Certification for Information System Security Professional (CISSP)

Transcription

1 Certification for Information System Security Professional (CISSP) The Art of Service

2 Copyright Notice of rights All rights reserved. No part of this book may be reproduced or transmitted in any form by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher. Notice of Liability The information in this book is distributed on an As Is basis without warranty. While every precaution has been taken in the preparation of the book, neither the author nor the publisher shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the instructions contained in this book or by the products described in it. Trademarks Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations appear as requested by the owner of the trademark. All other product names and services identified throughout this book are used in editorial fashion only and for the benefit of such companies with no intention of infringement of the trademark. No such use, or the use of any trade name, is intended to convey endorsement or other affiliation with this book. The Art of Service

3 TABLE OF CONTENTS 1 INTRODUCTION INTRODUCTION TO CISSP WHERE DID CISSP COME FROM? WHAT IS CISSP? HISTORY OF INFORMATION SECURITY WHAT IS INFORMATION SECURITY? UNDERSTANDING THE CIA TRIAD CONFIDENTIALITY INTEGRITY AVAILABILITY LIMITATIONS TO CIA TRIAD WHY CERTIFY FOR CISSP? COMPANIES USING CISSP 23 2 DOMAIN ONE INFORMATION SECURITY AND RISK MANAGEMENT EXPECTATIONS FOR CISSP UNDERSTANDING SECURITY POLICIES, PROCEDURES, STANDARDS, GUIDELINES AND BASELINES WHAT ARE THE COMPLIANCE FRAMEWORKS? COSO ITIL COBIT ISO / BS CHANGING ORGANIZATIONAL BEHAVIOR RESPONSIBILITIES OF THE INFORMATION SECURITY OFFICER CREATING AN ENTERPRISE SECURITY OVERSIGHT 3

4 COMMITTEE WHY SECURITY AWARENESS TRAINING? UNDERSTANDING RISK MANAGEMENT 43 3 DOMAIN TWO ACCESS CONTROL PRINCIPLES OF ACCESS CONTROL INFORMATION CLASSIFICATION CREATING A DATA CLASSIFICATION PROGRAM UNDERSTANDING CATEGORIES TO ACCESS CONTROL UNDERSTANDING ACCESS CONTROL TYPES LOOKING MORE AT ADMINISTRATION ACCESS CONTROLS UNDERSTANDING CHANGE CONTROL UNDERSTANDING BUSINESS CONTINUITY AND DISASTER RECOVERY UNDERSTANDING THE PERFORMANCE MANAGEMENT, CONFIGURATION MANAGEMENT, LIFECYCLE MANAGEMENT AND NETWORK MANAGEMENT UNDERSTANDING VULNERABILITY MANAGEMENT UNDERSTANDING USER MANAGEMENT UNDERSTANDING PRIVILEGE MANAGEMENT UNDERSTANDING TECHNICAL CONTROLS UNDERSTANDING ACCESS CONTROL THREATS EMPLOYING DIFFERENT TYPES OF IDENTIFICATION EMPLOYING DIFFERENT TYPES OF AUTHENTICATION UNDERSTANDING MEMORY CARDS AND SMART CARDS USING BIOMETRICS PERFORMING AUDITS 87 4

5 4 DOMAIN THREE - CRYPTOGRAPHY HISTORY OF CRYPTOGRAPHY METHODS OF CRYPTOGRAPHY TYPES OF CIPHERS UNDERSTANDING ENCRYPTION MANAGEMENT USING PUBLIC KEY INFRASTRUCTURES (PKI) IDENTIFYING ATTACKS TO CRYPTOGRAPHY 99 5 DOMAIN 4 PHYSICAL (ENVIRONMENT) SECURITY IDENTIFYING THREATS AND VULNERABILITIES TO PHYSICAL SECURITY USING THE LAYERED DEFENCE MODEL IMPLEMENTING A LAYERED DEFENCE MODEL UNDERSTANDING INFORMATION PROTECTION AND MANAGEMENT DOMAIN FIVE SECURITY ARCHITECTURE AND DESIGN UNDERSTANDING DESIGN PRINCIPLES HARDWARE SOFTWARE SECURITY MODELS AND ARCHITECTURE THEORY SECURITY PRODUCT EVALUATION METHODS AND CRITERIA DOMAIN SIX BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING CONCERNS OF CONTINUITY PLANNING 129 5

6 7.2 PROJECT INITIATION PHASE CURRENT STATE ASSESSMENT PHASE DEVELOPMENT PHASE IMPLEMENTATION AND MANAGEMENT PHASES DOMAIN SEVEN TELECOMMUNICATIONS AND NETWORK SECURITY LAYER 1 PHYSICAL LAYER LAYER 2 DATA-LINK LAYER LAYER 3 NETWORK LAYER LAYER 4 TRANSPORT LAYER LAYER 5 SESSION LAYER LAYERS 6 & 7 PRESENTATION AND APPLICATION LAYERS149 9 DOMAIN EIGHT APPLICATION SECURITY USING PROGRAMMING EFFECTIVELY PROTECTING THE SOFTWARE ENVIRONMENT ENFORCING SECURITY PROTECTION AND CONTROLS IDENTIFYING MALWARE DATABASE MANAGEMENT SYSTEM (DBMS) ARCHITECTURE DOMAIN NINE OPERATIONS SECURITY MANAGING THREATS TO OPERATIONS DOMAIN TEN LEGAL, REGULATIONS, COMPLIANCE AND INVESTIGATIONS INFORMATION TECHNOLOGY LAWS AND REGULATIONS 171 6

7 11.2 UNDERSTANDING COMPUTER CRIMES, PRIVACY AND LIABILITY REFERENCES 175 7

8 8

9 1 Introduction 1.1 Introduction to CISSP Today s businesses are faced with security threats which are becoming more complex. The use of mobile devices is becoming more widespread; the more mobile the populace, the harder to manage assets and the information on those assets. As a result, companies are increasingly concerned with the security surrounding those assets and information. In addition, the implementation of Sarbanes-Oxley is the U.S. has required focused attention on the security of financial information for companies. And finally, the worldwide scrutiny on security across the board has increased due to global concerns. Because of these reasons, companies are placing more focus on their Information Technology (IT). The IT Governance Global Status Report-200b, compiled by the IT Governance Institute (ITGI), showed 93 percent of corporate executives believed that IT was somewhat to very important to their overall corporate strategy or vision. This was a 6 percent increase from ITGI s 2005 survey. IT, telecom, and financial service-based companies are much more concerned with IT than other business sectors with 71% and 77% respectively. The bottom line: companies are putting more attention on their IT solutions. Security management and the processes supporting security 9

10 management is one of the top concerns of this increasing attention. Information Security Certifications are becoming more valuable for IT security professionals and companies concerned with IT. According to the 2008 (ISC) 2 Global Information Security Workforce Study, compiled by (ISC) 2, 78% of respondents involved in the hiring process claim certifications are either Very Important or Somewhat Important. This is a diverse change from twenty, even ten years ago when securing a network was a new discipline and not well-understood. According to the 2008 survey, 15 different security certifications were available, which is in contrast to the 40 vendor-neutral and more than 25 vendorspecific certifications available in the marketplace. Of all these certifications, the Certification for Information System Security Professional (CISSP) has become highly recognized. 1.2 Where did CISSP come from? The Certification for Information System Security Professional is administered by the International Information Systems Security Certification Consortium (ISC) 2. First available in 1989, the certification demonstrates the qualifications of information systems security practitioners. 10

11 The CISSP is accredited by the American National Standards Institute (ANSI). The ANSU has been coordinating a voluntary standardization system in the United States since It is a private, non-profit membership organization representing the interests of over 125,000 companies and 3.5 million professionals. The ANSI does not develop standards; rather they facilitate the development of American National Standards (ANS). They also assist in ensuring that ANS complement the standards used internationally, allowing American products to be recognized and used in the global market. Accreditation means that the standard complies with the ANSI Essential Requirements, a set of requirements or procedures used by standard developers. These requirements focus on: Openness Lack of dominance Balance Coordination and harmonization Notification of standards development Consideration of views and objections Consensus vote Appeals Written procedures Compliance with normative American National Standards policies and procedures. 11

12 The ANSI accredits CISSP to ISO/IEC Standard 17024:2003. The purpose of the standard is for organizations and entities wishing international recognition for certifying the competence of individuals through education, knowledge, skills, and experience. It was developed by the International Organization of Standardization (ISO) and the International Electrotechnical Commission (IEC). Fully enacted on April 2003, 17024:2003 is considered a benchmark for organizations responsible for certifying personnel. In short, the CISSP has become a globally recognized standard of achievement for the Information Systems Security Professional. CISSP is the baseline for the U.S. National Security Agency s ISSEP (Information Systems Security Engineering Professional) program. The U.S. Department of Defence Directive requires every defence worker, military or civilian, with privileged access to a DoD system to obtain a certification credential, of which CISSP is fully accepted. 1.3 What is CISSP? CISSP is a credential for persons working in the field of information security. It requires at least five years experience in information security. A person can take an exam based on the CISSP Common Book of Knowledge (CBK), a common framework of information security terms and principles. 12

13 The CISSP CBK is based on the CIA triad, the core information security and assurance tenets: confidentiality, integrity, and availability. It works with ten areas of interest, or domains. Those domains are: Access control Application Security Business Continuity and Disaster Recovery Planning Cyptography Information Security and Risk Management Legal, regulations, compliance and Investigations Operations Security Physical (Environmental) Security Security Architecture and Design Telecommunications and Network Security For CISSP credential, professional experience must be in two or more of the domains listed above. Fortunately for those lacking the experience required for the certification, the certification administrator, (ISC)2, has a program for those who pass the exam, called Associate of (ISC)2. Each certification is valid for three years and a professional must be recertified at the end of that period. In addition, a CISSP credential holder in good standing is also completing the minimum annual number of Continuing Professional Education credits (CPEs). 13

14 As information security continues to evolve, additional credentials have been developed beyond the foundational CISSP to meet the specific needs of the business. These credentials concentrate on key areas of information security: Architecture (ISSAP) appropriate for persons who develop, design, or analyze a business overall security plan, such as Chief Security Architects and Analysts. Engineering (ISSEP) developed in conjunction with the U.S. National Security Agency, this Concentration serves as a guide for integrating security into all areas of operations. Management (ISSMP) provides deeper elements into managing security policies and procedures that support the overall goals of a business. Each Concentration has its own (CBK) domains. Of course additional experience must be proven as well as the successful passing of the examination for each Concentration. 1.4 History of Information Security Before moving forward, it would be wise to understand the discipline of information security, what it is and how it evolved. Since the invention of writing, messages from heads of state and military leaders have been intercepted or stolen, even forged. Julius Caesar used the Caesar cipher to ensure that his messages did not fall into enemy 14

15 hands, one of the earliest known encryption techniques. To ensure authenticity of a message, persons of importance would use a wax seal with their families crest on messages. Throughout the ages, different techniques were used to maintain the security of information. However, the professional field of information security started during World War II, where information, both physical and intellectual, needed protection. A formalized classification of data was introduced that described the sensitivity of the information and identified those individuals who had access to it. Background checks started to be conducted during WWII. The years after WWII, particularly the McCarthy era, showed governments increased concern with the protection of intelligence, information concerning the workings, military build-ups, and technological advancements of government and the country, both domestic and foreign. The Cold War struggle between the United States and the Soviet Union perpetuated the need for information security. But even then, the number of professionals who were dedicated to the tenets of this disciplined were few. Not until the widespread emergence of the Internet did information security have such a strong presence in our society. With the rapid advancements of telecommunications and computers, the availability of smaller, more powerful equipment became less expensive. Now the small business owner, the home owner, and the 15

16 underage computer geek had access to information from every area of the world. Electronic data processing and electronic business is rapidly growing because of the Internet, along with more occurrences of global terrorism. As a result, information security is now an academic discipline designed to insure the security and reliability of information security. But information security is not just a concern for the business owner, but everyone. The rise of ID theft has required more attention on the security of information on the individual, as well. Currently every software package being released, specifically office productivity software, has to be concerned with providing features for securing information. 1.5 What is Information Security? Information security is simply the methods used to protect information and information systems. Using the tenets of the CIA triad, information security is concerned with protecting data regardless of form: electronic, print, film, or any other form. Information is being collected everywhere by everyone. An individual is compiling information about themselves and others nearly every moment. And information, such as credit ratings, police records, financial holdings, and trivial facts are being collected on every individual over time. As individuals connect or forced together into a network, such 16

17 as a business, the amount of data being collected increases exponentially. Most of this information is being collected, processed, and stored electronically and transmitted across networks to other computers. Some information is so sensitive, that unauthorized access to it could result in financial loss, loss in credibility, and legal problems. For businesses, protecting sensitive information is a requirement, in many cases an ethical or legal requirement. Several concerns are presented to the information security professional dealing with the protection of data. The foremost concern is ensuring the appropriate access to data by authorized personnel, while restricting all or part of the information from unauthorized persons. While some information may not be confidential, disclosure of the information must be regulated. How data is used or even modified has been a concern for information security professionals. The disruption of data transmissions from one computer to another, even one network to another, has had increasing concerns with the growth of the Internet. And finally, even the proper disposal or destruction of information, or prevention against destruction, is a concern for the information security professional. 17

18 1.6 Understanding the CIA Triad Information security is based on three fundamental tenets, called the CIA triad. Those tenets are confidentiality, integrity, and availability. As a security model, the CIA triad has been used to identify possible problems in a system and discover appropriate solutions for information security Confidentiality Whether the information is considered confidential, or a person would simply like it to be private requires systems and processes to be put into place preventing unauthorized access and use. For this reason, one leg of the CIA triad model is confidentiality. The first step in this area is to provide an ability to identify a specific piece of data as confidential. Not all information is confidential, and not all information has the same level of confidentiality. Therefore, a simple task of identifying the level of privacy data should have can become a rather complex project. However, once the information has been declared confidential appropriately, the next step is to identify who has access to that information. File permissions, access control lists, and encryption methods are all means by which to control access to data. A information security professional is concerned with managing, monitoring, and 18

19 verifying those means constantly, enforcing access based on policies given from management Integrity One of the most important concerns in data control is the integrity of the data; that is, the ability of the data to be accurate, reliable, and available at any given time. In order to maintain a world class business, it is a necessity to have a solid ability to modify the data available to the business, whether that data is customer and employee records, intellectual property, company policies and procedures, press releases, or the like. At the same time, it is important to ensure that the data isn t changed by unauthorized personnel. The CIA triad leg of integrity focuses on these concerns. Sarbanes-Oxley forced the business community into understanding the need for integrity within financial records, requiring the need to track financial transactions in detail to understand exactly where money was coming and where it was going. As businesses started adapting to those requirements, they also started recognizing the value this commitment to integrity had on other information groups used in the business. The concerns became apparent. A) The slightest change in the most sensitive information could result in service disruptions or breaches in security. 19

20 B) Unapproved changes to policy information could pose concerns to customer relations and possible loss of business. C) Possible deletion of information, through accident or malicious conduct, could render a business paralyzed in its ability to conduct business. These are just a few examples of the important concerns for information security. The more popular techniques for managing integrity of data is version control systems, backups, and file permissions Availability When information is not available, it might as well be useless. This is the concern of the third leg of the CIA triad: availability. In this area, the information security professional is focused on creating and maintaining a computer architecture that allows for the greater availability to the information housed on the system. One major concern is to manage the computer infrastructure from possible threats, such as malicious viruses, power outages, and failures in hardware. The second major concern is ensuring that components are maintained appropriately, providing the required health checks, and making upgrades to hardware and software as required. Approaches to maintaining availability include, but not limited to, clustering, redundancy systems and capabilities 20