The SSCP prep guide: Mastering the seven key areas of system security

Back in the days when we, the authors, learned about system security, there was almost no written material. As technology has produced point solutions, more and more material is being written regarding the specific solution and security or the specific software and its security. Even today, there is not a wealth of knowledge documented and available for the person who wants to pursue systems security. Instead of purchasing hundreds of books, journals, and so on, this book provides that “one-stop-shop.” To have this type of environment available for system security, written by two professionals with more than 40 years of combined experience in this field, is to have access to a wealth of knowledge.

PDF, 531 pages | Shared by: banmai | Views: 2465 | Downloads: 0
Index

administration (continued)
  91–93
  firewall functions, 91
  firewall platform access, 88–89
  firewall platform builds, 89–99
  firewall policy, 93–97
  guidelines, 68
  information classification, 69–71
  logging functionality, 90
  mechanism implementation, 80–88
  multilevel mode, 72
  OSI layer model, 74–75
  partitioned security mode, 72
  plan of action and milestones (POA&M) document, 80
  policy input resources, 78–79
  procedures, 68–69
  process isolation, 74
  production/maintenance phase, 58–59
  programming (building) phase, 57–58
  reference monitor, 74
  requirement statement, 80, 82–83
  risk management, 54
  roadmap building, 77–88
  security development life cycle, 56–59
  security equation, 54
  security kernel, 73
  security operation modes, 72–73
  security policies, 65–67
  standards, 67
  system design phase, 57
  system high mode, 72
  system life cycle, 54–59
  system-level policy, 66
  task types, 88
  test phase, 58
  traffic analysis, 74
  TRIAD objectives, 53
  trusted computing base (TCB), 73–74
administrative security, 15
administrators, Web sites, 416
Advanced Encryption Standard (AES), 217, 238, 245
AH (authentication header), IPSec, 246
Alberti wheel cipher, 223–224
ALE (annual loss expectancy), 160
The American Black Chamber (Herbert O. Yardley), 228
American National Standards Institute (ANSI), 282, 284
analog signals, 263–264
analysis, 157, 159
analysis tools, security review, 130
annual loss expectancy (ALE), 160
annual rate of occurrence (ARO), 160
ANSI (American National Standards Institute), 282, 284
anti-virus software, updating, 357–358
application gateway, firewall technique, 81
Application Layer (Layer 7), 75, 289
application-level access control, 351
applications, stripping from firewall, 98
ARO (annual rate of occurrence), 160
ARPANET, Internet development, 273
assessment, versus analysis, 159
asset protection, 22–23
assets, 153–155
asymmetric (key pairs) cryptography, 239, 241
attachments, 28, 94, 341
attack scripts, 340
audio/data communications, 207
audit logs, 40
audit reduction tools, security reviews, 130
audit reports, vulnerability source, 175
auditing, 11, 13, 110–132
  capturing current activity, 110
  characteristics, 111–112
  data types, 126
  data/information management, 127–128
  defined, 110
  external/internal network boundary, 112–118
  firewalls, 112–118
  information security system meanings, 111
  internal/subnet boundary, 118–119
  layered security protection element, 11–13
  methods, 111
  Network Time Protocol (NTP), 113
  reasons for, 111
  rule set for a boundary router, 117–118
  security reviews, 128–132
  servers, 119–120
  standard metrics, 111
  system security policy implementation, 114–115
  UNIX syslog, 112–113
  user workstations, 120–125
authentication
  data origin, 275
  firewall management methods, 89
  OSI model, 290
  peer, 276–277
authentication systems, Kerberos, 245
authentication header (AH), IPSec, 246
authenticity, security objective, 5
automated risk assessment, 161–162
automated tools, 129, 162, 168, 175–176
auxiliary storage. See mass storage
avoiding, risk handling method, 162

B
B2B (business-to-business) extranets, 274
B2E (business-to-employee) extranets, 274
back doors, brute force attack target, 27
backups, 69, 201–202, 356–357
bandwidth, 270–271
banner grabbing, 298, 304
Barr, Thomas (Invitation to Cryptography), 252
Basic Input Output System (BIOS), 343–344
Basic Security Module (BSM), 90
bastion hosts, DMZ uses, 85
BCPs (business continuity plans), 198
BIA (Business Impact Analysis), 71, 181
biometrics, 32–36
block ciphers, 217, 220, 237–238
blue teaming, penetration testing, 302–303
books, references, 413–415
boundary router, 86, 117–118
broadband optical telepoint networks, 269
broadband, versus narrowband, 270–271
broadcast transmissions, 270
brute force attack, 27, 236, 309
BSM (Basic Security Module), 90
buffer overflows, penetration testing, 305
building (programming) phase, 57–58
bus topology, 280, 281
business continuity plans (BCPs), 198
business function loss, 207
Business Impact Analysis (BIA), 71, 181
business-to-business (B2B), extranets, 274
business-to-employee (B2E), extranets, 274

C
C&A (certification and accreditation), 292
CA (certificate authority), PKI, 249
cable modems, 276
cable/DSL routers, 276
cabling, 67, 265–266
Caesar shift cipher, 222–223, 236
Carrier Sense Multiple Access (CSMA), 280
CAST-128 algorithm, 217
CAUCE (Coalition Against Unsolicited Commercial Email), 27
CBC (cipher block chaining), 244
CBK (common body of knowledge), 151
CCB (Configuration Control Board), 76
CCITT V.35 standard, 67
CCR (configuration change request), 76–77
CD R/W (Compact Disk R/W), 69
cell phones, during disaster, 207
central processing unit (CPU), 60, 262
CERC/CERT
  development history, 188
  security administrator strategies, 25–26
certificate authority (CA), 249
certification and accreditation (C&A), 292
CFM (cipher feedback mode), 244
change process, 76–77
checklist test, contingency plan (CP), 205
chief information officer (CIO), 294
CIA (confidentiality/integrity/availability), 3, 5
cipher block chaining (CBC), 244
cipher feedback mode (CFM), 244
ciphers. See individual ciphers
ciphertext, 217
circuit-level gateway, 81
classifications, information, 69–71
clipper chip, 232–233
closeout, contingency plan (CP), 205
CM (configuration management), 76–77
Coalition Against Unsolicited Commercial Email (CAUCE), 27
coaxial cable, conducted media, 266
code talkers, described, 232
cold site, recovery location, 204
common body of knowledge (CBK), 151
Common Criteria’s protection profiles, 14
communications security, 14–15
communications site (data), 207
communications. See data communications
Compact Disk (CD) R/W, 69
compartmented mode, 73
computer forensics, 140–143
computer security, 14
Computer-Related Risks (Peter G. Neuman), 152
conceptual analysis phase, 56–57
conducted media, 265–266
confidentiality
  access control support, 22
  cryptology objectives, 234
  information security element, 3, 5
  loss consequences, 158, 181–182
  OSI model security service, 290
  VPN protection, 275
configuration change request (CCR), 76–77
Configuration Control Board (CCB), 76
configuration management (CM), 76–77
confusion, block cipher property, 237–238
connection sniffing, 348, 352
connectionless integrity, 275
contingency plans (CPs), 198, 204–207
continuity of operations plans (COOPs), 198
controls, 156
copper wire, conducted media, 265–266
corrective controls, 156
countermeasures, 156–157
CPU (central processing unit), 60, 262
crackers, 334–336
CRC (Cyclic Redundancy Check), file integrity checking, 311
cryptanalysis, 215, 217, 251–253
cryptography. See also encryption
  Alberti wheel cipher, 223–223
  algorithms, 217
  asymmetric (key pairs), 239, 241
  Caesar shift cipher (mono-alphabetic substitution), 222–223
  ciphers, 217
  ciphertext, 217
  code talkers, 232
  deciphering, 219
  defined, 215, 217
  digital certificates, 219
  Digital Encryption Standard (DES), 232
  digital signatures, 219
  e-commerce, 247–248
  e-mail, 247
  enciphering, 219
  Enigma machine cipher, 230–231
  Internet Protocol Security (IPSec), 246
  Jefferson’s wheel cipher, 226–227
  Kerberos, 36, 245
  keys, 219
  one-time pad, 219
  plaintext, 219
  Public Key Infrastructure (PKI), 248–250
  public-key, 232, 239, 241–242
  Purple machine cipher, 231
  rotor machines, 229–231
  secure hash function, 220
  Secure HyperText Transport Protocol (S-HTTP), 246–247
  Secure Socket Layer (SSL), 246
  steganography, 220
  symmetric (same-key), 239–240
  trap door, 220
  U.S. federal government encryption, 253
  Vernam cipher, 226–228
  Vigenere square, 224–226
  watermark, 220–221
Cryptography and Network Security (William Stallings), 235
cryptology, 218, 221–232, 234–242. See also cryptography and encryption
cryptosecurity, 14
Crystal Reports, security review, 129
CSMA (Carrier Sense Multiple Access), 280
Cyber Cop, 130, 134
Cyclic Redundancy Check (CRC), 311

D
DAC (Discretionary Access Control), 33–34
data communications
  analog signals, 263–264
  ANSI standards, 284
  asset types, 155
  bandwidth, 270–271
  broadband bandwidth, 270–271
  broadcast transmissions, 270
  bus topology, 280, 281
  central processing unit (CPU), 262
  coaxial cable, 266
  conducted media types, 265–266
  copper wire, 265–266
  defined, 262
  digital signals, 264
  802.X standards, 282
  Ethernet standards, 282
  extranets, 274
  gigabit Ethernet standard, 283
  Internet, 273–274
  intranets, 273
  ISO standards, 283
  ITU standards, 284
  local area networks (LANs), 272
  logical topologies, 281–282
  man-in-the-middle attack target, 28
  metropolitan area networks (MANs), 272
  minimum versus comprehensive, 317
  multicast transmissions, 270
  narrowband bandwidth, 270–271
  network models, 288–291
  network security testing, 292–294
  network testing reasons, 291–292
  OSI model, 288–291
  physical topologies, 279
  protocols, 284–288
  radiated media types, 267–269
  remote access protocols, 286
  ring topology, 280–282
  security prioritization process, 321–323
  standards, 282–284
  star topology, 279
  system development life cycle, 292–294
  TCP/IP network model, 291
  transmission methods, 270
  unicast transmissions, 270
  virtual private networks (VPNs), 275–279
  wide area networks (WANs), 272
  World Wide Web (WWW), 274
data confidentiality, 290
Data Encryption Standard (DES), 238, 243
data integrity, 5, 290
Data Link Layer (Layer 2), 74–75, 289
data origin authentication, 275
data requirements, 9–10
data security, navigational tools, 14
data sensitivity, impact analysis, 181–182
data separation, 351
data types, auditing, 126
database administration, 35
database management systems (DBMS), 40
data/information management, 127–128
data/information storage, 59–63
data-level access controls, 40–44
DDoS (distributed denial of service), 24–26
deciphering, 219
dedicated security mode, 72
degaussers, magnetic media, 42, 44
demilitarized zone (DMZ), 31, 85–88
denial of service (DoS), 5, 24–28, 87, 300
DES (Data Encryption Standard), 238, 243
detection, malicious code, 353–355
detective controls, 56, 179
dictionary attack, password cracking, 309
diffusion, block cipher property, 238
digital certificates, 219
Digital Encryption Standard (DES), 232
digital services, CCITT V.35 standard, 67
digital signals, 264
Digital Signature Standard (DSS), 247
digital signatures, 11, 13, 219, 290
Digital Video Disk (DVD), 69
direct sequence implementation, 271
disaster recovery plans (DRPs), 198
discovery (network mapping), 297–299
discovery tools, security reviews, 129–130
Discretionary Access Control (DAC), 33–34
distributed denial of service (DDoS), 24–26
Distributed Reflection Denial of Service (DRDoS) attack, 24
DMZ (demilitarized zone), 31, 85–88
document reviews, 168
documentation, 154, 186–187, 294
documentation tools, security reviews, 130
documents, 41, 80
domain name service (DNS), 11, 13
Domain Name System (DNS), 304
door keycards, 32
DoS (denial of service), 5, 24–28, 87, 300
DRDoS (Distributed Reflection Denial of Service), 24
DRPs (disaster recovery plans), 198
DSS (Digital Signature Standard), 247
DVD (Digital Video Disk), 69

E
ECB (electronic codebook), 244
ECC (elliptic curve cryptography), 245
e-commerce, 248
EDP (electronic data processing), 1
EES (Escrowed Encryption Standard), 232–233
EF (exposure factor), 161
EFF (Electronic Frontier Foundation), 232
EIA RS-232-C standard, 67
802.X standards, 282
electrically erasable programmable read-only memory (EEPROM), 61
electronic codebook (ECB), DES/Triple DES mode, 244
electronic data processing (EDP), 1
Electronic Frontier Foundation (EFF), 232
electronic security, 351
elevator keys, 32
elliptic curve cryptography (ECC), 245
e-mail, 27–28, 94, 247, 332, 340–341, 352
emergency response, 199–202
emission security, 14
employment policies, 63–64
encapsulating security payload (ESP), 246
enciphering, 219
encipherment, 290
encryption. See also cryptography
  Advanced Encryption Standard (AES), 217, 245
  algorithms, 217
  Caesar shift cipher, 236
  ciphers, 217
  ciphertext, 217
  clipper chip, 232–233
  code talkers, 232
  cryptographic system divisions, 235–242
  Data Encryption Standard (DES) algorithm, 243
  data-level access control, 40–41
  deciphering, 219
  digital certificates, 219
  Digital Encryption Standard (DES), 232
  digital signatures, 219
  elliptic curve cryptography (ECC), 245
  enciphering, 219
  IDEA algorithm, 245
  Kerberos protocol, 36
  key concepts, 239–242
  keys, 219
  layered security protection, 11, 13
  malicious code countermeasures, 352
  man-in-the-middle attack prevention, 28
  mono-alphabetic substitution, 222–223
  one-time pad, 219
  plaintext, 219, 237–238
  public-key cryptography, 239, 241–242
  RSA algorithm, 244
  secure hash function, 220
  Secure Sockets Layer (SSL), 89
  steganography, 220
  substitution ciphers, 236
  transposition ciphers, 236–237
  trap door, 220
  Triple DES algorithm, 243–244
  U.S. federal government types, 253
  use methods, 236–237
  Vigenere Square cipher, 236
  watermark, 220–221
encryption algorithms, 278
end-to-end layers, 76
Enigma machine cipher, 230–231
environment, firewall, 91–93
environmental systems, asset types, 154
environmental threats, types, 170
erasable programmable read-only memory (EPROM), 61
errors, threat type, 155
Escrowed Encryption Standard (EES), 232–233
escrowed keys, 233
ESP (encapsulating security payload), 246
espionage, threat type, 155
Ethernet standards, 282
evaluation reports, 175
Event Viewer, 122
events, auditing data types, 126
evidence protection, 140–141
Exclude All-Include by Exception principle, access controls, 29
executable file attachments, e-mail, 94
executives, security awareness, 101
exposure factor (EF), 161
exposure, 157
external network boundary, 112–118
external penetration testing, networks, 303
extranets, 85, 274

F
facial recognition, 32
Fast Ethernet standards, 283
FedCIRC (Federal Computer Incident Response Center), 173
FEMA (Federal Emergency Management Agency), 173
fence post, transposition cipher, 236–237
fiber distributed data interface (FDDI), 74–75
fiber optics, conducted media, 266
file descriptor attacks, 305
file integrity checkers, 387–388, 399–406
File Transfer Protocol (FTP), 332
file/directory permissions, 306
filters, packet, 81
Finger Image Identifier Record, 32
finger imaging system, 32
fingerprint imaging, 32
firewalls
  application gateway, 81
  auditing, 112–118
  authentication methods, 89
  blockable ports, 95–97
  blockable protocols, 95–97
  boundary router, 86
  circuit-level gateway, 81
  demilitarized zone (DMZ), 85–88
  described, 81
  environmental considerations, 91–93
  external penetration testing, 303
  function types, 91
  host-to-gateway VPN operation, 276
  hot fix application importance, 90
  layered security boundary element, 11–13
  logging functionality, 90
  logical control, 31
  Network Time Protocol (NTP), 98
  packet characteristics, 91
  packet filters, 81
  platform access administration, 88–89
  platform build administration, 89–99
  policy administration, 93–97
  policy auditing timeline, 94
  proxy operations, 91
  proxy server, 81
  removing unused accounts, 90
  removing unused network protocols, 89
  removing unused network services, 90
  service leg implementation, 87
  stripping unnecessary applications, 98
  system patch application importance, 90
  system security policy, 114–115
  transaction-level data access control, 40
  virtual private networks (VPNs), 81, 84
  VPN server placement, 98–99
flooding, DoS attack method, 24
floppy disks, 32, 69
forensic analysis, 24
fortezza cards, 32
frequency analysis attack, 236
frequency-hopping implementation, 271
FTP (File Transfer Protocol), 332
full-interruption test, 207
functions, secure hash, 220

G
gateways, 67, 81, 276–277, 332, 361–362
gateway-to-gateway, VPN operation, 276
gigabit Ethernet standards, 283
government (industrial) espionage, 155
group identification, 35–36
guidelines, security administration, 68
guns, gates, and guards concept, 30

H
hackers, 334–336
hand geometry, 32
hard disks, mass storage device, 69
hardware, 129, 153
heuristic analysis, infection detection, 360
hoaxes, virus, 341–342
host scanners, vulnerability scanning, 300
host-based IDS, 135
host-to-gateway, VPN operation mode, 276
host-to-host, VPN operation mode, 276
hot fixes, firewall application, 90
hot site, recovery location, 203
human threats, types, 170–172
hybrid attacks, password cracking, 309
Hypertext Transport Protocol (HTTP), 90, 332

I
IAVA (Information Assurance Vulnerability Alerts), 175
Ice-Pick, security analysis tool, 130
IDEA algorithm, 245
identification and authorization (I&A) mechanism, 27, 31, 35–36
identification, threat source, 169–170
IDS sensors, reviewing network logs, 310
IDSs (intrusion detection systems), 31, 134–135, 310
IEC (International Electrotechnical Commission), 283
IEEE (Institute of Electrical and Electronics Engineers), 67, 282–283
IETF (Internet Engineering Task Force), 247
incident response, 188, 190–198, 354
individuals, access controls, 35–36
industrial (government) espionage, 155
infection prevention, 358–360
Information Assurance Technology Framework, 331
Information Assurance Vulnerability Alerts (IAVA), 175
information classification, 69–71
information gathering, 167–168
information security, 1–18
information systems security officers (ISSOs), 295
information systems security policy, 157
information systems security program managers (ISSMs), 295
information technology (IT), 5
information/data, asset types, 154–155
infrared light, 269
insider attacks, malicious code, 348
Institute of Electrical and Electronics Engineers (IEEE), 67, 282–283
integrity
  access control support, 22
  connectionless, 275
  cryptology objectives, 234–235
  information security element, 3, 5
  loss consequences, 157, 181
  message authentication code (MAC), 275
  OSI model, 290
  transaction-level data access controls, 40
integrity checking, network files, 311–312
internal boundary, auditing, 118–119
internal network boundary, 112–118
internal penetration testing, networks, 303
International Electrotechnical Commission (IEC), 283
International Standards Organization (ISO), 282, 283
International Telecommunication Union (ITU), 284
Internet, 273–274
Internet Engineering Task Force (IETF), 247
Internet Protocol (IP) addresses, 74–75, 289
Internet Protocol Security (IPSec), 84, 246, 286–287
Internet Scanner, security analysis tool, 130
InterNIC (whois) queries, 304
interviews, 15, 167–168
intranets, 85, 273
intrusion detection systems (IDSs), 31, 134–135, 310
investigations, personnel security, 15
Invitation to Cryptography (Thomas Barr), 252
IP (Internet Protocol) addresses, 74–75, 289
IPSec (Internet Protocol Security), 84, 246, 286–287
iris scanning access control, 32
ISO (International Standards Organization), 282, 283
ISS Internet Scanner, 129
ISSMs (information systems program managers), 295
ISSOs (information systems security officers), 295
IT (information technology), 5
ITU (International Telecommunication Union), 284

J
Jefferson’s wheel cipher, 226–227

K
Kerberos, 36, 245
kernel flaws, penetration testing, 305
key management, 35, 249
keys
  Alberti wheel cipher, 223–224
  asymmetric (key pairs) cryptography, 239, 241
  cryptology concepts, 239–242
  defined, 219
  symmetric (same-key) cryptography, 239–240
  Vernam cipher, 226–228
  Vigenere square cipher, 224–226
keystroke monitoring, 134
Knapsack algorithm, 232

L
L2TP (Layer 2 Tunneling Protocol), 84, 287
languages, code talkers, 232
LANguard file integrity checker, 399–400
LANs (local area networks), 272
laptops, security review requirements, 129
law enforcement access field (LEAF), 233
law enforcement responsibility, 27
Layer 1 (Link), TCP/IP network, 291
Layer 2 (Network), TCP/IP network, 291
Layer 2 Tunneling Protocol (L2TP), 84, 287
Layer 3 (Transport), TCP/IP network, 291
Layer 4 (Application), TCP/IP network, 291
layered protection, 11–13
layers, 74–77
LEAF (law enforcement access field), 233
least privilege concept, 64, 156
Lightweight Directory Access Protocol (LDAP), penetration testing, 304
likelihood determinations, 180
line of sight, infrared communications, 269
Linux systems, 36
LLC (Logical Link Control), 289
local area networks (LANs), 272
local disk storage infection, 355
local memory infection, 355
Local Security Policy, 122–124
log reviews, network testing, 310–311
logging functionality, 90, 112–113
logging, OSI model security service, 290
logic bombs, 343–344
logical access controls, 156
logical controls, 30–3
Logical Link Control (LLC), 289
logical topologies, 281–282
logon notification, 39–40
logons, multiple, 39
LOpht Crack, password cracker, 398–399
Lucifer algorithm, 243

M
MAC (Mandatory Access Control), 33–34
MAC (Media Access Control), 289
MAC (message authentication code), 275, 278
MAC protocols, 40
macro viruses, 338–339, 363–365
magnetic media, 42, 44
magnetic tapes, mass storage device, 69
mail filters, 27
mainframes, 11, 13
malicious code
  administrative countermeasures, 356–357
  attack mechanisms, 347–350
  configuration management requirements, 346–347
  connection sniffing countermeasures, 352
  connection/password sniffing, 348
  countermeasures, 351–355
  crackers, 334–336
  defined, 333
  detection mechanisms, 353–355
  detection system requirements, 345–346
  ever-increasing threat, 331
  example cases, 363–369
  gateway protection, 361–362
  hackers, 334–336
  heuristic analysis, 360
  importance of staying current, 331–332
  Information Assurance Technology Framework, 331
  insider attacks, 348
  interoperability concerns, 360–361
  logic bombs, 343–344
  macro virus attack example, 363–365
  mobile code, 348–350
  network attacks, 347
  Online Hacker Jargon File, The, 334–336
  password sniffing countermeasures, 352
  phreaks, 334–336
  physical security, 353
  polymorphic virus attack, 365–367
  pre-infection/prevention, 358–361
  protection points, 332
  scanners, 351
  snapshot techniques, 359
  spectral analysis, 359–360
  system backups, 356–357
  system statistics, 334
  trapdoors, 347
  Trojan Horse attack example, 368–369
  Trojan horses, 342–343
  updating anti-virus software, 357–358
  vaccination programs, 359
  viruses, 336–342
  workstation protection, 361
  worms, 342
malware. See malicious code
management, 100–101
management security, 15
management support/commitment, 157
managers, 296
Mandatory Access Control (MAC), 33–34
man-in-the-middle attack, 28
MANs (metropolitan area networks), 272
masquerade attack, 27–28
mass storage, 50, 59
MD4 (Message Digest 4), 220
MD5 (Message Digest 5), 220
Media Access Control (MAC), 289
media, 41–44, 265–266
memory, 59–62
Merkle-Hellman algorithm, 232
message authentication code (MAC), 275, 278
Message Digest 4 (MD4), 220
Message Digest 5 (MD5), 220
metro passes access controls, 32
metropolitan area networks (MANs), 272
Microsoft Excel, macro viruses, 338–339
Microsoft, password conventions, 37
Microsoft Windows 2000, 122–124, 136–139
Microsoft Word, 129, 338–339
microwaves, 267
mission statement, 157
mobile code, malicious code, 348–350
modem usage, logical control, 31
modems, war dialing, 313–314
monitoring, 110, 133–135, 290
monoalphabetic substitution cipher, 236
mono-alphabetic substitution, 222–223
motivation, threat identification, 170–173
Mstream, DoS tool, 24
multicast transmissions, 270
multilevel mode, 72
multipartite viruses, 340
multiple logons, access control, 39

N
narrowband, versus broadband, 270–271
NAT (Network Address Translation), 74–75
National Institute of Standards and Technology (NIST), 36, 54, 163–164
National Security Agency, 331
natural threats, types, 170
navigational tools, security, 13–16
Nessus, security analysis tool, 129–130
NetBEUI, 285
NetBIOS enumeration, 304
NetRanger. See Secure Intrusion Detection
Network Address Translation (NAT), 74–75
network administration, 35
network administrators, 295–296
network attacks, malicious code, 347
network backups, malicious code, 357
Network Information System (NIS), 304
Network Layer (Layer 3), 74–75, 289
network mapping (discovery), 297–299
network mapping utilities, 129
network monitoring, 133
network protocols, 90
network scanners, 300
network security, 14–15, 352
network services, removing unused, 90
network sniffers, testing tools, 388–389
Network Time Protocol (NTP), 98, 113
network-based IDS (NIDS), 134–135
networks
  defined, 263
  file integrity checking, 311–312
  log reviews, 310–311
  logical topologies, 281–282
  minimum versus comprehensive testing, 317
  network mapping (discovery), 297–299
  password cracking, 308–310
  penetration testing, 293, 301–307
  physical topologies, 279–281
  reasons for testing, 291–292
  security management staff, 294–296
  security prioritization process, 321–323
  Security Test and Evaluation (ST&E), 307–308
  security testing, 292–294
  testing category evaluations, 318–320
  testing documentation, 294
  testing technique comparisons, 314–317
  virus detectors, 312–313
  vulnerability scanning, 299–301
  war dialing, 313–314
Neuman, Peter G. (Computer-Related Risks), 152
NFR HID, host-based IDS, 134–135
NIS (Network Information System), 304
NIST (National Institute of Standards and Technology), 36, 54, 163–164
Nmap port scanner, 129, 297, 392–398
NOAA (National Oceanographic and Atmospheric Association), 173
non-repudiation, 5, 290
Norton Personal Firewall, 135
Notarization, security mechanism, 291
NT servers, security protection, 11, 13
NTP (Network Time Protocol), 98, 113

O
occurrence, contingency plan (CP), 204
OFM (output feedback mode), 244
one-time pad, 219
One-Time Passwords (OTPs), 36, 217
One-Time Passwords in Everything (OPIE), 36
ongoing activities, 204
The Online Hacker Jargon File, 334–336
on-site interviews, 167–168
Open System Interconnection (OSI) model, 74–75, 288–291
operating systems, 129
operations security (OPSEC), 16
OPIE (One-Time Passwords in Everything), 36
optical disks, mass storage device, 69
optical media, handling/destroying, 43
organizational policy, 65
OTPs (One-Time Passwords), 36, 217
output feedback mode (OFM), 244
output, handling/destroying, 41–44
owners, security responsibilities, 296

P
packet captures, penetration testing, 304
packet filters, 81, 86
padding, 237, 291
parallel test, contingency plan (CP), 206
partitioned security mode, 72
password checkers, testing tools, 389
password cracking, 308–310, 398–399
password policy, 65
password sniffing, 348, 352
passwords, 11, 13, 27–28, 35–39, 89, 277, 308–310
patches, firewall application, 90
PBX (Private Branch Exchange), 313
peer authentication, VPNs, 276–277
PEM (Privacy Enhanced Mail), 247
penetration testing, 175–176, 293, 301–307
people, information security resource, 16
personal identification number (PIN), 277
personnel, asset types, 154
personnel security, navigational tools, 15
PGP (Pretty Good Privacy), 41, 217, 247, 352
phreaks, 334–336
physical access controls, 157
physical controls, 29–31
physical facility loss, 207
Physical Layer (Layer 1), 74–75, 288–289
physical security, 14, 253
PIN (personal identification number), 277
ping, security review software, 129
PKI (public key infrastructure), 11, 13, 248–250
plain old telephone system (POTS), 263–264
plaintext, 219, 237–238
plan of action and milestones (POA&M), 80
point (technology) solutions, 20
Point-to-Point Tunneling Protocol (PPTP), 84, 288
policies, 17, 63–66, 78–83, 93–97, 129, 277–278
polyalphabetic ciphers, 223–224
polyalphabetic substitution cipher, 224–226, 236
polymorphic viruses, 339–340, 365–367
port scanners, 129, 297–299, 303, 392–398
ports, firewall blocking, 95–97
posing, masquerade attacks, 27–28
position definition, 64
POTS (plain old telephone system), 263–264
PPTP (Point-to-Point Tunneling Protocol), 84, 288
practitioners, Web sites, 415
preparedness, contingency plan (CP), 204
Presentation Layer (Layer 6), 75, 289
Pretty Good Privacy (PGP), 41, 217, 247, 352
preventive controls, 156, 179
primary storage, 60
Privacy Enhanced Mail (PEM), 247
privacy, VPN protection, 275
Private Branch Exchange (PBX), 313
privilege escalation/back door tools, 389–390
privileged accounts, 35
procedures, 15, 68–69
process for change, 76–77
process isolation, 74
processes, information security, 17
production/maintenance phase, 58–59
programmable read-only memory (PROM), 61
programming (building) phase, 57–58
protection rings, 11–13, 29–31
protocols, 90, 95–97, 284–288, 332
proxy, man-in-the-middle attack target, 28
proxy servers, 81, 156
public key certificates, VPN, 276–277
public key cryptography, 232, 239, 241–242
Public Key Infrastructure (PKI), 11, 13, 248–250
Purple machine cipher, 231

Q
qualitative analysis, 159, 161–162, 182
quantitative analysis, risks, 159–161, 182
questionnaires, information gathering, 167

R
RA (registration authority), 249
race conditions, penetration testing, 306
radiated media, 267–269
radio waves, 267
RADIUS (Remote Authentication Dial-In User Service), 89, 285
random access, information storage, 63
random-access memory (RAM), 60
RAS (Remote Access Services), 286
RBACs (role-based access controls), 39
RC (Rivest’s Cipher) algorithm, 217, 219–220
RC2, stream cipher, 219
RC4 algorithm, 220, 237
RC5, block cipher, 220
read-only memory (ROM), 61, 343–344
real (physical) memory, 60
Real Secure, NIDS, 134
record checks, personnel security, 15
recovery
  business continuity plans (BCPs), 198
  cold site, 204
  contingency plans (CPs), 198–199, 204–207
  continuity of operations plans (COOPs), 198
  disaster recovery plans (DRPs), 198
  emergency response, 199–202
  hot site, 203
  malicious code element, 354–355
  restoration after catastrophe, 203–204
  scenarios, 200–202
  warm site, 204
red teaming, penetration testing, 302–303
reference monitor, 34, 74
references, 413–416
reflective networks, 269
registration authority (RA), 249
relationships, objectives/services/mechanisms, 6–7
Remote Access Services (RAS), 286
Remote Authentication Dial-In User Service (RADIUS), 89, 285
replication, virus lifecycle phase, 337
reporting software, 129
reports, security review, 130–131
requirement statement, 80, 82–83
resource protection, 22–23
response. See incident response
restitution, contingency plan (CP), 205
retinal scanning, 32
return on investment (ROI), 160
Rijndael algorithm, 217
ring topology, 280–282
risk, 152–163, 181–182
risk assessment, 157, 164–187, 292
risk identification, 157
risk management, 54, 163
Risk Management Guide for Information Technology Systems (NIST), 54
risk scale, risk determination, 184–185
risk-level matrix, determination, 183–184
Rivest’s Cipher (RC) algorithm, 217, 219–220
roadmap, 2–10, 77–88
ROI (return on investment), 160
role-based access controls (RBACs), 39
ROM (read-only memory), 61, 343–344
rotor machines, 229–231
routers, 67, 86
routing control, 291
RSA algorithm, development history, 244
rsh, security review software, 129
rules of engagement, 302

S
S/MIME (Secure Multipurpose Internet Mail Extensions), 247, 352
sabotage, threat type, 155
safeguards, 156
SATAN, security analysis tool, 130
satellites, 267
scanners, 32–33, 129, 297–301, 351
scanning and enumeration tools, 390–391
scanning tools, 168, 176
scatter networks, 269
scripts, attack, 340
SDLC (software development life cycle), 164
secondary storage, 60
secrecy objective, confidentiality, 5
Secure Electronic Transaction (SET), 248
Secure Hash Algorithm 1 (SHA-1), 220
secure hash function, 220
Secure HyperText Transport Protocol (S-HTTP), 246–247
Secure Intrusion Detection, NIDS, 134
Secure Multipurpose Internet Mail Extensions (S/MIME), 247, 352
secure shell (ssh), tunneling uses, 89
Secure Socket Layer (SSL)
  data communications, 287
  firewall management, 89
  handshake transmission, 246
  malicious code countermeasure, 352
  RC4 algorithm, 237
  stream cipher, 237
security administrators, 25–26, 416
security advisories, 175
security architecture, 10–13
security awareness training, 99–101
security development life cycle, 56–59
security education and training, 157
security equation, risk management, 54
security kernel, 34, 73
security management staff, 294–296
security mechanisms, 6–8
security monitoring, 133
security objectives, 3–7
security operation modes, 72–73
security policies, administration, 65–67
security practitioners, 415
security requirements checklist, 176–178
security review reports, 175
security reviews, 129–132
security services, 6–10
Security Test and Evaluation (ST&E)
  network testing, 293, 307–308
  password violations, 35
  vulnerability identification, 175–176
security testing, networks, 292–294
security TRIAD, 3, 5, 52–53
selective protection, VPN policy, 278
self-inflicted DoS attack, 28
senior IT management, 294
sensitive information, access controls, 33
separation of duties, 64
sequential access, data/information, 62–63
serial cabling, EIA RS-232-C standard, 67
servers
  auditing, 119–120
  authentication, 89
  backup procedures, 69
  layered security protection, 11–13
  proxy, 81
  RADIUS, 89
  TACACS/TACACS+, 89
  VPN/firewall placement, 98–99
service leg, demilitarized zone (DMZ), 87
services, removing unused, 90
Session Layer (Layer 5), 75, 289
session-level access controls, 39–40
SET (Secure Electronic Transaction), 248
SHA-1 (Secure Hash Algorithm 1), 220
shadow files, UNIX system, 27
shared file system infection, 355
shielded twisted pair (STP), 265–266
shredders, types/security levels, 41
S-HTTP (Secure HyperText Transport Protocol), 246–247
Simple Mail Transfer Protocol (SMTP), 332
simulation test, contingency plan (CP), 206
single loss expectancy (SLE), 160
Single Sign-On (SSO), 36
SkipJack algorithm, 217, 233
smart cards, 32, 35–36
SMTP (Simple Mail Transfer Protocol), 332
snapshot programs, 359
sniffers, security review requirement, 129
Snort, 134, 136–139, 310, 406–412
social engineering, penetration testing, 306
software, 129, 253
software development life cycle (SDLC), 164
Solaris, Basic Security Module (BSM), 90
SOPs (standard operating procedures), 193
spamming attack, 26–27
spectral analysis, 359–360
speech patterns, 33
spoofing, 27–28
spread spectrum, 271
SSCP, security responsibilities, 18
ssh (secure shell), 89
SSL (Secure Socket Layer)
  data communications, 287
  firewall management, 89
  handshake transmission, 246
  malicious code countermeasure, 352
  RC4 algorithm, 237
  stream cipher, 237
SSO (Single Sign-On), 36
ST&E (Security Test and Evaluation)
  network testing, 293, 307–308
  password violations, 35
  vulnerability identification, 175–176
Stallings, William (Cryptography and Network Security), 235
standard operating procedures (SOPs), 193
standards
  auditing metrics, 111
  data communications, 282–284
  security administration element, 67
star topology, 279
stealth viruses, 340
steganography
  defined, 220, 250
  watermarks, 251
storage, 59
storage media, handling/destroying, 41–44
STP (shielded twisted pair), 265–266
stream ciphers
  defined, 217
  plaintext processing method, 237–238
  RC2, 219
  RC4, 220
  Secure Socket Layer (SSL), 237
structured walkthrough (table top) test, contingency plan (CP), 205–206
subnet boundary, auditing, 118–119
substitution ciphers, 236
supervisory controls, 15
supplies, asset type, 154
switches, demilitarized zone (DMZ), 87
symbolic links, penetration testing, 305
symmetric (same-key) cryptography, 239–240
system administration, 16
system administrators, 28, 35, 38–39, 295–296
system anomaly reports, 175
system audits, 292
system backups, 356–357
system characterization, 164–168
system components, 43
system design phase, 57
system development life cycle, 292–294
system high mode, 72
system level access controls, 33–34
system level, 11, 13
system life cycle, 54–59
system patches, 90
system security auditing, 111
system security staff, 157
system security testing, 175–176
system sensitivity, 181–182
system software security analyses, 175
system test reports, 175
system-level policy, 66
system-related information, 166–167
system-wide removable media infection, 355

T
table top (structured walkthrough) test, contingency plan (CP), 205–206
TACACS/TACACS+, authentication servers, 89
tape,
destroying, 42, 44 TCB (trusted computing base), 34, 73–74 TCP (Transmission Con- trol Protocol), 289 TCP/IP (Transmission Control Protocol/Inter- net Protocol), 285 TCP/IP network model, 291 TCPWrappers, host-based IDS, 135 TCSEC’s orange book, 14 technology (point) solu- tions, 20 telecommuters, 276–277 Telnet, security review requirement, 129 test phase, 58 testing tools, 387–412 theft, threat type, 155 threat identification, 168–173 threat source identifica- tion, 169–170 threats, 155, 158–159, 169–172, 174 thumbprint imaging, 32 time, information security element, 18 timelines, 38–39, 54–59, 94, 337–338 TLS (Transaction Layer Security), 248 TLS (Transport Layer Security), 287 Index 507 token-based access con- trols, types, 32 tokens, logical control, 31 topologies, 279–282 total protection, VPN pol- icy configuration, 278 traceroute, security review software, 129 traffic analysis, 74, 275 traffic padding, OSI model security mecha- nism, 291 training, security aware- ness, 99–101 Transaction Layer Security (TLS), 248 transaction logs, transac- tion-level data access control, 40 transaction processing, operations security (OPSEC) element, 16 transaction-level access controls, 40 transference, risk han- dling method, 162 Transmission Control Pro- tocol (TCP), 289 Transmission Control Pro- tocol/Internet Protocol (TCP/IP), 285 transmission security, 14 transmissions, data types, 270–271 Transport Layer (Layer 4), OSI model, 75, 289 Transport Layer Security (TLS), 287 transposition ciphers, encryption, 236–237 trap door, 220, 347 trapdoor access, malicious code, 351 Triple DES, 238, 243–244 Tripwire, Unix file integrity checker, 400–406 Trojan horse, 306, 342–343, 368–369 trusted computing base (TCB), 34, 73–74 U U.S. 
federal government, encryption, 253 UDP (User Datagram Pro- tocol), 285, 289 unauthorized access, 23–28 unicast transmissions, 270 Uniform Resource Loca- tors (URLs), 91 UNIX servers, 11, 13 UNIX syslog, 90, 112–113 UNIX systems, 27, 36 unshielded twisted pair (UTP), 265–266 updates, anti-virus soft- ware, 357–358 URLs (Uniform Resource Locators), 91 User Datagram Protocol (UDP), 285, 289 user IDs, 35–36, 89 user inactivity, 39 user training, 65 user workstations, audit- ing, 120–125 users, 35, 39, 99–100 UTP (unshielded twisted pair), 265–266 V vaccination programs, 359 VBA (Visual BASIC for Applications), 338–339 vendor advisories, 175 vendor back doors, 27 Vernam cipher, 219, 226–228 Very Large-Scale Integra- tion (VLSI), 233 video systems, facial recognition, 32 Vigenere square cipher, 224–226, 236 virtual memory, 61–62 virtual private networks (VPNs), 11, 13, 81, 84, 98–99, 273, 275–279 virus detectors, network testing, 312–313 viruses, 336–342, 363–369 Visual BASIC for Applica- tions (VBA), 338–339 VLSI (Very Large-Scale Integration), 233 voice verification, 33 volatile memory, 60–61 VPNs (virtual private net- works), 11, 13, 81, 84, 98–99, 273, 275–279 vulnerability defined, 155, 173 threat associations, 156, 174 versus threats, 158–159 vulnerability identifica- tion, 173–178 vulnerability scanner, 129, 299–303, 391–392 vulnerability sources, identified, 175 W WANs (wide area net- works), 272 WAP (Wireless Access Protocol), 285 war dialing, 313–314, 392 warm site, recovery loca- tion, 204 watermark, 220–221, 251 Web administration, 35 Web servers, logical con- trol, 31 Web sites Axent, 130 Computer Security Act of 1987, 178 Cyber Cop, 135 Dragon Sensor, 135 Dragon Squire, 135 Federal Computer Inci- dent Response Cen- ter (FedCIRC), 173 Federal Emergency Man- agement Agency (FEMA), 173 Glossary of Risk Analy- sis Terms, 152 international incident response organiza- tions, 188–189 508 Index Web sites (continued) Internet Security Systems, Inc., 130 National 
Infrastructure Protection Center, 173 National Oceanographic and Atmospheric Association (NOAA), 173 Nessus, 130 Network Associates, 130 NFR NID, 134 NIST I-CAT vulnerabil- ity database, 175 Norton Personal Fire- wall, 135 Real Secure, 134 RSAsecurity.com, 219 SAINT Corporation, 130 SANS.org, 173 Secure Intrusion Detec- tion System, 134 security administrators, 416 security practitioner, 415 SecurityFocus.com, 173 SecurityPatrol.com, 173 SecurityWatch.com, 173 Snort, 134 TCPWrappers, 135 United States incident response organiza- tions, 189 WhatsUp, security review software, 129 wide area networks (WANs), 272 wired LANs, 272 Wireless Access Protocol (WAP), 285 wireless LANS, 272 wireless network scanner, security, 129 Wireless Transport Layer Security (WTLS) proto- col, 285 workstation backups, malicious code, 356 workstations auditing, 120–125 layered security protec- tion, 11–13 malicious code protec- tion point, 332, 361 World Wide Web (WWW), 274 worms, 342 WTLS (Wireless Transport Layer Security) proto- col, 285 X X.25 protocol, 285 X.400 protocol, 284 X.500 protocol, 285 X.509 protocol, 247, 285 Y Yardley, Herbert O. (The American Black Chamber), 228 Wiley Publishing, Inc. End-User License Agreement READ THIS. You should carefully read these terms and conditions before opening the software packet(s) included with this book “Book”. This is a license agreement “Agreement” between you and Wiley Publishing, Inc. “WPI”. By opening the accompanying software packet(s), you acknowledge that you have read and accept the following terms and conditions. If you do not agree and do not want to be bound by such terms and conditions, promptly return the Book and the unopened software packet(s) to the place you obtained them for a full refund. 1. License Grant. 
WPI grants to you (either an individual or entity) a nonexclusive license to use one copy of the enclosed software program(s) (collectively, the “Software” solely for your own personal or business purposes on a single computer (whether a standard computer or a workstation component of a multi-user network). The Software is in use on a computer when it is loaded into temporary memory (RAM) or installed into perma- nent memory (hard disk, CD-ROM, or other storage device). WPI reserves all rights not expressly granted herein. 2. Ownership. WPI is the owner of all right, title, and interest, including copyright, in and to the compilation of the Software recorded on the disk(s) or CD-ROM “Software Media”. Copyright to the individual programs recorded on the Software Media is owned by the author or other authorized copyright owner of each program. Ownership of the Software and all proprietary rights relating thereto remain with WPI and its licensers. 3. Restrictions On Use and Transfer. (a) You may only (i) make one copy of the Software for backup or archival purposes, or (ii) transfer the Software to a single hard disk, provided that you keep the original for backup or archival purposes. You may not (i) rent or lease the Software, (ii) copy or reproduce the Software through a LAN or other network system or through any computer subscriber system or bulletin- board system, or (iii) modify, adapt, or cre- ate derivative works based on the Software. (b) You may not reverse engineer, decompile, or disassemble the Software. You may transfer the Software and user documentation on a permanent basis, provided that the transferee agrees to accept the terms and conditions of this Agreement and you retain no copies. If the Software is an update or has been updated, any transfer must include the most recent update and all prior versions. 4. Restrictions on Use of Individual Programs. 
You must follow the individual require- ments and restrictions detailed for each individual program in the About the CD-ROM appendix of this Book. These limitations are also contained in the individual license agreements recorded on the Software Media. These limitations may include a require- ment that after using the program for a specified period of time, the user must pay a reg- istration fee or discontinue use. By opening the Software packet(s), you will be agreeing to abide by the licenses and restrictions for these individual programs that are detailed in the About the CD-ROM appendix and on the Software Media. None of the material on this Software Media or listed in this Book may ever be redistributed, in original or modi- fied form, for commercial purposes. 5. Limited Warranty. (a) WPI warrants that the Software and Software Media are free from defects in materi- als and workmanship under normal use for a period of sixty (60) days from the date of purchase of this Book. If WPI receives notification within the warranty period of defects in materials or workmanship, WPI will replace the defective Software Media. (b) WPI AND THE AUTHOR OF THE BOOK DISCLAIM ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION IMPLIED WAR- RANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PUR- POSE, WITH RESPECT TO THE SOFTWARE, THE PROGRAMS, THE SOURCE CODE CONTAINED THEREIN, AND/OR THE TECHNIQUES DESCRIBED IN THIS BOOK. WPI DOES NOT WARRANT THAT THE FUNCTIONS CONTAINED IN THE SOFTWARE WILL MEET YOUR REQUIREMENTS OR THAT THE OPERA- TION OF THE SOFTWARE WILL BE ERROR FREE. (c) This limited warranty gives you specific legal rights, and you may have other rights that vary from jurisdiction to jurisdiction. 6. Remedies. 
(a) WPI’s entire liability and your exclusive remedy for defects in materials and work- manship shall be limited to replacement of the Software Media, which may be returned to WPI with a copy of your receipt at the following address: Software Media Fulfillment Department, Attn.: The SSCP Prep Guide: Mastering the Seven Key Areas of System Security, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indi- anapolis, IN 46256, or call 1-800-762-2974. Please allow four to six weeks for deliv- ery. This Limited Warranty is void if failure of the Software Media has resulted from accident, abuse, or misapplication. Any replacement Software Media will be war- ranted for the remainder of the original warranty period or thirty (30) days, whichever is longer. (b) In no event shall WPI or the author be liable for any damages whatsoever (including without limitation damages for loss of business profits, business interruption, loss of business information, or any other pecuniary loss) arising from the use of or inabil- ity to use the Book or the Software, even if WPI has been advised of the possibility of such damages. (c) Because some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation or exclusion may not apply to you. 7. U.S. Government Restricted Rights. Use, duplication, or disclosure of the Software for or on behalf of the United States of America, its agencies and/or instrumentalities “U.S. Government” is subject to restrictions as stated in paragraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause of DFARS 252.227-7013, or subparagraphs (c) (1) and (2) of the Commercial Computer Software - Restricted Rights clause at FAR 52.227-19, and in similar clauses in the NASA FAR supplement, as applicable. 8. General. 
This Agreement constitutes the entire understanding of the parties and revokes and supersedes all prior agreements, oral or written, between them and may not be modified or amended except in a writing signed by both parties hereto that specifically refers to this Agreement. This Agreement shall take precedence over any other docu- ments that may be in conflict herewith. If any one or more provisions contained in this Agreement are held by any court or tribunal to be invalid, illegal, or otherwise unen- forceable, each and every other provision shall remain in full force and effect. TE AM FL Y Team-Fly®