a quick guide to cissp certification
TRANSCRIPT
-
7/28/2019 A quick guide to CISSP certification
1/93
CISSPCISSP Exam Notes will help you pass CISSP exam
It is concise, to-the-point, and quick way to determine if
you are ready for the CISSP exam
Draft Version 43
Date of Publish: 19 September 2009
RAFEEQ UR REHMAN, CISSP
A quick guide to CISSP certification
-
7/28/2019 A quick guide to CISSP certification
2/93
Chapter One: Information Security and Risk Management
Copyright 2009 Rafeeq Rehman Page: 2 of 93
Copyright Notice
This book is copyright 2009 of Rafeeq Ur Rehman and Conformix Technologies Inc. No part
of this book can be distributed or reproduced in any form or shape without written permissionof the Author and the Publisher.
Disclaimer
The book is made available without any direct, indirect, or implied warranty of any kind,
including the correctness of material presented here. The author and the publisher of this book
are not responsible for any direct or indirect loss as a result of use of this book.
Trademarks and Service Marks
All references to trademarks and service marks used in this book are the property of respective
owners.
Published By
Rafeeq Rehman
ISBN13: 978-0-9724031-1-5
ISBN: 0-9724031-1-6
Web: http://www.cisspbook.com
Latest Edition of this book is always available on this web site.
Email: [email protected]
-
7/28/2019 A quick guide to CISSP certification
3/93
Chapter One: Information Security and Risk Management
Copyright 2009 Rafeeq Rehman Page: 3 of 93
Table of Contents
1 Information Security and Risk Management .......................................................................... 101.1 Definitions ......................................................................................................................... 10
1.2 Introduction ....................................................................................................................... 111.3 Basic Principles ................................................................................................................. 121.4 Availability ........................................................................................................................ 14
1.4.1 Avoiding Single Points of Failure ............................................................................. 141.5 Data Classification ............................................................................................................ 141.6 Personnel Security ............................................................................................................ 151.7 Risk Management and Risk Lifecycle .............................................................................. 161.8 Security Policies and Standards security policy and standards .......................................171.9 Education and Awareness education and awareness ...................................................... 181.10 Roles and Responsibilities ................................................................................................ 181.11 Attacks and Vulnerabilities .............................................................................................. 181.12 Miscellaneous .................................................................................................................... 19
2 Access Control .......................................................................................................................... 212.1 Definitions ......................................................................................................................... 212.2 Access Control ................................................................................................................... 22
2.2.1 Access Control Types ................................................................................................. 252.3 Remote Authentication ..................................................................................................... 252.4 Biometrics ......................................................................................................................... 262.5 Passwords Security ........................................................................................................... 262.6 Identity Management and Directory Services ................................................................. 27
2.6.1 Kerberos ..................................................................................................................... 282.6.2 Light Weight Directory Access Protocol or LDAP .................................................... 292.6.3 OpenID ...................................................................................................................... 292.6.4 NTLM ......................................................................................................................... 30
2.6.5 Microsoft Active Directory Active Directory ............................................................ 302.7 Controlling Access in Networks ....................................................................................... 302.8 Types of Access Controls .................................................................................................. 312.9 Access Control Monitoring ............................................................................................... 312.10 Attacks and Vulnerabilities .............................................................................................. 31
3 Cryptography ............................................................................................................................ 333.1 Terminology ...................................................................................................................... 333.2 Introduction ...................................................................................................................... 343.3 Alogrithms ......................................................................................................................... 35
3.3.1 Digital Encryption Standard (DES) .......................................................................... 353.3.2 Triple Digital Encryption Standard (3DES) ............................................................. 353.3.3 Advanced Encryption Standard or AES AES ........................................................... 36
3.4 Public Key Cryptography .................................................................................................. 363.4.1 RSA Algorithm ........................................................................................................... 37
3.5 PGP .................................................................................................................................... 373.6 Hashing ............................................................................................................................. 373.7 Encrypting Data-At-Rest .................................................................................................. 383.8 Public Key Infrastructure (PKI) ....................................................................................... 38
3.8.1 Digital Certificates ..................................................................................................... 393.8.2 Certificate and Key Management Key Management ................................................ 41
3.9 Attacks and Vulnerabilities .............................................................................................. 42
-
7/28/2019 A quick guide to CISSP certification
4/93
Chapter One: Information Security and Risk Management
Copyright 2009 Rafeeq Rehman Page: 4 of 93
3.10 Miscellaneous .................................................................................................................... 424 Physical Security ...................................................................................................................... 44
4.1 Definitions ......................................................................................................................... 444.2 Introduction ...................................................................................................................... 444.3 Physical Access Controls .................................................................................................. 454.4 Environmental Controls and HVAC ................................................................................. 46
4.5 Fire Control ....................................................................................................................... 474.6 Facility Design and Planning ............................................................................................ 484.7 Monitoring and Surveillance ............................................................................................ 494.8 Attacks and Vulnerabilities .............................................................................................. 494.9 Miscellaneous .................................................................................................................... 50
5 Security Architecture and Design ............................................................................................ 515.1 Definitions ......................................................................................................................... 515.2 Computer and System Architecture ................................................................................. 51
5.2.1 The Central Processing Unit - CPUCPU ................................................................... 515.3 Security Architecture ........................................................................................................ 535.4 Models for Access Control ................................................................................................ 535.5 Security Certification and Accreditation .......................................................................... 53
5.6 System Evaluation ............................................................................................................ 535.7 Attacks and Vulnerabilities .............................................................................................. 535.8 Miscellaneous .................................................................................................................... 53
6 Business Continuity and Disaster Recovery ............................................................................ 546.1 Definitions ......................................................................................................................... 546.2 Introduction ...................................................................................................................... 556.3 Business Impact Analysis (BIA) ....................................................................................... 556.4 Parts of Business Continuity Plan (BCP) ......................................................................... 566.5 Disaster Recovery Plan (DRP) .......................................................................................... 576.6 Data Center Recovery ....................................................................................................... 586.7 Attacks and Vulnerabilities .............................................................................................. 586.8 Miscellaneous .................................................................................................................... 59
7 Telecommunication and Network Security ............................................................................. 607.1 Definitions ......................................................................................................................... 607.2 ISO-OSI Network Model .................................................................................................. 607.3 TCP/IP Network Layers.................................................................................................... 62
7.3.1 Physical Layer ............................................................................................................ 627.3.2 Data Link Layer ......................................................................................................... 627.3.3 IP Layer ...................................................................................................................... 637.3.4 Transport Layer and TCP/UDP ................................................................................ 637.3.5 Application Layer ...................................................................................................... 64
7.4 Network Tiers and Defense-in-Depth defense in depth .................................................. 657.5 Network Services Security ................................................................................................ 65
7.5.1 Domain Name System or DNS.................................................................................. 657.5.2 Email .......................................................................................................................... 667.5.3 Web Servers ............................................................................................................... 667.5.4 Telnet ......................................................................................................................... 677.5.5 Secure Shell or SSH ................................................................................................... 677.5.6 FTP and SFTP ............................................................................................................ 677.5.7 TCP Wrappers ........................................................................................................... 677.5.8 Network Time Protocol or NTP ................................................................................ 67
7.6 Network Transport Level Security ................................................................................... 687.6.1 SSL/TLS SSL TLS ...................................................................................................... 68
-
7/28/2019 A quick guide to CISSP certification
5/93
Chapter One: Information Security and Risk Management
Copyright 2009 Rafeeq Rehman Page: 5 of 93
7.6.2 IPSec and GRE Tunnels ............................................................................................ 687.6.3 Secure Shell (SSH) SSH ............................................................................................ 68
7.7 Firewalls ............................................................................................................................ 687.7.1 Application Layer Firewalls and Application Proxies .............................................. 687.7.2 Load Balancers .......................................................................................................... 68
7.8 Network Address Translation or NAT ............................................................................. 68
7.9 Remote Access and Virtual Private Networks VPN ......................................................... 687.10 Intrusion Detection Systems IDS ..................................................................................... 697.11 Commonly Used Ports and Protocols .............................................................................. 707.12 Cellular Networks ............................................................................................................. 70
7.12.1 CDMA ........................................................................................................................ 707.12.2 GPRS .......................................................................................................................... 707.12.3 GSM ........................................................................................................................... 707.12.4 3G Wireless ................................................................................................................ 707.12.5 EDGE ......................................................................................................................... 707.12.6 EVDO ......................................................................................................................... 70
7.13 Voice Over IP or VoIP ....................................................................................................... 707.14 Attacks and Vulnerabilities .............................................................................................. 70
7.15 Miscellaneous .................................................................................................................... 708 Application Security ..................................................................................................................71
8.1 Definitions ..........................................................................................................................718.2 Security of Web Based Applications ................................................................................ 72
8.2.1 Three-Tier Architecture ............................................................................................ 728.2.2 User Registration and CAPTCHA ............................................................................. 728.2.3 Use of SSL .................................................................................................................. 72
8.3 Securing Client/Server Applications ................................................................................ 728.4 Single Sign On (SSO) ........................................................................................................ 728.5 Cross Company Authentication (CCA)............................................................................. 728.6 Common Attacks on Web-Based Applications ................................................................ 728.7 Attacks and Vulnerabilities .............................................................................................. 72
8.8 Miscellaneous .................................................................................................................... 728.9 Introduction ...................................................................................................................... 728.10 Software Development Life Cycle (SDLC) ....................................................................... 738.11 Application Security Testing ............................................................................................ 748.12 Security of Web Based Applications ................................................................................ 74
8.12.1 Three-Tier Architecture ............................................................................................ 758.12.2 User Registration and CAPTCHA ............................................................................. 758.12.3 Web Server Security .................................................................................................. 758.12.4 Use of SSL .................................................................................................................. 75
8.13 Security Web Services ....................................................................................................... 758.14 AJAX and Web 2 Technologies ........................................................................................ 758.15 Securing Client/Server Applications ................................................................................ 758.16 Single Sign On (SSO SSO) ................................................................................................ 758.17 Cross Company Authentication (CCA CCA) .................................................................... 758.18 Common Application Attacks and Flaws ......................................................................... 758.19 Attacks and Vulnerabilities .............................................................................................. 768.20 Miscellaneous .................................................................................................................... 76
9 Operations Security .................................................................................................................. 779.1 Definitions ......................................................................................................................... 779.2 Introduction ...................................................................................................................... 779.3 Securing Server ................................................................................................................. 78
-
7/28/2019 A quick guide to CISSP certification
6/93
Chapter One: Information Security and Risk Management
Copyright 2009 Rafeeq Rehman Page: 6 of 93
9.3.1 Securing Windows Servers........................................................................................ 789.3.2 Securing UNIX/Linux Servers .................................................................................. 789.3.3 Securing Mail Servers ............................................................................................... 789.3.4 Securing Web Servers ............................................................................................... 789.3.5 Creating Server Check Lists and Security Templates .............................................. 78
9.4 Securing Desktop .............................................................................................................. 78
9.5 Patch Management ........................................................................................................... 789.6 Vulnerability Testing ........................................................................................................ 789.7 Password Cracking ............................................................................................................ 789.8 Data Destruction ............................................................................................................... 789.9 Attacks and Vulnerabilities .............................................................................................. 789.10 Miscellaneous .................................................................................................................... 78
10 Legal, Regulations, Compliance and Investigation ............................................................. 8010.1 Definitions ........................................................................................................................ 8010.2 Computer Crimes .............................................................................................................. 82 10.3 Ethics ................................................................................................................................. 8210.4 Laws ................................................................................................................................... 8210.5 Incident Management ...................................................................................................... 83
10.6 Investigation and Forensics ............................................................................................. 8310.7 Attacks and Vulnerabilities .............................................................................................. 8310.8 Miscellaneous .................................................................................................................... 83
11 Commonly Used TCP and UDP Ports ..................................................................................... 8412 Glossary .................................................................................................................................... 8713 Index ......................................................................................................................................... 8914 Sample Questions ..................................................................................................................... 91
14.1 Introduction ...................................................................................................................... 9114.2 Questions .......................................................................................................................... 91
-
7/28/2019 A quick guide to CISSP certification
7/93
Chapter One: Information Security and Risk Management
Copyright 2009 Rafeeq Rehman Page: 7 of 93
Preface, Acknowledgements andIntroduction
CISSP certification needs a lot of preparation and breadth of knowledge. This book will help you
assess your knowledge quickly to help you know if you are really prepared for the CISSP exam. If
you are an experienced information security professional, it also helps you refresh your
knowledge quickly.
Acknowledgements
I am thankful to all of my friends who shared their thoughts and gave feedback to prepare
manuscript for this book.
How to Read This Book
By this time, you may have noticed that this book is very short compared to other CISSP exam
preparation books. The objective is to save your time (and money) while preparing for the CISSP
exam. The book also gives you a chance to see how prepared you are for the CISSP examination
by going through the bulleted points.
This book provides a quick overview of each topic in CISSP certification exam. You should read
it when you start preparing for the examination. At this stage, it will give you an idea about your
current level of knowledge.
At the end of each chapter, you will see a number of links where you can find more detailed
information about the CISSP exam. While reading information from those resources, if you find
something new that is not in this book, just keep on adding your notes with the empty pages.
This way you will keep on creating your own notes as well.
By the time you have reached the end of this book, you will have a decent amount of knowledge
that you can quickly browse through.
Questions, Comments, Criticism, Appreciations
Please contact the Author, Rafeeq Ur Rehman, [email protected] any questionsor comments or provide any feedback that can be helpful in the next version of this book. All
types of critique is welcomed.
mailto:[email protected]:[email protected]:[email protected]:[email protected] -
7/28/2019 A quick guide to CISSP certification
8/93
Chapter One: Information Security and Risk Management
Copyright 2009 Rafeeq Rehman Page: 8 of 93
Support This Free Book Project By Your Advertisement
You can support this book by placing your advertisement in this book. For more information,
[email protected]. If you are a vendor of information security products, you will
reach the right audience and it will be the best use of your marketing dollars.
mailto:[email protected]:[email protected]:[email protected]:[email protected] -
7/28/2019 A quick guide to CISSP certification
9/93
Chapter One: Information Security and Risk Management
Copyright 2009 Rafeeq Rehman Page: 9 of 93
ADVERTISEMENT
-
7/28/2019 A quick guide to CISSP certification
10/93
Chapter One: Information Security and Risk Management
Copyright 2009 Rafeeq Rehman Page: 10 of 93
Chapter One
1Information Security
and Risk
Management
1.1 DefinitionsConfidentiality of information prevents disclosure, unauthorized use of information.
Information should be made available who have a need-to-know.
Integrityensures that data is not modified in an un-authorized manner and it is consistent
Availability means that the data is available when it is needed by authorized persons or
processes.
Single Point of Failure is something that, if broken, can cause the whole system or process to
stop working.
Defense-In-Depth or DID means that there are multiple lines of defense to secure data
-
7/28/2019 A quick guide to CISSP certification
11/93
Chapter One: Information Security and Risk Management
Copyright 2009 Rafeeq Rehman Page: 11 of 93
SLA or Service Level Agreement defines the minimum standard of a service provided to
customers.
Certification is the formal process of risk assessment for a system and documenting the risk
with due-diligence
Accreditation is a process where business owners formally accept risk associated with a
project or system. Accreditation happens after certification
Riskis likelihood of loss.
Safeguardor a control or a counter measure is measure to reduce risk.
Threatis an event that can cause harm to assets (natural or man-made)
Threat Agentis an entity that can cause harm to an asset, e.g. an Internet attacker.
Vulnerability is a weakness in a system or process that can be exploited by a threat agent to
get access to an asset.
Exposure Factor or EF is the percentage loss (in dollar) from a single incident.
Single Loss Expectancy or SLE is loss in term of dollar from a single successful incident.
SLE= EF x Asset Value
Annual Rate of Occurrence or ARO is an estimate of how many time an incident will occur
within a year that will cause loss.
Annual Loss Expectancy or ALE is the total estimated loss within a year. This estimate is
based upon SLE and ARO. ALE=SLE x ARO
1.2 Introduction1. Organizations need to have a program to manage information security risk
2. An organization need to have policies, standards, guidelines, and procedures to ensure
information security.
3. Policies are generic whereas standards are specific. So a policy may state that data must
be protected whereas a standard may have specific language about protecting data by
encryption with AES encryption.
4. Policies and Standards are mandatory, whereas guidelines are not.
5. Procedures are detailed processes to do certain tasks
-
7/28/2019 A quick guide to CISSP certification
12/93
Chapter One: Information Security and Risk Management
Copyright 2009 Rafeeq Rehman Page: 12 of 93
6. Policies include controls framework and are very high level. Sample controls frameworks
are ISO 17799/ISO 27002.
7. ISO 17799 security controls framework is divided into 10 domains 1. These ten domains
are:
i. Organization of information security management
ii. Asset control
iii. Human resources
iv. Physical and environmental security
v. Telecommunications and operations
vi. Access control
vii. IT systems development and maintenance
viii. Incident management
ix. Business continuity and disaster recovery
x. Compliance
xi. An organization must also have a mission statement that shows the fundamental
principle of the organization.
8. An organization must also have a mission statement that shows the fundamental
principle of the organization.
9. SLA or Service Level Agreement defines the minimum standard of a service provided to
customers.
1.3 Basic Principles1. Risk management includes two major parts: risk assessment and risk mitigation.
2. Risk assessment is performed on different risk/attack scenarios keeping in view
vulnerabilities and controls.
3. Risk management consists of:
1 This book follows those ten domains, starting from this chapter
-
7/28/2019 A quick guide to CISSP certification
13/93
Chapter One: Information Security and Risk Management
Copyright 2009 Rafeeq Rehman Page: 13 of 93
4. Mitigating the risk by using some safeguards and counter measures.
5. Transferring the risk to other entities, like buying insurance
6. Assuming the risk, if expenditure on mitigation or transfer is more than the risk itself.
7. Three basic principles of information security are Confidentiality, Integrity, and
Availability or C-I-A. It is also called information securitytriad.
8. Opposite to CIA is DAD which is Disclosure-Alteration-Destruction.
9. To achieve defense-in-depth, you need to do many things including:
a. Have multiple layers of network separated by firewalls.
b. Implement solutions from different vendors at different layers to ensure a
problem with one vendor does not impact all layers.
c. Incorporate security principles, policies, best practices, education, and awareness
programs
d. Implement monitoring systems including log monitoring, intrusion detection and
prevention, event correlation, and log retention.
e. Implement the principle of separation of duties such that one person is not able
to perform end-to-end tasks
f. Avoid single points of failure
g. Implement network segmentation to create choke points so that parts of network
can be quarantined if needed.
10.Data classification means that data should be categorized based upon level of sensitivity
and level of protection required for a particular of data. Sample classifications may
include confidential, protected, public etc.
11.A person must be in-charge of overall management of information security
12.Roles are responsibilities must be defined based upon the principle of separation of
duties
13.Organizations must implement a program for security certification and accreditation
(SC&A) to identify, document, and manage risk related to projects.
14.A network architecture should be created for defense-in-depth that implements multiple
lines of defense, also called network tiers
-
7/28/2019 A quick guide to CISSP certification
14/93
Chapter One: Information Security and Risk Management
Copyright 2009 Rafeeq Rehman Page: 14 of 93
15. Information security practices should be integrated in human resources hiring and firing
processes
16.Senior management is responsible for creating information security program
17.
You should use multiple controls to protect data. These controls include:
a. Administrative controls such as security policies.
b. Technical controls such as encryption.
c. Physical controls such as key card access, security guards.
1.4 Availability1. Single points of failure affect availability and reliability of a system.
2. Highly Available (HA) systems dont have single points of failure
1.4.1 Avoiding Single Points of Failure1. Hardware: Dual power supplies, RAID including disk mirroring, fail-over clustering,
parity, multiple network adapters, hot swappable components
2. Software and Systems: failover clustering, multiple data centers
3. Network: multiple network paths, dynamic routing algorithms, dial backup, multiple
telecom providers, firewall clusters
4. Processes: Multiple vendors and service providers, multiple employees trained for each
job.
1.5 Data Classification1. Data classification is important to put appropriate security controls around data
depending upon its importance
2.
Data classification is based upon different criteria like: value of data, regulatoryrequirements, retention period.
3. Data value will be high if the data is related to company secrets, customer and employee
information, credit card and bank/financial information, health information, etc.
4. Different types of security controls are applied depending upon data classification.
-
7/28/2019 A quick guide to CISSP certification
15/93
Chapter One: Information Security and Risk Management
Copyright 2009 Rafeeq Rehman Page: 15 of 93
5. Ideally, all data should be marked with its classification irrespective of how it is stored
(electronic, paper)
6. US government data classifications include (in order of sensitivity): Unclassified,
Sensitive but Unclassified, Confidential, Secret, and Top Secret.
7. Private organizations may define their own classification depending upon their own
requirements. Examples: restricted, confidential, internal user only, public, etc.
8. Data owner data owner is a an executive or senior management person who is officially
responsible and personally liable for the security of data.
9. A data custodian data custodian has the day to day responsibility of managing data. Data
custodians may network administrator, DBA, system administrator or other people in
similar role. The owner has the ultimate responsibility whereas the custodian has the
day-to-day responsibility to ensure security.
10.The owner performs data classification, create policy to protect data, and assign
custodians. Custodians on the other hand backup and restore data, perform encryption,
manage privileged user accounts, and so on.
11. Regular users who have access to data are responsible for following policies defined by
data owners.
12.Data classification must be reviewed at some defined intervals because it may change
over time depending upon changed risk posture to a company
13.During data classification process, factors like value of data, age of data, competitive
advantage, etc should be considered.
1.6 Personnel Security1. Where needed, hiring process should include drug testing, background checks, credit
history, and security clearance.
2. Minimum notice should be given to a candidate for drug test, preferably one to two days
only to get good results.
3. The new employee orientation process should include introduction to security policy
4. The HR policies should include accepted guidelines for computers and other company
resources.
5. Employee references and application data must be verified for new employees
-
7/28/2019 A quick guide to CISSP certification
16/93
Chapter One: Information Security and Risk Management
Copyright 2009 Rafeeq Rehman Page: 16 of 93
6. If an employee is fired from company, the HR process must include notification to IT
staff to immediately disable user accounts and access to network. In other words, the HR
process must be tied to the identity management process.
7. Security badges and key card access must be used for employees with access to sensitive
locations, including data centers.
8. If an employee has knowledge of shared account/generic accounts, passwords for those
accounts must be changed when an employee leaves the company or moves to another
position in the company
9. Upon termination of employment, notice should be sent to other employees, vendors,
service providers, and so on.
10.It is accepted industry practice that company email is the property of a company. There
should be a policy to keep email of terminated employees for a certain period of time.
Incoming email for a terminated employee may be redirected to the manager for a
specified period of time to avoid missing email from vendors.
11. There should be a specific job description for each employee to ensure roles and
responsibilities understood by all.
12.Job rotation is a way to minimize risk related to collusion. In collusion, two or more
people work together to commit fraud.
13.The principle of separation of duties should be implemented to ensure a single person is
not able to control any process completely.
1.7 Risk Management and Risk Lifecycle1. Risk is a measure of a corporations tolerance to security events. It depends upon threat
vectors, vulnerabilities, and estimation of loss in number of dollars. In many places in
the text, the formula is: risk = threat x vulnerability. The author believes that this
formula does not show the complete picture because it does not take into account
expected loss2.
2. Risk goes through different stages in its life. Some stages are: identified, documented,
assessed, transferred, mitigated, closed
2 SMART (http://smart.conformix.com) is a system to manage information risk
-
7/28/2019 A quick guide to CISSP certification
17/93
Chapter One: Information Security and Risk Management
Copyright 2009 Rafeeq Rehman Page: 17 of 93
3. Risk associated with a security issue may change over time. For example, new laws and
regulations, change in business practices, and new threats may change risk level.
4. After identification, risk can be controlled in three ways: it can be mitigated, assumed, or
transferred to other entities.
5. Risk controlling should be cost effective. This means that if a risk is worth $100, you
should spend less than $100 to control it.
6. An example of transferring risk is buying an insurance to an asset.
7. Risk can never be zero. However it can be mitigated to an acceptable level.
8. Quantitative risk analysis includes estimating risk in terms on number of dollars or
numbers.
9.
Qualitative risk analysis is usually in terms of ``High'', ``Medium'', and ``Low''. It doesnot deal with numbers and is more subjective than quantitative risk analysis.
10.Quantitative risk analysis may include complex formulas, needs data, and may take more
time to perform. On the other hand, qualitative risk analysis is more subjective, does not
include many calculations, and does not need that much data as the quantitative risk
analysis.
11. Compensation controls compensation controls are measures that you take to reduce risk.
12.Risk is never zero. There is always a residual risk even if good controls are implemented
13.OCTAVEis a risk assessment methodology.
1.8 Security Policies and Standards security policy andstandards
1. Policies3 are high level statements from senior management.
2. Standards define how the policies will be implemented.
3. Guidelines are not mandatory. These are used to help implement the informationsecurity policy.
4. Procedures are detailed, step-by-step processes to do certain tasks.
3 PolicyDOC (http://www.policydoc.com) is a policy and procedure management software.
http://www.policydoc.com/http://www.policydoc.com/http://www.policydoc.com/http://www.policydoc.com/ -
7/28/2019 A quick guide to CISSP certification
18/93
Chapter One: Information Security and Risk Management
Copyright 2009 Rafeeq Rehman Page: 18 of 93
5. If a security policy can't be implemented for any reason, there must be an exception
process to the security policy
6. Since technologies keep on changing, security policies must be updated on regular basis
1.9 Education and Awareness education and awareness1. Security awareness program is important for overall information security management.
2. Awareness programs help in avoiding attacks related to social engineering, data leakage
by accident.
3. The programs need to be continuous in nature (not a one-time item).
4. Items like security policies, data destruction, importance of paper shredding, roles,
responsibilities, data classification, physical security, importance of key card access,
appropriate use of email and the Internet, should be covered in these programs.
5. Security newsletters, seminars, etc may be part of awareness programs.
1.10 Roles and Responsibilities1. Owner is an executive level person who is the ultimate responsible person to protect
information.
2. Custodian is appointed by the owner and has responsibility of securing information from
a day to day routine perspective.
3. Information Users are the end users of the information who are given access by the
custodian on the basis of need-to-know.
1.11 Attacks and VulnerabilitiesIn the absence of a well established information security and risk management program, the
organization may become vulnerable to a number of attacks as listed below.
1. Lack of education and awareness may result in successful social engineering attacks.
Social engineering is a type of attack where an attacker will try to get information by
social interaction like pretending to be a fellow company employee, using phone calls to
get information, etc.
2. If employees are not trained in data destruction \footnoteData destruction means
destroying data when no longer needed, e.g. shredding papers, degaussing disks,
-
7/28/2019 A quick guide to CISSP certification
19/93
Chapter One: Information Security and Risk Management
Copyright 2009 Rafeeq Rehman Page: 19 of 93
shredding tapes, etc.data destruction, attacks like dumpster diving \footnoteIn dumpster
diving, attackers look into company dumpsters to find papers and other useful data
dumpster diving may result in data disclosure
3. Absence of data classification may confuse employees about which information is
sensitive and how it should be protected. As a result, employee may divulge sensitiveinformation.
4. Denial of Service (DoS) Denial of Serviceattacks cause availability issues. DoS attacks try
to make a system (web site, databases) unavailable to users causing in loss.
5. Distributed Denial of Service (DDoS) Distributed Denial of Service is a special type of
attack that Internet attackers launch against web sites. Typically, a large number of
hacked computers are used to launch attack against a web site. These attacks include
creating a large Internet traffic volume to the web site to bring it down or to make it very
difficult for the real users to access it.
6. Attackers, social engineering, unprotected files, insecure communication protocols, are
some examples of major threats to confidentiality of data
7. Natural disasters, power outages, system failures, denial of service attacks are major
threats to availability of data.
8. Usually software patches are used to fix vulnerabilities in software. Vulnerabilities
related to poor network design are difficult to fix until new network design is
implemented.
1.12 Miscellaneous1. Separation of duties help in safeguarding data from internal threats. Job rotation is
another way to combat internal threats.
2. People should also be considered as single point of failure if there is only one person to
do a certain business function.
3. Education and awareness may include publication of security newsletters, security
training, employee orientation, etc.
4. Baselines are minimum security processes implemented in an organization.
-
7/28/2019 A quick guide to CISSP certification
20/93
Chapter One: Information Security and Risk Management
Copyright 2009 Rafeeq Rehman Page: 20 of 93
-
7/28/2019 A quick guide to CISSP certification
21/93
Chapter Two: Access Control
Copyright 2009 Rafeeq Rehman Page: 21 of 93
Chapter Two
2Access Control
Access controls domain scope is related to all of the following:
1. Authentication and authorization
2. User account provisioning, management, deletion
3. Password controls
4. Network access controls
2.1 DefinitionsAccounting is mechanism to calculate for how long a resource is used or for how long a
user has been logged in to a web site.
Identification is a process to ensure that an entity (person, program, computer) is what it
claims to be. In a typical scenario, an account is created after identification.
Authentication happens after identification. Typically it is a login process using
username/password. Other mechanisms like X.509 certificates, PINs, token, cards, etc can
also be used.
Authorization is used after authentication to grant a certain level of access based upon
authentication. For example, all authenticated users may not be allowed to alter
information. Only users in administrator group may alter/add/delete information.
-
7/28/2019 A quick guide to CISSP certification
22/93
Chapter Two: Access Control
Copyright 2009 Rafeeq Rehman Page: 22 of 93
SSO (Single Sign On) is a mechanism of getting access to multiple resources (systems,
applications, etc) by entering username/password only once.
Graded Authorization systems implement multiple levels of authorization. For example,
a person may be granted read-only access to a web account, read-only access plus view bills,
and all of the above plus make payments
Risk-based Authorization is used to grant access resources based upon risk level
associated with an account, account creation, or authentication method.
Cognitive Passwords are based upon some facts or something you remember, e.g.
mother's maiden name, color of your first car, etc.
Passphrase is a string that is longer than password and is used in place of password. The
actual password is generated by the application based upon passphrase. PGP is an example
of the application that uses passphrase.
2.2 Access Control1. Access controls are put in place to control and monitor flow or retrieval of information in
networks, databases, and other systems.
2. Username/password, certificates, group memberships, access lists are some mechanisms
for access control.
3. Access Controls are put in place to protect Availability, Confidentiality, and Integrity of
information.
4. Availability means that information must be available to users in timely manner.
5. Confidentiality means that information will be made available to only those entities
(people, systems, applications) who have a need to get that information.
6. Integrity means that information should be protected from unauthorized alteration.
7. Access can be controlled using many factors like physical access, logical access, access
based upon time of day, etc.
8. Access should always be granted on the basis of need-to-know.
9. When granting access, principle of least-privileges should be implemented. By thin
principle, a person should have no more privileges than needed to do his/her job.
-
7/28/2019 A quick guide to CISSP certification
23/93
Chapter Two: Access Control
Copyright 2009 Rafeeq Rehman Page: 23 of 93
10.Role-based access helps in granting access to a person based upon his/her role. If role of
a person changes, the access level also changes.
11. Role-based access helps in controlling access creep which results from employees
moving from one department to another and previous access is not fully revoked. In role-
based access, when a role changes, access for the previous role is automatically revoked.
12.A good practice of granting access is to always start with ``no access'' to a resource.
Example: while creating access list on a firewall, first deny everything and then open
ports on as-needed basis.
13.Authentication is based upon three items: Something you know, something you have, or
something you are.
14.Strong authentication happens when a system uses multiple mechanisms (know, have,
is).
15. Two factor authentication means you are using two out of three mechanisms (know,
have, is).
16.Pass phrases are longer strings than passwords. Typically a system will convert a
passphrase into a password for actual authentication.
17. Memory cards store information which is used for authentication. Smart cards are
capable of storing and processing information. Smart cards usually have integrated chips
on them. Some smart cards work on contact while others are contact-less.
18.RADIUS (Remote Authentication Dial-in User Service) and TACACS (Terminal Access
Controller Access Control System) are used for centralized access control.
19.Microsoft RAS is another centralized access control mechanism for remote users.
20.PAP (Password Authentication Protocol) and CHAP (Challenge Handshake
Authentication Protocol) are also used for remote as well as client-server access controls.
21.EAP (Extensible Authentication Protocol) is also used for access control for remote
users.
22.AAA (Authentication, Authorization, Accounting) is a name for process that does all
these three items.
23.Accounting is mechanism to calculate for how long a resource is used or for how long a
user has been logged in to a web site.
-
7/28/2019 A quick guide to CISSP certification
24/93
Chapter Two: Access Control
Copyright 2009 Rafeeq Rehman Page: 24 of 93
24.Always start with no access to a resource. Example: while creating access list on a
firewall, first deny everything and then open ports on as-needed basis.
25.Identification is a process to ensure that an entity (person, program, computer) is what it
claims to be. In a typical scenario, an account is created after identification.
26.Identity Management is a process of creating/modifying/deleting identities. It also
includes services for authentication and authorization.
27.LDAP (Lightweight Directory Access Protocol) is used to store and retrieve
authentication and authorization information. OpenLDAP is open source
implementation of LDAP.
28.There are other directory services as well, like Novell NDS, Oracle OID, etc.
29.Kerberos is an authentication and authorization mechanism used in many systems
including Microsoft Windows. In Greek mythology, Kerberos is name of a three headeddog.
30.SSO (Single Sign On) is a mechanism of getting access to multiple resources (systems,
applications, etc) by entering username/password only once.
31.Kerberos can be used for single sign on (SSO).
32.In Kerberos, KDC (Key Distribution Center which is a component of Kerberos) generates
tickets for principals.
33.Principals use tickets to get access to different resources in a Kerberos system.
34.Certificates with public/private encryption keys are used in Kerberos.
35.Authentication happens after identification. Typically it is a login process using
username/password. Other mechanisms like X.509 certificates, PINs, token, cards, etc
can also be used.
36.Authorization is used after authentication to grant a certain level of access based upon
authentication. For example, all authenticated users may not be allowed to alter
information. Only users in administrator group may alter/add/delete information.
37.Authentication is based upon three items: Something you know, something you have, or
something you are.
38.Strong authentication happens when a system uses multiple mechanisms (know, have,
is).
-
7/28/2019 A quick guide to CISSP certification
25/93
Chapter Two: Access Control
Copyright 2009 Rafeeq Rehman Page: 25 of 93
39.Two factor authentication means you are using two out of three mechanisms (know,
have, is).
40.Graded authorization means you give a lower level of access initially and if the person
needs more access, you ask for additional proof to grant more access.
41.Risk-based authorization means you provide access to entities based upon risk level
associated with the object and the security clearance of the person needing access.
42.Pass phrases are longer strings than passwords. Typically a system will convert a
passphrase into a password for actual authentication.
43.Memory cards store information which is used for authentication. Smart cards are
capable of storing and processing information. Smart cards usually have integrated
chips on them. Some smart cards work on contact while others are contact-less.
44.Memory and smart cards are vulnerable to attacks where an attacker can steelinformation by placing rogue card readers.
2.2.1 Access Control Types1. Discretionary access control (DAC) access based systems allow the owner of a resource to
decide who can access the resource.
2. Mandatory access control (MAC) based systems ensure that the operating system makes
a determination about who can access a resource.
3. Mandatory access controls systems assign sensitivity levels to different resources. If auser has permission equal to or higher of the sensitivity level, the user is allowed to
access the resource.
4. Role-based access control (RBAC) systems work on the basis of roles assigned to users.
Permissions to access a resource are granted to different roles instead of particular users.
The access to a resource is controlled by the system.
2.3 Remote Authentication1. RADIUS (Remote Authentication Dial-in User Service) RADIUS and TACACS (Terminal
Access Controller Access Control System) TACACS are two protocols used for centralized
access control.
2. Microsoft RAS is another centralized access control mechanism for remote users.
-
7/28/2019 A quick guide to CISSP certification
26/93
Chapter Two: Access Control
Copyright 2009 Rafeeq Rehman Page: 26 of 93
3. PAP (Password Authentication Protocol) PAP and CHAP (Challenge Handshake
Authentication Protocol) CHAP are also used for remote as well as client-server access
controls.
4. EAP (Extensible Authentication Protocol) EAP is also used for access control for remote
users.
5. AAA (Authentication, Authorization, Accounting) AAA is a name for process that does all
these three items.
2.4 Biometrics1. Biometrics (finger prints, retina and iris scans, facial recognition, hand geometry and
topography, voice print, signatures characteristics, etc) are also used for authentication.
Biometrics are used to authentication based upon what you are.
2. Biometric systems are not 100% accurate and can reject authorized individuals (Type I
errors) or allow unauthorized users (Type II errors).
3. Things to consider in biometric: processing speed, Crossover Error Rate (CER), cost,
sensitivity.
4. CER shows the point where Type I and Type II errors become equal. The lower CER, the
better the device is. To get CER, Type I and Type II errors are plotted against sensitivity.
The point where both curves cross shows CER.
5. Each authenticated entity must have unique credentials (e.g. unique username) for
accountability and logging.
2.5 Passwords Security1. Passwords are usually stored in directory services (like LDAP), database tables, or in flat
files. Passwords must be encrypted.
2. Many systems use passwords in one-way hash (e.g. MD5, SHA1, etc) forms. Hashed
passwords are better than encrypted because if someone finds encryption key, thatperson can decrypt passwords. However, there is no reverse process for hashed
passwords.
3. Passwords are vulnerable to attacks like brute force, dictionary attacks, social
engineering, password crackers, network traffic sniffing.
-
7/28/2019 A quick guide to CISSP certification
27/93
Chapter Two: Access Control
Copyright 2009 Rafeeq Rehman Page: 27 of 93
4. Password controls should be put in place. Password controls include password aging,
password expiration, disallowing dictionary words as passwords, enforcing a
combination of letter and numbers, password history so that old passwords cant be
reused, and so on.
5. Password aging forces user to change passwords within a certain period of time.
6. When a password is reset by a customer service representative, the user must be
enforced to change it at the first login.
7. If more than one person knows passwords, it is a bad sign for security.
8. One time use passwords (OTP) are created dynamically with the help of a token device.
The token device generates these based upon sequence number of time stamp.
9. Token devices are vulnerable if stolen and user ID (username) is not kept confidential.
10.Self-service password reset can be achieved in a number of ways, including:
a. Sending email to a pre-registered email address
b. Asking the user to answer to one or more questions that the user has already
stored on the web site
c. Sending a text message to a pre-registered cell phone
2.6 Identity Management and Directory Services1. Identity Management is a process of creating/modifying/deleting identities. It also
includes services for authentication and authorization.
2. LDAP (Lightweight Directory Access Protocol) is used to store and retrieve
authentication and authorization information.
3. OpenLDAP is open source implementation of LDAP.
4. There are other directory services as well, like Novell NDS, Oracle OID, etc.
-
7/28/2019 A quick guide to CISSP certification
28/93
Chapter Two: Access Control
Copyright 2009 Rafeeq Rehman Page: 28 of 93
2.6.1 Kerberos1. Kerberos4 is an authentication and authorization mechanism used in many systems
including Microsoft Windows. In Greek mythology, Kerberos is name of a three-headed
dog.
2. Kerberos was developed in MIT as part of project Athena.
3. Many systems including Windows 2000 and Windows 2003 use Kerberos.
4. Passwords are never sent over network during authentication process used in Kerberos.
5. Kerberos can be used for single sign on (SSO).
6. In Kerberos, KDC (Key Distribution Center which is a component of Kerberos) generates
tickets for principals'.
7. Principals use tickets to get access to different resources in a Kerberos system.
8. KDC provides authentication and key distribution. KDC is the center of trust in
Kerberos. Any compromise to KDC has the potential of compromise of the whole system.
9. Principals can be considered as clients' and they may be regular users, computers,
printers, and so on.
10.Kerberos is essentially a 3-party system where two principles authenticate to each other
using KDC.
11. Remember the following about the Kerberos system:
a. KDC runs Authentication Service (AS) and Ticket Granting Service (TGS)
b. When a user first time authenticates to Kerberos, KDC issues a Ticket Granting
Ticket (TGT).
c. A principal will keep TGT and will use to get a ticket from KDC when needed
d. The authenticator is part of ticket that contains identification information of a
user.
e. A Service Center (SS) is usually a principal that provides a service to a client.
12.A session key is used between two principals to secure data.
4 http://web.mit.edu/kerberos
-
7/28/2019 A quick guide to CISSP certification
29/93
Chapter Two: Access Control
Copyright 2009 Rafeeq Rehman Page: 29 of 93
13.KDC is a single point of failure in Kerberos.
14.Kerberos keys are vulnerable to memory attacks because these are stored in RAM by
principals.
15.
A secret key is established between a principal and the KDC. KDC and the principalstrust each other based upon that secret key.
16.KDC acts as a trusted party among different principals who don't trust each other
directly.
17.All tickets have time limit and protected from replay attacks and someone captures
network traffic.
18.Kerberos uses symmetric encryption (DES). Some extensions allow use of PKI and
certificates as well.
19.Kerberos is mutual authentication protocol where both parties taking part in a
conversation verify each other.
20.Recent updates to Kerberos has implemented stronger encryption to Kerberos, including
AES.
21.Kerberos time synchronization among principals and KDC to verify validity of tickets.
22.Use of protocols like NTP is needed to run Kerberos smoothly.
2.6.2 Light Weight Directory Access Protocol or LDAP1. One of more LDAP servers are used to store information about objects. Most of the
servers can synchronize their databases.
2. LDAP clients connect to directory servers for authentication and authorization purposes.
3. Authorization is performed based upon different attributes associated with an object.
2.6.3 OpenID1. OpenID5 is used mostly for authentication with web-based applications.
2. OpenID is a 3-party system: Identity Provider, Relying Party, and the User Agent (or web
browser)
5 http://www.openidbook.com for my other book on OpenID
-
7/28/2019 A quick guide to CISSP certification
30/93
Chapter Two: Access Control
Copyright 2009 Rafeeq Rehman Page: 30 of 93
2.6.4 NTLM1. NTLM or NT LAN Manager is a Microsoft protocol.
2. NTLM is a challenge-response protocol. It is an evolution of an older Microsoft protocol
known as LAN Manager.
3. NTLM has two versions: NTLMv1 and NTLMv2.
4. NTLM is an older protocol and is replaced by Kerberos in Windows 2000 onwards.
5. NTLM is still being used when a computer is not part of a Windows domain or where no
Windows domain exists. Examples: peer-to-peer networks like Windows workgroups in
small offices.
6. It can be used for authentication based upon IP addresses.
2.6.5 Microsoft Active Directory Active Directory1. Active Directory or AD is the directory service that comes with Microsoft Windows
servers and it is the main directory repository from Microsoft.
2. Active Directory implements the concept of forest in which there may be multiple
domains.
3. Each domain can contain multiple Organizational Units or OU. OU is used to group
objects and implements controls on the group.
4. Different types of trusts can be established among Active Directory domains.
2.7 Controlling Access in Networks1. To control access on network, it is advisable to segment network in different domains.
Example: administration domain should be separate from Internet.
2. Each domain should be separated by firewalls with only limited traffic to pass through.
3. Network should also have layers of security. Three layers between Internet and core
database computers are recommended.
4. Layers should be separated by firewalls.
5. While opening firewall ports, use individual IP addresses for source and destination
computers instead of network addresses.
-
7/28/2019 A quick guide to CISSP certification
31/93
Chapter Two: Access Control
Copyright 2009 Rafeeq Rehman Page: 31 of 93
2.8 Types of Access Controls1. One way to classify access controls is based upon how they are utilized. In this regard,
access controls may be preventive or detective in nature.
2.
Access controls may also be classified as physical, technical, and administrative.
3. Preventive access controls are used to stop an attacker from getting access to data or
system, such as passwords. Detective access controls are used to detect any violation
after the fact, such as log files.
4. Examples of physical access controls are security guards, locks, key card access, and so
on.
5. Example of technical access controls are passwords, firewalls, etc.
6.
Examples of administrative access controls are policies, security templates, backgroundchecks, etc.
2.9 Access Control Monitoring1. Access controls violations need to be monitored at multiple places. The controls should
be monitored at least at Network level, Operating Systems level, and applications level.
2. Access control monitoring is performed in many ways using logs, IDS/IPS, etc.
3.
In Microsoft Windows, event viewer shows failed logins.
4. In UNIX/Linux systems, Syslog can be used to monitor failed and successful logins.
5. The logs data must be stored on log servers instead of locally at each machine. The
reason is that if a system is compromised and log data is stored on the same system, the
attacker will remove that data to delete any footprints.
2.10 Attacks and Vulnerabilities1. Keyboard loggers are commonly used by attackers to steel username and password
information. Key loggers are software or other mechanisms that log keyboard
information without a user knowledge and send this information to an attacker.
2. Phishing attacks are also commonly used against popular attacks to get username and
password information. This is done by sending fake emails that look like official and
luring innocent users to click on links in the email to go to a rouge web site that looks like
an official company web site.
-
7/28/2019 A quick guide to CISSP certification
32/93
Chapter Two: Access Control
Copyright 2009 Rafeeq Rehman Page: 32 of 93
3. Password crackers are software that are used to crack password. These programs work
on common password vulnerabilities and dictionaries to crack passwords. For example, a
password cracker may get a UNIX password file and start password cracking by using
the same password as the username, first name, last name, and so on.
4. Memory and smart cards are vulnerable to attacks where an attacker can steelinformation by placing rogue card readers.
-
7/28/2019 A quick guide to CISSP certification
33/93
Chapter Three: Cryptography
Copyright 2009 Rafeeq Rehman Page: 33 of 93
Chapter Three
3Cryptography
3.1 TerminologyCryptography is field of science that deals with encryption.
Plaintextis converted to ciphertextas a result of encryption. Plaintext is intelligible data.
Plaintext is also called cleartext.
Akey is used to convert plaintext to ciphertext. Key is a string of characters and depending
upon type of encryption, it may have different lengths.
The opposite of encryption is decryption.
Cryptanalysis is the field of study to break encryption. It is used to decrypt data without the
keys.
If two parties were engaged in a communication and one of them denies of having the
communication, it is called repudiation. Encryption is also used to overcome this problem
by ensuring non-repudiation.
The work factor is the amount of time required to break encryption or other protective
measures.
In block-mode ciphers, data is broken into blocks for encryption.
-
7/28/2019 A quick guide to CISSP certification
34/93
Chapter Three: Cryptography
Copyright 2009 Rafeeq Rehman Page: 34 of 93
In block-chaining ciphers, data is broken into block for encryption but parts of blocks
overlap.
In stream-ciphers, data is passed through the encryption mechanism as a stream of bits or
characters instead of breaking it into blocks.
Cryptographic Algorithms are used to convert plain text to cipher text and vice versa.
Link Encryption enables encrypting data on a communication link, like a computer network.
End-to-End Encryption encrypts date from source to the destination.
Substitution Cipher replaces character in the plain text with other characters or numbers. It
may also be done by shifting character right or left in the sequence.
Transposition Cipher uses permutation to convert plain text to cipher text.
Digital Signature is a mechanism to detect any unauthorized modification to text and non-
repudiation. It is not encryption.
3.2 Introduction1. Encryption is used for the many purposes, including:
a. Protection of confidentiality of data
b. Ensuring data integrity
c. Non repudiation
2. Typical key lengths are 64 bit, 128 bit, 256 bits, and so on.
3. Longer keys usually provide stronger encryption.
4. Encryption is performed using open or public algorithms as well as proprietary
algorithms
5. Open algorithms are considered as more standard and more secure.
6. For encryption to be reliable, the security of encrypted data should depend only on
secrecy of the encryption key and not on the process of encryption (encryption
algorithm).
-
7/28/2019 A quick guide to CISSP certification
35/93
Chapter Three: Cryptography
Copyright 2009 Rafeeq Rehman Page: 35 of 93
3.3 Alogrithms1. There are two main types of algorithms: symmetric and asymmetric.
2. Symmetric encryption algorithms are also called private key or shared key
algorithms.
3. Symmetric algorithms use that same key for encryption and decryption. This key is also
called a shared key. DES, 3DES, AES, etc are examples of symmetric algorithms.
4. Asymmetric algorithms use two keys: public and private. Data encrypted by one key can
be decrypted only by the other key. RSA is an example of asymmetric algorithm.
5. Symmetric algorithms are usually faster than asymmetric algorithms as for as execution
time is concerned.
6.
In many cases, asymmetric algorithms are used to transfer shared key in the initial phaseof communication between two parties. After that shared key is used for encryption. This
is done to make the encryption faster.
3.3.1 Digital Encryption Standard (DES)1. Developed by IBM
2. Provides block mode symmetric encryption. A single key is used for both encryption and
decryption.
3.
Uses 56 bit key length with 8 parity bits making the key a total of 64 bit long.
4. It uses 16 rounds of substitutions and transpositions.
5. The detailed information is available athttp://www.itl.nist.gov/fipspubs/fip46-2.htm
6. Can be implemented in hardware and software and provides efficient encryption.
3.3.2 Triple Digital Encryption Standard (3DES6)1. More secure than simple DES algorithm. Written as 3DES or TDES.
2. It is symmetric encryption algorithm.
3. Uses three steps to encrypt data with effective key length of 192 bits (64x3). If parity bits
are taken off, the key length is 168 bits (56x3).
6 Standard document available athttp://csrc.nist.gov/publications/nistpubs/800-67/SP800-67.pdf
http://www.itl.nist.gov/fipspubs/fip46-2.htmhttp://www.itl.nist.gov/fipspubs/fip46-2.htmhttp://www.itl.nist.gov/fipspubs/fip46-2.htmhttp://csrc.nist.gov/publications/nistpubs/800-67/SP800-67.pdfhttp://csrc.nist.gov/publications/nistpubs/800-67/SP800-67.pdfhttp://csrc.nist.gov/publications/nistpubs/800-67/SP800-67.pdfhttp://csrc.nist.gov/publications/nistpubs/800-67/SP800-67.pdfhttp://www.itl.nist.gov/fipspubs/fip46-2.htm -
7/28/2019 A quick guide to CISSP certification
36/93
Chapter Three: Cryptography
Copyright 2009 Rafeeq Rehman Page: 36 of 93
4. Another algorithm, Advanced Encryption Standard (AES) is preferred now over 3DES.
3.3.3 Advanced Encryption Standard or AES AES1. AES is a US government standard for information encryption.
2. AES used Rijndael block cipher algorithm.
3. AES can have key length as 128, 192, or 256 bits.
4. It is fast and can be easily implemented in hardware.
5. Another characteristic of AES is that it is resistant against currently known attacks.
3.4 Public Key Cryptography1.
Public key cryptography is a mechanism where two keys are used for encryption anddecryption: A public key and a private key.
2. A person with the key pair (public and private) makes his/her public key available to
everyone while keeps the private key secret.
3. Data encrypted with public key can be decrypted by private key only and vice versa.
4. If a person Bob wants to send a secure data to another person Alice, Bob will use Alices
public key to encrypt the data. Now only Alice can decrypt it because only Alice has the
private key.
5. To ensure that the data is coming from Bob, Bob will use his private key to encrypt it.
When Alice receives it, she will use Bobs public key to decrypt it. If the decryption is
successful, it is guaranteed that Bob sent it because Bob is the only person who has the
private key. If someone else pretended to be Bob and sent a message to Alice, Alice will
not be able to decrypt the data using Bobs public key. Sometimes this is also called
signing the data and is used for non-repudiation.
6. Digital Signature may be added to a digital message (like email) to ensure the source of
message. Digital signature is usually hash code of the message which is encrypted using
senders private key. The recipient can decrypt the signature (get hash code), create anew hash code and compare the two. If both match, it ensure that the message was not
altered on its way and it was sent by the real sender.
7. In many cases both encryption and digital signature are used to:
a. Ensure confidentiality of data
-
7/28/2019 A quick guide to CISSP certification
37/93
Chapter Three: Cryptography
Copyright 2009 Rafeeq Rehman Page: 37 of 93
b. Integrity of data (the data was not altered)
c. Non-repudiation (the data was sent by the real sender)
8. Many systems are developed using public key cryptography. The most commonly known
system is PGP (Pretty Good Privacy)
9. Key Rings are electronic storage of digital keys. In many cases, key rings are simple
files.
3.4.1 RSA Algorithm1. RSA is the most commonly used asymmetric algorithm in PKC Public Key Cryptography.
2. The name of the algorithm is composed of first characters of last names of its inventors
(Rivest, Shamir, Addleman).
3. The algorithm is based upon large prime numbers that are used to generate public and
private key pair.
4. The larger the prime numbers, the difficult it is to factor their product.
3.5 PGPPGP is now a standard encryption mechanism defined by Internet Engineering Task Force
(IETF) RFC 48807 and used a public/private key pair for data encryption.
1. Free version of PGP is available fromhttp://www.gnupg.org
2. PGP can be used for multiple purposes including file and disk encryption, secure email,
digital signatures and so on.
3.6 Hashing1. Hashing is a used to ensure integrity of data. It is not used for encryption.
2. There are many popular hashing algorithms including MD5 (Message Digest 5), SHA-1
(Secure Hash Algorithm), etc.
3. MD5 produces 128 hash code and was developed by Ron Rivest. MD5 is IETF standard
defined by RFC 13218.
7 http://www.ietf.org/rfc/rfc4880.txt
http://www.gnupg.org/http://www.gnupg.org/http://www.gnupg.org/http://www.gnupg.org/ -
7/28/2019 A quick guide to CISSP certification
38/93
Chapter Three: Cryptography
Copyright 2009 Rafeeq Rehman Page: 38 of 93
4. MD4 is older than MD5 and is not used much.
5. SHA-1 produces 160 bit hash code and was developed by NIST.
6. Output of a hash function is the same, no matter how long the input data is.
7. CRC or Cyclic Redundancy Check is a type of hash.
8. Message Authentication Code or MAC is a checksum calculated for a message before
sending it out. MAC is then calculated at the recipient side to ensure that the message is
not changes on its way.
9. Hashed Message Authentication Code or HMAC uses a key to generate MAC.
3.7 Encrypting Data-At-Rest1. Data needs to be encrypted when it is in transit (on the network) and when it is at rest
or stored on disk.
2. Data is stored on disk usually in two broad categories: flat files or databases.
3.8 Public Key Infrastructure (PKI)1. PKI is a framework with many components including but not limited to X.509 standard,
cryptography, trusted parties, certificate authority, key management, etc.
2. Both symmetric and asymmetric encryption algorithms are used in PKI. Note that public
key cryptography uses only asymmetric algorithms like RSA.
3. PKI is a framework and not a particular technology or product.
4. Each entity (persons, servers) participating in PKI has an X.509 certificate.
5. A certificate authority (CA) issues and signs certificates to entities (or subjects) in PKI.
6. CA is a trusted third party. By signing a certificate, it ensures that the certificate is valid.
Signed certificates can't be modified.
7. When an entity needs to verify a certificate authenticity, it will decrypt signature hash of
a certificate using public key from CA and match it with the actual hash of the public key
in the certificate.
8 http://www.faqs.org/rfcs/rfc1321.html
-
7/28/2019 A quick guide to CISSP certification
39/93
Chapter Three: Cryptography
Copyright 2009 Rafeeq Rehman Page: 39 of 93
8. Certificates can also be validates using On-line Certificate Status Protocol (OSCP) OSCP
which checks the validity of a certificate using CRLs
9. Two or more CA can trust each other by the process of cross certification cross
certification
10.PKI is used for many purposes including authentication, non-repudiation, access control,
two factor authentication, etc.
11.A certificate authority is an integral and central part for PKI.
12.Major functions of PKI are confidentiality, integrity, and authentication.
13.PKI is useful when two parties don't know (or trust) each other but trust a Trusted Third
Party.
3.8.1 Digital Certificates1. Digital certificate, also called X.509 certificates are used to package public key associated
with an entity (person, server, device)
2. Digital certificates are used for multiple purposes. A sample certificate is shown in Figure
below.
Figure: X.509 Certificate general information
3. Figure show the same certificate. The General' TAB in Figure shows the general
information about the certificate. The Detail TAB in Figure shows detail about the same
certificate in Firefox web browser. When you are looking at a real certificate, you can
scroll down to see more information as well.
Figure : X.509 Certificate detail
4. Digital certificate is a file that follows the X.509 standard. A certificate is usually signed
by a certificate authority (CA)
5. A certificate may contain many fields, including, but not limited to:
a. Certificate issuer information
b. Version number
-
7/28/2019 A quick guide to CISSP certification
40/93
Chapter Three: Cryptography
Copyright 2009 Rafeeq Rehman Page: 40 of 93
c. Serial number
d. Signature algorithm
e. Issuer name
f. Issue date and Expiration date
g. Public key
h. Name of owner/entity
6. The certificate shown in Figures are self-signed certificates. Anybody can create self-
signed certificates. However, they don't provide the trusted third party (certificate
authority) assuring.
7. The certificate shown in Figures are examples of certificates signed by a certificate
authority. In Figure, you can see the certificate is signed by Verisign (certificate
authority) and is issued to google.com
X.509 Certificate general information, issued by a certificate authority
8. Figures xxx xxx show ``General'' and ``Detail'' parts of the same certificate as viewed in
Firefox web browser.
X.509 Certificate detail, issued by a certificate authority
9. Certificates are most commonly used by web sites to ensure authenticity of a web site. In
the browser, you can click on the security lock button to view certificate detail.
10.Certificates are also used for secure email transfer from sender to recipient.
11. Certificate Revocation List or CRL is published by certificate authority to publish list of
certificates that are revoked.
12.Certificates may be revoked before expiration date for a number of reasons, including
compromise of private keys. CRL is a means for informing the certificate consumers that
a certificate is not valid. CRL contains serial number of revoked certificates.
13.The URL for the location of CRL is included in the certificate itself.
14.Registration Authority or RA registration authority is a broker between the certificate
owner and the certificate authority. RA gets user information, verifies it, and then sends
it to CA to issue certificate. In most cases RA and CA roles are combined in a single
entity. A certificate has public key of the owner. The owner keeps the private key
-
7/28/2019 A quick guide to CISSP certification
41/93
Chapter Three: Cryptography
Copyright 2009 Rafeeq Rehman Page: 41 of 93
15. Certificates are used for many purposes including authentication, mutual authorization,
secure web traffic, secure email, and so on.
16.Digital certificates can be stored in multiple file formats including:
a.
Base-64 or DER encoded files ending with .CER
b. PKCS-7 files ending with .P7B
c. PKCS-12 files ending with .PFX
17.When exporting certificates to a file, the file can be password protected.
3.8.2 Certificate and Key Management Key Management1. Security of keys used for encryption/decryption is essential for modern cryptography
because encryption algorithms are open and well-known.
2. Key management includes many tasks, including:
a. Key generation
b. Delivery and distribution of key to key owner in a secure way
c. Storing keys in a secure way
d. Using keys in a secure way
e. Destroying keys when no longer needed
f. Recovering keys from backup store or archive
3. Keys can be delivered by courier, secure servers, or some other mechanism that ensures
that only the owner of a key receives it.
4. There are many automated key delivery systems. for example, Kerberos uses key
distribution center or KDC to distribute keys.
5. In many modern communication protocols, keys are changed automatically and very
frequently
6. An organization should always maintain backup copy of keys, also called a key escrow,
in case a key is lost. If a key is needed for data decryption and becomes unavailable, there
is no way to recover the data.
-
7/28/2019 A quick guide to CISSP certification
42/93
Chapter Three: Cryptography
Copyright 2009 Rafeeq Rehman Page: 42 of 93
7. NIST (National Institute of Standards and Technology\footnote\urlhttp://www.nist.gov)
has published a standard for key escrow known as Escrowed Encryption Standard or
ESS.
8. In ESS, a key is split into two (or more parts) that are kept by different parties.
9. Keys length should be determined depending upon the sensitivity of the data encrypted
by the key, the frequency of key usage.
10.Hardware Security Module or HSM is a hardware module used to generate and store
keys. HSM provides a very high level of security in key management.
11. In many cases a backend directory like LDAP or Active Directory is used for storing keys
and certificates.
12.Key Encryption Key or KEK is a key used to encrypt other keys.
3.9 Attacks and Vulnerabilities1. Man in the middle attacks may happen if a trusted third party, like CA, is not used in
encryption.
2. Brute force att