InCert Network Security Professional Certificate Description for Candidates

Transcription

1 TUT / T. Kelo, J. Koskinen / InCert The 2nd handbook Version 1.5 InCert Network Security Professional Certificate Description for Candidates Introduction InCert Network Security Professional is a certification awarded by the InCert consortium to individuals who pass a demanding examination. An InCert Network Security Professional, or ICNSP for short, is capable of taking responsibility of the security of a computer network that is connected to the Internet. In particular this means that if you are already able to (i) design, or (ii) build, or (iii) maintain technically, or (iv) administer a computer network, your ICNSP examination will assure your current or future employer that you have the knowledge and skills necessary for carrying out the corresponding task in a secure way. The certification exam is vendor neutral and computer based, but enters such practical levels, that an ICNSP can quickly adapt to the specialities of the products in a new working place. This document describes knowledge and skills required for passing the ICNSP certification exam. For a more general description about the tasks in enterprises that ICNSPs are capable of handling, see the document InCert Network Security Professional Competences of the Certificate Possessors and Their Role in a Company. For more details on the requirements see sample exam questions at Consult this site also for administrative procedures for enrolment and for examination locations and dates. Overview of the required competence There are some prerequisites that are not directly assessed in the exam: 1. Basics of networking: IP addressing, routing, LAN, WAN, VLAN, WLAN 2. Basics of information security: concepts, technologies, management issues 3. Basic English language comprehension skills. In principle, with a lot of luck and extensive learning by rote it could be possible to pass the examination without satisfying the prerequisites 1 and 2. There are two other InCert certificates that would serve well the purpose of these two areas, namely Intranet/Internet technology and Information security (cf. These prerequisites do not require work experience and they can of course be achieved also otherwise than through certification. There are broadly six kinds of work that a network security professional needs to be familiar with. These task areas are: 1. Preparations for defence: plan, define policies, measure, analyze, make contracts, rehearse, 2. Building countermeasures: procure, install, configure, test, 3. Daily operations: update, monitor, tune, administer, 4. Reacting to incidents: fight, recover, trace, 1

2 5. Learning and growing, not only from incidents, but generally: attacks, tools, methods, efficiency, ethics, 6. Various communicative tasks within all other task areas: documentation; with managers, team, users, outside interest groups; educational tasks, Your preparedness to deal with these tasks will be examined rather evenly with slight emphasis on the areas 1 and 2. This will happen within the following five concrete competence areas that form the main categories of the examination questions. I. Security threats in networks (20 %) II. Using, applying and evaluating the defence arsenal (30 %) III. Good practices in network security design (21 %) IV. Administrative and organizational defences of network security (21 %) V. Legislation of network security related issues (8 %) There will be altogether 200 questions divided among these categories according to the percentages mentioned in the list. So, for instance, the category II is the largest one and it will be represented by 60 questions, and among them there will be roughly 10 questions for each of the task areas 1 6. The questions are either MCQs or VSQs: The MCQs are multiple choice questions with four options, out of which one is correct. The VSQs are value submission questions, where you are supposed to answer with a numeric or textual value. A vast majority of the questions are MCQs. Details of the required competence This section presents a long but rather condensed listing of topics that are included in the examination. You can expect about two questions for each of the lowest level bullets (either o or ). Some of these are further divided to show the variety of topics that can appear in the questions. Still, a list of this length cannot be exhaustive. For instance terms ESP, AH, and SA are not shown even if they are essential parts of IPsec and will appear in exam questions. A categorization like this somewhat simplifies the requirements, because it hides many essential logical connections. To mitigate this, some terms (like PKI, VPN, IDS) are repeated in several contexts. I Security threats in networks The ICNSP must be able to protect a computer network against a wide spectrum of security threats. The first category in the examination concentrates on the foundation of this task, the threats and their targets. The other categories of course revisit them when dealing with various protections and addressing more concretely what is being protected. There is, however, a large body of general knowledge about threats that the ICNSP must possess before the more specific knowledge and skills are really useful. So, the questions in this category mainly require you to recognize threat models inner and outer threats attack types (authentication failures protocol failures information leakage denial of service stealing passwords social engineering bugs and back doors ) 2

3 attackers (hackers spies terrorists corporate raiders professional criminals vandals script kiddies saboteurs hactivists...) administrative and personnel threats and understand attack techniques o reconnaissance (site reconnaissance Internet reconnaissance IP/network reconnaissance DNS reconnaissance social engineering ) o mapping targets (war dialling network mapping (ICMP) port scanning vulnerability scanning researching and probing vulnerabilities ) o system/network penetration (file system hacking DNS attacks cache exploits application attacks account (password) cracking hostile and self replicating code programming tactics process manipulation shell hacking session hijacking spoofing XSS statebased hacking traffic capture (sniffing) trust relationship exploitation relay consolidation ) o denial of service (DoS Distributed DoS) II Using, applying and evaluating the defence arsenal The ICNSP has extensive skills in proper usage and evaluation of the defence arsenal of network security. By using these principles and tools effectively the ICNSP can substantially enhance the overall security of a network. In this category you are required to understand how to design, implement and evaluate access control, to (automatically) let the right people and only them to use the information and other resources of your network: o system access control (privilege management firewalls ) o network access control (routers and switches LAN WLAN WAN VLAN access lists device hardening proxies remote access firewalls ) authentication, the essential precursor to access control: o static schemes (username/password IP/MAC centralized key based biometrics ) o dynamic schemes (key based session token based PKI ) auditing and logging, to know how access control has worked and enable investigative and corrective actions if something has gone wrong: o centralized auditing and logging o operating system auditing facilities o forensics resource controls, a more technology oriented aspect to similar goals as auditing and logging: o operating system resource controls (process memory ) 3

4 o network resource controls o bandwidth controls o ingress filtering and access controls o cache controls confidentiality (privacy), you must know a lot about this goal already from the prerequisites and now proceed into network security specialities: o file and storage privacy o session and protocol encryption (SSH SSL) o VPN, Virtual Private Network (IPsec PPTP L2TP SSL) o PKI, Public Key Infrastructure o electronic mail o VoIP, Voice over Internet Protocol data integrity (the same comment holds here as with confidentiality): o programming (input/output validation controls web/cgi techniques bounds checking ) o network (proxies VPN PKI application / file system content assurance cryptographic controls file system integrity checkers ) o platform integrity (system/device hardening system/device access controls system/device account management system/device maintenance patching procedures ) non repudiation, usage of digital signatures in networks intrusion detection and prevention (IDS/IPS): o characteristics (signatures anomalies) o network based (network management systems security information management) o host based (auditing and logging controls file system integrity checkers) malware control, basic knowledge belongs to the prerequisites; now this is a specific area of network intrusion prevention incidence response and recovery, how to act when something has gone wrong, especially when your network has been attacked: o practices and procedures o devices o tools o resource allocation 4

5 Physical and Link layer issues (cabling, interference, crosstalk, manageability, Address Resolution Protocol,...) IPv6 issues (neighbour discovery, multicast, IPsec, filtering,...) III Good practices in network security design The ICNSP is well aware of the good practices of network security design. The ICNSP knows how to design, implement and evaluate a network in such way that the security of the network is assured. The questions in this category require you to understand design principles: o appreciation of a complete view of a security landscape o architectural security controls o defence in depth / layered defence (purpose of applying defences at the perimeter evaluation of) o least privileges (management access control need to know) o incidence response and recovery firewall and secure router design, installation and maintenance: o network baseline o firewall design and architectures (host based centralized DMZ DHCP rule sets access lists) o VLAN, Virtual Local Area Network (segmentation access lists) o NAT, Network Address Translation & PAT, Port Address Translation o SNMP, Simple Network Management Protocol o wireless access o remote access o maintenance issues common AAA implementations, for authentication, authorization and accounting: o Tacacs+ o Radius o proxy authentication o service authentication secure VPN implementation, to enable remote working in a way that the assets of an organization are properly protected: 5

6 o remote access VPN o site to site VPN o CA, Certificate Authority in a VPN o web VPN secure procedures of providing services: o electronic mail o WWW o tele systems (traditional VoIP) security related routing issues with o BGP, Border Gateway Protocol o OSPF, Open Shortest Path First o RIP, Routing Information Protocol o EIGRP, Enhanced Interior Gateway Routing Protocol physical security issues (access control protectables) the need, design and implementation of testing, to prevent unexpected losses due to inaccurate configurations, incompatibility, etc. One way how all this happens is that you are required to analyze example networks IV Administrative and organizational defences of network security The ICNSP understands the business wise value of network security and thus can keep the defence mechanisms always in line with the business goals. The ICNSP understands the value of administrative defences and knows how to implement and evaluate the defences in an enterprise. In this category you are required to show ability to apply information risk management (IRM) in an enterprise, to enable efficient use of security resources: o concepts (ALE SLE ARO EF information asset safeguard effectiveness) o business needs (purpose of networking performance resources acceptable risk level) o risk assessment (threat analysis asset identification and valuation vulnerability analysis threat/vulnerability/asset mapping risk mitigation analysis) o return on (information) security investment (ROSI/ROISI) (calculation schemes resourcing) 6

7 design, apply and evaluate security policies, to ensure that security is acknowledged as an asset of an organization and that the security activities are supported by the management: o purpose of policies o levels and types of policies o design, implementation and maintenance of policies (enforceability of a policy administrative controls) o turning high level policies to firewall rules (justification effectiveness perimeter policy models shortcomings of technical implementations) o procedures for abuse situations design, apply and evaluate personnel security: o role in network security (weakest link strongest link) o awareness (security awareness programs education) o policies (hiring firing non tiring) o teams (response forensics watch) apply identity and access management, to enable efficient access control: o authentication (identity management password management trust relationship) o authorization (privacy role based, mandatory and discretionary access control: RBAC, MAC, DAC) understand security design, maintenance and development: o processes o assurance (incl. audits), metrics, communication o incidence response o network security projects o standards and guidelines (ISO/IEC and Common Criteria COBIT X.800 X.805 OECD: Guidelines for the Security of Information Systems and Networks ISF: The Standard of Good Practice for Information Security ITIL BSI: The IT Baseline Protection Manual) o outsourcing issues V Legislation of network security related issues The ICNSP is aware of the legislation related to network security. Responsibilities and the lawfulness of activities done in defending the network security in an enterprise are known by the ICNSP. However, legislation varies within Europe, and an international certificate cannot contain as much detail at this point as working life will require. 7

8 In this category you are required to prove that you know what kinds of responsibilities, laws and other regulations there can be in the areas of o intrusion handling o privacy (voice mail electronic mail tele & VoIP) o copyrights o contracts (NDA SLA...) o digital signatures o certificates 8