
Chapter 1

All-In-One / SSCP® Systems Security Certified Practitioner All-in-One Exam Guide / Darril Gibson / 177156-5 / Chapter 1

Security Fundamentals

In this chapter, you will learn about

● Requirements to earn the (ISC)2 Systems Security Certified Practitioner (SSCP) certification
● International Information Systems Security Certification Consortium, Inc., (ISC)2 Code of Ethics
● Primary goals of security related to availability, integrity, and confidentiality (AIC)
● Fundamental security terminology

Reviewing the Requirements for SSCP

The Systems Security Certified Practitioner (SSCP) certification is one of the certifications sponsored by the International Information Systems Security Certification Consortium, Inc., more commonly known as (ISC)2.

There are several requirements that you must complete to earn the certification:

● Have one year of experience in one or more of the (ISC)2 SSCP domains
● Legally commit to abide by the (ISC)2 Code of Ethics
● Answer four questions regarding criminal history and related background
● Pass the exam

EXAM TIP Earning the certification is more than just passing the exam. You must also have one year of experience and commit to the Code of Ethics.

The following sections explain each of these elements.

Registering for the Exam

The exams are paper-based and often proctored in conference rooms in a hotel. This makes it convenient if you’re traveling from out of the area, because it’s easy to stay at the hotel, get a good night’s sleep, and tackle the exam first thing in the morning. The exam isn’t cheap, so it’s worth paying a few bucks for a hotel rather than getting up at 4 a.m. to drive to the exam location and arriving dead tired.


NOTE You can register for the exam through the (ISC)² website. This page (http://www.isc2.org/sscp) is the primary portal for all SSCP information and includes links for current exam prices and explains how to certify. You can use this page to search for availability of exams in your area: https://webportal.isc2.org/Custom/ExamsSearch.aspx.

Registering for the exam includes three steps:

1. Submit the exam fee.
2. Legally commit to abide by the (ISC)2 Code of Ethics.
3. Answer four questions on criminal history and related background.

Subscribing to the Code of Ethics

The Code of Ethics includes a preamble and four canons describing (ISC)2’s ethical expectations of its certified practitioners. Candidates must commit to and abide by them to earn and keep the SSCP certification. Members who violate any provision of the Code of Ethics may have their certification revoked based on recommendations from a peer review panel.

The following sections quote the preamble and canons exactly as they appear on the (ISC)2 page. However, I strongly encourage you to take a look at the web page (https://www.isc2.org/ethics) to review the other information such as some of the objectives of the Code of Ethics.

Code of Ethics Preamble

The preamble consists of two points:

● Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
● Therefore, strict adherence to this Code is a condition of certification.

Code of Ethics Canons

The canons are as follows:

● Protect society, the commonwealth, and the infrastructure.
● Act honorably, honestly, justly, responsibly, and legally.
● Provide diligent and competent service to principals.
● Advance and protect the profession.

If a situation arises resulting in a conflict between the canons, the conflicts should be resolved in the order in which the canons are listed. In other words, the first canon is more important than the second one.

EXAM TIP The (ISC)2 Code of Ethics is included in the Security Operations and Administration domain and you can expect to be tested on it.


Answering Questions Related to Criminal History and Background

You’ll be asked four questions during the registration process. These questions ask about topics such as the following:

● Felony convictions
● Revocation of any licenses or certifications
● Involvement with hackers or hacking
● Any use of aliases or pseudonyms

Answering yes to any of these questions doesn’t disqualify you. However, you do need to make comments for any yes answer. Personnel at (ISC)2 will make an ultimate decision on the certification.

Have One Year of Experience

To earn the SSCP certification, you need a minimum of one year of direct, full-time security work experience in one or more of the (ISC)2 SSCP domains.

TIP If you don’t have one year of experience, you can still earn the Associate of (ISC)2 SSCP designation. You still need to complete the other requirements, including passing the exam and subscribing to the Code of Ethics. You’ll then have up to two years to obtain the required experience and submit the endorsement form to convert your status from Associate of (ISC)2 SSCP to become a fully certified SSCP.

Table 1-1 lists the domains and the primary chapter or chapters where the domain is covered. There is some crossover with these domains. For example, Chapter 1 covers some basic terminology used in several of the domains and also covers the Code of Ethics mentioned in the Security Operations and Administration domain.

Table 1-1 SSCP Domains and Chapters Where They Are Covered

SSCP Domain                                  Primary Chapter(s) Where Domain Is Covered
1. Access Controls                           Chapters 2 and 3
2. Security Operations and Administration    Chapters 1, 8, 9, 10, 11, 12, and 13
3. Monitoring and Analysis                   Chapter 8
4. Risk, Response, and Recovery              Chapters 7, 8, 9, 12, and 13
5. Cryptography                              Chapters 1 and 14
6. Networks and Communications               Chapters 3 and 4
7. Malicious Code and Activity               Chapters 5 and 6


TIP These domains represent the seven major categories of information in the SSCP Common Body of Knowledge (CBK). The CBK is a group of topics updated annually by subject-matter experts.

When you register for the exam, you identify the number of years’ experience that you have in any one of the domains. After you take and pass the exam, you’re required to submit a résumé that documents this experience. Additionally, an (ISC)2-certified individual who knows you and can vouch for your experience is required to submit an endorsement form on your behalf validating your experience. (ISC)2 completes periodic random audits to ensure the integrity of these documents.

Passing the Exam

You’ll have three hours to complete the exam, which includes 125 multiple-choice questions. You may have two or three scenarios of a paragraph or more followed by two or more questions related to the scenario. For example, a scenario may explain a company’s security goals and then the questions ask how to best implement those goals.

Up to 25 of these questions may be included for research purposes only. You can think of these as beta questions that are analyzed for their effectiveness. For example, if everyone gets the question right, it’s too easy. If everyone gets the question wrong, there’s something wrong with the question. Test item analysis attempts to identify problem questions and correct them before they are actually graded.

You won’t know which questions are actual questions that are graded and which questions are research questions. In other words, you have to treat each question as though it’s a valid question.

A score of 700 out of a possible 1,000 points is required to pass the exam. However, questions aren’t weighted the same. Out of the 100 valid questions, some questions may be worth 10 points, some less, and some more. The goal is to weight the harder questions with more points, but you’ll never know the actual value of any question. You’ll get the results of the exam through the mail within four to six weeks after taking the exam.

Examination questions are derived from the SSCP CBK. The SSCP Candidate Information Bulletin (CIB) is an excellent source to see what topics are tested, and it also includes a list of over 90 references. The goal of this book is to compile the relevant knowledge from these references into a single source. However, I strongly encourage you to download and review a copy of the current CIB.

TIP You can request a copy of the SSCP CIB here: https://www.isc2.org/cib/default.aspx.

The objectives from the most current CIB are listed in the Introduction of this book. This Exam Objective Map matches the objectives to the chapter where they are covered.

Maintaining Your SSCP Certification

After you’ve earned the SSCP certification, you’re required to recertify every three years. The primary method of doing this is by acquiring 60 continuing professional education (CPE) credits every three years with a minimum of 10 CPEs earned each year. Security constantly changes and you need to be constantly learning to keep abreast of current security trends.

SSCP to CISSP

The (ISC)2 Certified Information Systems Security Professional (CISSP) certification is one of the top security certifications. It requires five years of experience in two or more of the ten (ISC)2 CISSP domains. It’s highly respected and opens many doors of opportunity for those that earn it.

However, not everyone has five years of experience. The good news is that you can request a waiver of one year of experience if you have the (ISC)2 SSCP certification. In other words, if you have the SSCP and receive a waiver, you need only four years of experience to earn the CISSP. You’ll find that your experience in the SSCP domains crosses over to the CISSP domains, so if you have one year of experience in one of the SSCP domains, you have one year of experience in one of the CISSP domains.

Many people use the (ISC)2 SSCP as a stepping stone to the CISSP. By first achieving the SSCP, you gain an understanding of the (ISC)2 certification process. You can then build up experience in the different CISSP domains.

When you’re ready to start working toward the CISSP certification, check out the gold standard study source for CISSP: Shon Harris’s CISSP All-in-One Exam Guide. This book has received great reviews and helped thousands of people pass the rigorous CISSP exam.

Understanding the Main Goals of Information Security

Three primary goals of information security are preventing the loss of availability, the loss of integrity, and the loss of confidentiality for systems and data. Most security practices and controls can be traced back to preventing losses in one or more of these areas. These are often referred to as the AIC security triad, using the initials for availability, integrity, and confidentiality.

Interestingly, the 2012 SSCP objectives added privacy as an additional security concept right after confidentiality, integrity, and availability. Confidentiality contributes to privacy, but organizations need to know what data to keep private. Chapter 11 covers the importance of protecting personally identifiable information (PII), and Chapter 13 covers privacy issues in the context of legal issues.


NOTE The AIC security triad is sometimes called the CIA security triad. Both are correct because the order of the initials doesn’t matter. What you really need to know is what each letter in the acronym represents (availability, integrity, and confidentiality) and what it means to prevent loss in these areas.

Figure 1-1 shows the AIC security triad. The following sections explain each of the elements in greater detail.

EXAM TIP The three primary goals of an information security program are to prevent the loss of availability, the loss of integrity, or the loss of confidentiality for any IT systems and data.

Availability

Preventing the loss of availability ensures that information technology (IT) systems and data are available when needed. Note that there isn’t a timeframe here. Some organizations operate only during the daytime from Monday to Friday, so this is the only time when the systems are needed. Other organizations are operational 24/7, so the systems and data must also be available 24/7.

If users need to access data on a server and they can access it, then the data is available. However, if the data becomes corrupt or the server fails, the result is a loss of availability.

Organizations protect against loss of availability using a variety of different technologies. These include the following:

● Backups: Regular backups capture a copy of the data. If something happens to the original data, the backups are restored. A copy of backup data is kept in an offsite location, so even if a fire destroys the entire building, the data is still available.

● Redundant disks: A mirror (RAID 1) is one example where redundant disks are used. All the data stored on one drive is automatically stored (mirrored) on another drive. If the first drive fails, data is not lost. Many Redundant Array of Independent Disks (RAID) systems can automatically switch over to the drive holding the mirrored data without user intervention.

[Figure 1-1 AIC security triad protecting information security. A triangle whose three sides are labeled Availability, Integrity, and Confidentiality, surrounding "Protecting Information Security".]


● Redundant servers: If a service provided by a server is critically important to an organization, you can add redundant servers. For example, failover clustering uses multiple servers and ensures that a service is still provided even if a server fails.

NOTE Chapter 9 covers backups, redundancy, and fault-tolerant techniques in greater depth.

● Redundant connections: Organizations often need to stay connected to the Internet or between buildings in separate locations via an intranet. When this is critical to the operation of the organization, two or more connections are used so that even if one fails, the organization still has connectivity.

● Redundant sites: Many organizations must stay operational even if a catastrophic event destroys their building or makes it uninhabitable. For example, many locations are susceptible to earthquakes, tornadoes, floods, and hurricanes. An organization can plan for these catastrophes with a separate location. Redundant sites are known as hot sites (ready at a moment’s notice), cold sites (an empty building with electricity and running water), and warm sites (a cross between a hot site and a cold site).

EXAM TIP Availability ensures that authorized users can access any resource when it’s needed. Fault-tolerant and redundant technologies ensure that availability is not lost even if a system suffers a failure.

Integrity

Integrity prevents any unauthorized or unwanted modification of data. It ensures that data is correct and current. Several different methods are used to protect integrity, including hashing and audit logging.

A hash is a fixed-size number created by running a hashing algorithm over a file or message. As long as the file or message stays the same, the hash (the number) will always be the same; if even a single bit changes, the hash changes.

EXAM TIP Message Digest version 5 (MD5) is a commonly used hashing algorithm. It creates a fixed-size 128-bit number (represented as 32 hexadecimal characters) from any message or file. Be aware that practical collision attacks against MD5 have been demonstrated, so it should not be relied on to detect deliberate tampering; the SHA-2 family (for example, SHA-256, a 256-bit hash written as 64 hexadecimal characters) is the current choice.

For example, imagine a military message was sent that said, “Bomb location A74,” as shown in Figure 1-2. A hash of this message is calculated as 1234. No matter how many times you calculate the hash, it will always be 1234 as long as the message is unchanged.

In Figure 1-2, the original message is sent along with the calculated hash. Somehow the message is modified in transit to “Bomb location C23.” The receiving system calculates the hash on the received message, getting a hash of 9876. It compares the calculated hash (9876) against the received hash (1234) and knows that the message is different. In other words, the message has lost integrity.


TIP If an attacker can change the message, he or she can also recompute the hash to match the changed message, so a bare hash sent alongside the message does not stop deliberate tampering. Protecting the hash requires something the attacker doesn’t have: a keyed hash (an HMAC) computed with a shared secret key, or a digital signature, in which the hash is encrypted with the sender’s private key so that only the sender could have produced it.

Using hashing alone, you can’t determine how the message changed. You only know that it was changed. However, this is valuable information. If the message is different, it shouldn’t be used. In this case, you may be bombing your own people!
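The hashing scenario above, worked through in code. The following Python script is an added example and is not code from the book; it uses the chapter’s “Bomb location” message, while the shared key and the attacker’s substitute message are constructed for the demonstration. It shows a plain hash catching an accidental change, the same plain hash being defeated by an attacker who recomputes it over the altered message, and a keyed hash (HMAC) resisting that attacker because the key is never available to him or her.

```python
"""Integrity check with a plain hash versus a keyed hash (HMAC).

Added example for this chapter, not code from the book. The message text
follows the chapter's "Bomb location" illustration; the shared key and the
attacker's substitute message are constructed for the demonstration.
"""
import hashlib
import hmac

ORIGINAL = b"Bomb location A74"
TAMPERED = b"Bomb location C23"
# Constructed shared secret. A real key comes from a key store, never from source code.
SHARED_KEY = b"demo-shared-key-not-for-production"


def digest(message):
    """Unkeyed SHA-256 digest as hex; anyone, including an attacker, can compute it."""
    return hashlib.sha256(message).hexdigest()


def verify_digest(message, received_digest):
    """Receiver side: recompute over what arrived and compare with what was sent."""
    return hmac.compare_digest(digest(message), received_digest)


def tag(message, key):
    """Keyed digest (HMAC-SHA256); only a holder of the key can produce a valid tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_tag(message, received_tag, key):
    return hmac.compare_digest(tag(message, key), received_tag)


def digest_lengths():
    """Hex length of each digest: 128 bits is 32 hex chars, 256 bits is 64 hex chars."""
    lengths = {"sha256": len(digest(ORIGINAL))}
    try:
        lengths["md5"] = len(hashlib.md5(ORIGINAL).hexdigest())
    except ValueError:  # MD5 disabled by the platform (e.g. FIPS mode)
        lengths["md5"] = None
    return lengths


def accidental_corruption_detected():
    """Figure 1-2 scenario: the message changes in transit, the sent hash no longer matches."""
    sent_digest = digest(ORIGINAL)
    return not verify_digest(TAMPERED, sent_digest)


def attacker_defeats_plain_hash():
    """An attacker who can alter the message can also replace the hash with one
    computed over the altered message; the receiver's check then passes."""
    forged_digest = digest(TAMPERED)  # no secret needed
    return verify_digest(TAMPERED, forged_digest)


def attacker_fails_against_hmac():
    """Without SHARED_KEY the attacker cannot produce a tag the receiver accepts.
    Two attempts are modelled: an unkeyed hash and a tag under a guessed key."""
    sent_tag = tag(ORIGINAL, SHARED_KEY)
    forged_unkeyed = digest(TAMPERED)
    forged_guessed_key = tag(TAMPERED, b"wrong-key")
    return (
        verify_tag(ORIGINAL, sent_tag, SHARED_KEY)               # legitimate message passes
        and not verify_tag(TAMPERED, sent_tag, SHARED_KEY)       # altered message fails
        and not verify_tag(TAMPERED, forged_unkeyed, SHARED_KEY)
        and not verify_tag(TAMPERED, forged_guessed_key, SHARED_KEY)
    )


if __name__ == "__main__":
    print("digest lengths:", digest_lengths())
    print("plain hash detects accidental change:", accidental_corruption_detected())
    print("plain hash fooled by active attacker:", attacker_defeats_plain_hash())
    print("HMAC resists the same attacker:", attacker_fails_against_hmac())
```

The comparisons use hmac.compare_digest rather than == so that the time taken to reject a bad value does not leak how many leading characters matched; that detail matters for the HMAC check in particular, where a byte-by-byte timing leak would let an attacker forge tags incrementally.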

Audit logging is also used for integrity. An audit log tracks changes to a resource, including what was changed, who changed it, and when. This creates an audit trail. Not only are you able to verify integrity with an audit trail, but you can also identify the source of changes.

EXAM TIP Integrity ensures that data has not been altered. Two common methods used are hashing and audit logs.

Confidentiality

You protect against the loss of confidentiality by ensuring that data is not disclosed to unauthorized users. This starts with authentication, so that you can identify users. Next, access controls are implemented to control or restrict access to resources. For example, you can assign permissions to users to ensure that only authorized users can access the data.

TIP Chapter 2 covers authentication and access controls in more depth.

Encryption provides another layer of protection for confidentiality. Figure 1-3 shows the overall process of encryption, where data starts as plain text, is ciphered using an encryption algorithm, and then becomes ciphered text. For example, if you’ve ever ordered anything over the Internet using a credit card, you’ve probably used a HyperText Transfer Protocol Secure (HTTPS) connection. HTTPS encrypted your credit card information to prevent unauthorized individuals from intercepting it and using it without your permission. If someone else were to intercept it, he or she would not be able to read and use your credit card data.

[Figure 1-2 Hashing used to check integrity. The original message “Bomb location A74” is sent with its calculated hash (1234). The received message reads “Bomb location C23”; the received hash is still 1234, but the hash calculated over the received message is 9876, and the mismatch reveals the change.]


Confidentiality works only when secure encryption algorithms are implemented and sound security practices are followed. It’s important to know which algorithms are secure and which algorithms have been compromised and shouldn’t be used anymore. For example, the Wired Equivalent Privacy (WEP) protocol created for wireless transmissions has long been known to be insecure, but some people still use it and believe that it protects their data.

You can encrypt data at rest (while it’s stored on any type of media such as a hard disk or universal serial bus [USB] flash drive) and when it’s transmitted.

EXAM TIP Confidentiality ensures that data is not disclosed to unauthorized users. You ensure confidentiality by authenticating users and implementing access controls to ensure that only authorized users can access the data. You can also encrypt data to ensure that even if the data falls into the wrong hands, it’s less likely that unauthorized users can read it.

Exploring Fundamentals of Security

In addition to knowing the main goals of security (the AIC security triad), you also need to understand some basic terms and concepts. The following sections in this chapter cover these concepts and some of the terminology.

Defense in Depth

One of the primary tenets of security is that you’re never done. You can’t just write a security policy, install antivirus software, or enable firewalls and say, “There. We’re safe and secure now.” Instead, IT security uses the principle of defense in depth.

Consider Figure 1-4. It shows network resources protected through several layers of security. Chapter 9 covers security controls in greater depth, but in short, a security control attempts to reduce risk by either reducing vulnerabilities or the impact of a threat. One of the primary benefits of a defense-in-depth strategy is that even if a single control fails, other controls still provide protection.

[Figure 1-3 Encryption used to provide confidentiality. Plain text data (credit card 1234-5678-9123, Exp: 07/2012, Code: 159) passes through an encryption algorithm and comes out as ciphered text, an unreadable string of hexadecimal characters.]


NOTE The arrows in the figure are not meant to imply at which layer any of the controls are implemented. Instead, the message is that multiple methods of security are applied at multiple layers.

For example, you may combine access controls with a principle of least privilege to restrict access to data within your organization. You may also have some research and development data that you want to ensure remains confidential. In addition to access controls and least privilege, you can use cryptography methods to add an extra layer of security for this research and development data. Even if someone is able to bypass the access controls, he or she will not be able to decrypt the data easily.

EXAM TIP A defense-in-depth strategy provides a layered approach to security.

AAAs of Security

The AAAs of security are authentication, authorization, and accounting. Combined, they help to ensure that only authorized entities have access to resources and that their access is recorded. Figure 1-5 shows the AAAs of security.

● Authentication: A user provides credentials (such as a username and password) that are checked against a database to prove the user’s identity. The authentication system verifies the credentials.

[Figure 1-4 Defense in depth includes several layers of security. Controls shown in the layers: firewalls, antivirus software, backups, security policy, training, vulnerability scans, penetration tests, strong authentication, intrusion detection systems, cryptography, access controls, physical security, auditing, risk management, risk assessment, incident response, configuration control, change management, and warning banners.]


EXAM TIP There are three types or factors of authentication, known as (1) something you know (such as a username and password), (2) something you have (such as a smart card), and (3) something you are (using biometrics). Chapter 2 covers authentication in greater depth.

● Authorization: Based on who the user is, authorization is granted to different resources. Some users will have administrator access and thus are authorized to access any resources. Other users will have limited access and are authorized access only to limited resources.

● Accounting: Logging tracks a user’s activity through monitoring. A basic accounting mechanism is an audit log, such as the Security log in Windows systems. Audit logs create an audit trail.

For example, consider an IT administrator named Dawn who needs access to resources throughout a network. First, she needs a user account. When she logs on, her credentials are checked against a user database, and if they match, she is authenticated. Next, authorization to the network resources is granted to her user account. Last, each time she accesses any audited resource, the audit logs record her activity, providing accounting.

Note that you cannot restrict authorization unless users have authenticated. If all users have the same account, you can either authorize access to everyone or block access to everyone. Similarly, without authentication, you can’t have accounting. If everyone used the same account, you can log when a resource was accessed, but you’ll have no way of knowing who accessed it.

EXAM TIP The AAAs of security are authentication, authorization, and accounting.

Accountability

One of the underlying goals of the AAAs of security is accountability. If a system can identify individual users, track their actions, and monitor their behavior, it provides accountability.

[Figure 1-5 AAAs of security. Authentication (proving identity), authorization (granting access), and accounting (tracking activity).]


Authentication provides identification for users, and accounting tracks their activities in audit logs. If users are not required to authenticate or audit trails are not created, then a system does not provide accountability.

It’s worthwhile noting that you don’t have to track every single action of a user to provide accountability. For example, your network may have proprietary data stored in a folder named Research and publicly available information in a folder named Public. You may want to track each time any single user accesses any single file within the Research folder. This includes any time someone viewed, modified, or deleted a file. However, it’s not important to know who viewed any of the data in the Public folder; instead, you only want to know who modified it. In this situation, you would track all activity in the Research folder, but only some of the activity in the Public folder.
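The Research/Public policy above, as an added Python example that is not from the book. The folder names follow the chapter’s illustration; the policy table, the shared account name and the event records are constructed (the events stand in for what a file server’s audit log would emit, simplified to time, user, action and path). It shows the policy decision that selects which events are recorded, the question an audit trail exists to answer (who did this to this file, and when), and why an event recorded under a shared account cannot be attributed to a person.

```python
"""Audit policy and the questions an audit trail answers.

Added example for this chapter, not code from the book. The folder names
follow the chapter's Research/Public illustration; the policy, the shared
account name and the event records are constructed.
"""

# What to record per top-level folder: everything in Research, only changes in
# Public, nothing anywhere else. Actions not listed are not written to the trail.
AUDIT_POLICY = {
    "Research": {"read", "modify", "delete"},
    "Public": {"modify", "delete"},
}

# Accounts used by more than one person (constructed). An event recorded under
# one of these names says what happened, but not who did it.
SHARED_ACCOUNTS = {"admin"}

# Constructed file-server events: (timestamp, user, action, path).
EVENTS = [
    ("2011-10-13T09:00:00Z", "dawn", "read", "Research/roadmap.docx"),
    ("2011-10-13T09:05:00Z", "joe", "read", "Public/holidays.txt"),
    ("2011-10-13T09:07:00Z", "joe", "modify", "Public/holidays.txt"),
    ("2011-10-13T09:10:00Z", "joe", "delete", "Research/prototype.xlsx"),
    ("2011-10-13T09:12:00Z", "sally", "read", "Temp/scratch.log"),
    ("2011-10-13T09:15:00Z", "admin", "delete", "Research/budget.xlsx"),
]


def top_folder(path):
    return path.split("/", 1)[0]


def should_audit(action, path):
    """Policy decision for one event: is this action in this folder worth recording?"""
    return action in AUDIT_POLICY.get(top_folder(path), set())


def build_audit_trail(events):
    """Keep only the events the policy says to record."""
    return [e for e in events if should_audit(e[2], e[3])]


def who_did(trail, action, path):
    """Accountability question: which identity did this to this file, and when?"""
    return [(when, user) for (when, user, act, p) in trail if act == action and p == path]


def actions_by(trail, user):
    """The reverse question: what did this identity do?"""
    return [(when, act, p) for (when, u, act, p) in trail if u == user]


def unattributable(trail):
    """Recorded events that cannot be tied to a single person."""
    return [e for e in trail if e[1] in SHARED_ACCOUNTS]


if __name__ == "__main__":
    trail = build_audit_trail(EVENTS)
    for entry in trail:
        print(entry)
    print("who deleted prototype.xlsx:", who_did(trail, "delete", "Research/prototype.xlsx"))
    print("who read holidays.txt:", who_did(trail, "read", "Public/holidays.txt"))
    print("cannot attribute:", unattributable(trail))
```

Two things worth noticing when you run it: the read of Public/holidays.txt is absent from the trail by design, so asking who read it returns nothing, and the deletion of Research/budget.xlsx is recorded but attributed only to “admin”, which is exactly the shared-account gap the previous section warns about.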

EXAM TIP If a system can track activity of an individual on a system, it provides accountability.

Nonrepudiation

Nonrepudiation ensures that a party cannot believably deny (or repudiate) taking an action. Nonrepudiation is enforced through audit logging and with digital signatures.

Consider a system that has audit logging enabled for a specific folder. If any user reads, modifies, or deletes data in the folder, the activity is written to an audit log. The log includes who performed the activity, when they did it, and what they did. If Joe logs on to a computer with his credentials and deletes some files, the audit log holds a record of his actions. Because the log recorded information from Joe’s credentials, you know that Joe did it.

NOTE A remote possibility is that someone else is using Joe’s credentials. This possibility increases if the organization uses weak authentication or has poor security practices. However, if Joe logs on with strong authentication (such as with a smart card or biometrics), it’s highly unlikely someone is impersonating him.

Digital signatures also provide nonrepudiation. For example, if Sally sends an e-mail to Bob and signs it with a digital signature, Sally can’t later deny that she sent the e-mail. Digital signatures use certificates and public/private key encryption. They also provide authentication, giving assurances of who sent the e-mail.
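As an added example that is not from the book, here is the Sally/Bob exchange carried out with a real signature scheme. The program uses Go's standard-library Ed25519 implementation to sign and verify; the names, the message text and the choice to bind the From/To headers into the signed bytes are assumptions for the illustration, and "mallory" is a constructed third party used to show that a different key cannot produce a signature Sally's public key accepts.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedMail is an e-mail together with the sender's signature over it.
type SignedMail struct {
	From, To  string
	Body      string
	Signature []byte
}

// Sender holds an Ed25519 key pair. Only the holder of the private key can
// produce a signature that the matching public key verifies, which is what
// stops the sender from later denying the message.
type Sender struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewSender(name string) (*Sender, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Sender{Name: name, pub: pub, priv: priv}, nil
}

func (s *Sender) PublicKey() ed25519.PublicKey { return s.pub }

// signedBytes binds the headers to the body, so a signature made for one
// recipient cannot be reused on a message addressed to another.
func signedBytes(from, to, body string) []byte {
	return []byte("from:" + from + "\nto:" + to + "\n\n" + body)
}

// Send signs the message with the sender's private key.
func (s *Sender) Send(to, body string) SignedMail {
	return SignedMail{
		From:      s.Name,
		To:        to,
		Body:      body,
		Signature: ed25519.Sign(s.priv, signedBytes(s.Name, to, body)),
	}
}

// Verify checks the signature against the public key of the claimed sender.
// A true result means the message is unchanged and was signed by that key.
func Verify(m SignedMail, senderPub ed25519.PublicKey) bool {
	return ed25519.Verify(senderPub, signedBytes(m.From, m.To, m.Body), m.Signature)
}

// Scenario plays out the Sally/Bob example from the text plus two failure cases.
func Scenario() (genuine, tamperDetected, forgeryDetected bool, err error) {
	sally, err := NewSender("sally")
	if err != nil {
		return
	}
	mallory, err := NewSender("mallory") // constructed third party with her own key
	if err != nil {
		return
	}

	// Sally signs and sends; Bob verifies with Sally's public key.
	mail := sally.Send("bob", "Please ship order 1042 today.")
	genuine = Verify(mail, sally.PublicKey())

	// The body is changed after signing: the signature no longer matches.
	altered := mail
	altered.Body = "Please ship order 1042 to the new address."
	tamperDetected = !Verify(altered, sally.PublicKey())

	// Mallory signs with her own key and relabels the mail as Sally's:
	// Sally's public key rejects it, so the message cannot be pinned on Sally.
	forged := mallory.Send("bob", "Please ship order 1042 today.")
	forged.From = "sally"
	forgeryDetected = !Verify(forged, sally.PublicKey())
	return
}

func main() {
	g, t, f, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine verified: %v, tampering detected: %v, forgery detected: %v\n", g, t, f)
}
```

The third case is why signatures give nonrepudiation and a shared-secret MAC does not: with a shared key Bob could have produced the same tag himself, so Sally could plausibly deny it, whereas only Sally's private key yields a signature her public key accepts.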

Another example of nonrepudiation is related to commerce and e-commerce transactions. If you use a credit card to purchase a product and sign the credit card bill, the company can use your signature to prove you are the person who made the purchase. You couldn’t later deny it, because your signature verifies that you purchased it. Similarly, e-commerce transactions require you to enter additional information such as the expiration date and the security code on the card. The idea is that only someone with the card in his or her possession knows this additional information.


EXAM TIP Nonrepudiation prevents a party from denying that he or she took an action. The sender of a digitally signed e-mail cannot believably deny sending it. If a system has accountability and an audit trail shows the user took an action, it cannot be repudiated.

Least Privilege

An important security principle is the principle of least privilege. In short, this means that you grant users access to what they need to perform their job, and no more. This includes access to resources such as files as well as rights to perform actions such as modifying system configurations.

For example, consider a group of project managers and project team members who all access a folder named Project Data. The team members need to be able to read the data, but not to modify the data, and the managers need full control over the folder.

Figure 1-6 shows the New Technology File System (NTFS) permissions for a Windows Server 2008 system with appropriate permissions assigned. Notice, on the left, the G_ProjectManagers group is assigned full control. On the right, the G_ProjectTeam group is assigned the NTFS permissions related to Read.

Figure 1-6 Granting the minimum access needed to perform the job

If you instead gave the project team members full control permission on the folder, they would still be able to read the files, but they could also modify them or even delete them. Consider what could happen if the team had full control and any of the team members became a disgruntled employee. That user could deliberately modify or delete data on the server. Even the best employees can accidentally modify or delete files, but not if they don’t have permission. By assigning only the permissions needed, you reduce the risk to the data.

Similarly, network administrators need the rights to modify network and server configuration settings. Regular users are not granted these rights. This reduces the possibility of a regular user accidentally making a change that affects the availability of a system.

EXAM TIP The principle of least privilege ensures that users are granted only enough access to perform their job, and no more.

Separation of Duties

Separation of duties is a security principle that ensures that no single person has complete control over a process. When properly implemented, it significantly reduces the risk of fraud within an organization.

Consider the process of approving and paying invoices. If a single person controlled the entire process, he or she could create invoices for his or her own fictitious company, approve the invoice, and then make a payment to his or her own bank account. Of course, the loser in this scenario is the company.

However, if the payment process is separated into two steps, the risk of fraud is reduced. Figure 1-7 shows how one person approves the invoice, while another person pays the invoice. Because neither person has full control of the process, neither person can defraud the company without involving the other person.

This doesn’t totally eliminate the possibility of fraud, because the two employees could choose to collude or scheme with each other to defraud the company. Many companies also use job rotation and mandatory vacations to reduce the risks of collusion. Both of these concepts are covered in Chapter 13 in the context of fraud and embezzlement.
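One way to see both least privilege and separation of duties enforced in code. The following Go program is an added example and is not code from the book or from Windows NTFS; the role names AP-Approver and AP-Payer, the permission strings and the invoice structure are hypothetical. The project roles are modelled on the G_ProjectTeam and G_ProjectManagers groups from Figure 1-6, and the Approve/Pay pair on the two-step payment process of Figure 1-7.

```go
package main

import (
	"errors"
	"fmt"
)

// Permission is one right a role can hold.
type Permission string

const (
	PermReadProject    Permission = "project:read"
	PermWriteProject   Permission = "project:write"
	PermApproveInvoice Permission = "invoice:approve"
	PermPayInvoice     Permission = "invoice:pay"
)

// Roles grant each job only what it needs (least privilege). The project roles
// mirror the G_ProjectTeam (read) and G_ProjectManagers (full) groups in the
// text; the accounts-payable roles are hypothetical names for Figure 1-7.
var Roles = map[string][]Permission{
	"ProjectTeam":     {PermReadProject},
	"ProjectManagers": {PermReadProject, PermWriteProject},
	"AP-Approver":     {PermApproveInvoice},
	"AP-Payer":        {PermPayInvoice},
}

type User struct {
	Name  string
	Roles []string
}

// Has reports whether any of the user's roles grants the permission.
func (u User) Has(p Permission) bool {
	for _, r := range u.Roles {
		for _, granted := range Roles[r] {
			if granted == p {
				return true
			}
		}
	}
	return false
}

// Invoice records who approved and who paid, so the two steps can be compared.
type Invoice struct {
	ID         string
	Amount     float64
	ApprovedBy string
	PaidBy     string
}

var (
	ErrDenied = errors.New("permission denied")
	ErrState  = errors.New("invoice is not in the expected state")
	ErrSoD    = errors.New("separation of duties: the approver may not also pay")
)

// Approve is step one of the payment process.
func Approve(inv *Invoice, u User) error {
	if !u.Has(PermApproveInvoice) {
		return ErrDenied
	}
	if inv.ApprovedBy != "" {
		return ErrState
	}
	inv.ApprovedBy = u.Name
	return nil
}

// Pay is step two. Beyond the permission check it enforces separation of
// duties: even a user who somehow holds both roles cannot pay what they approved.
func Pay(inv *Invoice, u User) error {
	if !u.Has(PermPayInvoice) {
		return ErrDenied
	}
	if inv.ApprovedBy == "" || inv.PaidBy != "" {
		return ErrState
	}
	if inv.ApprovedBy == u.Name {
		return ErrSoD
	}
	inv.PaidBy = u.Name
	return nil
}

func main() {
	inv := &Invoice{ID: "INV-0001", Amount: 2500}                              // constructed sample invoice
	alice := User{Name: "alice", Roles: []string{"AP-Approver", "AP-Payer"}} // over-privileged on purpose
	bob := User{Name: "bob", Roles: []string{"AP-Payer"}}
	fmt.Println("alice approves:", Approve(inv, alice))
	fmt.Println("alice pays:    ", Pay(inv, alice)) // blocked by separation of duties
	fmt.Println("bob pays:      ", Pay(inv, bob))
}
```

The permission check alone is least privilege: a ProjectTeam member can read but not write, and a payer cannot approve. The extra comparison in Pay is separation of duties, and it matters precisely when role assignment has slipped and one person ends up holding both halves of the process, as alice does here.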

EXAM TIP Separation of duties helps prevent fraud by ensuring that no single person has complete control over a process.

Figure 1-7 Separation of duties (Payment Process: Approve Invoices, then Pay Invoices)


Due Diligence

Due diligence refers to the investigative steps that an organization takes prior to taking on something new, such as signing a contract or making a major purchase. In the IT world, an organization has an obligation to exercise due diligence to discover risks associated with a large purchase.

For example, if an organization is planning to purchase a software development company, that organization is obligated to exercise due diligence to determine as much as it can about the company and determine whether the purchase is a sound decision. The company may claim it earns about $100 million in revenue a year. Assume for a moment that you’re responsible for the outcome of this purchase. You could ignore due diligence and simply say, “OK,” and believe the company, and possibly learn later that it overestimated its revenue by about $99.99 million and instead only makes about $10,000 a year. A better choice is to exercise due diligence and investigate to validate the claims.

By investigating, you discover problems before the purchase. If the purchase is completed without any due diligence, you can bet that someone will soon have an opportunity to update his or her résumé. That person will be looking for another job.

From an IT security perspective, an organization has a responsibility to exercise due diligence to discover risks. The goal is to identify risks that can result in the loss of availability, integrity, or confidentiality of any data or IT systems. Risks can’t be eliminated, but an organization can take steps to mitigate or reduce the risks by exercising due care.

Due Care

Due care is the practice of implementing security policies and practices to protect resources. It ensures that a certain level of protection is applied to protect against losses from known risks. The goal is to reduce the risk to the resources to a manageable level.

EXAM TIP You cannot eliminate risk. Management decides what risks to mitigate, and the risk that remains is residual risk. Management is responsible for any losses that occur as a result of residual risk.

Because you can’t eliminate risks, an organization is likely to experience losses. If these losses are due to negligence, then the organization may face legal action against it. However, if the organization took due care to protect the resources but still suffered the loss, it’s less likely that it will be found negligent.

For example, imagine that a company holds customer data—including names, addresses, birth dates, and credit card data—in clear text in a database hosted on a web server. The company uses this information when customers make purchases through a website. A hacker checks out the website, discovers the database, and realizes that he can easily retrieve all the data. He steals the data and sells it to identity thieves, who proceed to steal millions of dollars.

TIP Several laws mandate the protection of an individual’s personally identifiable information (PII). Organizations have a requirement to exercise due care to protect PII.

Did the company take due care? Many would say no.


A web server accessible by users on the Internet will be attacked. It’s not a matter of if it will happen, but when. Further, if valuable data is on the server and it’s not protected, it will be discovered. Even if it does have some protection, it’s still at risk if it’s accessible from the Internet.

Taking due care, the organization would store the customer information on a different server that isn’t accessible from the Internet, but is accessible from the web server. Further, sensitive data such as credit card data should be encrypted to protect against the loss of confidentiality.
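The encryption half of that advice, as an added example that is not from the book: a customer record is written with the card number encrypted under AES-256-GCM and only the last four digits in clear, using Go's standard library. The CustomerRecord and CardVault types, the sample customer and the use of the customer's e-mail address as associated data are assumptions for the illustration; keeping the key off the database server is stated as a design goal in the comments, not implemented here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// CustomerRecord is the row as it would sit in the database: the card number
// is present only as ciphertext, plus the last four digits for display.
type CustomerRecord struct {
	Name           string
	Email          string
	CardLast4      string
	CardCiphertext []byte // nonce || AES-256-GCM ciphertext
}

// CardVault holds the data-encryption key. In a real deployment the key lives
// outside the database server (a key management service or HSM), so a copy of
// the database alone is useless; here it is generated in memory for the example.
type CardVault struct{ aead cipher.AEAD }

func NewCardVault() (*CardVault, error) {
	key := make([]byte, 32) // AES-256
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(blk)
	if err != nil {
		return nil, err
	}
	return &CardVault{aead: aead}, nil
}

// Store encrypts the card number before it is written. The customer's e-mail
// is the associated data, so a ciphertext copied onto another customer's row
// will not decrypt.
func (v *CardVault) Store(name, email, pan string) (CustomerRecord, error) {
	pan = strings.ReplaceAll(pan, " ", "")
	if len(pan) < 13 || len(pan) > 19 {
		return CustomerRecord{}, errors.New("card number has an invalid length")
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return CustomerRecord{}, err
	}
	ct := v.aead.Seal(nonce, nonce, []byte(pan), []byte(email)) // nonce is prepended
	return CustomerRecord{
		Name:           name,
		Email:          email,
		CardLast4:      pan[len(pan)-4:],
		CardCiphertext: ct,
	}, nil
}

// Reveal decrypts for the one code path that genuinely needs the full number.
func (v *CardVault) Reveal(r CustomerRecord) (string, error) {
	n := v.aead.NonceSize()
	if len(r.CardCiphertext) < n {
		return "", errors.New("ciphertext too short")
	}
	pt, err := v.aead.Open(nil, r.CardCiphertext[:n], r.CardCiphertext[n:], []byte(r.Email))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// LeaksClearPAN reports whether the stored bytes still contain the number,
// which is what someone reading a stolen database would be looking for.
func LeaksClearPAN(r CustomerRecord, pan string) bool {
	pan = strings.ReplaceAll(pan, " ", "")
	return strings.Contains(string(r.CardCiphertext), pan)
}

func main() {
	vault, err := NewCardVault()
	if err != nil {
		panic(err)
	}
	// Constructed sample data; 4111 1111 1111 1111 is a well-known test card number.
	rec, err := vault.Store("Sally", "sally@example.com", "4111 1111 1111 1111")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: last4=%s ciphertext=%d bytes, clear PAN present: %v\n",
		rec.CardLast4, len(rec.CardCiphertext), LeaksClearPAN(rec, "4111111111111111"))
}
```

The point for due care is what the database row contains after a breach: the name, e-mail and last four digits, but not the card number. Authenticated encryption also means that a tampered or transplanted ciphertext fails to decrypt rather than yielding a wrong number.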

EXAM TIP If a company doesn’t take due care to protect private data, it can be sued for privacy violations.

Chapter Review

There are several requirements to earn the (ISC)2 Systems Security Certified Practitioner (SSCP) certification. Individuals must have at least one year of experience in one of the seven domains defined by the (ISC)2 for the SSCP exam. Prior to registering for the exam, candidates must subscribe to the (ISC)2 Code of Ethics and answer four questions related to their background.

The exam includes 125 questions, with some ungraded questions included for research only. You must score a minimum of 700 on a scale of 1,000 to pass the exam. It’s a paper-based exam, so you won’t know right away whether you’ve passed or not; however, you will be notified within four to six weeks.

Three primary goals of information security are to prevent the loss of availability, the loss of integrity, and the loss of confidentiality. Preventing loss of availability ensures that systems and data are operational and available when needed. Availability is ensured with backups, fault tolerance, and redundant systems. Integrity ensures that unauthorized users have not altered data. Hashing (such as MD5 algorithms) provides assurance that data, such as messages or files, have not been altered. Audit logs provide an audit trail identifying whether data has been modified, who modified it, and when. Confidentiality protects against the disclosure of information to unauthorized individuals. You can ensure confidentiality with access controls and encryption.

Several fundamental security terms are important to understand:

● Defense in depth provides a layered approach to security and protects an organization even if one or more security elements fail.

● The AAAs of security are authentication, authorization, and accounting. Authentication identifies users, authorization defines what the users can access, and accounting tracks a user’s activities.

● If a system has accountability, it can identify and track the activity of a user.

● Nonrepudiation prevents an individual from denying that he or she took an action. For example, if a user sends a digitally signed message, he or she cannot later deny sending it because a digital signature provides nonrepudiation.

● The principle of least privilege ensures that users are granted only the access they need to perform their job, and no more.

● Separation of duties helps prevent fraud by ensuring that no single individual has complete control over a process.

● Due diligence refers to the investigative steps that an organization takes prior to making a major purchase or taking on an obligation.

● Due care refers to the steps that an organization takes to protect resources. If an organization doesn’t take due care to protect resources, such as any individual’s private data, it can be susceptible to legal action.

Questions

1. If an individual is involved in an ethical dilemma where there is conflict between the (ISC)2 canons, how should the conflict be resolved?

A. It is not possible to have a conflict between the canons.

B. The preamble should take precedence.

C. The (ISC)2 peer review panel should be queried.

D. Conflicts between the canons should be resolved in the order of the canons.

2. Members who violate any provision of the (ISC)2 Code of Ethics may be subject to revocation of certification. Who makes this determination?

A. The (ISC)2 board of trustees

B. The (ISC)2 Code of Ethics review board

C. A peer review panel

D. A court of law

3. What are the three main goals of any information security program?

A. Preventing losses in accounting, integrity, and confidentiality

B. Preventing losses in availability, identification, and confidentiality

C. Preventing losses in availability, integrity, and due care

D. Preventing losses in availability, integrity, and confidentiality

4. An organization wants to ensure that authorized employees are able to access resources during normal business hours. What security concept is this?

A. Authentication

B. Availability

C. Integrity

D. Confidentiality


5. Which of the following is used to ensure integrity?

A. MD5

B. Authentication

C. AES

D. Encryption

6. Which of the following describes preventing the loss of confidentiality?

A. Protecting disclosure of data from unauthorized users

B. Protecting disclosure of data from authorized users

C. Ensuring that the data hasn’t been modified

D. Ensuring that users can access the data when it’s needed

7. Which one of the following provides a layered approach to security?

A. Security triad

B. Nonrepudiation

C. AAAs

D. Defense in depth

8. What are the three A’s (AAA) of information security?

A. Authentication, availability, and authorization

B. Accounting, authentication, and availability

C. Authentication, authorization, and accounting

D. Availability, availability, and authorization

9. You want to ensure that a system can identify individual users, track their activity, and log their actions. What does this provide?

A. Accountability

B. Availability

C. Authentication

D. Authorization

10. You want to ensure that users sending e-mail are not able to deny sending it. What is this called?

A. Authentication

B. Audit logging

C. Due care

D. Nonrepudiation


11. Which of the following is used to validate an e-commerce transaction?

A. Nonrepudiation

B. Least privilege

C. Identification

D. Signature

12. An organization grants users access only to system resources that they need to perform their job. What principle is this?

A. Least privilege

B. Separation of duties

C. Defense in depth

D. Due care

13. Which of the following is a security principle designed to prevent fraud by ensuring that job responsibilities are divided?

A. Nonrepudiation

B. Least privilege

C. Defense in depth

D. Separation of duties

14. An organization has a responsibility to investigate risks associated with new purchases. What is this?

A. Due care

B. Due diligence

C. Due process

D. Paying your dues

15. Which of the following statements accurately describes due care?

A. It is the practice of implementing security policies and procedures to protect resources.

B. Due care eliminates risk.

C. A company is not responsible for exercising due care over PII.

D. Organizations cannot be sued if they fail to exercise due care over resources such as customer data.


Answers

1. D. Conflicts between the canons should be resolved in the order of the canons. It is possible to face an ethical dilemma where each canon cannot be upheld. The preamble does not take precedence over the canons. An (ISC)2 peer review panel investigates possible violations by members.

2. C. Members who violate any provision of the Code of Ethics are subject to action by a peer review panel, as stated here: https://www.isc2.org/ethics/Default.aspx.

3. D. The AIC security triad includes the three primary goals of preventing losses in availability, integrity, and confidentiality to information systems. Accounting is one of the AAAs of security, but not part of the AIC security triad. Identification is part of the authentication process. Due care is the practice of implementing security policies and practices to protect resources.

4. B. Availability ensures that IT systems and data are available when needed. Authentication allows individuals to prove who they are. Integrity ensures that data is not modified. Confidentiality protects against the disclosure of data to unauthorized users.

5. A. MD5 is a message digest hashing algorithm and is commonly used to ensure integrity. Authentication helps provide confidentiality by first ensuring that users are accurately identified. AES is a strong form of encryption and can also be used to ensure confidentiality.

6. A. Confidentiality protects against the disclosure of data to unauthorized users. Authorized users can access the data. Integrity ensures that the data hasn’t been modified. Availability ensures that data is available when needed.

7. D. Defense in depth provides a layered approach to security by implementing several different security practices simultaneously. The security triad (availability, integrity, and confidentiality) identifies the main goals of security. Nonrepudiation prevents an individual from denying that he or she took an action. The AAAs of security are authentication, authorization, and accounting.

8. C. The three A’s (AAA) of information security are authentication, authorization, and accounting. Availability is part of the AIC security triad (availability, integrity, and confidentiality), but it is not part of the AAAs of information security.

9. A. If a system can identify individual users, track their activity, and log their actions, it provides accountability. Availability ensures the system is operational when needed. Authentication identifies the individual using credentials. Authorization identifies resources that a user can access.

10. D. Nonrepudiation ensures that parties are not able to deny taking an action, such as sending an e-mail. Authentication proves who someone is, but doesn’t prove an action. Audit logging can provide nonrepudiation of actions taken on resources, but audit logging isn’t used as a nonrepudiation method for e-mail messages. Due care is the practice of implementing security policies and practices to protect resources.


11. A. Nonrepudiation is used in e-commerce to validate transactions. Least privilege ensures that users are granted access only to the resources they need to perform their job. Identification is used to verify a person’s identity prior to issuing credentials. A written signature is not used in e-commerce.

12. A. The principle of least privilege ensures that users are granted access only to the resources they need to perform their job, and no more. Separation of duties helps prevent fraud by ensuring that no single person has complete control over an entire process. Defense in depth provides a layered approach to security. Due care refers to the steps that an organization takes to protect resources.

13. D. Separation of duties helps prevent fraud by ensuring that no single person has complete control over an entire process. Nonrepudiation ensures that parties are not able to deny taking an action. Least privilege ensures that users are granted only enough access to resources needed to perform their job, and no more. Defense in depth provides a layered approach to security.

14. B. Due diligence refers to the investigative steps that an organization takes prior to taking on a new obligation to discover associated risks. Due care refers to the steps an organization takes to protect resources such as a customer’s private data. Due process refers to legal searches and prohibits searches and seizures without cause. Paying your dues isn’t a security term.

15. A. Due care is the practice of implementing security policies and procedures to protect resources. You cannot eliminate risk. A company is responsible for exercising due care over PII and can be sued if it fails to exercise due care.
