking and being dependent on electric power at all communication endpoints. In addition, VoIP systems are significantly more complex and need higher expertise to operate. For public services, questions of interconnectivity and interoperability come into focus. From a legal perspective, the situation is still unclear as to whether VoIP networks should be regulated in the same way as the public switched telephone network (PSTN). One common requirement is the availability of gateways to public emergency services. Another one is access for lawful interception, which, while legitimate from a public policy perspective, raises concerns from a security perspective because of the potential design of backdoors into existing systems, which could then be exploited by third parties.168 518

AU8231_C007.fm Page 519 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security Table 7.36. SIP Quick Reference Ports Definition171

5060/TCP, 5060/UDP RFC 2543172 RFC 3261173 RFC 3325174

Deployment of VoIP services may raise security concerns for its carrier network, for instance, with regard to enabling interconnectivity with other VoIP applications in a secure manner. Last but not least, a form of backup communication channel should be available with any VoIP installation, to have independent communication channels available in case of a disaster or network outage. Readers may also want to familiarize themselves with protocols such as H.323.169 Session Initiation Protocol (SIP). As its name implies, SIP170 (see Table 7.36)

is designed to manage multimedia connections. It is not a comprehensive protocol suite and leaves much of the actual payload data transfer to other protocols, for instance, Real-Time Transport Protocol (RTP). A number of phone companies have begun offering SIP services to end users. SIP has been included in applications such as Microsoft Windows Messenger, and open-source clients have been developed. SIP is designed to support digest authentication structured by realms, similar to HTTP (basic username/password authentication has been removed from the protocol as of RFC 3261). In addition, SIP provides integrity protection through MD5 hash functions. SIP supports a variety of encryption mechanisms, such as TLS.175,176 Privacy extensions to SIP, including encryption and caller ID suppression, have been defined in extensions to the original Session Initiation Protocol (RFC 3325). Although SIP, which has been closely modeled after HTTP (see Section Hypertext Transfer Protocol), is a peer-to-peer application by design, it is possible to proxy SIP and thereby build a scalable and manageable public infrastructure. Conversely, SIP does not work with network address translation (NAT), as it is impossible for at least one client to address the other. This results in a target conflict between network security and VoIP operation that must be resolved in a secure manner, for instance, by building a gateway in the form of a session controller. This controller can act as a proxy for SIP sessions (not necessarily for some of the streaming protocols carrying the actual voice information). On a related note, a SIP client is also a server that can receive requests from another machine. This may be considered a general risk for the 519

AU8231_C007.fm Page 520 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® machine the software is deployed to, because as with any server software, there is a risk of security gaps such as buffer overflows that can be exploited over the network. Proprietary Applications and Services. Readers will want to familiarize themselves with proprietary applications, such as Skype.177

Most commercial chat services mentioned in Section Instant Messaging are also equipped with Voice-over-IP capabilities. General References For the reader’s reference and further study, we are listing a number of books that have been useful in preparation of this chapter. R. Bace, Intrusion Detection, Indianapolis, IN: MacMillan Technical Publishing, 2000. R. Bates, D. Gregory, and J. Ranade, Voice and Data Communications Handbook, New York: McGraw-Hill, 1998. T. Bautts et al., Hack Proofing Your Wireless Network, Rockland, MA: Syngress Publishing, 2002. C. Brenton, Mastering Network Security, Alameda, CA: Network Press, 1999. J. Cooper, Computer and Communications Security: Strategies for the 1990s, New York: McGrawHill, 1989. C. Davis, IPSec Securing VPNs, New York: Mc-Graw-Hill, 2001. N. Doraswamy and D. Harkins, IPSec: The New Security Standard for the Internet, Intranets and Virtual Private Networks, Upper Saddle River, NJ: Prentice Hall, 1999. Aaron E. Earle, Wireless Security Handbook, Boca Raton: Auerbach Publications, 2005. T. Escamilla, Intrusion Detection, Network Security beyond the Firewall, New York: John Wiley & Sons, 1998. B. Furht and M. Ilyas, Wireless Internet Handbook: Technologies, Standards, and Applications, New York: Auerbach Publications, 2003. S. Garfinkel and G. Spafford, Practical Unix and Internet Security, Sebastapol, CA: O’Reilly and Associates, 1996. S. Garfinkel and G. Spafford, Web Security and Commerce, Sebastapol, CA: O’Reilly and Associates, 1997. D. Harley, R. Slade, and U. Gattiker, Viruses Revealed: Understand and Counter Malicious Software, New York: McGraw-Hill, 2001. G. Held, The ABCs of IP Addressing, New York: Auerbach Publications, 2001. G. Held, The ABCs of TCP/IP, New York: Auerbach Publications, 2002. G. Held, Understanding Data Communications, Indianapolis: Sams Publishing, 1994. M. Ilyas and S. Ahson, Handbook of Wireless Local Area Networks: Applications, Technology, Security, and Standards, New York: Auerbach Publications, 2005. S. Jones and R. Kovac, Introduction to Communications Technologies: A Guide for Non-Engineers, New York: Auerbach Publications, 2002. M. Kaeo, Designing Network Security: A Practical Guide to Creating a Secure Network Infrastructure, Indianapolis: Cisco Press, 1999. V. Kasacavage, Complete Book of Remote Access: Connectivity and Security, New York: Auerbach Publications, 2002. L. Klander, Hacker Proof: The Ultimate Guide to Network Security, Las Vegas: Jamsa Press, 1997. M. Köhntopp, M. Seeger, and L. Gundermann, Firewalls, Munich: Computerwoche, 1998. M.K. Littman, Building Broadband Networks, New York: Auerbach Publications, 2002. M. Maxim and D. Plooino, Wireless Security, New York: McGraw-Hill, 2002. S. McClure, J. Scambray, and G. Kurtz, Hacking Exposed: Network Security Secrets and Solutions, San Francisco: Osborne/McGraw-Hill, 1999.

520

AU8231_C007.fm Page 521 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security R. Nichols, D. Ryan, and J. Ryan, Defending Your Digital Assets against Hackers, Crackers, Spies and Thieves, New York: McGraw-Hill, 2000. T.C. Piliouras, Network Design: Management and Technical Perspectives, 2nd ed., New York: Auerbach Publications, 2004. A. Rubin, D. Geer, and M. Ranum, Web Security Sourcebook: A Complete Guide to Web Security Threats and Solutions, New York: John Wiley & Sons, 1997. B. Schneier, E-mail Security: How to Keep Your Electronic Messages Private, New York: John Wiley & Sons, 1995. C. Scott, P. Wolfe, and M. Erwin, Virtual Private Networks, Sebastapol, CA: O’Reilly and Associates, 1999. A. Tannenbaum, Computer Networks, Upper Saddle River, NJ: Prentice Hall, 1998. J.S. Tiller, A Technical Guide to IPSec Virtual Private Networks, New York: Auerbach Publications, 2000. H.F. Tipton and M. Krause, Information Security Management Handbook, Part I, Boca Raton, FL: Auerbach, 1999. A. Tiwana, Web Security, London: Butterworth-Heinemann, 1999. J.R. Vacca, Public Key Infrastructure: Building Trusted Applications and Web Services, New York: Auerbach Publications, 2004. T. Wadlow, The Process of Network Security, Reading, MA: Addison-Wesley, 2000. S. Young and D. Aitel, The Hacker’s Handbook: The Strategy behind Breaking into and Defending Networks, New York: Auerbach Publications, 2003.

Endnotes 1. Because protocol design does not always happen according to the OSI model, there may be a certain ambiguity as to which layer a protocol can best be mapped. This is especially true on OSI layers 5 and 6. 2. In technical terms, this is accomplished by defining different sections of defined length or structure within a data packet. 3. As a mundane joke, the system user is sometimes referred to as layer 8. 4. ISO/IEC 7498-1:1994, http://isotc.iso.org/livelink/livelink/fetch/2000/2489/Ittf_Home/ PubliclyAvailableStandards.htm, current as of August 22, 2005. 5. Not unrelated, it was not uncommon in the early days of the field for an organizational integration of IT security into network security, or slightly more explicit: the person who managed the firewall is also — formally or informally — considered the security person for everything. This is still a normal situation in smaller IT organizations. 6. It should be intuitively clear that one gap in a corporation’s perimeter defense can invalidate the entire investment made elsewhere. 7. Although it is not uncommon in all areas of security for users to work around security measures perceived as an obstacle to achieving their primary objectives, network security measures (such as filtering) can become especially annoying (and correspondingly provide a high incentive for circumvention), as they are external to the user’s activity and can come as a surprise to the user, i.e., they are not taken into account in setting objectives. 8. The oft-quoted “80 percent of all attacks come from the inside” highlights that perimeter defense has become successful and commoditized, but not put an end to security breaches per se. 9. An example for the former would be controlling access for inbound VPN connection, where the network perimeter becomes the primary controlling instance for enabling access to a large number of other services. An example for the latter would be blocking of certain applications, such as peer-to-peer applications on a firewall. 10. A. Pfitzmann, Technologies for multilateral security, in Multilateral Security in Communications, G. Müller and K. Rannenberg, Eds., Addison-Wesley, Reading, MA, 1999.

521

AU8231_C007.fm Page 522 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® 11. The reason this is especially bad is that the trusted component is under limited physical control and open to manipulation, even by a legitimate user. As laptop users may have or avail themselves of system-level access to their machines, laptops remain an extremely weak link in the network security chain. 12. Tunneling through HTTP has in fact become a standard feature in streaming video and audio clients, real-time communication (chat) clients, even from major vendors, and, of course, peer-to-peer applications. It does defeat the purpose of layering entirely (and is discouraged), but it does quite effectively solve a user’s (or even administrator’s) convenience problem at the cost of security. 13. Several such “poor man’s VPN” services exist, offering remote administration capabilities through HTTP, thereby enabling access to a PC from the outside through a firewall and from a Web browser in an Internet café. The PC needs to stay switched on and will poll every so often for inbound connection requests. These services are described as secure by their vendors because the connection is encrypted. However, it is clear that they can easily be misused to circumvent corporate policy. 14. A trivial example is IMSI catchers (see Section Mobile Telephony) used to intercept GSM phone calls. As the network (or rather the GSM base station) does not authenticate against the mobile phone, this can be used to — lawfully or illegitimately — intercept and eavesdrop mobile phone calls. Have you ever wondered about the authenticity of a wireless LAN in a hotel, station, or airport when you were asked your credit card number for an hour of Internet access? 15. This was applied, for instance, by the administrators of the server www.whitehouse.gov in the W32/Nimda worm outbreak. 16. For an account of one such case, see S. Berinato, How a Bookmaker and a Whiz Kid Took on an Extortionist — and Won, http://www.csoonline.com/read/050105/extortion.html, current as of August 9, 2005. 17. For an account of one such case, see J. Libbenga, Lufthansa Online Activist Found Guilty, http://www.theregister.co.uk/2005/07/05/lufthansa_demo/, current as of August 9, 2005. 18. A conceivable and simple example would be logging of telephone or fax calls or registering e-mail traffic with another company. An unusual traffic pattern might already allow conclusions on business activities, such as an acquisition. 19. It has become more common for wireless sniffing to become targeted and prosecuted for eavesdropping, but also for stealing bandwidth. This so far has not prevented the detection and hijacking of weakly secured wireless networks to become a sport, based among other things on the fact that the targets of such attacks may rarely become aware of it, while others may not even care. As always in security, there is a fine line between making someone aware of an existing risk and outright trespassing. Finding the secure speed requires more than just technical skills, but we are optimistic. 20. B. Schneier, Attack Trees, http://www.schneier.com/paper-attacktrees-ddj-ft.html, current as of August 9, 2005, and Dr. Dobb’s Journal, December 1999. 21. It is important to note that depending on the type of an attack, the attacker might stop at any given level, as he may have already achieved his goal. For instance, gathering intelligence of a DNS hierarchy could be the final goal of someone preparing a social engineering attack on a company (so this is where it would end from a network perspective), and escalation of privileges would be unnecessary in a denialof-service attack. 22. As a real-world example, a rudimentary form of content security on the Web involves using a hidden path on a Web server (i.e., a path that no link is published to). As a number of businesses or educational institutions found out to their detriment, paths can be guessed (i.e., by varying names, dates, etc.), discovered (e.g., by search engines), or tried using brute-force attacks. From a security perspective, the defender would bear some responsibility for the lack of protection, which might even weaken their legal position, depending, of course, on local legislation.

522

AU8231_C007.fm Page 523 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security 23. The Internet Storm Center (http://isc.sans.org/index.php?on=port) reports ongoing scans on the Internet. It is educational to take a look at the history of these scans, which, for instance, clearly mark major virus outbreaks or the discovery of new security exploits. 24. A very common way of obtaining access to a system is through a Web server that may be running on the system. If the Web server is improperly configured, it may open access to files or allow execution of code through its common gateway interface (CGI). Similarly, an anonymous FTP server (allowing guest access to everybody) is an easy target for attacks for this very reason. Countermeasures include limiting access to a directory subtree and providing the FTP server with its own password directory. 25. Buffer overflows provide a common venue for privilege escalation. If an attacker has gained access to a system allowing him or her to execute nonprivileged commands, this access can then be escalated by exploiting an application with missing or defective boundaries checking on input parameters to overwrite other storage areas in a way that gives the attacker access to privileged commands. Buffer overflows are a common method to attack Web servers, for instance, this was one attack built into the 2001 W32/Nimda worm (for details cf. CERT® Advisory CA-2001-26, Nimda Worm, http://www.cert.org/advisories/CA-2001-26.html). The worm would generate a very long HTTP request to an IIS Web server, which would then execute code (to download the worm) with the privileges of the Web server, which was running under administrator privileges. 26. The Host Based Intrusion Detection FAQ (http://www.sans.org/resources/idfaq/ host_based.php, current as of August 29, 2005) provides a brief overview of existing offerings in this market. 27. A list of common network security tools, including a variety of commercial ones, is available on http://www.insecure.org/tools.html, current as of August 29, 2005. 28. The Snort home page is available at http://www.snort.org/, current as of August 29, 2005. 29. The Nessus Open Source Vulnerability Scanner Project home page can be found at http://www.nessus.org/, current as of August 29, 2005. 30. Nmap home page, http://www.insecure.org/nmap/, current as of August 29, 2005. 31. It should be noted that fiber-optics communications is not immune to interception per se. 32. V90 home page, http://www.v90.com/, current as of August 22, 2005. 33. CDMA2000 is a registered trademark of the Telecommunications Industry Association (TIA-USA) in the United States. 34. See also http://www.cellular.co.za/technologies/cdma/cdma2000.htm, current as of August 25, 2005. See also http://www.cellular.co.za/technologies/cdma/ cdma2000.htm. 35. V92 home page, http://www.v92.com/, current as of August 22, 2005. 36. M.S. Gast, 802.11 Wireless Networks: The Definitive Guide, 2nd ed., O’Reilly Media, Sebastopol, CA, 2005, p. 33. 37. 802.3 IEEE Standard for Information Technology, Institute of Electrical and Electronics Engineers, New York, 2002, pp. 44–47. 38. M.S. Gast, 802.11 Wireless Networks: The Definitive Guide, 2nd ed., O’Reilly Media, Sebastopol, CA, 2005, p. 216. 39. See also http://www.nextgendc.com/, current as of August 28, 2005. 40. See also http://wimax.com/education/faq/faq29. 41. Y. Rekhter, B. Moskowitz, D. Karrenberg, G.J. de Groot, and E. Lear, RFC 1918: Address Allocation for Private Internets, February 1996, http://www.ietf.org/rfc/rfc1918.txt, current as of October 2, 2005. 42. We are including software, such as browsers, e-mail clients, compilers, word processors, etc.

523

AU8231_C007.fm Page 524 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® 43. 6Net home page, http://www.6net.org/, current as of August 22, 2005. 44. 6Bone home page, http://www.6bone.net/, current as of August 22, 2005. 45. A. Huttunen et al., RFC 3948: UDP Encapsulation of IPsec ESP Packets, January 2005, http://www.ietf.org/rfc/rfc3948.txt, current as of October 3, 2005. 46. S. Kent and R. Atkinson, RFC 2406: IP Encapsulating Security Payload (ESP), November 1998, http://www.ietf.org/rfc/rfc2406.txt, current as of August 22, 2005. 47. See also http://www.snailbook.com/faq/ssh-1-vs-2.auto.html, current as of August 22, 2005. 48. D. Harrington, R. Presuhn, and B. Wijnen, RFC 2661: Layer Two Tunneling Protocol L2TP, January 1998, http://www.ietf.org/rfc/rfc2661.txt, current as of August 22, 2005. 49. See also http://www.packetfactory.net/firewalk/firewalk-final.html, current as of August 22, 2005. 50. J. Postel, Ed., RFC 793: Transmission Control Protocol, September 1981, http://www.ietf.org/rfc/rfc793.txt, current as of October 2, 2005. 51. Internet Assigned Numbers Authority (IANA) is a collection of registration services provided by the Internet Corporation for Assigned Names and Numbers (ICANN, http://www.icann.org/, current as of October 2, 2005). The home page of IANA can be found at http://www.iana.org/, current as of October 2, 2005. A memorandum of understanding about the respective roles of the Internet Engineering Task Force (IETF, http://www.ietf.org/, current as of October 2, 2005), ICANN, and IANA that may be instructive to the reader can be found at http://www.icann.org/general/ietf-icann-mou01mar00.htm, current as of October 2, 2005. 52. An up-to-date list of port number assignments can be found at http://www.iana.org/assignments/port-numbers, current as of October 2, 2005. Interestingly, of the 1024 wellknown ports, roughly two thirds have been assigned or reserved, and of the 48,128 registered ports, less than one tenth have been used. 53. It is important to note that technically any application can use any port without IANA registration. A common example is the occasional use of port 81 for HTTP proxy services. This is not a problem as long as the administrator is aware of possible side effects, such as effectively inhibiting use of the registered application for this port, but it is generally considered bad practice. 54. See, for instance, SIP (Section Voice-over-IP). 55. J. Postel, RFC 768: User Datagram Protocol, August 28, 1980, http://www.ietf.org/rfc/rfc768.txt, current as of October 2, 2005. 56. H. Schulzrinne, S. Casner, R. Frederick, and V. Jacobson, RFC 3550: RTP: A Transport Protocol for Real-Time Applications, July 2003, http://www.apps.ietf.org/rfc/rfc3550.html, current as of October 2, 2005. 57. R. Stewart, Q. Xie, K. Morneault, C. Sharp, H. Schwarzbauer, T. Taylor, I. Rytina, M. Kalla, L. Zhang, and V. Paxson, RFC 2960: Stream Control Transmission Protocol, October 2000, http://www.ietf.org/rfc/rfc2960.txt, current as of October 2, 2005. 58. S. Bellovin, RFC 1948: Defending against Sequence Number Attacks, May 1996, http://www.ietf.org/rfc/rfc1948.txt, current as of October 2, 2005. 59. Description of SYN cookies: http://cr.yp.to/syncookies.html. 60. Interestingly, remote procedure calls can depend on directory services and vice versa. 61. Sun Microsystems, RFC 1050: Remote Procedure Call Protocol Specification, April 1988, http://www.ietf.org/rfc/rfc1050.txt, current as of October 2, 2005. 62. Sun Microsystems, RFC 1057: RPC: Remote Procedure Call Protocol Specification Version 2, June 1988, http://www.ietf.org/rfc/rfc1057.txt, current as of October 2, 2005. 63. R. Srinivasan, RFC 1831: RPC: Remote Procedure Call Protocol Specification Version 2, August 1995, http://www.ietf.org/rfc/rfc1831.txt, current as of October 2, 2005. 64. R. Srinivasan, RFC 1833: Binding Protocols for ONC RPC Version 2, August 1995, http://www.ietf.org/rfc/rfc1833.txt, current as of October 2, 2005. 65. A. Chiu, RFC 2695: Authentication Mechanisms for ONC RPC, September 1999, http://www.ietf.org/rfc/rfc2695.txt, current as of October 2, 2005.

524

AU8231_C007.fm Page 525 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security 66. An overview of weaknesses in the Domain Name System can be found in C. Schuba, Addressing Weaknesses in the Domain Name System Protocol, M.Sc. thesis, Purdue University, August 1993, http://ftp.cerias.purdue.edu/pub/papers/christoph-schuba/schuba-DNS-msthesis.pdf, current as of August 21, 2005. 67. DNS does not, in fact, enforce uniformity, and in principle, it is possible to set up TLDs or even root servers that are running outside of the canonic Domain Name System. Attempts to set up competing root servers (for instance, Open Root Server Confederation, http://www.open-rsc.org/, and OpenNIC, http://www.opennic.unrated.net/, current as of August 21, 2005), however, have not met with a significant degree of commercial or political success, wherefore this option is considered academic as far as the Internet is concerned. In corporate networks, it is likewise possible to use private TLDs as a means of preventing information disclosure (cf. Section Domain Name Services). 68. Through so-called MX (mail exchanger) records, DNS provides specific support for SMTP (cf. Section Post Office Protocol), which is necessary to support SMTP routing. In principle, similar elements for other protocols would be trivial to implement. One such measure has received recent attention: http://antispam.yahoo.com/domainkeys. 69. P. Mockapetris, RFC 882: Domain Names — Concepts and Facilities, November 1983, http://www.ietf.org/rfc/rfc0882.txt, current as of August 21, 2005. 70. P. Mockapetris, RFC 1034: Domain Names — Concepts and Facilities, November 1987, http://www.ietf.org/rfc/rfc1034.txt, current as of August 21, 2005. 71. P. Mockapetris, RFC 1035: Domain Names — Implementation and Specification, November 1987, http://www.ietf.org/rfc/rfc1035.txt, current as of August 21, 2005. 72. DNSSEC home page, http://www.dnssec.net/, current as of August 21, 2005. 73. This has become especially important in the area of e-mail spam, where fake e-mail sender addresses are the rule and a mail server currently has limited possibility to ensure its counterpart is the server it claims to be. 74. IANA, RFC 3330: Special-Use IPv4 Addresses, September 2002, http://www.ietf.org/rfc/rfc3330.txt, current as of August 21, 2005. 75. For instance, to block banner ads, cf. http://www.everythingisnt.com/hosts.html, current as of August 21, 2005. 76. Users unfamiliar with the workings of the WWW are sometimes surprised to find that knowing a pointer (an address) will not enable one to access the target. A closely related, all too common misconception is that keeping addresses secret will prevent illegitimate access — this of course is not true. 77. A convention of a01.business.*, a02.business.*, a03.business.*, … will obviously be a lot less useful for an attacker than payroll.hr.business.*, presentations.auditorium.business.*, and accesslog.reception.business.*. 78. Easily one of the most prominent cases of this kind is the White House. Although its proper domain is whitehouse.gov (with http://www.whitehouse.gov/ being its Web address), very different Web services were offered under the equivalent .com address. It has become a common pastime to register domain names similar to politicians’ names and use them to voice opposing positions. 79. X.500 is a standard for hierarchical directories developed by the International Telecommunications Union and designed to work with X.400 e-mail services. X.500 defines a Directory Access Protocol (DAP) for queries that is fairly complex, thereby giving an incentive for the development of a lightweight DAP. While X.400-based e-mail services are limited to certain niches, X.500-based directory services that were originally designed to support them have gained much wider popularity, through the adoption of X.509 (see Chapter 3) for management of PKI certificates. For the interested reader, a description of X.500 is available at http://sec.cs.kent.ac.uk/x500book/, current as of August 21, 2005. 80. W. Yeong, T. Howes, and S. Kille, RFC 1777: Lightweight Directory Access Protocol, March 1995, http://www.ietf.org/rfc/rfc1777.txt, current as of August 21, 2005.

525

AU8231_C007.fm Page 526 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® 81. See, for instance, G. Barr, Security Issues with LDAP Connections (http:// search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP/Security.pod, current as of August 21, 2005) for a discussion of alternative and supplementary security solutions for LDAP. 82. NetBIOS Extended User Interface (NetBEUI) is a connection-oriented layer 4 protocol. It is nonroutable, which makes it unsuited for larger LANs. 83. Internetwork packet exchange (IPX) is a connectionless layer 3 protocol developed for Novell NetWare, supplemented by sequence packet exchange (SPX) on layer 4. IPX/SPX has lost its former market share almost entirely to TCP/IP. 84. NetBIOS Working Group, RFC 1001: Protocol Standard for a NetBIOS Service on a T C P / U D P Tr a n s p o r t : C o n c e p t s a n d M e t h o d s , M a r c h 1 9 8 7 , h t tp://www.ietf.org/rfc/rfc1001.txt, current as of October 2, 2005. 85. NetBIOS Working Group, RFC 1002: Protocol Standard for a NetBIOS Service on a T C P / U D P Tr a n s p o r t : D e t a i l e d S p e c i fi c a t i o n s , M a r c h 1 9 8 7 , h t tp://www.ietf.org/rfc/rfc1002.txt, current as of October 2, 2005. 86. An overview of NIS security weaknesses is available in D. Hess, D. Safford, and U. Pooch, A Unix Network Protocol Security Study: Network Information Service, Texas A&M University, http://www.deter.com/unix/papers/nis_paper.pdf, current as of August 22, 2005. 87. A starting point for obtaining more in depth information is K. Westphal, NFS and NIS Security, January 22, 2001, http://www.securityfocus.com/infocus/1387, current as of August 22, 2005. 88. Microsoft CIFS home page: ftp://ftp.microsoft.com/developr/drg/CIFS/cifs.html, current as of August 15, 2005. 89. Samba project home page: http://us1.samba.org/samba/, current as of August 15, 2005. 90. However, see the description of the CIFS protocol by Microsoft on http://msdn.microsoft.com/library/en-us/cifs/protocol/cifs.asp, current as of October 2, 2005. 91. Sun Microsystems, RFC 1094: NFS: Network File System Protocol Specification, March 1989, http://www.ietf.org/rfc/rfc1094.txt, current as of August 15, 2005. 92. B. Callaghan, B. Pawlowski, and P. Staubach, RFC 1813: NFS Version 3 Protocol Specification, June 1995, http://www.ietf.org/rfc/rfc1813.txt, current as of August 15, 2005. 93. S. Shepler et al., RFC 3010: NFS Version 4 Protocol, December 2000, http://www.ietf.org/rfc/rfc3010.txt, current as of August 15, 2005. 94. S. Shepler et al., RFC 3530: Network File System (NFS) Version 4 Protocol, http://www.ietf.org/rfc/rfc3530.txt, current as of August 15, 2005. 95. Vendors have published their own instructions on how to securely configure NFS. An overview of NFS security configuration questions for Linux systems, which is also instructive for administrators of other UNIX platforms, is available at http://nfs.sourceforge.net/nfs-howto/security.html, current as of August 16, 2005. 96. It is possible to do the same in reverse, i.e., trick a client into assessing a server that is not the correct one. 97. An instructive configuration overview of secure NFS is available at http://www.unet. univie.ac.at/aix/aixbman/commadmn/nfs_secure.htm, current as of August 16, 2005. 98. NFS version 4 home page: http://playground.sun.com/pub/nfsv4/webpage/, current as of August 16, 2005. 99. The sorting of “transport” layer security under the presentation layer may be surprising; we consider it as a protocol that adds security to the transport layer (that the transport layer fails to provide), not on the transport layer. 100. T. Dierks and C. Allen, RFC 2246: The TLS Protocol, January 1999, http://www.ietf.org/rfc/rfc2246.txt, current as of October 2, 2005. 101. A. Medvinsky and M. Hur, RFC 2712: Addition of Kerberos Cipher Suites to Transport Layer Security (TLS), October 1999, http://www.ietf.org/rfc/rfc2712.txt, current as of October 3, 2005. 102. OpenSSL home page: http://www.openssl.org/, current as of August 25, 2005.

526

AU8231_C007.fm Page 527 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security 103. Of the free MTAs, sendmail has been plagued for a while by frequent security holes. In the meantime, sendmail has become more stable and secure; however, it is still a fairly complex piece of software to configure, which bears risks of misrouting or loss of e-mail. The user will want to consult the vendor’s Web site as to the specific security gaps of the software used in specific installations. 104. J. Postel, RFC 821: Simple Mail Transfer Protocol, August 1982, http://www.ietf.org/rfc/rfc0821.txt, current as of October 2, 2005. 105. D. Crocker, RFC 822: Standard for ARPA Internet Text Messages, August 13, 1982, http://www.ietf.org/rfc/rfc0822.txt, current as of October 2, 2005. 106. J. Klensin, Ed., RFC 2821: Simple Mail Transfer Protocol, April 2001, http://www.ietf.org/rfc/rfc2821.txt, current as of October 2, 2005. 107. The liabilities associated with operating an open mail relay server should encourage any system administrator to ensure its mail servers are properly configured. 108. Examples of such blacklist services are at http://www.rahul.net/falk/index.html#blacklists, current as of August 28, 2005. 109. The term spam is derived from a Monty Python sketch, in which a horde of Vikings recite the word spam ad nauseam, rendering any conversation impossible. 110. Did you know that the word sex means the number 6 in Swedish? Ambiguities of this kind exist galore, and a simple keyword filter will never be able to properly analyze the (omni-important) context in which a word was used. 111. A general set of provisions aimed at the sendmail MTA but useful for other mail servers is available at http://www.sendmail.org/antispam.html, current as of August 28, 2005. 112. J. Myers, RFC 1734: POP3 AUTHentication command, December 1994, http://www.ietf.org/rfc/rfc1734.txt, current as of October 2, 2005. 113. J. Myers and M. Rose, RFC 1939: Post Office Protocol — Version 3, May 1996, http://www.ietf.org/rfc/rfc1939.txt, current as of October 2, 2005. 114. M. Crispin, RFC 1730: Internet Message Access Protocol — Version 4, December 1994, http://www.ietf.org/rfc/rfc1730.txt, current as of October 2, 2005. 115. M. Crispin, RFC 3501: Internet Message Access Protocol — Version 4rev1, March 2003, http://www.ietf.org/rfc/rfc3501.txt, current as of October 2, 2005. 116. Yes, these times existed and glorious indeed they were. Even today, the more useful information can be retrieved from newsgroups. 117. It is instructive from a social perspective (less from a technical one) that the newsgroup alt.hackers introduced a self-moderation mechanism aimed at requiring the would-be poster to possess certain technical skills to manipulate his posting in such a way that it would bypass a simple filter. We will not give away the trick, of course. 118. A standing Usenet joke is the word *plonk*, which supposedly reflects the sound of a new entry hitting the bottom of the (already crowded but infinitely large) kill file. 119. Although commercial or free posting services existed (and still exist) that allow this, legal precedents forced the disclosure of the users’ true identities. 120. M. Horton and R. Adams, RFC 1036: Standard for Interchange of Usenet Messages, December 1987, http://www.ietf.org/rfc/rfc1036.txt, current as of October 2, 2005. 121. Because many of these applications have become multipurpose software, including the ability to share files, messages, and voice messages, we have grouped them by their main objective. A comprehensive overview of chat software is available, for instance, on Wikipedia, e.g., List of Instant Messengers (http://en.wikipedia.org/wiki/List_of_instant_messengers, current as of August 7, 2005) and List of Instant Messaging Protocols (http://en.wikipedia.org/wiki/List_of_instant_messaging_protocols, current as of August 7, 2005). 122. Home page of the Jabber Software Foundation: http://www.jabber.org/, current as of August 24, 2005. 123. RFC 3920: Extensible Messaging and Presence Protocol (XMPP): Core, http://www.ietf.org/rfc/rfc3920.txt, current as of August 24, 2005.

527

AU8231_C007.fm Page 528 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® 124. RFC 3921: Extensible Messaging and Presence Protocol (XMPP): Instant Messaging and Presence, http://www.ietf.org/rfc/rfc3921.txt, current as of August 24, 2005. 125. P. Saint-Andre, Ed., RFC 3920: Extensible Messaging and Presence Protocol (XMPP): Core, October 2004, http://www.ietf.org/rfc/rfc3920.txt, current as of August 24, 2005. 126. P. Saint-Andre, Ed., RFC 3921: Extensible Messaging and Presence Protocol (XMPP): Instant Messaging and Presence, October 2004, http://www.ietf.org/rfc/rfc3921.txt, current as of August 24, 2005. 127. J. Oikarinen and D. Reed, RFC 1459: Internet Relay Chat Protocol, May 1993, http://www.ietf.org/rfc/rfc1459.txt, current as of August 7, 2005. 128. A starting point for a comparison of these and other applications and protocols is, for instance, http://en.wikipedia.org/wiki/Comparison_of_instant_messengers, current as of August 24, 2005. 129. J. Postel and J. Reynards, RFC 959: File Transfer Protocol (FTP), 1985, http://www.ietf.org/rfc/rfc0959.txt, current as of August 28, 2005. 130. An overview of some of the nonsecurity-related issues regarding active and passive mode is given at http://www.ncftp.com/ncftpd/doc/misc/ftp_and_firewalls.html, current as of August 28, 2005. 131. K. Sollins, RFC 1350: The TFTP Protocol (Revision 2), http://www.ietf.org/rfc/ rfc1350.txt, current as of August 28, 2005. 132. CERN home page: http://www.cern.ch/, current as of August 29, 2005. 133. It is not uncommon that alternative ports are variations on the number 80, e.g., 81, 8080, etc. The use of port numbers below 1024 (i.e., in the well-known range) is of course not advisable, as these should be kept free for new services. 134. T. Berners-Lee, R. Fielding, and H. Frystyk, RFC 1945: Hypertext Transfer Protocol — HTTP/1.0, May 1996, http://www.ietf.org/rfc/rfc1945.txt, current as of October 2, 2005. 135. D. Kristol and L. Montulli, RFC 2109: HTTP State Management Mechanism, February 1997, http://www.ietf.org/rfc/rfc2109.txt, current as of October 2, 2005. 136. R. Fielding et al., RFC 2616: Hypertext Transfer Protocol — HTTP/1.1, June 1999, http://www.ietf.org/rfc/rfc2616.txt, current as of October 2, 2005. 137. JAP home page: http://anon.inf.tu-dresden.de/index_en.html, current as of August 29, 2005. 138. In the authors’ opinion, although network controls can be used as a bottleneck to control user behavior, they arguably should not be interpreted as a security measure as such, because the risk they are trying to mitigate is unrelated to IT operations. It is an unfortunate fact that organizations mix acceptable use policy and security policy, generating a perception that they are one and the same, when in actuality business ownership resides in quite different parts of the organization, namely, line management and IT operations. 139. While it is practically possible to tunnel any protocol through any other (at least in the TCP world), HTTP access is ubiquitous and cannot be easily restrained. 140. E. Rescorla, RFC 2818: HTTP over TLS, May 2000, http://www.ietf.org/rfc/rfc2818.txt, current as of October 3, 2005. 141. The reader is invited to look out for sites, especially online retailers, that do deploy encryption inconsistently. Household fallacies include offering secure authentication but no secure transmission of information (which opens up the possibility of manin-the-middle attacks). This is especially dangerous when an authentication page is transmitted securely — evoking the impression of a secure page — but the HTML form submission (i.e., the transmission of actual authentication information back to the server) is not. It is important to note that in such a case, the user might start from an encrypted page and land on an encrypted page, but that the HTML forms transmission in between is unencrypted. 142. E. Rescorla and A. Schmiffman, RFC 2660: The Secure HyperText Transfer Protocol, August 1999, http://www.ietf.org/rfc/rfc2660.txt, current as of October 3, 2005.

528

AU8231_C007.fm Page 529 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security 143. E. Rescorla and A. Schiffman, RFC 2659: Security Extensions for HTML, August 1999, http://www.ietf.org/rfc/rfc2659.txt, current as of October 3, 2005. 144. In practice, permissions, even in the untrusted Internet zone, will need to be set to a fairly permissive degree due to the fact that many sites rely on active content for their normal functioning. Managing these permissions on a per-site basis will be impractical for a nonsavvy user, especially as quite a number of sites traverse domains. 145. The dynamic development of the field makes it difficult to even start to list the most important P2P applications. A useful starting point is http://en.wikipedia.org/wiki/P2P, current as of August 27, 2005. 146. Successors of Napster tried to reduce or remove their dependency on centralized servers. In some architectures, centralized servers or services (which can be Web sites) still exist as a directory, while others have fully moved to a deentralized, clientbased model. 147. C. Rigney, S. Willens, A. Rubens, and W. Simpson, RFC 2865: Remote Authentication Dial in User Service (RADIUS), June 2000, http://www.ietf.org/rfc/rfc2865.txt, current as of October 2, 2005. 148. A detailed description of attacks on RADIUS is, for instance, available at http:// www.untruth.org/~josh/security/radius/radius-auth.html, current as of August 28, 2005. 149. Certain vendor implementations may be using additional or different ports. 150. J. Case, M. Fedor, M. Schoffstall, and J. Davin, RFC 1157: A Simple Network Management Protocol (SNMP), May 1990, http://www.ietf.org/rfc/rfc1157.txt, current as of October 2, 2005. 151. The information exchanged between agent and manager is defined in and structured by a management information base (MIB). An MIB is a table with clearly defined entries residing on an agent. 152. J. Postel and J. Reynolds, RFC 854: TELNET Protocol Specification, 1983, http://www.ietf.org/rfc/rfc854.txt, current as of August 28, 2005. 153. J. Postel and J. Reynolds, RFC 854: TELNET Options Specifications, 1983, http://www.ietf.org/rfc/rfc855.txt, current as of August 28, 2005. 154. The terminology used by the X Window System in which host it regards as the server and which host it regards as the client may be slightly surprising and confusing at first. The reader should think of the X Window Server as the element one needs to address to trigger windowing events. Conversely, the X Window System does not have an expectation as to how it is used for remote controlling. In fact, a machine running an X Window Server will practically always also run an X Window Client. 155. Note that an X Window Server can have more than one display; it is possible to export one’s entire display to another machine, which of course has to be an X Window Server. 156. R. Scheifler, RFC 1013: X Window System Protocol, Version 11, 1987, http:// www.ietf.org/rfc/rfc1013.txt, current as of August 28, 2005. 157. fingerd played a role in one of the Internet’s first, most well-known, and devastating attacks, the Morris Worm. The Morris Worm exploited a buffer overflow condition in fingerd (as well as a number of other vulnerabilities, namely, in sendmail and rsh). The Morris Worm could thereby very well be considered a predecessor of modern blended threats. A description of the Morris Worm’s functionality is available in E. Spafford, The Internet Worm Program: An Analysis (http://www.textfiles.com/100/tr823.txt, current as of August 24, 2005) and B. Page, A Report on the Internet Worm (http://www.ee.ryerson.ca:8080/~elf/hack/iworm.html, current as of August 24, 2005). 158. K. Harrenstien, RFC 742: Name/Finger, December 20, 1977, http://www.ietf.org/rfc/ rfc742.txt, current as of August 24, 2005.

529

AU8231_C007.fm Page 530 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® 159. D. Zimmerman, RFC 1288: The Finger User Information Protocol, December 1991, http://www.ietf.org/rfc/rfc1288.txt, current as of August 24, 2005. 160. Network Time Synchronization Project home page: http://www.eecis.udel.edu/~mills/ntp.html, current as of August 24, 2005. 161. D. Mills, RFC 778: DCNET Internet Clock Service, April 18, 1981, http:// www.ietf.org/rfc/rfc778.txt, current as of August 24, 2005. 162. D. Mills, RFC 891: DCN Local-Network Protocols, December 1983, http:// www.ietf.org/rfc/rfc891.txt, current as of August 24, 2005. 163. D. Mills, RFC 956: Algorithms for Synchronizing Network Clocks, September 1985, http://www.ietf.org/rfc/rfc956.txt, current as of August 24, 2005. 164. D. Mills, RFC 958: Network Time Protocol (NTP), September 1985, http:// www.ietf.org/rfc/rfc958.txt, current as of August 24, 2005. 165. D. Mills, RFC 1305: Network Time Protocol (Version 3) Specification, Implementation and Analysis, March 1992, http://www.ietf.org/rfc/rfc1305.txt, current as of August 24, 2005. 166. It is interesting to note that until not too long ago, regulations existed in some countries on the use of modems that would at least in theory have prohibited their use altogether. A combination of theoretical illegitimacy and practical tolerance helped grow the then dial-up mailbox community that later developed into an Internet scene. Up to now, a number of countries and not a few telephony providers restrict the use of VoIP to protect existing telephony monopolies or market share. 167. As the authors’ personal opinion, it is probably fair to say that the analog PSTN will face an imminent decline in market share due to VoIP, and that digital mobile telephony may come next. It is not unreasonable to assume that after the convergence of Internet and PSTN, we will next see convergence of phones and workstations. 168. It should be noted that the design of interfaces for the public executive is not a new requirement; it has been a legal requirement for telecommunication services in general in various legislations for some time. Apart from the political debate on how much surveillance is affordable and legitimate, a common question in this context is who should cover the resulting cost, i.e., whether it would be considered a requirement imposed by the state (and therefore be funded from tax money) or a cost of doing business for providers. 169. An introduction to H.323 is available at http://en.wikipedia.org/wiki/H.323, current as of August 24, 2005. 170. A large number of Web sites giving a technical overview of SIP are available, for instance, http://www.voip-info.org/wiki-SIP or http://en.wikipedia.org/wiki/Session_ Initiation_Protocol, both current as of August 25, 2005. 171. A comprehensive overview of SIP RFCs is available at http://www.networksorcery.com/enp/protocol/sip.htm, current as of August 24, 2005. 172. M. Handley et al., RFC 2543: SIP: Session Initiation Protocol, March 1999, http://www.ietf.org/rfc/rfc2543.txt, current as of August 24, 2005. 173. J. Rosenberg et al., RFC 3261: SIP: Session Initiation Protocol, June 2002, http://www.ietf.org/rfc/rfc3261.txt, current as of August 24, 2005. 174. C. Jennings, J. Peterson, and M. Watson, RFC 3325: Private Extensions to the Session Initiation Protocol (SIP) for Asserted Identity within Trusted Networks, November 2002, http://www.ietf.org/rfc/rfc3325.txt, current as of August 24, 2005. 175. An overview of SIP security is available, for instance, in A. Steffen, D. Kaufmann, and A. Stricker, SIP Security, http://security.zhwin.ch/DFN_SIP.pdf, current as of August 24, 2005. 176. SIP over TLS is known as the Secure Session Initiation Protocol (SIPS).

530

AU8231_C007.fm Page 531 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security 177. Skype (http://www.skype.com/, current as of October 2, 2005) is an online telephony/Voice-over-IP application that offers clearing points with the public switched telephony network (PSTN). Although the protocol is proprietary, its basic architecture has been published by the vendor, as well as independent analysis. From a security perspective, Skype’s peer-to-peer architecture is its most important feature. Any Skype client can turn into a so-called super node; i.e., it will serve as a gateway for communication from other clients.

Sample Questions 1. In the OSI reference model, on which layer can a telephone number be described? a. Layer 1, because a telephone number represents a series of electrical impulses b. Layer 3, because a telephone number describes communication between different networks c. This depends on the nature of the telephony system (for instance, Voice-over-IP versus public switched telephony network (PSTN)) d. None, as the telephone system is a circuit-based network and the OSI system only describes packet-switched networks 2. Which transmission modes exist on OSI layer 5? a. Simplex, all other modes can be described as a series of simplex connections b. Simplex, duplex, triplex c. Simplex, half duplex, duplex d. Duplex, as the other modes are only maintained for legacy and not part of modern standards 3. In which of the following situations is the network itself not a target of attack? a. A denial-of-service attack on servers on a network b. Hacking into a router c. A virus outbreak saturating network capacity d. A man-in-the-middle attack 4. Which of the following are effective protective or countermeasures against a distributed denial-of-service attack? a = Redundant network layout; b = Secret fully qualified domain names (FQDNs); c = Reserved bandwidth; d = Traffic filtering; e = Network Address Translation (NAT). a. b and e b. b, d, and e c. a and c d. a, c, and d

531

AU8231_C007.fm Page 532 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® 5. What is the optimal placement for network-based intrusion detection systems (NIDSs)? a. On the network perimeter, to alert the network administrator of all attack attempts b. On network segments with business-critical systems (e.g., demilitarized zones (DMZs) and on certain intranet segments) c. At the network operations center (NOC) d. At an external service provider 6. Which of the following are meaningful uses for network-based scans? a = Discovery of devices and services on a network; b = Test of compliance with the security policy; c = Detection of attackers in a network, for instance, sniffers; d = Test for vulnerabilities and backdoors, for instance, as part of a penetration test or to detect PCs infected by Trojans; a. a, b, and c b. a, b, and d c. a, c, and d d. b, c, and d 7. Which of the following is an advantage of fiber-optic over copper cables from a security perspective? a. Fiber optics provides higher bandwidth. b. Fiber optics are more difficult to wiretap. c. Fiber optics are immune to wiretap. d. None — the two are equivalent; network security is independent from the physical layer. 8. Which of the following devices should not be part of a network’s perimeter defense? a. A screening router b. A firewall c. A proxy server d. None of the above — all are needed to protect the network behind the perimeter 9. Which of the following is a principal security risk of wireless LANs? a. Lack of physical access control b. Demonstrably insecure standards c. Implementation weaknesses d. War driving 10. Which of the following configurations of a WLAN’s SSID offers adequate security protection? a. Using an obscure SSID to confuse and distract an attacker b. Not using any SSID at all to prevent an attacker from connecting to the network c. Not broadcasting an SSID to make it harder to detect the WLAN d. None of the above 532

AU8231_C007.fm Page 533 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security 11. Which of the following is the principal security risk of broadband Internet access proliferation for home users? a. Users using peer-to-peer file-sharing networks for breaches of intellectual property. b. PCs connected permanently to the Internet are prone to receive more spam mails, thereby increasing the risk for the user to become infected with viruses and Trojans. c. PCs will become infected with dialers on DSL lines (run over telephony lines), thereby exposing the user to almost limitless financial risk. d. Home computers that are not securely configured or maintained and are permanently connected to the Internet become easy prey for attackers. 12. Who should be allowed to change rules on a firewall and for which reason? a. The network administrator, for testing and troubleshooting purposes b. The firewall administrator, on request of users after having assessed the validity of the business reason c. The firewall administrator in compliance with a change process that will, in particular, validate the request against the organization’s security policy and provide proper authorization for the request d. The security manager, who will, in particular, validate the request against the organization’s security policy and provide proper authorization for the request 13. Which of the following is the principal benefit of a personal firewall? a. They provide a PC on a public network with a reasonable degree of protection; if the PC connects to a trusted network later on (for instance, an Intranet), it will prevent the PC from becoming an agent of attack (e.g., by spreading viruses). b. They offer an additional degree of protection on intranets to the PC because, due to the trend of incremental weakening of the network boundary, these networks can no longer be considered trusted. c. They protect networks the PC connects to from threats, such as virus infections, that the PC could become an agent to. d. They prevent attacks on individual PCs. If everybody would use them, the Internet would be safe from virus attacks. 14. Which of the following are true statements about IPSec? a = IPSec provides mechanisms for authentication and encryption. b = IPSec provides mechanisms for nonrepudiation. c = IPSec will only be deployed with IPv6. d = IPSec authenticates hosts against each other. e = IPSec only authenticates clients against a server. f = IPSec is implemented in SSH and TLS. 533

AU8231_C007.fm Page 534 Wednesday, May 23, 2007 9:05 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® a. a and d b. a, b, and e c. a, b, c, d, and f d. a, b, c, e, and f 15. Which of the following statements about well-known ports (0 through 1023) on layer 4 is true? a. Well-known ports all run TCP, as UDP was considered not secure enough. b. Well-known ports historically were the ones defined in early (10bit address) implementations of TCP. When address space was extended to 16 bits, registered and dynamic ports were added. c. On most operating systems, use of well-known ports requires system-level (administrative, superuser) access. d. The distinction between well-known, registered, and dynamic ports will become obsolete in IPv6, as the service used becomes part of the IP address. 16. Which of the following is the enabler for TCP sequence number attacks, and which mitigation exists? a. The fact that packets can arrive in random order. Mitigation is offered by better control of the carrier medium, as described in RFC 2549. b. The fact sequence numbers can be assumed to monotonously increase, which enables guessing of a valid (but random) higher sequence number. Mitigation is offered by switching to UDP, as described in RFC 768. c. The fact that sequence numbers can be predicted, enabling insertion of illegitimate packets into the data stream. Mitigation is offered by better randomization, as described in RFC 1948. d. TCP sequence number attacks are based on a brute-force attack of guessing valid sequence numbers. No mitigation is possible. 17. Which of the following is the principal weakness of DNS (Domain Name System)? a. Lack of authentication of servers, and thereby authenticity of records b. Its latency, which enables insertion of records between the time when a record has expired and when it is refreshed c. The fact that it is a simple, distributed, hierarchical database instead of a singular, relational one, thereby giving rise to the possibility of inconsistencies going undetected for a certain amount of time d. The fact that addresses in e-mail can be spoofed without checking their validity in DNS, caused by the fact that DNS addresses are not digitally signed

534

AU8231_C007.fm Page 535 Wednesday, May 23, 2007 9:05 AM

Telecommunications and Network Security 18. Which of the following statements about open e-mail relays is incorrect? a. An open e-mail relay is a server that forwards e-mail from domains other than the ones it serves. b. Open e-mail relays are a principal tool for distribution of spam. c. Using a blacklist of open e-mail relays provides a secure way for an e-mail administrator to identify open mail relays and filter spam. d. An open e-mail relay is widely considered a sign of bad system administration. 19. A cookie is a way to: a. Track a user’s e-mail b. Add statefulness to the (originally stateless) HTTP c. Disclose a user’s identity d. Add history information to the (originally stateless) HTTP 20. From a disaster recovery perspective, which of the following is the principal concern associated with Voice-over-IP services? a. They can make the IP network of an organization a single point of failure for communication. b. They will increase the chance of a network outage due to capacity saturation. c. They will make the overall IT environment more complex, thereby increasing cost for the recovery site, dependency on external suppliers, and time needed to make it operational. d. None of the above — the choice of telephony technology is immaterial to business continuity planning. 21. Why is public key encryption unsuitable for multicast applications? a. The processing overhead is too high. b. The system is susceptible to man-in-the-middle attacks. c. All data is going to all members of the multicast group. d. Distribution of too many public keys allows them to be broken.

535

AU8231_C007.fm Page 536 Wednesday, May 23, 2007 9:05 AM

AU8231_C008.fm Page 537 Thursday, October 19, 2006 7:03 AM

Domain 8

Application Security Robert M. Slade, CISSP*

Domain Description and Introduction Application security involves processes and activities regarding the planning, programming, and management of software and systems. Somewhat recursively, the field also deals with those controls that may be installed within software systems to ensure the confidentiality, integrity, and availability of either software or data under processing. In addition, this domain concentrates on concepts involved in databases and database management and Web applications, because database applications are a major and unique field of applications and systems, and the World Wide Web is a ubiquitous and widely used interface to all manner of systems. As well as discussing the proper and secure means of designing and controlling applications, we also review maliciously created software, or malware. Current Threats and Levels Although information security has traditionally emphasized the systemlevel access controls, recent history has focused attention on applications. A great many information security incidents now involve software vulnerabilities in one form or another. Evidence is increasing that malware is much more than a mere nuisance: it is now a major security risk. Major consultancies and information technology publications and groups are noting that software security is a major problem. Development of in-house systems, commercial and off-the-shelf software, and controls on the choice, maintenance, and configuration of applications must be given greater attention than has been the case in the past. Unfortunately, too few security professionals have a significant programming or systems development background. At the same time, training in programming and development tends to emphasize speed and productivity over quality, let alone considerations of security. From the perspective of many developers, security is an impediment and roadblock. This perception is changing, but slowly, and in the current development environment, the security professional needs to take care not to be seen as a problem to be avoided. *© 2007 by Robert M. Slade. Used by permission.

537

AU8231_C008.fm Page 538 Thursday, October 19, 2006 7:03 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® The CISSP® candidate who looks back over the past few years will recall many security incidents. When examined, most major problems will be found to involve software vulnerabilities in some way. Software is increasingly large and complex, offering many opportunities for difficulty simply on the basis of random chance alone. In addition, applications software is becoming standardized, both in terms of the programs and code used and in regard to the protocols and interfaces involved. Although this provides benefits in training and productivity, it also means that a troublesome characteristic may affect the computing and business environment quite broadly. Also, we are finding that legacy code, as well as design decisions taken decades ago, are still involved in current systems and interact with new technologies and operations in ways that may open additional vulnerabilities. A recent FBI computer crime survey examined the costs of various categories of events. It found not only that malware presented a significant cost to business, but also that malware accounted for fully a third of the total cost to business of all reported incidents. This was in spite of the fact that antivirus and antispyware protection was used almost universally throughout the surveyed companies. Application Development Security Outline This chapter addresses the important security concepts that apply during the software development, operation, and maintenance processes. Software includes both operating system software and application software. The computing environment is layered. The foundation is the hardware of the computer system and the functions that are built into that hardware. In some cases, a layer of microcode or firmware is implemented, to generate or ease the use of certain common operations. The operating system provides management of the computer hardware resources. The applications sit on top of the operating system and associated utilities. The user interacts with data and the network resources through applications. In some cases, there are additional layers, very often in terms of the interface either with the user or between systems. In considering applications security, one must remember the applications that the users use to do their jobs and interact with the operating system. However, also be aware that the fundamental concepts of application development also apply to operating system software development, even though most users purchase an existing operating system. Thus, although most enterprises do not develop operating system code, they do design, develop, operate, and maintain proprietary applications relevant to their business needs. Throughout this chapter, examples are given regarding the securityrelated problems that can and do occur during the operations of a com538

AU8231_C008.fm Page 539 Thursday, October 19, 2006 7:03 AM

Application Security puter system. The environment where software is designed and developed is also critical in providing security for the system. Therefore, this chapter can never be exhaustive, and as with the material on security management, we encourage readers to thoughtfully apply these concepts to the specifics of their own company or situation. Operating system and application software consist of increasingly complex computer programs. Without this software, it would be impossible to operate the computer for the purposes we currently require of it. In the early days of computers, users had to write code for each activity to be undertaken using a language native to the specific machine. To improve productivity, sets or libraries of code were developed that would implement many of the more common instructions. These standard files of functions, along with utilities to ease their use, became the forerunners of what we now know as programming languages. The development of programming languages has been referred to in terms of generations. There are specific concerns at each level of this progression, but particularly in more recent environments, where the tendency has been to have functions and operations masked from the user and handled by the system in the background. Reliance on the programming environment and code libraries may prevent the developer from fully understanding the dependencies and vulnerabilities included in the final structure. Expectation of the CISSP in This Domain The information system security professional should fully understand: • The principles related to designing secure information system software • Security and controls of the systems development process, application controls, change controls, data warehousing, data mining, knowledge-based systems, program interfaces, and concepts used to ensure data and application integrity, confidentiality, and availability • The knowledge, practices, and principles for securing systems and applications during the processes known as life-cycle management • The security and controls that should be included within systems and application software • The steps and security controls in the software life cycle and change control process • Concepts used to ensure data and software integrity, confidentiality, and availability • Malicious code and software, such as computer viruses • How malicious code can be introduced into the computing environment 539

AU8231_C008.fm Page 540 Thursday, October 19, 2006 7:03 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® • Mechanisms that can be used to prevent, detect, and correct malicious code and their attacks • That security is a system-level attribute Please note that this list is only a rough outline. Refer to the Common Body of Knowledge listing at the end of this chapter for full details. It should be noted that the CISSP is not required to be an expert programmer or know the inner workings of developing application software code, like the Fortran programming language, or how to develop Web code using Java. It is not even necessary that the CISSP know detailed security specific coding practices, such as the reason for preferring str(n)cpy to strcpy in the C language (although all such knowledge is, of course, helpful). Because the CISSP may be the person responsible for ensuring that security is included in such developments, the CISSP should know the basic procedures and concepts involved during the design and development of software programming. That is, in order for the CISSP to manage the software development process and verify that security is included, the CISSP must understand the fundamental concepts of programming developments and the security strengths and weaknesses of various application development processes. This chapter could be arranged in many ways, such as by specific threat or the different types of applications. We will begin with the general process of development: outlining the needs for the protection of software and systems; the programming and development process itself, and the role software plays in the functioning of the computer; some of the protection mechanisms that can be used to overcome the threats and vulnerabilities to software, such as using a system development life-cycle (SDLC) methodology; and methods of assurance that the functional security requirements are properly implemented and operated. System assurance is an indispensable, and all too often disregarded, part of information systems security, and thus will be underscored in a major section of its own. In a similar fashion, we will then examine issues specific to the topic of malware, and the countermeasures against it. Database concepts, management systems, safeguards, and the particular aspects of data warehousing and mining make up a third major section. Due to its increasing importance in the current application environment, the security of Web applications will be given a section as well. Applications Development and Programming Concepts and Protection The security of data and information is one of the most important elements of information system security. It is through software mechanisms that we process and access the data on the system. In addition, almost all technical controls are implemented in software. The objective of information security is to make sure that the system and its resources are available when 540

AU8231_C008.fm Page 541 Thursday, October 19, 2006 7:03 AM

Application Security needed, that the integrity of the processing of the data and the data itself is ensured, and that the confidentiality of the data is protected. All of these purposes rely upon secure and properly operating software. Application development procedures are absolutely vital to the integrity of systems. If applications are not developed properly, data may be processed in such a way that the integrity of either the original data or the processed results is corrupted. In addition, the integrity of both application and operating system software itself must be maintained, in terms of both change control and attack from malicious software such as viruses. If special protection requirements (such as confidentiality) for the data controlled by a system are required, protective mechanisms and safeguards (like encryption) should be designed and built into the system and code from the beginning, and not added on as an afterthought. Because operating system software is also responsible for many of the controls on access to data and systems, it is vital that these areas of programming be tightly protected. Current Software Environment Information systems are becoming more distributed, with a substantial increase in open protocols, interfaces, and source code, as well as sharing of resources. Increased sharing requires that all resources be protected against unauthorized access. Many of these safeguards are provided through software controls, especially operating system mechanisms. The operating system must offer controls that protect the computer’s resources. In addition, the relationship between applications and the operating system is also important. Controls must be included in operating systems so that applications cannot damage or circumvent the operating system controls. A lack of software protection mechanisms can leave the operating system and critical computer resources open to corruption and attack. Some of the main security requirements for applications and databases are to ensure that only valid, authorized, and authenticated users can access the data; permissions related to use of the data can be controlled; the software provides some type of granularity for controlling the permissions; encryption is available for protecting sensitive information such as password storage; and audit trails can be implemented and reviewed. It is becoming increasingly evident that many problems in access control, networking, and operations security are related to the development of software and systems. Whether caused by improper system development, sloppy programming practices, or a lack of rigorous testing, it is clear that a number of vulnerabilities are present, and continue to be created, in the software that is in widespread use. An expanding number of titles in the security literature address this topic. 541

AU8231_C008.fm Page 542 Thursday, October 19, 2006 7:03 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® Essentially, security in operating systems, applications, and databases focuses on the ability of the software to enforce controls over the storage and transfer of information in and between objects. Remember that the underlying foundation of the software security controls is the organization’s security policy. The security policy reflects the security requirements of the organization. Therefore, if the security policy requires that only one set of users can access information, the software must have the capability to limit access to that specific group of users. Keep in mind that the ability to refer to a system as secure is based upon the reliable enforcement of the organization’s security policy. Open Source The term open source has a number of competing definitions. However, most advocates would agree to the basic condition that the vendor releases the software source code so that users may modify the software either to suit their own situation or for further development. When the source is open, this also means that others can comment on or assist in debugging the code. Traditionally, vendors have relied on the secrecy of their proprietary code to protect the intellectual property of their product: hiding the source code and releasing only an executable version in machine or object code. There is a trend toward open-source codes in commercial software houses, and many successful business models support this activity, but most software companies still keep their source code secret, relying on proprietary code to prevent others from producing competing products. Advocates of open-source software believe that security can be improved when source code is available to the public. This is expressed in Linus’s law: With sufficiently many eyeballs looking at the code, all bugs will become apparent. Let other developers and programmers review the code and help to find the security vulnerabilities. The idea is that this openness will lead to quick identification and repair of any issues, including those involved with security. Other developers disagree. Will other programmers be able to find all of the security vulnerabilities? Just releasing the source code does not ensure that all security bugs will be found, and the automatic assumption of reliability can lead to a false sense of security. Devotees of proprietary systems note that dishonest programmers may find security vulnerabilities but not disclose the problem, or at least not until they have exploited it. There have been instances where those in the black hat community tried to blackmail software vendors when they found problems. A final determination on this issue has not yet been made. However, in general, it is known that “security by obscurity” — the idea that if a sys542

AU8231_C008.fm Page 543 Thursday, October 19, 2006 7:03 AM

Application Security tem is little known, there is less likelihood that someone will find out how to break into it — does not work. Whether programs are available in source or only executable versions, observation, reverse engineering, disassembly, trial and error, and random chance may be able to find security vulnerabilities. (Turning to another field of security, in cryptography this abjuration against obscurity is formalized in Kerckhoff’s law, which states that reliance upon secrecy of the cryptographic algorithm used is false security.) Full Disclosure. A related issue, frequently tied to the idea of the open-

source model, is full disclosure. Full disclosure means that individuals who find security vulnerabilities will publicly disseminate the information, possibly including code fragments or programs that might exploit the problem. Many models of partial disclosure exist, such as first contacting the vendor of the software and asking that the vulnerability and a subsequent fix be released to the public, or the release only of information of the vulnerability and possible workaround solutions. Rather than making policy regarding the purchase of open-source or proprietary software, for security purposes it may be better to look at how the software was designed. Was security included as an initial consideration when decisions were made about such issues as programming languages, features, programming style, and tests and evaluations? Programming In the development phase, programmers have the option of writing code in several different programming languages. A programming language is a set of rules telling the computer what operations to perform. Programming languages have evolved in generations, and each language is characterized into one of the generations. Those in the lower level are closer in form to the binary language of the computer. Both machine and assembly languages are considered low-level languages. As the languages become easier and more similar to the language people use to communicate, they become higher level. High-level languages are easier to use than lowerlevel languages and can be used to produce programs more quickly. In addition, high-level languages are beneficial because they enforce coding standards and can provide more security. Programming langauges are frequently referred to by generations. The first generation is generally held to be the machine language, opcodes (operating codes), and object code used by the computer itself. These are very simple instructions that can be executed directly by the CPU of a computer. Each type of computer has its own machine language. However, the blizzard of hexadecimal or binary code is difficult for people to understand, and so a second generation of assembly language was created, 543

AU8231_C008.fm Page 544 Thursday, October 19, 2006 7:03 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK® which uses symbols as abbreviations for major instructions. The third generation, usually known as high-level language, uses meaningful words (generally English) as the commands. COBOL, FORTRAN, BASIC, and C are examples of this type. Above this point there may be disagreement on definitions. Fourth-generation languages, sometimes known as very high level languages, are represented by query languages, report generators, and application generators. Fifth-generation languages, or natural language interfaces, require expert systems and artificial intelligence. The intent is to eliminate the need for programmers to learn a specific vocabulary, grammar, or syntax. The text of a natural language statement very closely resembles human speech. Process and Elements. Many of those working in the information sys-

tems security profession are not experienced programmers. Therefore, the following is a very quick and simplistic explanation of the concepts and processes of different types of programming. It is provided purely for background understanding for the other material in this domain. Those who have experience with programming can skip this section. I need to start out by making a point that will be completely and simplistically obvious to those familiar with machine language programming — and totally bizarre to those who are not. Machine language does not consist of the type of commands we see in higher-level languages. Higher-level languages use words from normal human languages, and so, while a given program probably looks odd to the nonprogrammer, nevertheless we see recognizable words such as print, if, load, case, and so forth, which give us some indication of what might be going on in the program. This is not true of machine language. Machine language is, as we frequently say of other aspects of computing and data communications, all just ones and zeroes. The patterns of ones and zeroes are directions to the computer. The directive patterns, called opcodes, are the actual commands that the computer uses. Opcodes are very short — in most desktop microcomputers generally only a single byte (8 bits) in length, or possibly two. Opcodes may also have a byte or two of data associated with them, but the entire string of command and argument is usually no more than 4 bytes, or 32 bits, altogether. This is the equivalent of a word of no more than four letters. Almost all computers in use today are based on what is termed von Neumann architecture (named after John von Neumann). One of the fundamental aspects of von Neumann architecture is that there is no inherent difference between data and programming in the memory of the computer. Therefore, in isolation, we cannot tell whether the pattern 4Eh (00101110) is the letter N or a decrement opcode. Similarly, the pattern 72h (01110010) may be the letter r or the first byte of the “jump if below” opcode. There544

AU8231_C008.fm Page 545 Thursday, October 19, 2006 7:03 AM

Application Security

-d ds:100 11f B8 19 06 BA CF 03 05 FA-0A 3B 06 02 00 72 1B B4 .........;...r.. 09 BA 18 01 CD 21 CD 20-4E 6F 74 20 65 6E 6F 75 .....!. Not enou -u ds:100 0AEA:0100 0AEA:0103 0AEA:0106 0AEA:0109 0AEA:010D 0AEA:010F 0AEA:0111 0AEA:0114 0AEA:0116 0AEA:0118 0AEA:0119 0AEA:011A 0AEA:011C 0AEA:011D 0AEA:011E 0AEA:011F

11f B81906 MOV AX,0619 BACF03 MOV DX,03CF 05FA0A ADD AX,0AFA 3B060200 CMP AX,[0002] 721B JB 012A B409 MOV AH,09 BA1801 MOV DX,0118 CD21 INT 21 CD20 INT 20 4E DEC SI 6F DB 6F 7420 JZ 013C 65 DB 65 6E DB 6E 6F DB 6F 7567 JNZ 0188

Figure 8.1. Display of the same section of a program file, first as data and then as an assembly language listing.

fore, when we look at the contents of a program file, as we do in Figure 8.1, we will be faced with an initially confusing agglomeration of random letters and symbols and incomprehensible garbage. Ultimately, understanding this chaotic blizzard of symbols is going to be of the greatest use to machine language programmers or software forensic specialists. Source code may be available, particularly in cases where we are dealing with script, macro, or other interpreted programming. To explain some of those objects, we need to examine the process of programming itself. The Programming Procedure. In the beginning, programmers created object (machine or binary) files directly. The operating instructions (opcodes) for the computer and any necessary arguments or data were presented to the machine in the form that was needed to get it to process properly. Assembly language was produced to help with this process: although there is a fairly direct correspondence between the assembly mnemonics and specific opcodes, at least the assembly files are formatted in a way that is relatively easy for humans to read, rather than being strings of hexadecimal or binary numbers. You will notice in the second part of Figure 8.1 a column of codes that might almost be words: MOV (move), CMP (compare), DEC (decrement), and ADD (I hope I do not have 545

AU8231_C008.fm Page 546 Thursday, October 19, 2006 7:03 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK®

OPEN INPUT RESPONSE-FILE OUTPUT REPORT-FILE INITIALIZE SURVEY-RESPONSES PERFORM UNTIL NO-MORE-RECORDS READ RESPONSE-FILE AT END SET NO-MORE-RECORDS TO TRUE NOT AT END PERFORM 100-PROCESS-SURVEY END-READ END-PERFORM begin. display "My parents went to Cape Cod and all they got" display "for me was this crummy COBOL program!".

Figure 8.2. Two sections of code from different COBOL programs. Note that the intention of the program is reasonably clear, as opposed to Figure 8.1.

to expand on that one). Assembly language added these mnemonics because “MOV to register AX” makes more sense to a programmer than simply B8h or 10111000. An assembler program also takes care of details regarding addressing in memory so that every time a minor change is made to a program, all the memory references and locations do not have to be manually changed. With the advent of high-level (or at least higher-level) languages (the socalled third generation), programming language systems split into two types. High-level languages are those where the source code is somewhat more comprehensible to people. Those who work with C or APL may dispute this assertion, of course. The much maligned COBOL is possibly the best example: as you can see in Figure 8.2, the general structure of a COBOL program should be evident from the source code, even for those not trained in the language. Compiled languages involve two separate processes before a program is ready for execution. The application must be programmed in the source (the text or human-readable) code, and then the source must be compiled into object code that the computer can understand: the strings of opcodes. Those who actually do programming will know that I am radically simplifying a process that generally involves linkers and a number of other utilities, but the point is that the source code for languages like Fortran and Modula cannot be run directly: it must be compiled first. Interpreted languages shorten the process. Once the source code for the program has been written, it can be run, with the help of the interpreter. The interpreter translates the source code into object code “on the 546

AU8231_C008.fm Page 547 Thursday, October 19, 2006 7:03 AM

Application Security fly,” rendering it into a form that the computer can use. There is a cost in performance and speed for this convenience: compiled programs are native, or natural, for the CPU to use directly (with some mediation from the operating system) and so run considerably faster. In addition, compilers tend to perform some level of optimization on the programs, choosing the best set of functions for a given situation. However, interpreted languages have an additional advantage: because the language is translated on the machine where the program is run, a given interpreted program can be run on a variety of different computers, as long as an interpreter for that language is available. Scripting languages, used on a variety of platforms, are of this type. JavaScript applets, such as the example in Figure 8.3, may be embedded in Web pages and then run in browsers that support the language regardless of the underlying computer architecture or operating system. (JavaScript is probably a bad example to use when talking about crossplatform operation, because a given JavaScript program may not even run on a new version of the same software company’s browser, let alone one from another vendor or for another platform. But, it is supposed to work across platforms.) As with most other technologies where two options are present, there are hybrid systems that attempt to provide the best of both worlds. Java, for example, compiles source code into a sort of pseudo-object code called bytecode. The bytecode is then processed by the interpreter (called the Java Virtual Machine, or JVM) for the CPU to run. Because the bytecode is already fairly close to object code, the interpretation process is much faster than for other interpreted languages. And because bytecode is still undergoing an interpretation, a given Java program will run on any machine that has a JVM. (Java does have a provision for direct compilation into object code, as do a number of implementations for interpreted languages, such as BASIC.)* The Software Environment The situation in which software operates is fundamental to computer operations. This environment begins with the standard model of hardware resources, with items such as the central processing unit (CPU), memory, input/output (I/O) requests, and storage devices. The operating system is *As a side note, because we have mentioned both, JavaScript is a language most commonly used in Web pages. It is not Java and has no relation to Java: it was originally named LiveScript and was renamed as a marketing strategy. It is interpreted by the user’s Web browser and allows control over most of the features of the Web browser. It has access to most of the contents of the Hypertext Markup Language (HTML) document and has full interaction with the displayed content. Depending upon the browser, it may have significant access to the system itself. Its security management is minimal — it is either enabled or disabled.

547

AU8231_C008.fm Page 548 Thursday, October 19, 2006 7:03 AM

OFFICIAL (ISC)2® GUIDE TO THE CISSP® CBK®

Adding input <script> document.write ("Hello, "); document.write ("class.
This line "); document.write ("is written by the JavaScript in the header."); document.write ("
but appears in the body of the page,");
This line is the first line that is written by HTML itself.

Notice that this is the last line that appears until after the new input is obtained.