Ronald L. Krutz, Ph.D. P.E., CISSP, ISSEP Russell Dean Vines CISSP, CISM, Security +, CCNA, MCSE, MCNE The CISSP ® and CAP CM Prep Guide: Platinum Edition


Page 1: The CISSP and CAP Prep Guide: Platinum Edition · CISSP, CISM, Security +, CCNA, MCSE, MCNE The CISSP® and CAP CM Prep Guide: Platinum Edition ... Objectives of Security Controls

Ronald L. Krutz, Ph.D., P.E., CISSP, ISSEP

Russell Dean Vines, CISSP, CISM, Security +, CCNA, MCSE, MCNE

The CISSP® and CAP CM Prep Guide: Platinum Edition


The CISSP® and CAP CM Prep Guide: Platinum Edition

Published by Wiley Publishing, Inc.
10475 Crosspoint Boulevard
Indianapolis, IN 46256
www.wiley.com

Copyright © 2007 by Ronald L. Krutz and Russell Dean Vines, Gibson, Pennsylvania, and White Plains, New York

Published by Wiley Publishing, Inc., Indianapolis, Indiana

Published simultaneously in Canada

ISBN-13: 978-0-470-00792-1
ISBN-10: 0-470-00792-3

Manufactured in the United States of America

10 9 8 7 6 5 4 3 2 1

3B/RY/RQ/QW/IN

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at http://www.wiley.com/go/permissions.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (800) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Library of Congress Cataloging-in-Publication Data:
Krutz, Ronald L., 1938-
The CISSP prep guide : platinum edition / Ronald L. Krutz, Russell Dean Vines. — 3rd ed.
p. cm.
ISBN-13: 978-0-470-00792-1 (cloth/cd-rom)
ISBN-10: 0-470-00792-3 (cloth/cd-rom)
1. Electronic data processing personnel—Certification. 2. Computer networks—Examinations—Study guides. 3. Computer networks—Security measures—Examinations—Study guides. I. Vines, Russell Dean, 1952- II. Title.
QA76.3.K78 2006
004.6'2—dc22
2006020712

Trademarks: Wiley, the Wiley logo, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. CISSP is a registered certification mark and CAP is a service mark of International Information Systems Security Certification Consortium, Inc. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

Dedicated to all the hours spent in play and new discoveries of this world through the eyes of my grandchildren in their innocence, honesty, and lack of skepticism.

To: Emma, Aaron, Ryan, and Patrick

—R.L.K.

Dedicated to all those who seek to make the Internet safe, private, and open to all.

—R.D.V.

About the Authors

RONALD L. KRUTZ, Ph.D., P.E., CISSP, ISSEP. Dr. Krutz is the Chief Knowledge Officer of Cybrinth, LLC, a firm that provides innovative information protection, analysis, assurance, and management services to government and the commercial sector. Prior to this position, Dr. Krutz was a Senior Information Security Researcher in the Advanced Technology Research Center of Lockheed Martin/Sytex, Inc. In this capacity he worked with a team responsible for advancing the state of the art in information systems security. He has more than 40 years of experience in distributed computing systems, computer architectures, real-time systems, information assurance methodologies, and information security training.

Dr. Krutz has been an information security consultant at REALTECH Systems Corporation and BAE Systems, an associate director of the Carnegie Mellon Research Institute (CMRI), and a professor in the Carnegie Mellon University Department of Electrical and Computer Engineering. Dr. Krutz founded the CMRI Cybersecurity Center and was founder and director of the CMRI Computer, Automation, and Robotics Group. He is a former lead instructor for the (ISC)2 CISSP Common Body of Knowledge review seminars. Dr. Krutz is also a Distinguished Special Lecturer in the Center for Forensic Computer Investigation at the University of New Haven, a part-time instructor in the University of Pittsburgh Department of Electrical and Computer Engineering, and a Registered Professional Engineer.

In addition to being a former lead instructor for the (ISC)2 CBK review seminars and contributing material to the CBK, Dr. Krutz is the author of nine best-selling publications in the area of information systems security, and is a consulting editor for John Wiley and Sons for its information security book series. Dr. Krutz holds B.S., M.S., and Ph.D. degrees in Electrical and Computer Engineering.

RUSSELL DEAN VINES, CISSP, CISM, Security +, CCNA, MCSE, MCNE. Mr. Vines is president and founder of The RDV Group Inc. (www.rdvgroup.com), a New York-based security consulting services firm. He has been active in the prevention, detection, and remediation of security vulnerabilities for international corporations, including government, finance, and new media organizations, for many years.

Mr. Vines holds high-level certifications in Cisco, 3Com, Ascend, Microsoft, and Novell technologies and is trained in the National Security Agency's ISSO Information Assessment Methodology. He has headed computer security departments and managed worldwide information systems networks for prominent technology, entertainment, and nonprofit corporations based in New York. He is the author of nine best-selling information system security publications, and is a consulting editor for John Wiley and Sons for its information security book series.

Mr. Vines's early professional years were illuminated not by the flicker of a computer monitor but by the bright lights of Nevada casino show rooms. After receiving a Down Beat magazine scholarship to Boston's Berklee College of Music, Mr. Vines performed as a sideman for a variety of well-known entertainers, including George Benson, John Denver, Sammy Davis Jr., and Dean Martin. Mr. Vines composed and arranged hundreds of pieces of jazz and contemporary music, recorded and performed by his own big band and others. He also founded and managed a scholastic music publishing company and worked as an artist-in-residence for the National Endowment for the Arts (NEA) in communities throughout the West. He still performs and teaches music in the New York City area and is a member of the American Federation of Musicians Local 802 and the International Association for Jazz Education. You can find Mr. Vines's blog at http://rdvgroup.blogspot.com.

Credits

Executive Editor: Carol Long
Development Editor: Rosanne Koneval
Production Editor: William A. Barton
Copy Editor: Publication Services, Inc.
Editorial Manager: Mary Beth Wakefield
Production Manager: Tim Tate
Vice President and Executive Group Publisher: Richard Swadley
Vice President and Executive Publisher: Joseph B. Wikert
Project Coordinator: Ryan Steffen
Graphics and Production Specialists: Lauren Goddard, Stephanie Jumper, Jennifer Mayberry, Lynsey Osborn
Quality Control Technicians: John Greenough, Jessica Kramer
Media Development Specialists: Angela Denny, Kit Malone, Travis Silvers
Proofreading: Nancy L. Reinhardt
Indexing: Techbooks

Contents

About the Authors vii
Foreword xxiii
Acknowledgments xxv
Introduction xxvii

Part 1 Focused Review of the CISSP Ten Domains 1

Chapter 1 Information Security and Risk Management 3
    Our Approach 4
    Security Management Concepts 5
    System Security Life Cycle 5
    The Three Fundamentals 6
    Other Important Concepts 7
    Objectives of Security Controls 10
    Information Classification Process 12
    Information Classification Objectives 12
    Information Classification Benefits 13
    Information Classification Concepts 13
    Information Classification Roles 16
    Security Policy Implementation 20
    Policies, Standards, Guidelines, and Procedures 20
    Roles and Responsibilities 25
    Risk Management and Assessment 27
    Principles of Risk Management 27
    RM Roles 30
    Overview of Risk Analysis 30
    Security Posture Assessment Methodologies 39
    Security Awareness 42
    Awareness 44
    Training and Education 45
    Assessment Questions 46

Chapter 2 Access Control 55
    Rationale 55
    Controls 56
    Models for Controlling Access 57
    Control Combinations 59
    Access Control Attacks 61
    Denial of Service/Distributed Denial of Service (DoS/DDoS) 61
    Back Door 62
    Spoofing 62
    Man-in-the-Middle 63
    Replay 63
    TCP Hijacking 63
    Social Engineering 64
    Dumpster Diving 64
    Password Guessing 65
    Software Exploitation 65
    Mobile Code 66
    Trojan Horses 66
    Logic Bomb 67
    System Scanning 67
    Penetration Testing 68
    Identification and Authentication 69
    Passwords 70
    Biometrics 72
    Single Sign-On (SSO) 74
    Kerberos 75
    Kerberos Operation 76
    SESAME 79
    KryptoKnight 79
    Access Control Methodologies 79
    Centralized Access Control 80
    Decentralized/Distributed Access Control 81
    Intrusion Detection 86
    Some Access Control Issues 88
    Assessment Questions 89

Chapter 3 Telecommunications and Network Security 95
    The C.I.A. Triad 96
    Confidentiality 96
    Integrity 96
    Availability 97
    Protocols 98
    The Layered Architecture Concept 98
    Open Systems Interconnect (OSI) Model 99
    Transmission Control Protocol/Internet Protocol (TCP/IP) 103
    LAN Technologies 110
    Ethernet 110
    ARCnet 112
    Token Ring 112
    Fiber Distributed Data Interface (FDDI) 113
    Cabling Types 113
    Coaxial Cable (Coax) 113
    Twisted Pair 114
    Fiber-Optic Cable 116
    Cabling Vulnerabilities 116
    Transmission Types 117
    Network Topologies 118
    Bus 118
    Ring 118
    Star 118
    Tree 120
    Mesh 120
    LAN Transmission Protocols 121
    Carrier-Sense Multiple Access (CSMA) 121
    Polling 122
    Token Passing 122
    Unicast, Multicast, Broadcast 123
    Networking Devices 123
    Hubs and Repeaters 123
    Bridges 124
    Spanning Tree 125
    Switches 125
    Transparent Bridging 125
    Routers 126
    VLANs 129
    Gateways 130
    LAN Extenders 130
    Firewall Types 130
    Packet-Filtering Firewalls 131
    Application-Level Firewalls 132
    Circuit-Level Firewalls 133
    Stateful Inspection Firewalls 133
    Firewall Architectures 133
    Packet-Filtering Routers 134
    Screened-Host Firewalls 134
    Dual-Homed Host Firewalls 134
    Screened-Subnet Firewalls 135
    SOCKS 137
    Common Data Network Services 137
    File Transfer Services 138
    SFTP 139
    SSH/SSH-2 139
    TFTP 140
    Data Network Types 140
    Wide Area Networks 141
    Internet 141
    Intranet 142
    Extranet 142
    WAN Technologies 142
    Dedicated Lines 142
    T-carriers 143
    WAN Switching 143
    Circuit-Switched Networks 143
    Packet-Switched Networks 144
    Other WAN Protocols 146
    Common WAN Devices 146
    Network Address Translation (NAT) 147
    Remote Access Technologies 149
    Remote Access Types 149
    Remote Access Security Methods 151
    Virtual Private Networking (VPN) 151
    RADIUS and TACACS 160
    Network Availability 162
    High Availability and Fault Tolerance 162
    Wireless Technologies 164
    IEEE Wireless Standards 164
    Bluetooth 170
    Wireless Application Protocol (WAP) 171
    Wireless Security 174
    Wireless Transport Layer Security Protocol 174
    WEP Encryption 175
    Wireless Vulnerabilities 175
    Intrusion Detection and Response 183
    Types of Intrusion Detection Systems 183
    IDS Approaches 184
    Honey Pots 186
    Computer Incident Response Team 187
    IDS and a Layered Security Approach 188
    IDS and Switches 188
    IDS Performance 190
    Network Attacks and Abuses 190
    Logon Abuse 190
    Inappropriate System Use 190
    Eavesdropping 191
    Network Intrusion 191
    Denial of Service (DoS) Attacks 192
    Session Hijacking Attacks 192
    Fragmentation Attacks 193
    Dial-Up Attacks 193
    Probing and Scanning 194
    Vulnerability Scanning 194
    Port Scanning 195
    Issues with Vulnerability Scanning 201
    Malicious Code 202
    Viruses 202
    Spyware 204
    Trojan Horses 210
    Remote Access Trojans (RATs) 211
    Logic Bombs 212
    Worms 212
    Malicious Code Prevention 212
    Web Security 214
    Phishing 214
    Browser Hijacking 214
    SSL/TLS 215
    S-HTTP 217
    Instant Messaging Security 217
    8.3 Naming Conventions 221
    Assessment Questions 222

Chapter 4 Cryptography 233
    Introduction 233
    Definitions 234
    Background 238
    Cryptographic Technologies 241
    Classical Ciphers 241
    Substitution 241
    Transposition (Permutation) 244
    Vernam Cipher (One-Time Pad) 244
    Book or Running-Key Cipher 245
    Codes 245
    Steganography 245
    Secret-Key Cryptography (Symmetric-Key) 246
    Data Encryption Standard (DES) 247
    Triple DES 251
    The Advanced Encryption Standard (AES) 252
    The Rijndael Block Cipher 253
    The Twofish Algorithm 254
    The IDEA Cipher 255
    RC5/RC6 255
    Public-Key (Asymmetric) Cryptosystems 255
    One-Way Functions 256
    Public-Key Algorithms 256
    Public-Key Cryptosystem Algorithm Categories 260
    Asymmetric and Symmetric Key Length Strength Comparisons 260
    Digital Signatures 260
    Digital Signature Standard (DSS) and Secure Hash Standard (SHS) 261
    MD5 262
    Sending a Message with a Digital Signature 263
    Hashed Message Authentication Code (HMAC) 263
    Hash Function Characteristics 264
    Cryptographic Attacks 264
    Public-Key Certification Systems 266
    Digital Certificates 266
    Public-Key Infrastructure (PKI) 267
    Approaches to Escrowed Encryption 273
    The Escrowed Encryption Standard 273
    Key Escrow Approaches Using Public-Key Cryptography 275
    Identity-Based Encryption 275
    Cryptographic Export Issues 277
    Quantum Computing 278
    E-mail Security Issues and Approaches 279
    Secure Multi-Purpose Internet Mail Extensions (S/MIME) 279
    MIME Object Security Services (MOSS) 279
    Privacy Enhanced Mail (PEM) 279
    Pretty Good Privacy (PGP) 280
    Internet Security Applications 281
    Message Authentication Code (MAC) or the Financial Institution Message Authentication Standard (FIMAS) 281
    Secure Electronic Transaction (SET) 281
    Secure Sockets Layer (SSL)/Transaction Layer Security (TLS) 281
    Internet Open Trading Protocol (IOTP) 282
    MONDEX 282
    IPSec 282
    Secure Hypertext Transfer Protocol (S-HTTP) 283
    Secure Shell (SSH-2) 284
    Wireless Security 284
    Wireless Application Protocol (WAP) 284
    The IEEE 802.11 Wireless Standard 286
    Assessment Questions 289

Chapter 5 Security Architecture and Design 297
    Computer Architecture 298
    Memory 299
    Instruction Execution Cycle 302
    Input/Output Structures 304
    Software 305
    Open and Closed Systems 307
    Distributed Architecture 307
    Protection Mechanisms 309
    Rings 310
    Logical Security Guard 311
    Enterprise Architecture Issues 311
    Security Labels 312
    Security Modes 312
    Additional Security Considerations 313
    Recovery Procedures 314
    Assurance 314
    Evaluation Criteria 315
    Certification and Accreditation 317
    DITSCAP and NIACAP 317
    The Systems Security Engineering Capability Maturity Model (SSE-CMM) 319
    Information Security Models 322
    Access Control Models 322
    Integrity Models 327
    Information Flow Models 329
    Assessment Questions 332

Chapter 6 Operations Security 339
    Operations Security Concepts 340
    Triples 340
    C.I.A. 340
    Controls and Protections 341
    Categories of Controls 341
    Orange Book Controls 342
    Operations Controls 358
    Monitoring and Auditing 365
    Monitoring 365
    Auditing 369
    Threats and Vulnerabilities 373
    Threats 373
    Vulnerabilities and Attacks 375
    Maintaining Resource Availability 376
    RAID 376
    RAID Levels 377
    Backup Concepts 378
    Operational E-Mail Security 382
    E-Mail Phishing 383
    Fax Security 387
    Assessment Questions 388

Chapter 7 Application Security 397
    Systems Engineering 398
    The System Life Cycle or System Development Life Cycle (SDLC) 398
    The Software Life Cycle Development Process 399
    The Waterfall Model 400
    The Spiral Model 403
    Cost Estimation Models 406
    Information Security and the Life Cycle Model 407
    Testing Issues 408
    The Software Maintenance Phase and the Change Control Process 408
    Configuration Management 409
    The Software Capability Maturity Model (CMM) 410
    Agile Methodology 412
    Object-Oriented Systems 413
    Artificial Intelligence Systems 417
    Expert Systems 417
    Neural Networks 419
    Genetic Algorithms 421
    Knowledge Management 421
    Database Systems 421
    Database Security Issues 422
    Data Warehouse and Data Mining 422
    Data Dictionaries 423
    Application Controls 423
    Distributed Systems 425
    Centralized Architecture 426
    Real-Time Systems 426
    Assessment Questions 427

Chapter 8 Business Continuity Planning and Disaster Recovery Planning 433
    Business Continuity Planning 435
    Continuity Disruptive Events 436
    The Four Prime Elements of BCP 437
    Disaster Recovery Planning (DRP) 446
    Goals and Objectives of DRP 446
    The Disaster Recovery Planning Process 447
    Testing the Disaster Recovery Plan 455
    Disaster Recovery Procedures 459
    Other Recovery Issues 461
    Assessment Questions 464

Chapter 9 Legal, Regulations, Compliance, and Investigations 473
    Types of Computer Crime 473
    Examples of Computer Crime 475
    Law 477
    Example: The United States 477
    Common Law System Categories 478
    Computer Security, Privacy, and Crime Laws 489
    Investigation 496
    Computer Investigation Issues 496
    Export Issues and Technology 502
    Liability 502
    Ethics 504
    (ISC)2 Code of Ethics 506
    The Computer Ethics Institute's Ten Commandments of Computer Ethics 506
    The Internet Architecture Board (IAB) Ethics and the Internet (RFC 1087) 507
    The U.S. Department of Health and Human Services Code of Fair Information Practices 507
    The Organization for Economic Cooperation and Development (OECD) 508
    Assessment Questions 510

Chapter 10 Physical (Environmental) Security 517
    Threats to Physical Security 518
    Controls for Physical Security 520
    Administrative Controls 520
    Environmental and Life Safety Controls 524
    Physical and Technical Controls 534
    Assessment Questions 550

Part 2 The Certification and Accreditation Professional (CAP) Credential 557

Chapter 11 Understanding Certification and Accreditation 559
    System Authorization 559
    A Select History of Systems Authorization 560
    More and More Standards 572
    What Is Certification and Accreditation? 572
    NIST C&A Documents 573
    C&A Roles and Responsibilities 573
    C&A Phases 577
    DIACAP Phases 578
    Assessment Questions 580

Chapter 12 Initiation of the System Authorization Process 585
    Security Categorization 586
    Identification of Information Types 588
    Potential Harmful Impact Levels 589
    Assignment of Impact Level Scores 590
    Assignment of System Impact Level 592
    Initial Risk Estimation 593
    Threat-Source Identification 594
    Threat Likelihood of Occurrence 597
    Analyzing for Vulnerabilities 597
    System Accreditation Boundary 601
    Legal and Regulatory Requirements 603
    Selection of Security Controls 603
    The Control Section 606
    The Supplemental Guidance Section 606
    The Control Enhancements Section 606
    Assurance 607
    Common and System-Specific Security Controls 608
    Security Controls and the Management of Organizational Risk 608
    Documenting Security Controls in the System Security Plan 610
    Assessment Questions 613

Chapter 13 The Certification Phase 621
    Security Control Assessment 622
    Prepare for the Assessment 622
    Conduct the Security Assessment 624
    Prepare the Security Assessment Report 624
    Security Certification Documentation 625
    Provide the Findings and Recommendations 625
    Update the System Security Plan 625
    Prepare the Plan of Action 626
    Assemble the Accreditation Package 626
    DITSCAP Certification Phases 627
    Phase 1: Definition 627
    The System Security Authorization Agreement (SSAA) 630
    SSAA Outline 630
    SSAA Additional Material 632
    The Requirements Traceability Matrix (RTM) 633
    Phase 2: Verification 635
    Key DITSCAP Roles 638
    DIACAP Certification Phases 639
    End of the Certification Phase 640
    Assessment Questions 641

Chapter 14 The Accreditation Phase 645
    Security Accreditation Decision 646
    Final Risk Assessment 646
    Accreditation Decision 647
    Security Accreditation Documentation 648
    Accreditation Package Transmission 648
    System Security Plan Update 649
    DITSCAP Accreditation Phases 649
    Phase 3: Validation 649
    Phase 4: Post Accreditation 653
    DIACAP Accreditation Phases 656
    End of the Accreditation Phase 657
    Assessment Questions 658

Chapter 15 Continuous Monitoring Process 663
    Continuous Monitoring 664
    Monitoring Security Controls 665
    Configuration Management and Control 669
    Environment Monitoring 670
    Documentation and Reporting 671
    Assessment Questions 673

Appendix A Answers to Assessment Questions 681

Appendix B Glossary of Terms and Acronyms 881

Appendix C The Information System Security Architecture Professional (ISSAP) Certification 945

Appendix D The Information System Security Engineering Professional (ISSEP) Certification 951

Appendix E The Information System Security Management Professional (ISSMP) Certification 1039

Appendix F Security Control Catalog 1075

Appendix G Control Baselines 1185

Index 1193

Foreword

In the years since its first edition, the CISSP Prep Guide has become a most valuable resource for people interested in pursuing the CISSP credential. It also has that rare quality of having withstood the test of time and continues to appear on bookshelves for reference purposes even for those who have earned the CISSP. We are happy and proud to be associated with the CISSP Prep Guide from the start.

We have been involved with dozens of situations in which the CISSP skill set has been at the core of what is needed in "security" events. The holistic body of knowledge mastered by a CISSP is designed to ensure that you will not suffer from a focus that is too narrow, yet it is oriented to detail in the critical areas. Today more than ever, IT professionals need credentials and expertise with the sophisticated tools that can be used to scour their companies' computers for signs of covert network connections, evidence showing unauthorized insider access to system resources, remnants from Web-based email sessions, or files that may have been used in unauthorized ways.

Many security issues today draw heavily from legal considerations that have to be taken into account before a company will make a decision. It has been our experience that advice and guidance from a person having the CISSP is reassuring because the credential serves as a badge of credibility in reassuring lawyers who advise companies. Many of the professionals we work with in industry and in government, including the FBI, have either obtained or are pursuing their CISSP.

As with other professional services, the CISSP makes his or her company stronger by the actions he or she takes day-to-day. However, sometimes events can escalate in some situations where there are indications of intentional wrongdoing. Those situations, when they arise, almost always cause legal options to be explored. The CISSP brings great credibility to those discussions.

The actions taken each day by CISSPs to maintain and keep current the security of the systems they oversee are vitally important and will help avoid ever having to confront such a disruptive event. We encourage you to draw from the CISSP and CAP Prep Guide as you prepare for the CISSP test, and thereafter as you improve the security of the organizations you serve.

Edward M. Stroz is Managing Partner of Stroz Friedberg, LLC, a consulting and professional services firm dedicated to expertise in computer forensics, computer crimes investigations, and security. Before founding the firm in 2000, he spent 16 years with the FBI, where he formed and supervised the computer crime squad in the New York field office.

Aaron Stanley, CISSP, is Director of Information Technology at Stroz Friedberg, LLC. An accomplished investigator, security consultant, and IT manager, he led many of the initiatives discussed in the case study above.

Page 27: The CISSP and CAP Prep Guide: Platinum Edition · CISSP, CISM, Security +, CCNA, MCSE, MCNE The CISSP® and CAP CM Prep Guide: Platinum Edition ... Objectives of Security Controls

Acknowledgments

I want to thank my wife, Hilda, for her continuous support and guidance during this project.

—R.L.K.

I would like to thank Dr. David Altcheck and Dr. Lawrence Levin, who have brought the joy of mobility back into my life. And to all my friends, and especially my wife, Elzy, for their continual support.

—R.D.V.

Both authors would like to express a special thanks to Carol Long and Rosanne Koneval of John Wiley and Sons for their support and assistance in developing this text.


Introduction

The need to protect information resources has produced a demand for information systems security professionals. Along with this demand came a need to ensure that these professionals possess the knowledge to perform the required job functions. To address this need, the Certified Information Systems Security Professional (CISSP) certification emerged. This certification guarantees to all parties that the certified individual meets the standard criteria of knowledge and continues to upgrade that knowledge in the field of information systems security. The CISSP initiative also serves to enhance the recognition and reputation of the field of information security.

Realizing the importance of certification and accreditation to the global security effort, the U.S. Department of State’s Office of Information Assurance and (ISC)2 have collaborated to develop a credential for the Certification and Accreditation Professional (CAP). The CAP credential is an objective measure of the knowledge, skills and abilities required for personnel involved in the Certification and Accreditation process. Specifically, the credential applies to professionals responsible for formalizing the processes used to assess risk and establish security requirements, as well as for ensuring that information systems possess security commensurate with their level of exposure to potential risk. CAP is a fully independent credential, meaning that it is on the same level as the CISSP and SSCP credentials. It does not require CISSP certification as the advanced concentrations (ISSAP, ISSEP, and ISSMP) do. The reader for the CAP portion of the book, as defined by (ISC)2, should have some experience in one or more of a number of areas, including:

■■ IT security

■■ Information assurance

■■ Certification

■■ Information risk management

■■ 1–2 years of general technical experience

■■ System administration

■■ Information security policy

■■ Technical or auditing experience

■■ Familiarity with NIST documentation

For the CISSP who wishes to concentrate in information systems security for U.S. federal information systems, the CISSP Information System Security Engineering Professional (ISSEP) concentration certification has been established. This certification is particularly relevant for efforts in conjunction with the National Security Agency (NSA) and with other U.S. government agencies. The ISSEP concentration addresses four additional areas related to U.S. Government information assurance, particularly NSA information assurance. These four areas are:

■■ Systems Security Engineering

■■ Certification and Accreditation

■■ Technical Management

■■ U.S. Government Information Assurance Regulations

The ISSAP Certification is defined by (ISC)2 as the CISSP concentration area that is designed to denote competence and expertise in information security architecture, telecommunications, preservation of business operations, and related security issues. To qualify for and obtain the ISSAP certification, the candidate must possess the CISSP credential, sit for and pass the ISSAP examination, and maintain the ISSAP credential in good standing.

The ISSMP Certification is defined by (ISC)2 as the CISSP concentration area that is designed to denote competence and expertise in information security management. The ISSMP certification and examination cover enterprise security management, enterprisewide systems development, compliance of operations security, business continuity planning (BCP), disaster recovery planning (DRP), continuity of operations planning (COOP), and law, investigation, forensics, and ethics.

The material relevant to the ISSEP, ISSAP, and ISSMP certifications is presented in Appendices C, D, and E of this text.

The primary audience for the material in this book includes:

■■ Professionals working in the fields of information technology or information system security

■■ Computer forensics professionals
