Sybex Cissp

Security guards, supervising users, incident investigations, IDS's

Guards, fences, motion detectors locked doors, sealed windows, lights, backups, cable protections, laptop locks, swipe cards,dogs, CCTV, mantraps alarms

What you: Have, Know, Are

Series of ?'s about facts or predefined responses that only the subject should know (ex. What's your birthday...etc.)

Fingerprints, face scans, iris scans, retina scans, palm topography, palm geography, heart/pulse pattern, voice pattern, signature dynamics, keystroke patterns

Enrollment times longer than two minutes are unacceptable; subjects will typically accept a throughput rate of about six seconds or faster

Mandatory Access Controls

Bell-LaPadula protects confidentiality, Biba and Clark-Wilson protect integrity

The user access objects on a system to perform a work task, the owner is liable for protection of data, the data custodian is assigned to classify and protect data

It prevents any single subject from being able to circumvent or disable security mechanisms

Subjects should be granted only the amount of access to objects that is required to accomplish their assigned work tasks.

Identification, Authentication, Authorization, Accountability (IAAA)

A domain is a realm of trust that shares a common security policy. This is a form of decentralized access control

It's used to watch for security policy violations and to detect unauthorized or abnormal activities

To automate the inspection of audit logs, and real time system events, detects intrusion attempts, and watches for violations of confidentiality, integrity, and availability

Can: Pinpoint resources compromised by a malicious user Can't: Detect network only attacks or on other systems, has difficulty detecting DoS attacks, and can be detected by intruders

Can: Montior a large network, can be hardened against attack. Can't: handle large data flows, doesn't work well on switched networks, can't pinpoint compromised resources

Knowledge based uses a signature database and tries to match monitored events to that database. Behavior based learns about the normal activities on your system through watching and learning

Honey pots are face networks used to lure intruders in order to create sufficient audit trails for tracking them down and prosecuting.

Penetration testing is a good way to accurately judge the security mechanisms deployed by an org.

An attack that prevents the system from receiving, processing, or responding to legitimate traffic or requests for resources and objects

The attacker pretends to be someone or something other than whom or what they are. They often replace the valid source and/or dest. IP address with node numbers with false ones.

Patching the OS and Software, enabling source/dest. verification on routers, and employing IDS to detect and block attacks

An attack in which a malicious user is positioned between the two endpoints of a communication link

It is similar to hijacking. A malicious user records the traffic between a client and a server and then retransmits them to the server with slight variations of the time stamp and source IP address

Any activity that results in a malicious user obtaining information about a network or the traffic over that network

Directing floods of messages to a victim's email inboxes or other messaging system. Such attacks cause DoS issues by filling up storage space and preventing legitimate messages from being delivered.

Patching software, reconfiguring security, employing Firewalls, updating filters, using IDSs improving security policy, using traffic filters, improving physical access control, using system monitoring/auditing

Application(7), Presentation(6),Session(5),Transport(4), Network(3), Data Link(2), Physical(1) (APSTNDP)

The Network Layer (Layer 3) offers confidentiality, authentication and integrity

Throughput = 10MBps Distance = 185 Meters

Ethernet, Token Ring, FDDI

Ring, bus, star, and mesh

The four layers of TCP/IP are application (layers 5-7 of OSI) Host to Host (layer 4 of OSI) Internet (layer 3 of OSI) and Network Access (layers 1 and 2 of OSI)

Static packet filtering, application level gateway, stateful inspection, dynamic packet filtering, and kernel proxy

Routers, switches, hubs, repeaters, bridges, gateways, proxies

Any system that performs a function or requests a service on behalf of another system. Proxies are most often used to provide clie3nts with Internet access while protecting their identity

IPSec, SKIP, SWIPE,SSL,S/MIME, SET,PEM,PGP,PPP,SLIP,PPTP,L2TP,CHAP,PAP,RADIUS, TACACS,S-RPC

Frame Relay, SMDS,X.25,ATM,HSSI,SDLC,HDLC,ISDN

Frame relay requires the use of DTE and a DCE at each connection point. PVC is always available; SVC is established using the best paths currently available

RADIUS, TACACS, S-RPC

A process that protects the contents of packets by encapsulating them in another protocol. This creates the logical illusion of communications tunnel through an untrusted intermediary network.

A communication tunnel that provides point to Point transmission of both authentication and data traffic over an intermediary network.

PPTP,L2F,L2TP,and IPSec

Transport mode, the IP packet data is encrypted but the header is not. Tunnel mode the entire IP packet is encrypted and a new header is added to govern transmission through the tunnel.

Network Address Translation allows the private IP addresses defined in RFC 1918 to be used in a private network while still being able to communicate with the Internet

A characteristic of a service, security control, or access mechanism that ensures it is unseen by users.

Nonrepudiation, access control, message integrity, source authentication, verified delivery, acceptable use policies, privacy , management, and backup and retention policies

Email is the most common delivery mechanism for viruses, worms, Trojans, documents with destructive macros, and other malicious code

S/MIME, MOSS, PEM, and PGP

Always err toward caution whenever communications are odd or unexpected. Always request proof of identity. Classify information for voice communications. Never change passwords over the phone.

DoS, eavesdropping, impersonation, replay, and modification

Maintaining physical access security, using encryption, employing one-time authentication methods

The modification of ARP mappings. WHen ARP mappings are falsified, packets are not sent to their proper dest. ARP mappings can be attacked through spoofing. Spoofing provides false MAC's for requested IP's.

Prevention of unauthorized intrusion, knowledge that information deemed personal or confidential won't be sheared with unauthorized entities, freedom from being observed without consent

Identification, authentication, authorization and auditing

It prevents a subject from claiming not to have sent a message, not to have performed an action, or not to have been the cause of an event.

Layering is simply the use of multiple controls in a series. The use of a multi-layered solution allows for numerous controls to be brought to bear against whatever threats come to pass.

Abstraction is used to collect similar elements into groups, classes, or roles that are assigned security controls, restrictions, or permissions.

Data hiding is preventing data from being known by a subject. Keeping a database from being accessed by unauthorized visitors is a form of data hiding.

A mechanism used to systematically manage change. Typically, it involves extensive logging, auditing, and monitoring of activities related to security controls and security solutions

Changes implemented in orderly manner, formalized testing, changes can be reversed, users informed of changes, changes systematically analyzed, negative impact of changes minimized.

The primary means by which data is protected based on categories of secrecy, sensitivity, or confidentiality

Usefulness, timeliness, value or cost, maturity or age, lifetime or expiration period, disclosure damage assessment, modification damage assessment, national security implications, storage

TS,S,C,SBU,U

Confidential, private, sensitive, public

CIA Triad, confidentiality, integrity, availability, privacy, identification, authentication, authorization, auditing, accountability, and nonrepudiation

Have at least one witness; escort terminated employee off the premisses immediately; collect identification, access, or security devices; perform exit interview; disable network account

Classifying information for protection within the security solutions

Implementing the prescribed protection defined by the security policy and upper mgmt.

For testing and verifying that security policy is properly implemented and the derived security solutions are adequate.

Policies, standards, baselines, guidelines, and procedures

Analyzing an environment for risks, evaluating each risk as to its likelihood and damage, assessing the cost of countermeasures, and creating a cost/benefit report to present to upper mgmt.

Cost of purchase, development, maintenance, acquisition, and protection; value to owners/users/competitors; equity value; market valuation; liability of asset loss; and usefulness

Viruses; buffer overflows; coding errors; user errors; intruders; natural disasters; equipment failure; misuse of data, resources, or services; loss of data; physical theft

The cost associated with a single realized risk against a specific asset. SLE = asset value (AV)(exposure factor (EF)). The SLE is expressed in a dollar value.

the possible yearly cost of all instance of a specific realized threat against a specific asset ALE = single loss expectancy (SLE) (annualized rate of occurence(ARO))

Quantitative assigns real dollar figures to the loss of an asset. Qualitative assigns subjective and intangible values to the loss of and asset.

Reduce/mitigate, assign/transfer, accept, or reject/deny

Once countermeasures are implemented, the risk that remains is resiudal risk. It's the risk that mgmt has chosen to accept rather than mitigate

The amount of risk an org. would face if no safeguards were implemented. A formula for total risk is (threats)(vulnerabilities)(asset value) = total risk

The diff between total risk and residual risk. The amount of risk that is reduced by implementing safeguards.

Awareness, training, education.

A strategic plan is a long term plan that is fairly stable, the tactical plan is a midterm plan that provides more details, operational plans are short term and highly detailed.

One.

Viruses

Agent

Applet

Java

A foreign key.

Polyinstantiation

Certification and Accreditation

Site accreditation

Initial

Layer 3

Dedicated security mode.

Boot sector.

Macro Virus

Delete, disinfect or quarantine.

Polymorphic Virus