Ronald L. Krutz, Ph.D., P.E., CISSP, ISSEP
Russell Dean Vines, CISSP, CISM, Security+, CCNA, MCSE, MCNE

The CISSP® and CAP℠ Prep Guide: Platinum Edition
The CISSP® and CAP℠ Prep Guide: Platinum Edition

Published by
Wiley Publishing, Inc.
10475 Crosspoint Boulevard
Indianapolis, IN 46256
www.wiley.com

Copyright © 2007 by Ronald L. Krutz and Russell Dean Vines, Gibson, Pennsylvania, and White Plains, New York

Published by Wiley Publishing, Inc., Indianapolis, Indiana
Published simultaneously in Canada

ISBN-13: 978-0-470-00792-1
ISBN-10: 0-470-00792-3

Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
3B/RY/RQ/QW/IN

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at http://www.wiley.com/go/permissions.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (800) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Library of Congress Cataloging-in-Publication Data:
Krutz, Ronald L., 1938-
The CISSP prep guide : platinum edition / Ronald L. Krutz, Russell Dean Vines. — 3rd ed.
p. cm.
ISBN-13: 978-0-470-00792-1 (cloth/cd-rom)
ISBN-10: 0-470-00792-3 (cloth/cd-rom)
1. Electronic data processing personnel—Certification. 2. Computer networks—Examinations—Study guides. 3. Computer networks—Security measures—Examinations—Study guides. I. Vines, Russell Dean, 1952- II. Title.
QA76.3.K78 2006
004.6’2—dc22
2006020712

Trademarks: Wiley, the Wiley logo, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. CISSP is a registered certification mark and CAP is a service mark of International Information Systems Security Certification Consortium, Inc. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.
Dedicated to all the hours spent in play and new discoveries of this world through the eyes of my grandchildren in their innocence, honesty, and lack of skepticism.
To: Emma, Aaron, Ryan, and Patrick
—R.L.K.

Dedicated to all those who seek to make the Internet safe, private, and open to all.
—R.D.V.
About the Authors

RONALD L. KRUTZ, Ph.D., P.E., CISSP, ISSEP. Dr. Krutz is the Chief Knowledge Officer of Cybrinth, LLC, a firm that provides innovative information protection, analysis, assurance, and management services to government and the commercial sector. Prior to this position, Dr. Krutz was a Senior Information Security Researcher in the Advanced Technology Research Center of Lockheed Martin/Sytex, Inc. In this capacity he worked with a team responsible for advancing the state of the art in information systems security. He has more than 40 years of experience in distributed computing systems, computer architectures, real-time systems, information assurance methodologies, and information security training.

Dr. Krutz has been an information security consultant at REALTECH Systems Corporation and BAE Systems, an associate director of the Carnegie Mellon Research Institute (CMRI), and a professor in the Carnegie Mellon University Department of Electrical and Computer Engineering. Dr. Krutz founded the CMRI Cybersecurity Center and was founder and director of the CMRI Computer, Automation, and Robotics Group. He is a former lead instructor for the (ISC)2 CISSP Common Body of Knowledge review seminars. Dr. Krutz is also a Distinguished Special Lecturer in the Center for Forensic Computer Investigation at the University of New Haven, a part-time instructor in the University of Pittsburgh Department of Electrical and Computer Engineering, and a Registered Professional Engineer.

In addition to being a former lead instructor for the (ISC)2 CBK review seminars and contributing material to the CBK, Dr. Krutz is the author of nine best-selling publications in the area of information systems security, and is a consulting editor for John Wiley and Sons for its information security book series. Dr. Krutz holds B.S., M.S., and Ph.D. degrees in Electrical and Computer Engineering.

RUSSELL DEAN VINES, CISSP, CISM, Security+, CCNA, MCSE, MCNE. Mr. Vines is president and founder of The RDV Group Inc. (www.rdvgroup.com), a New York-based security consulting services firm. He has been active in the prevention, detection, and remediation of security vulnerabilities for international corporations, including government, finance, and new media organizations, for many years.

Mr. Vines holds high-level certifications in Cisco, 3Com, Ascend, Microsoft, and Novell technologies and is trained in the National Security Agency’s ISSO Information Assessment Methodology. He has headed computer security departments and managed worldwide information systems networks for prominent technology, entertainment, and nonprofit corporations based in New York. He is the author of nine best-selling information system security publications, and is a consulting editor for John Wiley and Sons for its information security book series.

Mr. Vines’s early professional years were illuminated not by the flicker of a computer monitor but by the bright lights of Nevada casino show rooms. After receiving a Down Beat magazine scholarship to Boston’s Berklee College of Music, Mr. Vines performed as a sideman for a variety of well-known entertainers, including George Benson, John Denver, Sammy Davis Jr., and Dean Martin. Mr. Vines composed and arranged hundreds of pieces of jazz and contemporary music, recorded and performed by his own big band and others. He also founded and managed a scholastic music publishing company and worked as an artist-in-residence for the National Endowment for the Arts (NEA) in communities throughout the West. He still performs and teaches music in the New York City area and is a member of the American Federation of Musicians Local 802 and the International Association for Jazz Education. You can find Mr. Vines’s blog at http://rdvgroup.blogspot.com.
Credits

Executive Editor: Carol Long
Development Editor: Rosanne Koneval
Production Editor: William A. Barton
Copy Editor: Publication Services, Inc.
Editorial Manager: Mary Beth Wakefield
Production Manager: Tim Tate
Vice President and Executive Group Publisher: Richard Swadley
Vice President and Executive Publisher: Joseph B. Wikert
Project Coordinator: Ryan Steffen
Graphics and Production Specialists: Lauren Goddard, Stephanie Jumper, Jennifer Mayberry, Lynsey Osborn
Quality Control Technicians: John Greenough, Jessica Kramer
Media Development Specialists: Angela Denny, Kit Malone, Travis Silvers
Proofreading: Nancy L. Reinhardt
Indexing: Techbooks
Contents

About the Authors vii
Foreword xxiii
Acknowledgments xxv
Introduction xxvii

Part 1 Focused Review of the CISSP Ten Domains 1

Chapter 1 Information Security and Risk Management 3
  Our Approach 4
  Security Management Concepts 5
    System Security Life Cycle 5
    The Three Fundamentals 6
    Other Important Concepts 7
    Objectives of Security Controls 10
  Information Classification Process 12
    Information Classification Objectives 12
    Information Classification Benefits 13
    Information Classification Concepts 13
    Information Classification Roles 16
  Security Policy Implementation 20
    Policies, Standards, Guidelines, and Procedures 20
    Roles and Responsibilities 25
  Risk Management and Assessment 27
    Principles of Risk Management 27
    RM Roles 30
    Overview of Risk Analysis 30
    Security Posture Assessment Methodologies 39
  Security Awareness 42
    Awareness 44
    Training and Education 45
  Assessment Questions 46

Chapter 2 Access Control 55
  Rationale 55
  Controls 56
    Models for Controlling Access 57
    Control Combinations 59
  Access Control Attacks 61
    Denial of Service/Distributed Denial of Service (DoS/DDoS) 61
    Back Door 62
    Spoofing 62
    Man-in-the-Middle 63
    Replay 63
    TCP Hijacking 63
    Social Engineering 64
    Dumpster Diving 64
    Password Guessing 65
    Software Exploitation 65
    Mobile Code 66
    Trojan Horses 66
    Logic Bomb 67
    System Scanning 67
  Penetration Testing 68
  Identification and Authentication 69
    Passwords 70
    Biometrics 72
  Single Sign-On (SSO) 74
    Kerberos 75
    Kerberos Operation 76
    SESAME 79
    KryptoKnight 79
  Access Control Methodologies 79
    Centralized Access Control 80
    Decentralized/Distributed Access Control 81
    Intrusion Detection 86
    Some Access Control Issues 88
  Assessment Questions 89

Chapter 3 Telecommunications and Network Security 95
  The C.I.A. Triad 96
    Confidentiality 96
    Integrity 96
    Availability 97
  Protocols 98
    The Layered Architecture Concept 98
    Open Systems Interconnect (OSI) Model 99
    Transmission Control Protocol/Internet Protocol (TCP/IP) 103
  LAN Technologies 110
    Ethernet 110
    ARCnet 112
    Token Ring 112
    Fiber Distributed Data Interface (FDDI) 113
  Cabling Types 113
    Coaxial Cable (Coax) 113
    Twisted Pair 114
    Fiber-Optic Cable 116
    Cabling Vulnerabilities 116
    Transmission Types 117
  Network Topologies 118
    Bus 118
    Ring 118
    Star 118
    Tree 120
    Mesh 120
  LAN Transmission Protocols 121
    Carrier-Sense Multiple Access (CSMA) 121
    Polling 122
    Token Passing 122
    Unicast, Multicast, Broadcast 123
  Networking Devices 123
    Hubs and Repeaters 123
    Bridges 124
    Spanning Tree 125
    Switches 125
    Transparent Bridging 125
    Routers 126
    VLANs 129
    Gateways 130
    LAN Extenders 130
  Firewall Types 130
    Packet-Filtering Firewalls 131
    Application-Level Firewalls 132
    Circuit-Level Firewalls 133
    Stateful Inspection Firewalls 133
  Firewall Architectures 133
    Packet-Filtering Routers 134
    Screened-Host Firewalls 134
    Dual-Homed Host Firewalls 134
    Screened-Subnet Firewalls 135
    SOCKS 137
  Common Data Network Services 137
    File Transfer Services 138
    SFTP 139
    SSH/SSH-2 139
    TFTP 140
  Data Network Types 140
    Wide Area Networks 141
    Internet 141
    Intranet 142
    Extranet 142
  WAN Technologies 142
    Dedicated Lines 142
    T-carriers 143
    WAN Switching 143
    Circuit-Switched Networks 143
    Packet-Switched Networks 144
    Other WAN Protocols 146
    Common WAN Devices 146
    Network Address Translation (NAT) 147
  Remote Access Technologies 149
    Remote Access Types 149
    Remote Access Security Methods 151
    Virtual Private Networking (VPN) 151
    RADIUS and TACACS 160
  Network Availability 162
    High Availability and Fault Tolerance 162
  Wireless Technologies 164
    IEEE Wireless Standards 164
    Bluetooth 170
    Wireless Application Protocol (WAP) 171
  Wireless Security 174
    Wireless Transport Layer Security Protocol 174
    WEP Encryption 175
    Wireless Vulnerabilities 175
  Intrusion Detection and Response 183
    Types of Intrusion Detection Systems 183
    IDS Approaches 184
    Honey Pots 186
    Computer Incident Response Team 187
    IDS and a Layered Security Approach 188
    IDS and Switches 188
    IDS Performance 190
  Network Attacks and Abuses 190
    Logon Abuse 190
    Inappropriate System Use 190
    Eavesdropping 191
    Network Intrusion 191
    Denial of Service (DoS) Attacks 192
    Session Hijacking Attacks 192
    Fragmentation Attacks 193
    Dial-Up Attacks 193
  Probing and Scanning 194
    Vulnerability Scanning 194
    Port Scanning 195
    Issues with Vulnerability Scanning 201
  Malicious Code 202
    Viruses 202
    Spyware 204
    Trojan Horses 210
    Remote Access Trojans (RATs) 211
    Logic Bombs 212
    Worms 212
    Malicious Code Prevention 212
  Web Security 214
    Phishing 214
    Browser Hijacking 214
    SSL/TLS 215
    S-HTTP 217
    Instant Messaging Security 217
    8.3 Naming Conventions 221
  Assessment Questions 222

Chapter 4 Cryptography 233
  Introduction 233
  Definitions 234
  Background 238
  Cryptographic Technologies 241
  Classical Ciphers 241
    Substitution 241
    Transposition (Permutation) 244
    Vernam Cipher (One-Time Pad) 244
    Book or Running-Key Cipher 245
    Codes 245
    Steganography 245
  Secret-Key Cryptography (Symmetric-Key) 246
    Data Encryption Standard (DES) 247
    Triple DES 251
    The Advanced Encryption Standard (AES) 252
    The Rijndael Block Cipher 253
    The Twofish Algorithm 254
    The IDEA Cipher 255
    RC5/RC6 255
  Public-Key (Asymmetric) Cryptosystems 255
    One-Way Functions 256
    Public-Key Algorithms 256
    Public-Key Cryptosystem Algorithm Categories 260
    Asymmetric and Symmetric Key Length Strength Comparisons 260
    Digital Signatures 260
    Digital Signature Standard (DSS) and Secure Hash Standard (SHS) 261
    MD5 262
    Sending a Message with a Digital Signature 263
    Hashed Message Authentication Code (HMAC) 263
    Hash Function Characteristics 264
  Cryptographic Attacks 264
  Public-Key Certification Systems 266
    Digital Certificates 266
    Public-Key Infrastructure (PKI) 267
  Approaches to Escrowed Encryption 273
    The Escrowed Encryption Standard 273
    Key Escrow Approaches Using Public-Key Cryptography 275
  Identity-Based Encryption 275
  Cryptographic Export Issues 277
  Quantum Computing 278
  E-mail Security Issues and Approaches 279
    Secure Multi-Purpose Internet Mail Extensions (S/MIME) 279
    MIME Object Security Services (MOSS) 279
    Privacy Enhanced Mail (PEM) 279
    Pretty Good Privacy (PGP) 280
  Internet Security Applications 281
    Message Authentication Code (MAC) or the Financial Institution Message Authentication Standard (FIMAS) 281
    Secure Electronic Transaction (SET) 281
    Secure Sockets Layer (SSL)/Transaction Layer Security (TLS) 281
    Internet Open Trading Protocol (IOTP) 282
    MONDEX 282
    IPSec 282
    Secure Hypertext Transfer Protocol (S-HTTP) 283
    Secure Shell (SSH-2) 284
  Wireless Security 284
    Wireless Application Protocol (WAP) 284
    The IEEE 802.11 Wireless Standard 286
  Assessment Questions 289

Chapter 5 Security Architecture and Design 297
  Computer Architecture 298
    Memory 299
    Instruction Execution Cycle 302
    Input/Output Structures 304
    Software 305
    Open and Closed Systems 307
    Distributed Architecture 307
  Protection Mechanisms 309
    Rings 310
    Logical Security Guard 311
    Enterprise Architecture Issues 311
    Security Labels 312
    Security Modes 312
    Additional Security Considerations 313
    Recovery Procedures 314
  Assurance 314
    Evaluation Criteria 315
    Certification and Accreditation 317
    DITSCAP and NIACAP 317
    The Systems Security Engineering Capability Maturity Model (SSE-CMM) 319
  Information Security Models 322
    Access Control Models 322
    Integrity Models 327
    Information Flow Models 329
  Assessment Questions 332

Chapter 6 Operations Security 339
  Operations Security Concepts 340
    Triples 340
    C.I.A. 340
  Controls and Protections 341
    Categories of Controls 341
    Orange Book Controls 342
    Operations Controls 358
  Monitoring and Auditing 365
    Monitoring 365
    Auditing 369
  Threats and Vulnerabilities 373
    Threats 373
    Vulnerabilities and Attacks 375
  Maintaining Resource Availability 376
    RAID 376
    RAID Levels 377
    Backup Concepts 378
  Operational E-Mail Security 382
    E-Mail Phishing 383
  Fax Security 387
  Assessment Questions 388

Chapter 7 Application Security 397
  Systems Engineering 398
  The System Life Cycle or System Development Life Cycle (SDLC) 398
  The Software Life Cycle Development Process 399
    The Waterfall Model 400
    The Spiral Model 403
    Cost Estimation Models 406
    Information Security and the Life Cycle Model 407
    Testing Issues 408
    The Software Maintenance Phase and the Change Control Process 408
    Configuration Management 409
  The Software Capability Maturity Model (CMM) 410
  Agile Methodology 412
  Object-Oriented Systems 413
  Artificial Intelligence Systems 417
    Expert Systems 417
    Neural Networks 419
    Genetic Algorithms 421
  Knowledge Management 421
  Database Systems 421
    Database Security Issues 422
    Data Warehouse and Data Mining 422
    Data Dictionaries 423
  Application Controls 423
  Distributed Systems 425
    Centralized Architecture 426
    Real-Time Systems 426
  Assessment Questions 427

Chapter 8 Business Continuity Planning and Disaster Recovery Planning 433
  Business Continuity Planning 435
    Continuity Disruptive Events 436
    The Four Prime Elements of BCP 437
  Disaster Recovery Planning (DRP) 446
    Goals and Objectives of DRP 446
    The Disaster Recovery Planning Process 447
    Testing the Disaster Recovery Plan 455
    Disaster Recovery Procedures 459
    Other Recovery Issues 461
  Assessment Questions 464

Chapter 9 Legal, Regulations, Compliance, and Investigations 473
  Types of Computer Crime 473
  Examples of Computer Crime 475
  Law 477
    Example: The United States 477
    Common Law System Categories 478
    Computer Security, Privacy, and Crime Laws 489
  Investigation 496
    Computer Investigation Issues 496
  Export Issues and Technology 502
  Liability 502
  Ethics 504
    (ISC)2 Code of Ethics 506
    The Computer Ethics Institute’s Ten Commandments of Computer Ethics 506
    The Internet Architecture Board (IAB) Ethics and the Internet (RFC 1087) 507
    The U.S. Department of Health and Human Services Code of Fair Information Practices 507
    The Organization for Economic Cooperation and Development (OECD) 508
  Assessment Questions 510

Chapter 10 Physical (Environmental) Security 517
  Threats to Physical Security 518
  Controls for Physical Security 520
    Administrative Controls 520
    Environmental and Life Safety Controls 524
    Physical and Technical Controls 534
  Assessment Questions 550

Part 2 The Certification and Accreditation Professional (CAP) Credential 557

Chapter 11 Understanding Certification and Accreditation 559
  System Authorization 559
    A Select History of Systems Authorization 560
    More and More Standards 572
  What Is Certification and Accreditation? 572
    NIST C&A Documents 573
    C&A Roles and Responsibilities 573
    C&A Phases 577
    DIACAP Phases 578
  Assessment Questions 580

Chapter 12 Initiation of the System Authorization Process 585
  Security Categorization 586
    Identification of Information Types 588
    Potential Harmful Impact Levels 589
    Assignment of Impact Level Scores 590
    Assignment of System Impact Level 592
  Initial Risk Estimation 593
    Threat-Source Identification 594
    Threat Likelihood of Occurrence 597
    Analyzing for Vulnerabilities 597
  System Accreditation Boundary 601
  Legal and Regulatory Requirements 603
  Selection of Security Controls 603
    The Control Section 606
    The Supplemental Guidance Section 606
    The Control Enhancements Section 606
    Assurance 607
    Common and System-Specific Security Controls 608
    Security Controls and the Management of Organizational Risk 608
  Documenting Security Controls in the System Security Plan 610
  Assessment Questions 613

Chapter 13 The Certification Phase 621
  Security Control Assessment 622
    Prepare for the Assessment 622
    Conduct the Security Assessment 624
    Prepare the Security Assessment Report 624
  Security Certification Documentation 625
    Provide the Findings and Recommendations 625
    Update the System Security Plan 625
    Prepare the Plan of Action 626
    Assemble the Accreditation Package 626
  DITSCAP Certification Phases 627
    Phase 1: Definition 627
    The System Security Authorization Agreement (SSAA) 630
    SSAA Outline 630
    SSAA Additional Material 632
    The Requirements Traceability Matrix (RTM) 633
    Phase 2: Verification 635
    Key DITSCAP Roles 638
  DIACAP Certification Phases 639
  End of the Certification Phase 640
  Assessment Questions 641

Chapter 14 The Accreditation Phase 645
  Security Accreditation Decision 646
    Final Risk Assessment 646
    Accreditation Decision 647
  Security Accreditation Documentation 648
    Accreditation Package Transmission 648
    System Security Plan Update 649
  DITSCAP Accreditation Phases 649
    Phase 3: Validation 649
    Phase 4: Post Accreditation 653
  DIACAP Accreditation Phases 656
  End of the Accreditation Phase 657
  Assessment Questions 658

Chapter 15 Continuous Monitoring Process 663
  Continuous Monitoring 664
    Monitoring Security Controls 665
    Configuration Management and Control 669
    Environment Monitoring 670
    Documentation and Reporting 671
  Assessment Questions 673

Appendix A Answers to Assessment Questions 681
Appendix B Glossary of Terms and Acronyms 881
Appendix C The Information System Security Architecture Professional (ISSAP) Certification 945
Appendix D The Information System Security Engineering Professional (ISSEP) Certification 951
Appendix E The Information System Security Management Professional (ISSMP) Certification 1039
Appendix F Security Control Catalog 1075
Appendix G Control Baselines 1185
Index 1193
Foreword

In the years since its first edition, the CISSP Prep Guide has become a most valuable resource for people interested in pursuing the CISSP credential. It also has that rare quality of having withstood the test of time and continues to appear on bookshelves for reference purposes even for those who have earned the CISSP. We are happy and proud to be associated with the CISSP Prep Guide from the start.

We have been involved with dozens of situations in which the CISSP skill set has been at the core of what is needed in “security” events. The holistic body of knowledge mastered by a CISSP is designed to ensure that you will not suffer from a focus that is too narrow, yet it is oriented to detail in the critical areas. Today more than ever, IT professionals need credentials and expertise with the sophisticated tools that can be used to scour their companies’ computers for signs of covert network connections, evidence showing unauthorized insider access to system resources, remnants from Web-based email sessions, or files that may have been used in unauthorized ways.

Many security issues today draw heavily from legal considerations that have to be taken into account before a company will make a decision. It has been our experience that advice and guidance from a person having the CISSP is reassuring because the credential serves as a badge of credibility in reassuring lawyers who advise companies. Many of the professionals we work with in industry and in government, including the FBI, have either obtained or are pursuing their CISSP.

As with other professional services, the CISSP makes his or her company stronger by the actions he or she takes day-to-day. However, sometimes events can escalate in some situations where there are indications of intentional wrongdoing. Those situations, when they arise, almost always cause legal options to be explored. The CISSP brings great credibility to those discussions.

The actions taken each day by CISSPs to maintain and keep current the security of the systems they oversee are vitally important and will help avoid ever having to confront such a disruptive event. We encourage you to draw from the CISSP and CAP Prep Guide as you prepare for the CISSP test, and thereafter as you improve the security of the organizations you serve.

Edward M. Stroz is Managing Partner of Stroz Friedberg, LLC, a consulting and professional services firm dedicated to expertise in computer forensics, computer crimes investigations, and security. Before founding the firm in 2000, he spent 16 years with the FBI, where he formed and supervised the computer crime squad in the New York field office.

Aaron Stanley, CISSP, is Director of Information Technology at Stroz Friedberg, LLC. An accomplished investigator, security consultant, and IT manager, he led many of the initiatives discussed in the case study above.
Acknowledgments

I want to thank my wife, Hilda, for her continuous support and guidance during this project.
—R.L.K.

I would like to thank Dr. David Altcheck and Dr. Lawrence Levin, who have brought the joy of mobility back into my life. And to all my friends, and especially my wife, Elzy, for their continual support.
—R.D.V.

Both authors would like to express a special thanks to Carol Long and Rosanne Koneval of John Wiley and Sons for their support and assistance in developing this text.
Introduction

The need to protect information resources has produced a demand for information systems security professionals. Along with this demand came a need to ensure that these professionals possess the knowledge to perform the required job functions. To address this need, the Certified Information Systems Security Professional (CISSP) certification emerged. This certification guarantees to all parties that the certified individual meets the standard criteria of knowledge and continues to upgrade that knowledge in the field of information systems security. The CISSP initiative also serves to enhance the recognition and reputation of the field of information security.

Realizing the importance of certification and accreditation to the global security effort, the U.S. Department of State’s Office of Information Assurance and (ISC)2 have collaborated to develop a credential for the Certification and Accreditation Professional (CAP). The CAP credential is an objective measure of the knowledge, skills and abilities required for personnel involved in the Certification and Accreditation process. Specifically, the credential applies to professionals responsible for formalizing processes used to assess risk and establish security requirements, as well as ensure information systems possess security commensurate with the level of exposure to potential risk. CAP is a fully independent credential, meaning that it is on the same level as the CISSP and SSCP credentials. It does not require CISSP certification as the advanced concentrations do (ISSAP, ISSEP, and ISSMP). The reader for the CAP portion of the book, as defined by (ISC)2, should have some experience in one or more of a number of areas, including:

■ IT security
■ Information assurance
■ Certification
■ Information risk management
■ 1–2 years of general technical experience
■ System administration
■ Information security policy
■ Technical or auditing experience
■ Familiarity with NIST documentation

For the CISSP who wishes to concentrate in information systems security for U.S. federal information systems, the CISSP Information System Security Engineering Professional (ISSEP℠) concentration certification has been established. This certification is particularly relevant for efforts in conjunction with the National Security Agency (NSA) and with other U.S. government agencies. The ISSEP concentration addresses four additional areas related to U.S. Government information assurance, particularly NSA information assurance. These four areas are:

■ Systems Security Engineering
■ Certification and Accreditation
■ Technical Management
■ U.S. Government Information Assurance Regulations

The ISSAP Certification is defined by (ISC)2 as the CISSP concentration area that is designed to denote competence and expertise in information security architecture, telecommunications, preservation of business operations, and related security issues. To qualify for and obtain the ISSAP certification, the candidate must possess the CISSP credential, sit for and pass the ISSAP examination, and maintain the ISSAP credential in good standing.

The ISSMP Certification is defined by (ISC)2 as the CISSP concentration area that is designed to denote competence and expertise in information security management. The ISSMP certification and examination cover enterprise security management, enterprisewide systems development, compliance of operations security, business continuity planning (BCP), disaster recovery planning (DRP), continuity of operations planning (COOP), and law, investigation, forensics, and ethics.

The material relevant to the ISSEP, ISSAP, and ISSMP certifications is presented in Appendices C, D, and E of this text.

The primary audience for the material in this book includes:

■ Professionals working in the fields of information technology or information system security
■ Computer forensics professionals