课件成果辅导how to pass cissp

1、How to Pass the CISSPThe Evil Geniuses EditionThe CBKDivided into 10 SectionsThe test is 250 questionsEthics questions are guaranteed to be thereEvery test is differentExpect 20 questions from each sectionThese slides are based on the notes from someone who took the classSecurity Management Practice

2、sThe concept of due diligenceDue Diligence the idea that everything that could be done has. Mgt anything. If you see management as part of an answer consider it VERY seriously. Seems like it is always the right answer.Remember. C-I-A Confidentiality, Integrity, Availability. Same as above. If you se

3、e one of these as a possible answer, it is probably the correct answer.User is primarily responsible for security of data,this means that management may create controls to secure data but ultimately the user is the one who decides to follow them. Security Management Practices Least privilege “need t

4、o know” basis Standards, Baselines & Procedures, Guidelines Standards think HW, SW Mechanism like Norton is standard for Anti-virus Baseline think Platform unique Procedures think RequiredGuidelines think mendedSecurity Management PracticesThe BooksRed Book = Trusted Network Interpretation (orange b

5、ook for networks)Orange book = Trusted Computer security evaluation criteriaConfidentiality only.Government based Security Management PracticesThe CertificationsITSEC = international community attempt to “harmonization” more commercial flavorAdds Integrity and availabilty issuesCommon criteria = new

6、 effort to bring all together Replaces previous schemeC1, C2, B1, B2, ASecurity Management PracticesTypes of classification Object/subject object = passive (files, data, sometimes program) subject = active (usually people)SUI = sensitive but unclassified information Security Management PracticesWho

7、is responsible for what controls Owner has responsibility for physical/admin controlsCustodian has responsibility for logical controlsSeparation of duties tends to deter inside jobs Once your start working in an environment, the line between owner and custodian fades are you need access to perform t

8、asks.Security Management PracticesBusiness Continuity Planning (BCP) Vs Disaster Recover Planning (DRP)BCP tends to be enterprise driven down, Disaster Recovery tends to be functional driven up. (more here later) BCP How to keep businesses running after an incidentDRP How to keep your systems runnin

9、g after a disasterSecurity Management PracticesThe ISC2 way of defining virus/trojans Virus think seed, replication Worm think self-replicating program Trojan horse think “hidden code”. Trap door think undocumented access path.Know boot infectors, system infectors (aka kernel virus), and application

10、 infectors Security Management PracticesThe Foundations for Risk Formulas Threat = unfortunate event or activity Exposure = probability Vulnerability = weakness Countermeasure = safeguardSecurity Management PracticesHow to find the value of risk ALE = annualized lost expectancy = single loss expecta

11、ncy x asset value x annualized loss rate (like three times per year) Quantitative versus qualitative risk analysis. Compartmentalization = contain threat and prevent spread Worth of information = cost to acquire + value to owners + what others are willing to payRemember that countermeasure cost shou

12、ld never exceed worth of information Law, Ethics, investigations Masquerading = pretending to be someone who is authorized to access system, data, etc.414 Gang and Sloan Kettering Cancer facility led to Medical computer Crime Act of 1984hackers = tinkerers to fix crackers = bad guys- Looks like even

13、 ISC2 decided to get into thisIdeal = security built in (versus security added on)Owners have requirement to take action to secure systems, etc. If there is no access control (I.e. a password) there is no crimeLaws, Ethics and InvestigationsThe Laws:Privacy act of 1974. Federal Govt must use data on

14、ly for why it was collected and must protect it.Federal interest computers = anything connected to federal use or interstate computer usage Title 18 or Computer Fraud and Abuse Act of 1986 = felony Protection of intangible = primary reason why prosecution so difficult Computer Security Act of 1987 =

15、 NIST, SUI, NSA/encryptionElectronic Communication Privacy Act of 1986 = email privacy protection and wiretapping controlsFederal Sentencing Guidelines of 1991 provides federal judges consistent guidelines and requires organizations to report computer crimes. Added provision of computer related crim

16、e in 1997.National Infrastructure Protection Act of 1996 amended Computer Fraud And Abuse Act of 1986 . Protects all govt computers.49 states have computer laws (VT is coming)Laws, Ethics and InvestigationsThe ISC2 View of Evidence Collection Concept of “due care” mgt is responsible.Computer crime i

17、mpacts Shift from physical to intangible electronic environmentChain of Custody and Evidence. Collection, storage, presentation and return to owner.Computer generated evidence considered hearsay. Some exceptions.How collected is as important as what collectedRule (1001)3 Disk Dump and memory dumps .

18、 Saves state of computerGet corroboration.Laws, Ethics and InvestigationsMore on evidence and juristictionMust rely on record collection as routine part of doing business. Cannot target individuals.Suspect must have motive, ability and opportunitySecret Service (credit m) and FBI (computers)Key poin

19、t for computer evidence admissibility = relevance and preservation (I.e. hashed images of evidence)Surveillance requires routine activity that applies equally to all employees. (I.e. email filtering)Know difference between enticement and entrapmentComputer forensics = analysis Laws, Ethics and Inves

20、tigationEthics know that we are not supposed to share seminar or test content with other CISSP candidates OOOOOPs.Ethics . Know that it is unethical to purposely. *Gain unauthorized access to Internet resourcesDisrupt intended use of InternetWaste resourcesDestroy integrity of computer based infoPer

21、form negligently in Internet-wide experimentsMost of the rest is common sense Report deviations to management. ETC Laws, Ethics and InvestigationThe rest of the storyKnow what a CERT is.Know that HR should be involved if employees suspected of wrongdoing.Physical Security Two types of controls (Admi

22、n and Physical)Realize difference between Admin and Physical controls Admin = written documents and implementation. Physical = locks, card swipes, motion detectors, etc.Physical SecurityFire is biggest threat Blackout = loss of power Brownout = prolonged below normal voltage Fault = momentary power

23、out Spike = momentary high voltageSurge = prolonged high voltageTransient = noise UPS = uninterruptible power source to provide clean power even during outage Physical SecurityResidual Data IssuesData Remanence = stuff stays behind after erasure. Best to overwrite completely. Next best = degaussing

24、with magnetic field. CDs must be destroyed Magnetics sanitize data. For CBK best approach for object reuse is overwriting.Electromagnetic interference caused by wiresRFI caused by electronic components Laptops need file encryption Physical SecurityKnow difference between fire classesA common combust

25、ibles (uses water, soda acid)B Liquid (uses CO2/soda acid/Halon)C electric (uses CO2 and Halon)Electrical distribution causes most firesTraining best fixPhysical SecurityCombustion MUST have (to put fire out you must remove ONE) Fuel Oxygen Temperature Water reduces temperature Halon prevents chemic

26、al reaction CO2 removes oxygenPhysical Security Dry pipe sprinkler favor saving equipment NFPA National Fire Protection Associaton. Safety driven Montreal Protocol No new installs of Halon mends refill with alternativesCO2 potentially lethal. Best for facilities without people Physical SecurityTypes

27、 of Physical Authentication Card Badge readers. Embedded wire most secure because of construction. Transponders = sender and receiver Mantraps = 2-door system BiometricsAlways remember three things to identify yourself: What you have, What you are and What you knowPhysical SecurityTypes of Biometric

28、s Phyiscal = Access Control Authentication device = something you are. Crossover rate where false rejections equal false acceptances Lower the better. Best of breed is iris scan (0.5%) then retina (1.5%), then hand geometry (2%), fingerprint (5%), voice (10%) 3 unique Fingerprint, retina, and iris.R

29、etina uses vein patterns in back of eye Operations SecurityShoulder surfingSecurity perimeter = boundary where security features protect assetsSystem high sec mode = highest security levelClipping level establishes baseline for filtering out normal behaviorsChange control is importantOperations Secu

30、rity3 copies for backupsone at off site, one at on-site, and original Secondary storage is disks, tapes, etc.Primary is storage routinely accessed by system.Dual control = separate entities operating in parallel to plish task Operations SecurityKnow some problem areas like spamming, brute force atta

31、cks, Pseudo userid, salami = clipping 2cents off a lot of transactions.Closed shop = limiting access Business Continuity Planning BCP think recovering business functionality (especially critical functions) - Key element of Recovery planning is Business Impact AnalysisDRP think emergency responseDisa

32、ster recovery plan = comprehensive statement of actions to be taken before, during and after a disaster Business Continuity Planning * BIA includes financial and operational data.Also identifies acceptable level of outage Mgt commitment ESSENTIAL Testing is important- Ok to identify problems during

33、testing. Business Continuity Planning Emergency reaction team = first respondersRecovery team goes to alternative site to get critical functions goingEmergency repair team original site fixers (starting with least critical support functions first)Business Continuity Planning Cold site = AC and wirin

34、g ready for equipmentAdvantage = less expensiveDisadvantage = not immediately availableWarm site = hot site without expensive equipment (no computers but drives, controllers, etc.)Hot site = fully configured (HW & SW) Available in hoursAdvantage = availability and testableDisadvantage = costlyBusine

35、ss Continuity Planning Multiple In-house centers = testable, quick response, minimally disruptive recoveryBut, Configuration management important. And need formalized agreements to “share disaster”Service Bureaus = They run the ops.Advantages = quick response and testableDisadvantages = cost like ho

36、t sites. May be more than one client.Business Continuity Planning Electronic Vaulting = massive electronic transfer of backup data (batch job)Remote journaling = real-time transmission of journal or transaction logs to off-siteDatabase shadowing = uses remotely journaled data to create databaseEmerg

37、ency response think Safety first then equipment Business Continuity Planning Testing types (* once a year)Structure walk throughChecklistSimulationParallelFull-interruptionBusiness Continuity Planning Mitigate the emergency. Avoid the DRP !Application & Systems Security Important to build in securit

38、y versus adding on.Aggregation = situation where combining info creates greater sensitivity than individual parts.Inference = ability to derive information not explicitly availableObject reuse = media must contain no residual dataOverwriting is best approach followed by degausser Application & Syste

39、ms Security Trap Door versus Back Door. Back Door built in by designers.Covert channels = Comm channel that violates policy by communicating info Covert storage channel = write by one channel, read by another at lower security levelCovert timing channel = one process signals to other by modulating o

40、wn system useApplet = small program downloaded to client computer. Represent riskJava = SunActiveX = MicrosoftApplication & Systems Security Data Mining = analysis of databases with tools without knowledge of meaning of dataClosed environment = not connected to networkGranularity = fineness of secur

41、ity mechanismWork factor = measure of amount of effort required to e protective measureAssurance = confidence in security measures Application & Systems Security ControlsInput controls = Validity, completeness controls such as limit tests, logical checks, control totalsOutput controls = i.e., reconc

42、iliation procedures, physical handling procedures, authorization controlsTransaction controls = validity of transactions; limit controls, verification with expected results Application & Systems Security System Life Cycle = foundation of security architectureProject initiation = Concept defining/pro

43、posalFunctional design analysis & planningSystem design specificationSoftware developmentInstallationMaintenance supportRevisions and replacement Application & Systems Security Certification = operationally and technically CompleteAccreditation = approval to operateSeparation of duties requires coll

44、usion to perform bad things.Role-based access makes change management easier. easier to add/remove individualsCheckpoint restart = ability to restart process under control if hiccup occurs.Redundant array of inexpensive disks = RAIDApplication & Systems SecurityObject oriented programming provides f

45、or:Structure, discipline and modularity (reuse)EfficiencyBetter security mechanism implementationApplication & Systems Security Polyinstantiation (goal is lower cleared people) = iteratively producing a more defined version of an object by replacing variables with values or other variables.Polymorph

46、ism = different objects responding to the same command in different ways.Inheritance = object deriving data and functionality automatically from another objectAssociation mechanism = building larger class from set of smaller classes. Application & Systems SecurityEncapsulation = object protects priv

47、ate data from outside accessOLTP = On-Line transaction processing (allows for recovery from errors) supports AVAILABILITY objectiveDatabase Management System (DBMS) supports Multi-level security through a trusted front end.Testing of controls TEST ALL CHANGES.Disadvantage of content dependent protec

48、tion is increase in process overhead.Xmas virus affected availability Security Architecture & Models Trust = meets specification Therefore, can be trusted without security.Security relevant means not part of security but RELATED or Supports.Process isolation = ensures that multiple processes run con

49、currently without interference (availability)Least privilege = need to know Security Architecture & Models 3 ways to protect HW & SWLayering = each layer has specific activities. Usually layers can communicate only one layer above or below.Abstraction = process kept hiddenData hiding = like abstract

50、ion but deals with data. Layer has no access to data in other layers and data handled by other layers is hidden Security Architecture & ModelsSequential memory = computer sequentially accesses memory storage.Volatile memory = complete loss of information when shutoff.Compiler = translater to machine

51、 languageInterpreter = interprets and EXECUTES.Open systems = interoperabilityClosed systems = lacks interchangeability (e.g., Apple Security Architecture & ModelsState = set of values of all entity attributes in a systemMultistate processes data of 2 or more security levelsSupervisor state = progra

52、m can access entire systemProblem state = only nonprivileged instructions executed (application programs)Masked/Interruptible state = Interupt implies mask bit set.Security Architecture & ModelsAbstract data types (precise definition of semantics of data) = provides confidentiality protectionStrong

53、typing = robust enforcement of abstract data typing.TOCTOU = time of check, time of use = class of asynchronous attacks that take advantage of timelag between permission checking and actual use. Also known as a race condition. daveBinding = tying active entity to specific course of authorized action

54、sHandshaking = dialogue used to identify and authenticate each other (modems)Security Architecture & ModelsFault tolerance (availability) = ability to continue after equipment failureAccountability and audit trails = keeping track of who does what and when.Modes of Operation System high mode = All p

55、ersonnel have clearance and formal access approval BUT NOT NECESSARILY need to know. Partitioned or Compartmented mode = All people have clearance and need to know. Multi-level secure = not everyone has clearance or formal access approval or need to know for all info in the systemSecurity Architectu

56、re & Models Security perimeter = imaginary boundary around Trusted computing base = all protection mechanisms (HW, SW, and firmware) Security kernel = reference monitor = ALWAYS INVOKED = mechanism 3 characteristics Mediates ALL access Verifiably correct And protected from modification Security Arch

57、itecture & ModelsSystem integrity requires that undocumented capabilities should be minimized.Browsing = searching through storage without necessarily knowing existence or formatSpoofing = acting as authorized userExhaustive = brute force “pounding on the door”Inference = human deduction of informat

58、ion from something known or assumedTraffic analysis = inference based on observation of traffic flows Security Architecture & Models Security Models Bell-LaPadula BibaClark-Wilson Security Architecture & ModelsBell-LaPadual (B-L hereafter) Sponsored by Govt. Deals with confidentiality ONLYSubjects h

59、ave clearances, objects have classifications.Subjects can read from their clearance level DOWN = Read downSubjects can write from their clearance level UP = Write up (Star property aka *-property means NO write down) For example, TS person cannot write down to SECRET)SUMMARY! NO, NO, NO Read UP, Wri

60、te Down Security Architecture & ModelsBiba = Think INTEGRITY and OPPOSITE approach from B-L No, NO, NO Read down or Write up Because of integrity.Integrity *-property means NO write up Security Architecture & ModelsClark-Wilson adds users to the equation. Represents continuation of Biba.Addresses al