University of Nairobi Emerging Threats & Countermeasures Discussion

User Generated

penmlebpxfgne

Writing

University of Nairobi

Question Description

I’m stuck on a Writing question and need an explanation.

Topic: Emerging Threats & Countermeasures

Question:

Internet-related crime occurs every minute. Cybercriminals steal millions of dollars with near impunity. For everyone that is captured nearly 10,000 or not captured. For every one successful prosecuted in a court of law, 100 get off without punishment or with a warning. Why is it so difficult to prosecute cybercriminals?

Unformatted Attachment Preview

(ISC)2 CISSP® Certified Information Systems Security Professional Official Study Guide Eighth Edition Mike Chapple James Michael Stewart Darril Gibson Development Editor: Kelly Talbot Technical Editors: Jeff Parker, Bob Sipes, and David Seidl Copy Editor: Kim Wimpsett Editorial Manager: Pete Gaughan Production Manager: Kathleen Wisor Executive Editor: Jim Minatel Proofreader: Amy Schneider Indexer: Johnna VanHoose Dinse Project Coordinator, Cover: Brent Savage Cover Designer: Wiley Cover Image: @Jeremy Woodhouse/Getty Images, Inc. Copyright © 2018 by John Wiley & Sons, Inc., Indianapolis, Indiana Published simultaneously in Canada ISBN: 978-1-119-47593-4 ISBN: 978-1-119-47595-8 (ebk.) ISBN: 978-1-119-47587-3 (ebk.) Manufactured in the United States of America No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions. Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read. For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002. Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com. Library of Congress Control Number: 2018933561 TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. CISSP is a registered trademark of (ISC)², Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book. To Dewitt Latimer, my mentor, friend, and colleague. I miss you dearly. —Mike Chapple To Cathy, your perspective on the world and life often surprises me, challenges me, and makes me love you even more. —James Michael Stewart To Nimfa, thanks for sharing your life with me for the past 26 years and letting me share mine with you. —Darril Gibson Dear Future (ISC)2 Member, Congratulations on starting your journey to CISSP® certification. Earning your CISSP is an exciting and rewarding milestone in your cybersecurity career. Not only does it demonstrate your ability to develop and manage nearly all aspects of an organization’s cybersecurity operations, but you also signal to employers your commitment to life-long learning and taking an active role in fulfilling the (ISC)² vision of inspiring a safe and secure cyber world. The material in this study guide is based upon the (ISC)² CISSP Common Body of Knowledge. It will help you prepare for the exam that will assess your competency in the following eight domains: Security and Risk Management Asset Security Security Architecture and Engineering Communication and Network Security Identity and Access Management (IAM) Security Assessment and Testing Security Operations Software Development Security While this study guide will help you prepare, passing the CISSP exam depends on your mastery of the domains combined with your ability to apply those concepts using your real-world experience. I wish you the best of luck as you continue on your path to become a CISSP and certified member of (ISC)2. Sincerely, David Shearer, CISSP CEO (ISC)2 Acknowledgments We’d like to express our thanks to Sybex for continuing to support this project. Extra thanks to the eighth edition developmental editor, Kelly Talbot, and technical editors, Jeff Parker, Bob Sipes, and David Seidl, who performed amazing feats in guiding us to improve this book. Thanks as well to our agent, Carole Jelen, for continuing to assist in nailing down these projects. —Mike, James, and Darril Special thanks go to the information security team at the University of Notre Dame, who provided hours of interesting conversation and debate on security issues that inspired and informed much of the material in this book. I would like to thank the team at Wiley who provided invaluable assistance throughout the book development process. I also owe a debt of gratitude to my literary agent, Carole Jelen of Waterside Productions. My coauthors, James Michael Stewart and Darril Gibson, were great collaborators. Jeff Parker, Bob Sipes, and David Seidl, our diligent and knowledgeable technical editors, provided valuable insight as we brought this edition to press. I’d also like to thank the many people who participated in the production of this book but whom I never had the chance to meet: the graphics team, the production staff, and all of those involved in bringing this book to press. —Mike Chapple Thanks to Mike Chapple and Darril Gibson for continuing to contribute to this project. Thanks also to all my CISSP course students who have provided their insight and input to improve my training courseware and ultimately this tome. To my adoring wife, Cathy: Building a life and a family together has been more wonderful than I could have ever imagined. To Slayde and Remi: You are growing up so fast and learning at an outstanding pace, and you continue to delight and impress me daily. You are both growing into amazing individuals. To my mom, Johnnie: It is wonderful to have you close by. To Mark: No matter how much time has passed or how little we see each other, I have been and always will be your friend. And finally, as always, to Elvis: You were way ahead of the current bacon obsession with your peanut butter/banana/bacon sandwich; I think that’s proof you traveled through time! —James Michael Stewart Thanks to Jim Minatel and Carole Jelen for helping get this update in place before (ISC)2 released the objectives. This helped us get a head start on this new edition, and we appreciate your efforts. It’s been a pleasure working with talented people like James Michael Stewart and Mike Chapple. Thanks to both of you for all your work and collaborative efforts on this project. The technical editors, Jeff Parker, Bob Sipes, and David Seidl, provided us with some outstanding feedback, and this book is better because of their efforts. Thanks to the team at Sybex (including project managers, editors, and graphics artists) for all the work you did helping us get this book to print. Last, thanks to my wife, Nimfa, for putting up with my odd hours as I worked on this book. —Darril Gibson About the Authors Mike Chapple, CISSP, PhD, Security+, CISA, CySA+, is an associate teaching professor of IT, analytics, and operations at the University of Notre Dame. In the past, he was chief information officer of Brand Institute and an information security researcher with the National Security Agency and the U.S. Air Force. His primary areas of expertise include network intrusion detection and access controls. Mike is a frequent contributor to TechTarget’s SearchSecurity site and the author of more than 25 books including the companion book to this study guide: CISSP Official (ISC)2 Practice Tests, the CompTIA CSA+ Study Guide, and Cyberwarfare: Information Operations in a Connected World. Mike offers study groups for the CISSP, SSCP, Security+, and CSA+ certifications on his website at www.certmike.com. James Michael Stewart, CISSP, CEH, ECSA, CHFI, Security+, Network+, has been writing and training for more than 20 years, with a current focus on security. He has been teaching CISSP training courses since 2002, not to mention other courses on Internet security and ethical hacking/penetration testing. He is the author of and contributor to more than 75 books and numerous courseware sets on security certification, Microsoft topics, and network administration, including the Security+ (SY0-501) Review Guide. More information about Michael can be found at his website at www.impactonline.com. Darril Gibson, CISSP, Security+, CASP, is the CEO of YCDA (short for You Can Do Anything), and he has authored or coauthored more than 40 books. Darril regularly writes, consults, and teaches on a wide variety of technical and security topics and holds several certifications. He regularly posts blog articles at http://blogs.getcertifiedgetahead.com/ about certification topics and uses that site to help people stay abreast of changes in certification exams. He loves hearing from readers, especially when they pass an exam after using one of his books, and you can contact him through the blogging site. About the Technical Editors Jeff T. Parker, CISSP, is a technical editor and reviewer across many focuses of information security. Jeff regularly contributes to books, adding experience and practical know-how where needed. Jeff’s experience comes from 10 years of consulting with Hewlett-Packard in Boston and from 4 years with Deutsche-Post in Prague, Czech Republic. Now residing in Canada, Jeff teaches his and other middleschool kids about building (and destroying) a home lab. He recently coauthored Wireshark for Security Professionals and is now authoring CySA+ Practice Exams. Keep learning! Bob Sipes, CISSP, is an enterprise security architect and account security officer at DXC Technology providing tactical and strategic leadership for DXC clients. He holds several certifications, is actively involved in security organizations including ISSA and Infragard, and is an experienced public speaker on topics including cybersecurity, communications, and leadership. In his spare time, Bob is an avid antiquarian book collector with an extensive library of 19th and early 20th century boys’ literature. You can follow Bob on Twitter at @bobsipes. David Seidl, CISSP, is the senior director for Campus Technology Services at the University of Notre Dame, where he has also taught cybersecurity and networking in the Mendoza College of Business. David has written multiple books on cybersecurity certification and cyberwarfare, and he has served as the technical editor for the sixth, seventh, and eighth editions of CISSP Study Guide. David holds a master’s degree in information security and a bachelor’s degree in communication technology from Eastern Michigan University, as well as CISSP, GPEN, GCIH, and CySA+ certifications. Contents Introduction Overview of the CISSP Exam Notes on This Book’s Organization Assessment Test Answers to Assessment Test Chapter 1 Security Governance Through Principles and Policies Understand and Apply Concepts of Confidentiality, Integrity, and Availability Evaluate and Apply Security Governance Principles Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines Understand and Apply Threat Modeling Concepts and Methodologies Apply Risk-Based Management Concepts to the Supply Chain Summary Exam Essentials Written Lab Review Questions Chapter 2 Personnel Security and Risk Management Concepts Personnel Security Policies and Procedures Security Governance Understand and Apply Risk Management Concepts Establish and Maintain a Security Awareness, Education, and Training Program Manage the Security Function Summary Exam Essentials Written Lab Review Questions Chapter 3 Business Continuity Planning Planning for Business Continuity Project Scope and Planning Business Impact Assessment Continuity Planning Plan Approval and Implementation Summary Exam Essentials Written Lab Review Questions Chapter 4 Laws, Regulations, and Compliance Categories of Laws Laws Compliance Contracting and Procurement Summary Exam Essentials Written Lab Review Questions Chapter 5 Protecting Security of Assets Identify and Classify Assets Determining Ownership Using Security Baselines Summary Exam Essentials Written Lab Review Questions Chapter 6 Cryptography and Symmetric Key Algorithms Historical Milestones in Cryptography Cryptographic Basics Modern Cryptography Symmetric Cryptography Cryptographic Lifecycle Summary Exam Essentials Written Lab Review Questions Chapter 7 PKI and Cryptographic Applications Asymmetric Cryptography Hash Functions Digital Signatures Public Key Infrastructure Asymmetric Key Management Applied Cryptography Cryptographic Attacks Summary Exam Essentials Written Lab Review Questions Chapter 8 Principles of Security Models, Design, and Capabilities Implement and Manage Engineering Processes Using Secure Design Principles Understand the Fundamental Concepts of Security Models Select Controls Based On Systems Security Requirements Understand Security Capabilities of Information Systems Summary Exam Essentials Written Lab Review Questions Chapter 9 Security Vulnerabilities, Threats, and Countermeasures Assess and Mitigate Security Vulnerabilities Client-Based Systems Server-Based Systems Database Systems Security Distributed Systems and Endpoint Security Internet of Things Industrial Control Systems Assess and Mitigate Vulnerabilities in Web-Based Systems Assess and Mitigate Vulnerabilities in Mobile Systems Assess and Mitigate Vulnerabilities in Embedded Devices and Cyber-Physical Systems Essential Security Protection Mechanisms Common Architecture Flaws and Security Issues Summary Exam Essentials Written Lab Review Questions Chapter 10 Physical Security Requirements Apply Security Principles to Site and Facility Design Implement Site and Facility Security Controls Implement and Manage Physical Security Summary Exam Essentials Written Lab Review Questions Chapter 11 Secure Network Architecture and Securing Network Components OSI Model TCP/IP Model Converged Protocols Wireless Networks Secure Network Components Cabling, Wireless, Topology, Communications, and Transmission Media Technology Summary Exam Essentials Written Lab Review Questions Chapter 12 Secure Communications and Network Attacks Network and Protocol Security Mechanisms Secure Voice Communications Multimedia Collaboration Manage Email Security Remote Access Security Management Virtual Private Network Virtualization Network Address Translation Switching Technologies WAN Technologies Miscellaneous Security Control Characteristics Security Boundaries Prevent or Mitigate Network Attacks Summary Exam Essentials Written Lab Review Questions Chapter 13 Managing Identity and Authentication Controlling Access to Assets Comparing Identification and Authentication Implementing Identity Management Managing the Identity and Access Provisioning Lifecycle Summary Exam Essentials Written Lab Review Questions Chapter 14 Controlling and Monitoring Access Comparing Access Control Models Understanding Access Control Attacks Summary Exam Essentials Written Lab Review Questions Chapter 15 Security Assessment and Testing Building a Security Assessment and Testing Program Performing Vulnerability Assessments Testing Your Software Implementing Security Management Processes Summary Exam Essentials Written Lab Review Questions Chapter 16 Managing Security Operations Applying Security Operations Concepts Securely Provisioning Resources Managing Configuration Managing Change Managing Patches and Reducing Vulnerabilities Summary Exam Essentials Written Lab Review Questions Chapter 17 Preventing and Responding to Incidents Managing Incident Response Implementing Detective and Preventive Measures Logging, Monitoring, and Auditing Summary Exam Essentials Written Lab Review Questions Chapter 18 Disaster Recovery Planning The Nature of Disaster Understand System Resilience and Fault Tolerance Recovery Strategy Recovery Plan Development Training, Awareness, and Documentation Testing and Maintenance Summary Exam Essentials Written Lab Review Questions Chapter 19 Investigations and Ethics Investigations Major Categories of Computer Crime Ethics Summary Exam Essentials Written Lab Review Questions Chapter 20 Software Development Security Introducing Systems Development Controls Establishing Databases and Data Warehousing Storing Data and Information Understanding Knowledge-Based Systems Summary Exam Essentials Written Lab Review Questions Chapter 21 Malicious Code and Application Attacks Malicious Code Password Attacks Application Attacks Web Application Security Reconnaissance Attacks Masquerading Attacks Summary Exam Essentials Written Lab Review Questions Appendix A Answers to Review Questions Chapter 1: Security Governance Through Principles and Policies Chapter 2: Personnel Security and Risk Management Concepts Chapter 3: Business Continuity Planning Chapter 4: Laws, Regulations, and Compliance Chapter 5: Protecting Security of Assets Chapter 6: Cryptography and Symmetric Key Algorithms Chapter 7: PKI and Cryptographic Applications Chapter 8: Principles of Security Models, Design, and Capabilities Chapter 9: Security Vulnerabilities, Threats, and Countermeasures Chapter 10: Physical Security Requirements Chapter 11: Secure Network Architecture and Securing Network Components Chapter 12: Secure Communications and Network Attacks Chapter 13: Managing Identity and Authentication Chapter 14: Controlling and Monitoring Access Chapter 15: Security Assessment and Testing Chapter 16: Managing Security Operations Chapter 17: Preventing and Responding to Incidents Chapter 18: Disaster Recovery Planning Chapter 19: Investigations and Ethics Chapter 20: Software Development Security Chapter 21: Malicious Code and Application Attacks Appendix B Answers to Written Labs Chapter 1: Security Governance Through Principles and Policies Chapter 2: Personnel Security and Risk Management Concepts Chapter 3: Business Continuity Planning Chapter 4: Laws, Regulations, and Compliance Chapter 5: Protecting Security of Assets Chapter 6: Cryptography and Symmetric Key Algorithms Chapter 7: PKI and Cryptographic Applications Chapter 8: Principles of Security Models, Design, and Capabilities Chapter 9: Security Vulnerabilities, Threats, and Countermeasures Chapter 10: Physical Security Requirements Chapter 11: Secure Network Architecture and Securing Network Components Chapter 12: Secure Communications and Network Attacks Chapter 13: Managing Identity and Authentication Chapter 14: Controlling and Monitoring Access Chapter 15: Security Assessment and Testing Chapter 16: Managing Security Operations Chapter 17: Preventing and Responding to Incidents Chapter 18: Disaster Recovery Planning Chapter 19: Investigations and Ethics Chapter 20: Software Development Security Chapter 21: Malicious Code and Application Attacks Advert EULA List of Tables Chapter 2 Table 2.1 Table 2.2 Chapter 5 Table 5.1 Table 5.2 Table 5.3 Chapter 6 Table 6.1 Table 6.2 Chapter 7 Table 7.1 Chapter 8 Table 8.1 Table 8.2 Table 8.3 Table 8.4 Chapter 9 Table 9.1 Chapter 10 Table 10.1 Table 10.2 Chapter 11 Table 11.1 Table 11.2 Table 11.3 Table 11.4 Table 11.5 Table 11.6 Table 11.7 Table 11.8 Table 11.9 Table 11.10 Table 11.11 Chapter 12 Table 12.1 Table 12.2 Table 12.3 Table 12.4 Chapter 18 Table 18.1 List of Illustrations Chapter 1 FIGURE 1.1 The CIA Triad FIGURE 1.2 The five elements of AAA services FIGURE 1.3 Strategic, tactical, and operational plan timeline comparison FIGURE 1.4 Levels of government/military classification FIGURE 1.5 Commercial business/private sector classification levels FIGURE 1.6 The comparative relationships of security policy components FIGURE 1.7 An example of diagramming to reveal threat concerns FIGURE 1.8 An example of diagramming to reveal threat concerns Chapter 2 FIGURE 2.1 An example of separation of duties related to five admin tasks and seven administrators FIGURE 2.2 An example of job rotation among management positions FIGURE 2.3 Ex-employees must return all company property FIGURE 2.4 The elements of risk FIGURE 2.5 The six major elements of quantitative risk analysis FIGURE 2.6 The categories of security controls in a defensein-depth implementation FIGURE 2.7 The six steps of the risk management framework Chapter 3 FIGURE 3.1 Earthquake hazard map of the United States Chapter 5 FIGURE 5.1 Data classifications FIGURE 5.2 Clearing a hard drive Chapter 6 FIGURE 6.1 Challenge-response authentication protocol FIGURE 6.2 The magic door FIGURE 6.3 Symmetric key cryptography FIGURE 6.4 Asymmetric key cryptography Chapter 7 FIGURE 7.1 Asymmetric key cryptography FIGURE 7.2 Steganography tool FIGURE 7.3 Image with embedded message Chapter 8 FIGURE 8.1 The TCB, security perimeter, and reference monitor FIGURE 8.2 The Take-Grant model’s directed graph FIGURE 8.3 The Bell-LaPadula model FIGURE 8.4 The Biba model FIGURE 8.5 The Clark-Wilson model FIGURE 8.6 The levels of TCSEC Chapter 9 FIGURE 9.1 In the commonly used four-ring model, protection rings segregate the operating system into kernel, components, and drivers in rings 0 through 2 and applications and programs run at ring 3. FIGURE 9.2 The process scheduler Chapter 10 FIGURE 10.1 A typical wiring closet FIGURE 10.2 The fire triangle FIGURE 10.3 The four primary stages of fire FIGURE 10.4 A secure physical boundary with a mantrap and a turnstile Chapter 11 FIGURE 11.1 Representation of the OSI model FIGURE 11.2 Representation of OSI model encapsulation FIGURE 11.3 Representation of the OSI model peer layer logical channels FIGURE 11.4 OSI model data names FIGURE 11.5 Comparing the OSI model with the TCP/IP model FIGURE 11.6 The four layers of TCP/IP and its component protocols FIGURE 11.7 The TCP three-way handshake FIGURE 11.8 Single-, two-, and three-tier firewall deployment architectures FIGURE 11.9 A ring topology FIGURE 11.10 A linear bus topology and a tree bus topology FIGURE 11.11 A star topology FIGURE 11.12 A mesh topology Chapter 13 FIGURE 13.1 Graph of FRR and FAR errors indicating the CER point Chapter 14 FIGURE 14.1 Defense in depth with layered security FIGURE 14.2 Role Based Access Control FIGURE 14.3 A representation of the boundaries provided by lattice-based access controls FIGURE 14.4 Wireshark capture Chapter 15 FIGURE 15.1 Nmap scan of a web server run from a Linux system FIGURE 15.2 Default Apache server page running on the server scanned in Figure 15.1 FIGURE 15.3 Nmap scan of a large network run from a Mac system using the Terminal utility FIGURE 15.4 Network vulnerability scan of the same web server that was port scanned in Figure 15.1 FIGURE 15.5 Web application vulnerability scan of the same web server that was port scanned in Figure 15.1 and network vulnerability scanned in Figure 15.2. FIGURE 15.6 Scanning a database-backed application with sqlmap FIGURE 15.7 Penetration testing process FIGURE 15.8 The Metasploit automated system exploitation tool allows attackers to quickly execute common attacks against target systems. FIGURE 15.9 Fagan inspections follow a rigid formal process, with defined entry and exit criteria that must be met before transitioning between stages. FIGURE 15.10 Prefuzzing input file containing a series of 1s FIGURE 15.11 The input file from Figure 15.10 after being run through the zzuf mutation fuzzing tool Chapter 16 FIGURE 16.1 A segregation of duties control matrix FIGURE 16.2 Creating and deploying images FIGURE 16.3 Web server and database server Chapter 17 FIGURE 17.1 Incident response FIGURE 17.2 SYN flood attack FIGURE 17.3 A man-in-the-middle attack FIGURE 17.4 Intrusion prevention system FIGURE 17.5 Viewing a log entry Chapter 18 FIGURE 18.1 Flood hazard map for Miami–Dade County, Florida FIGURE 18.2 Failover cluster with network load balancing Chapter 20 FIGURE 20.1 Security vs. user-friendliness vs. functionality FIGURE 20.2 The waterfall lifecycle model FIGURE 20.3 The spiral lifecycle mode FIGURE 20.4 The IDEAL model FIGURE 20.5 Gantt chart FIGURE 20.6 The DevOps model FIGURE 20.7 Hierarchical data model FIGURE 20.8 Customers table from a relational database FIGURE 20.9 ODBC as the interface between applications and a backend database system Chapter 21 FIGURE 21.1 Social Security phishing message FIGURE 21.2 Typical database-driven website architecture Introduction The (ISC)2 CISSP: Certified Information Systems Security Professional Official Study Guide, Eighth Edition, offers you a solid foundation for the Certified Information Systems Security Professional (CISSP) exam. By purchasing this book, you’ve shown a willingness to learn and a desire to develop the skills you need to achieve this certification. This introduction provides you with a basic overview of this book and the CISSP exam. This book is designed for readers and students who want to study for the CISSP certification exam. If your goal is to become a certified security professional, then the CISSP certification and this study guide are for you. The purpose of this book is to adequately prepare you to take the CISSP exam. Before you dive into this book, you need to have accomplished a few tasks on your own. You need to have a general understanding of IT and of security. You should have the necessary five years of full-time paid work experience (or four years if you have a college degree) in two or more of the eight domains covered by the CISSP exam. If you are qualified to take the CISSP exam according to (ISC)2, then you are sufficiently prepared to use this book to study for it. For more information on (ISC)2, see the next section. (ISC)2 also allows for a one-year reduction of the five-year experience requirement if you have earned one of the approved certifications from the (ISC)2 prerequisite pathway. These include certifications such as CAP, CISM, CISA, CCNA Security, Security+, MCSA, MCSE, and many of the GIAC certifications. For a complete list of qualifying certifications, visit https://www.isc2.org/Certifications/CISSP/Prerequisite-Pathway. Note: You can use only one of the experience reduction measures, either a college degree or a certification, not both. (ISC)2 The CISSP exam is governed by the International Information Systems Security Certification Consortium (ISC)2. (ISC)2 is a global not-forprofit organization. It has four primary mission goals: Maintain the Common Body of Knowledge (CBK) for the field of information systems security. Provide certification for information systems security professionals and practitioners. Conduct certification training and administer the certification exams. Oversee the ongoing accreditation of qualified certification candidates through continued education. The (ISC)2 is operated by a board of directors elected from the ranks of its certified practitioners. (ISC)2 supports and provides a wide variety of certifications, including CISSP, SSCP, CAP, CSSLP, CCFP, HCISPP, and CCSP. These certifications are designed to verify the knowledge and skills of IT security professionals across all industries. You can obtain more information about (ISC)2 and its other certifications from its website at www.isc2.org. The Certified Information Systems Security Professional (CISSP) credential is for security professionals responsible for designing and maintaining security infrastructure within an organization. Topical Domains The CISSP certification covers material from the eight topical domains. These eight domains are as follows: Security and Risk Management Asset Security Security Architecture and Engineering Communication and Network Security Identity and Access Management (IAM) Security Assessment and Testing Security Operations Software Development Security These eight domains provide a vendor-independent overview of a common security framework. This framework is the basis for a discussion on security practices that can be supported in all types of organizations worldwide. The most recent revision of the topical domains will be reflected in exams starting April 15, 2018. For a complete view of the breadth of topics covered on the CISSP exam from the eight domain groupings, visit the (ISC)2 website at www.isc2.org to request a copy of the Candidate Information Bulletin. This document includes a complete exam outline as well as other relevant facts about the certification. Prequalifications (ISC)2 has defined the qualification requirements you must meet to become a CISSP. First, you must be a practicing security professional with at least five years’ full-time paid work experience or with four years’ experience and a recent IT or IS degree. Professional experience is defined as security work performed for salary or commission within two or more of the eight CBK domains. Second, you must agree to adhere to a formal code of ethics. The CISSP Code of Ethics is a set of guidelines the (ISC)2 wants all CISSP candidates to follow to maintain professionalism in the field of information systems security. You can find it in the Information section on the (ISC)2 website at www.isc2.org. (ISC)2 also offers an entry program known as an Associate of (ISC)2. This program allows someone without any or enough experience to qualify as a CISSP to take the CISSP exam anyway and then obtain experience afterward. Associates are granted six years to obtain five years’ of security experience. Only after providing proof of such experience, usually by means of endorsement and a resume, can the individual be awarded CISSP certification. Overview of the CISSP Exam The CISSP exam focuses on security from a 30,000-foot view; it deals more with theory and concept than implementation and procedure. It is very broad but not very deep. To successfully complete this exam, you’ll need to be familiar with every domain but not necessarily be a master of each domain. As of December 18, 2017, the CISSP exam is in an adaptive format. (ISC)2 calls the new version CISSP-CAT (Computerized Adaptive Testing). For complete details of this new version of exam presentation, please see https://www.isc2.org/certifications/CISSP/CISSP-CAT. The CISSP-CAT exam will be a minimum of 100 questions and a maximum of 150. Not all items you are presented with count toward your score or passing status. These unscored items are called pretest questions by (ISC)2, while the scored items are called operational items. The questions are not labeled on the exam as to whether they are scored or unscored. Test candidates will receive 25 unscored items on their exam, regardless of whether they achieve a passing rank at question 100 or see all of the 150 questions. The CISSP-CAT grants a maximum of three hours to take the exam. If you run out of time before achieving a passing rank, you will automatically fail. The CISSP-CAT does not allow you to return to a previous question to change your answer. Your answer selection is final once you leave a question. The CISSP-CAT does not have a published or set score to achieve. Instead, you must demonstrate the ability to answer above the (ISC)2 bar for passing, called the passing standard (which is not disclosed), within the last 75 operational items (i.e., questions). If the computer determines that you have a less than 5 percent chance of achieving a passing standard and you have seen 75 operational items, your test will automatically end with a failure. You are not guaranteed to see any more questions than are necessary for the computer grading system to determine with 95 percent confidence your ability to achieve a passing standard or to fail to meet the passing standard. If you do not pass the CISSP exam on your first attempt, you are allowed to retake the CISSP exam under the following conditions: You can take the CISSP exam a maximum of 3 times per 12-month period. You must wait 30 days after your first attempt before trying a second time. You must wait an additional 90 days after your second attempt before trying a third time. You must wait an additional 180 days after your third attempt before trying again or as long as needed to reach 12 months from the date of your first attempt. You will need to pay full price for each additional exam attempt. It is not possible to take the previous paper-based or CBT (computer based testing) flat 250 question version of the exam. CISSP is now available only in the CBT CISSP-CAT format. The refreshed CISSP exam will be available in English, French, German, Brazilian Portuguese, Spanish, Japanese, Simplified Chinese and Korean. Effective December 18, 2017, the Certified Information Systems Security Professional (CISSP) exam (English version only) will be available exclusively via CAT through (ISC)2-authorized Pearson VUE test centers in authorized markets. CISSP exams administered in languages other than English and all other (ISC)2 certification exams will continue to be available as fixed-form, linear examinations. CISSP Exam Question Types Most of the questions on the CISSP exam are four-option, multiplechoice questions with a single correct answer. Some are straightforward, such as asking you to select a definition. Some are a bit more involved, asking you to select the appropriate concept or best practice. And some questions present you with a scenario or situation and ask you to select the best response. Here’s an example: 1. What is the most important goal and top priority of a security solution? A. Preventing disclosure B. Maintaining integrity C. Maintaining human safety D. Sustaining availability You must select the one correct or best answer and mark it. In some cases, the correct answer will be very obvious to you. In other cases, several answers may seem correct. In these instances, you must choose the best answer for the question asked. Watch for general, specific, universal, superset, and subset answer selections. In other cases, none of the answers will seem correct. In these instances, you’ll need to select the least incorrect answer. By the way, the correct answer for this sample question is C. Maintaining human safety is always your first priority. In addition to the standard multiple-choice question format, (ISC)2 has added a few advanced question formats, which it calls advanced innovative questions. These include drag-and-drop questions and hotspot questions. These types of questions require you to place topics or concepts in order of operations, in priority preference, or in relation to proper positioning for the needed solution. Specifically, the dragand-drop questions require the test taker to move labels or icons to mark items on an image. The hotspot questions require the test taker to pinpoint a location on an image with a cross-hair marker. These question concepts are easy to work with and understand, but be careful about your accuracy of dropping or marking. Advice on Taking the Exam The CISSP exam consists of two key elements. First, you need to know the material from the eight domains. Second, you must have good testtaking skills. You have a maximum of 3 hours to achieve a passing standard with the potential to see up to 150 questions. Thus, you will have on average just over a minute for each question. Thus, it is important to work quickly, without rushing but also without wasting time. It is not clear from (ISC)2’s description of the CISSP-CAT format whether guessing is a good strategy in every case, but it does seem to be a better strategy than skipping questions. We recommend you attempt to eliminate as many answer selections as possible before making a guess, and consider skipping the question instead of randomly guessing only if you are unable to eliminate any answer options. Make educated guesses from a reduced set of options to increase your chance of getting a question correct. Also note that (ISC)2 does not disclose if there is partial credit given for multiple-part questions if you get only some of the elements correct. So, pay attention to questions with check boxes instead of radio buttons, and be sure to select as many items as necessary to properly address the question. You will be provided a dry-erase board and a marker to jot down thoughts and make notes. But nothing written on that board will be used to alter your score. And that board must be returned to the test administrator prior to departing the test facility. To maximize your test-taking activities, here are some general guidelines: Read each question, then read the answer options, and then reread the question. Eliminate wrong answers before selecting the correct one. Watch for double negatives. Be sure you understand what the question is asking. Manage your time. You can take breaks during your test, but this might consume some of your test time. You might consider bringing a drink and snacks, but your food and drink will be stored for you away from the testing area, and that break time will count against your test time limit. Be sure to bring any medications or other essential items, but leave all things electronic at home or in your car. You should avoid wearing anything on your wrists, including watches, fitness trackers, and jewelry. You are not allowed to bring any form of noise-canceling headsets or ear buds, although you can use foam earplugs. We also recommend wearing comfortable clothes and taking a light jacket with you (some testing locations are a bit chilly). If English is not your first language, you can register for one of several other language versions of the exam. Or, if you choose to use the English version of the exam, a translation dictionary is allowed. (Be sure to contact your test facility to organize and arrange this beforehand.) You must be able to prove that you need such a dictionary; this is usually accomplished with your birth certificate or your passport. Occasionally, small changes are made to the exam or exam objectives. When that happens, Sybex will post updates to its website. Visit www.wiley.com/go/cissp8e before you sit for the exam to make sure you have the latest information. Study and Exam Preparation Tips We recommend planning for a month or so of nightly intensive study for the CISSP exam. Here are some suggestions to maximize your learning time; you can modify them as necessary based on your own learning habits: Take one or two evenings to read each chapter in this book and work through its review material. Answer all the review questions and take the practice exams provided in the book and in the test engine. Complete the written labs from each chapter, and use the review questions for each chapter to help guide you to topics for which more study or time spent working through key concepts and strategies might be beneficial. Review the (ISC)2’s Exam Outline: www.isc2.org. Use the flashcards included with the study tools to reinforce your understanding of concepts. We recommend spending about half of your study time reading and reviewing concepts and the other half taking practice exams. Students have reported that the more time they spent taking practice exams, the better they retained test topics. In addition to the practice tests with this Study Guide, Sybex also publishes (ISC)² CISSP Certified Information Systems Security Professional Official Practice Tests, 2nd Edition (ISBN: 978-1-11947592-7). It contains 100 or more practice questions for each domain and four additional complete practice exams. Like this Study Guide, it also comes with an online version of the questions. Completing the Certification Process Once you have been informed that you successfully passed the CISSP certification, there is one final step before you are actually awarded the CISSP certification. That final step is known as endorsement. Basically, this involves getting someone who is a CISSP, or other (ISC)2 certification holder, in good standing and familiar with your work history to submit an endorsement form on your behalf. The endorsement form is accessible through the email notifying you of your achievement in passing the exam. The endorser must review your résumé, ensure that you have sufficient experience in the eight CISSP domains, and then submit the signed form to (ISC)2 digitally or via fax or post mail. You must have submitted the endorsement files to (ISC)2 within 90 days after receiving the confirmation-of-passing email. Once (ISC)2 receives your endorsement form, the certification process will be completed and you will be sent a welcome packet via USPS. Post-CISSP Concentrations (ISC)2 has three concentrations offered only to CISSP certificate holders. The (ISC)2 has taken the concepts introduced on the CISSP exam and focused on specific areas, namely, architecture, management, and engineering. These three concentrations are as follows: Information Systems Security Architecture Professional (ISSAP) Aimed at those who specialize in information security architecture. Key domains covered here include access control systems and methodology; cryptography; physical security integration; requirements analysis and security standards, guidelines, and criteria; technology-related aspects of business continuity planning and disaster recovery planning; and telecommunications and network security. This is a credential for those who design security systems or infrastructure or for those who audit and analyze such structures. Information Systems Security Management Professional (ISSMP) Aimed at those who focus on management of information security policies, practices, principles, and procedures. Key domains covered here include enterprise security management practices; enterprise-wide system development security; law, investigations, forensics, and ethics; oversight for operations security compliance; and understanding business continuity planning, disaster recovery planning, and continuity of operations planning. This is a credential for professionals who are responsible for security infrastructures, particularly where mandated compliance comes into the picture. Information Systems Security Engineering Professional (ISSEP) Aimed at those who focus on the design and engineering of secure hardware and software information systems, components, or applications. Key domains covered include certification and accreditation, systems security engineering, technical management, and U.S. government information assurance rules and regulations. Most ISSEPs work for the U.S. government or for a government contractor that manages government security clearances. For more details about these concentration exams and certifications, please see the (ISC)2 website at www.isc2.org. Notes on This Book’s Organization This book is designed to cover each of the eight CISSP Common Body of Knowledge domains in sufficient depth to provide you with a clear understanding of the material. The main body of this book comprises 21 chapters. The domain/chapter breakdown is as follows: Chapters 1, 2, 3, and 4: Security and Risk Management Chapter 5: Asset Security Chapters 6, 7, 8, 9, and 10: Security Architecture and Engineering Chapters 11 and 12: Communication and Network Security Chapters 13 and 14: Identity and Access Management (IAM) Chapters 15: Security Assessment and Testing Chapters 16, 17, 18, and 19: Security Operations Chapters 20 and 21: Software Development Security Each chapter includes elements to help you focus your studies and test your knowledge, detailed in the following sections. Note: please see the table of contents and chapter introductions for a detailed list of domain topics covered in each chapter. The Elements of This Study Guide You’ll see many recurring elements as you read through this study guide. Here are descriptions of some of those elements: Exam Essentials The Exam Essentials highlight topics that could appear on the exam in some form. While we obviously do not know exactly what will be included in a particular exam, this section reinforces significant concepts that are key to understanding the Common Body of Knowledge (CBK) area and the test specs for the CISSP exam. Chapter Review Questions Each chapter includes practice questions that have been designed to measure your knowledge of key ideas that were discussed in the chapter. After you finish each chapter, answer the questions; if some of your answers are incorrect, it’s an indication that you need to spend some more time studying the corresponding topics. The answers to the practice questions can be found at the end of each chapter. Written Labs Each chapter includes written labs that synthesize various concepts and topics that appear in the chapter. These raise questions that are designed to help you put together various pieces you’ve encountered individually in the chapter and assemble them to propose or describe potential security strategies or solutions. Real-World Scenarios As you work through each chapter, you’ll find descriptions of typical and plausible workplace situations where an understanding of the security strategies and approaches relevant to the chapter content could play a role in fixing problems or in fending off potential difficulties. This gives readers a chance to see how specific security policies, guidelines, or practices should or may be applied to the workplace. Summaries The summary is a brief review of the chapter to sum up what was covered. What’s Included with the Additional Study Tools Readers of this book can get access to a number of additional study tools. We worked really hard to provide some essential tools to help you with your certification process. All of the following gear should be loaded on your workstation when studying for the test. Readers can get access to the following tools by visiting www.wiley.com/go/cissptestprep. The Sybex Test Preparation Software The test preparation software, made by experts at Sybex, prepares you for the CISSP exam. In this test engine, you will find all the review and assessment questions from the book plus additional bonus practice exams that are included with the study tools. You can take the assessment test, test yourself by chapter, take the practice exams, or take a randomly generated exam comprising all the questions. Electronic Flashcards Sybex’s electronic flashcards include hundreds of questions designed to challenge you further for the CISSP exam. Between the review questions, practice exams, and flashcards, you’ll have more than enough practice for the exam! Glossary of Terms in PDF Sybex offers a robust glossary of terms in PDF format. This comprehensive glossary includes all of the key terms you should understand for the CISSP, in a searchable format. Bonus Practice Exams Sybex includes bonus practice exams, each comprising questions meant to survey your understanding of key elements in the CISSP CBK. This book has six bonus exams, each comprising 150 questions to match the longest possible length of the real exam. These exams are available digitally at http://www.wiley.com/go/sybextestprep. How to Use This Book’s Study Tools This book has a number of features designed to guide your study efforts for the CISSP certification exam. It assists you by listing at the beginning of each chapter the CISSP Common Body of Knowledge domain topics covered in the chapter and by ensuring that each topic is fully discussed within the chapter. The review questions at the end of each chapter and the practice exams are designed to test your retention of the material you’ve read to make sure you are aware of areas in which you should spend additional study time. Here are some suggestions for using this book and study tools (found at www.wiley.com/go/cissptestprep): Take the assessment test before you start reading the material. This will give you an idea of the areas in which you need to spend additional study time as well as those areas in which you may just need a brief refresher. Answer the review questions after you’ve read each chapter; if you answer any incorrectly, go back to the chapter and review the topic, or utilize one of the additional resources if you need more information. Download the flashcards to your mobile device, and review them when you have a few minutes during the day. Take every opportunity to test yourself. In addition to the assessment test and review questions, there are bonus practice exams included with the additional study tools. Take these exams without referring to the chapters and see how well you’ve done—go back and review any topics you’ve missed until you fully understand and can apply the concepts. Finally, find a study partner if possible. Studying for, and taking, the exam with someone else will make the process more enjoyable, and you’ll have someone to help you understand topics that are difficult for you. You’ll also be able to reinforce your own knowledge by helping your study partner in areas where they are weak. Assessment Test 1. Which of the following types of access control seeks to discover evidence of unwanted, unauthorized, or illicit behavior or activity? A. Preventive B. Deterrent C. Detective D. Corrective 2. Define and detail the aspects of password selection that distinguish good password choices from ultimately poor password choices. A. Difficult to guess or unpredictable B. Meet minimum length requirements C. Meet specific complexity requirements D. All of the above 3. Which of the following is most likely to detect DoS attacks? A. Host-based IDS B. Network-based IDS C. Vulnerability scanner D. Penetration testing 4. Which of the following is considered a denial-of-service attack? A. Pretending to be a technical manager over the phone and asking a receptionist to change their password B. While surfing the Web, sending to a web server a malformed URL that causes the system to consume 100 percent of the CPU C. Intercepting network traffic by copying the packets as they pass through a specific subnet D. Sending message packets to a recipient who did not request them simply to be annoying 5. At which layer of the OSI model does a router operate? A. Network layer B. Layer 1 C. Transport layer D. Layer 5 6. Which type of firewall automatically adjusts its filtering rules based on the content of the traffic of existing sessions? A. Static packet filtering B. Application-level gateway C. Circuit level gateway D. Dynamic packet filtering 7. A VPN can be established over which of the following? A. Wireless LAN connection B. Remote access dial-up connection C. WAN link D. All of the above 8. What type of malware uses social engineering to trick a victim into installing it? A. Viruses B. Worms C. Trojan horse D. Logic bomb 9. The CIA Triad comprises what elements? A. Contiguousness, interoperable, arranged B. Authentication, authorization, accountability C. Capable, available, integral D. Availability, confidentiality, integrity 10. Which of the following is not a required component in the support of accountability? A. Auditing B. Privacy C. Authentication D. Authorization 11. Which of the following is not a defense against collusion? A. Separation of duties B. Restricted job responsibilities C. Group user accounts D. Job rotation 12. A data custodian is responsible for securing resources after ______________________ has assigned the resource a security label. A. Senior management B. The data owner C. An auditor D. Security staff 13. In what phase of the Capability Maturity Model for Software (SWCMM) are quantitative measures utilized to gain a detailed understanding of the software development process? A. Repeatable B. Defined C. Managed D. Optimizing 14. Which one of the following is a layer of the ring protection scheme that is not normally implemented in practice? A. Layer 0 B. Layer 1 C. Layer 3 D. Layer 4 15. What is the last phase of the TCP/IP three-way handshake sequence? A. SYN packet B. ACK packet C. NAK packet D. SYN/ACK packet 16. Which one of the following vulnerabilities would best be countered by adequate parameter checking? A. Time of check to time of use B. Buffer overflow C. SYN flood D. Distributed denial of service 17. What is the value of the logical operation shown here? X: 0 1 1 0 1 0 Y: 0 0 1 1 0 1 _________________ X ∨ Y: ? A. 0 1 1 1 1 1 B. 0 1 1 0 1 0 C. 0 0 1 0 0 0 D. 0 0 1 1 0 1 18. In what type of cipher are the letters of the plain-text message rearranged to form the cipher text? A. Substitution cipher B. Block cipher C. Transposition cipher D. Onetime pad 19. What is the length of a message digest produced by the MD5 algorithm? A. 64 bits B. 128 bits C. 256 bits D. 384 bits 20. If Renee receives a digitally signed message from Mike, what key does she use to verify that the message truly came from Mike? A. Renee’s public key B. Renee’s private key C. Mike’s public key D. Mike’s private key 21. Which of the following is not a composition theory related to security models? A. Cascading B. Feedback C. Iterative D. Hookup 22. The collection of components in the TCB that work together to implement reference monitor functions is called the ______________________ . A. Security perimeter B. Security kernel C. Access matrix D. Constrained interface 23. Which of the following statements is true? A. The less complex a system, the more vulnerabilities it has. B. The more complex a system, the less assurance it provides. C. The less complex a system, the less trust it provides. D. The more complex a system, the less attack surface it generates. 24. Ring 0, from the design architecture security mechanism known as protection rings, can also be referred to as all but which of the following? A. Privileged mode B. Supervisory mode C. System mode D. User mode 25. Audit trails, logs, CCTV, intrusion detection systems, antivirus software, penetration testing, password crackers, performance monitoring, and cyclic redundancy checks (CRCs) are examples of what? A. Directive controls B. Preventive controls C. Detective controls D. Corrective controls 26. System architecture, system integrity, covert channel analysis, trusted facility management, and trusted recovery are elements of what security criteria? A. Quality assurance B. Operational assurance C. Lifecycle assurance D. Quantity assurance 27. Which of the following is a procedure designed to test and perhaps bypass a system’s security controls? A. Logging usage data B. War dialing C. Penetration testing D. Deploying secured desktop workstations 28. Auditing is a required factor to sustain and enforce what? A. Accountability B. Confidentiality C. Accessibility D. Redundancy 29. What is the formula used to compute the ALE? A. ALE = AV * EF * ARO B. ALE = ARO * EF C. ALE = AV * ARO D. ALE = EF * ARO 30. What is the first step of the business impact assessment process? A. Identification of priorities B. Likelihood assessment C. Risk identification D. Resource prioritization 31. Which of the following represent natural events that can pose a threat or risk to an organization? A. Earthquake B. Flood C. Tornado D. All of the above 32. What kind of recovery facility enables an organization to resume operations as quickly as possible, if not immediately, upon failure of the primary facility? A. Hot site B. Warm site C. Cold site D. All of the above 33. What form of intellectual property is used to protect words, slogans, and logos? A. Patent B. Copyright C. Trademark D. Trade secret 34. What type of evidence refers to written documents that are brought into court to prove a fact? A. Best evidence B. Payroll evidence C. Documentary evidence D. Testimonial evidence 35. Why are military and intelligence attacks among the most serious computer crimes? A. The use of information obtained can have far-reaching detrimental strategic effects on national interests in an enemy’s hands. B. Military information is stored on secure machines, so a successful attack can be embarrassing. C. The long-term political use of classified information can impact a country’s leadership. D. The military and intelligence agencies have ensured that the laws protecting their information are the most severe. 36. What type of detected incident allows the most time for an investigation? A. Compromise B. Denial of service C. Malicious code D. Scanning 37. If you want to restrict access into or out of a facility, which would you choose? A. Gate B. Turnstile C. Fence D. Mantrap 38. What is the point of a secondary verification system? A. To verify the identity of a user B. To verify the activities of a user C. To verify the completeness of a system D. To verify the correctness of a system 39. Spamming attacks occur when numerous unsolicited messages are sent to a victim. Because enough data is sent to the victim to prevent legitimate activity, it is also known as what? A. Sniffing B. Denial of service C. Brute-force attack D. Buffer overflow attack 40. Which type of intrusion detection system (IDS) can be considered an expert system? A. Host-based B. Network-based C. Knowledge-based D. Behavior-based Answers to Assessment Test 1. C. Detective access controls are used to discover (and document) unwanted or unauthorized activity. 2. D. Strong password choices are difficult to guess, unpredictable, and of specified minimum lengths to ensure that password entries cannot be computationally determined. They may be randomly generated and utilize all the alphabetic, numeric, and punctuation characters; they should never be written down or shared; they should not be stored in publicly accessible or generally readable locations; and they shouldn’t be transmitted in the clear. 3. B. Network-based IDSs are usually able to detect the initiation of an attack or the ongoing attempts to perpetrate an attack (including denial of service, or DoS). They are, however, unable to provide information about whether an attack was successful or which specific systems, user accounts, files, or applications were affected. Host-based IDSs have some difficulty with detecting and tracking down DoS attacks. Vulnerability scanners don’t detect DoS attacks; they test for possible vulnerabilities. Penetration testing may cause a DoS or test for DoS vulnerabilities, but it is not a detection tool. 4. B. Not all instances of DoS are the result of a malicious attack. Errors in coding OSs, services, and applications have resulted in DoS conditions. Some examples of this include a process failing to release control of the CPU or a service consuming system resources out of proportion to the service requests it is handling. Social engineering and sniffing are typically not considered DoS attacks. 5. A. Network hardware devices, including routers, function at layer 3, the Network layer. 6. D. Dynamic packet-filtering firewalls enable the real-time modification of the filtering rules based on traffic content. 7. D. A VPN link can be established over any other network communication connection. This could be a typical LAN cable connection, a wireless LAN connection, a remote access dial-up connection, a WAN link, or even an internet connection used by a client for access to the office LAN. 8. C. A Trojan horse is a form of malware that uses social engineering tactics to trick a victim into installing it—the trick is to make the victim believe that the only thing they have downloaded or obtained is the host file, when in fact it has a malicious hidden payload. 9. D. The components of the CIA Triad are confidentiality, availability, and integrity. 10. B. Privacy is not necessary to provide accountability. 11. C. Group user accounts allow for multiple people to log in under a single user account. This allows collusion because it prevents individual accountability. 12. B. The data owner must first assign a security label to a resource before the data custodian can secure the resource appropriately. 13. C. The Managed phase of the SW-CMM involves the use of quantitative development metrics. The Software Engineering Institute (SEI) defines the key process areas for this level as Quantitative Process Management and Software Quality Management. 14. B. Layers 1 and 2 contain device drivers but are not normally implemented in practice. Layer 0 always contains the security kernel. Layer 3 contains user applications. Layer 4 does not exist. 15. B. The SYN packet is first sent from the initiating host to the destination host. The destination host then responds with a SYN/ACK packet. The initiating host sends an ACK packet, and the connection is then established. 16. B. Parameter checking is used to prevent the possibility of buffer overflow attacks. 17. A. The ~ OR symbol represents the OR function, which is true when one or both of the input bits are true. 18. C. Transposition ciphers use an encryption algorithm to rearrange the letters of the plain-text message to form a cipher text message. 19. B. The MD5 algorithm produces a 128-bit message digest for any input. 20. C. Any recipient can use Mike’s public key to verify the authenticity of the digital signature. 21. C. Iterative is not one of the composition theories related to security models. Cascading, feedback, and hookup are the three composition theories. 22. B. The collection of components in the TCB that work together to implement reference monitor functions is called the security kernel. 23. B. The more complex a system, the less assurance it provides. More complexity means more areas for vulnerabilities to exist and more areas that must be secured against threats. More vulnerabilities and more threats mean that the subsequent security provided by the system is less trustworthy. 24. D. Ring 0 has direct access to the most resources; thus user mode is not an appropriate label because user mode requires restrictions to limit access to resources. 25. C. Examples of detective controls are audit trails, logs, CCTV, intrusion detection systems, antivirus software, penetration testing, password crackers, performance monitoring, and CRCs. 26. B. Assurance is the degree of confidence you can place in the satisfaction of security needs of a computer, network, solution, and so on. Operational assurance focuses on the basic features and architecture of a system that lend themselves to supporting security. 27. C. Penetration testing is the attempt to bypass security controls to test overall system security. 28. A. Auditing is a required factor to sustain and enforce accountability. 29. A. The annualized loss expectancy (ALE) is computed as the product of the asset value (AV) times the exposure factor (EF) times the annualized rate of occurrence (ARO). This is the longer form of the formula ALE = SLE * ARO. The other formulas displayed here do not accurately reflect this calculation. 30. A. Identification of priorities is the first step of the business impact assessment process. 31. D. Natural events that can threaten organizations include earthquakes, floods, hurricanes, tornados, wildfires, and other acts of nature as well. Thus options A, B, and C are correct because they are natural and not man-made. 32. A. Hot sites provide backup facilities maintained in constant working order and fully capable of taking over business operations. Warm sites consist of preconfigured hardware and software to run the business, neither of which possesses the vital business information. Cold sites are simply facilities designed with power and environmental support systems but no configured hardware, software, or services. Disaster recovery services can facilitate and implement any of these sites on behalf of a company. 33. C. Trademarks are used to protect the words, slogans, and logos that represent a company and its products or services. 34. C. Written documents brought into court to prove the facts of a case are referred to as documentary evidence. 35. A. The purpose of a military and intelligence attack is to acquire classified information. The detrimental effect of using such information could be nearly unlimited in the hands of an enemy. Attacks of this type are launched by very sophisticated attackers. It is often very difficult to ascertain what documents were successfully obtained. So when a breach of this type occurs, you sometimes cannot know the full extent of the damage. 36. D. Scanning incidents are generally reconnaissance attacks. The real damage to a system comes in the subsequent attacks, so you may have some time to react if you detect the scanning attack early. 37. B. A turnstile is a form of gate that prevents more than one person from gaining entry at a time and often restricts movement to one direction. It is used to gain entry but not exit, or vice versa. 38. D. Secondary verification mechanisms are set in place to establish a means of verifying the correctness of detection systems and sensors. This often means combining several types of sensors or systems (CCTV, heat and motion sensors, and so on) to provide a more complete picture of detected events. 39. B. A spamming attack (sending massive amounts of unsolicited email) can be used as a type of denial-of-service attack. It doesn’t use eavesdropping methods so it isn’t sniffing. Brute-force methods attempt to crack passwords. Buffer overflow attacks send strings of data to a system in an attempt to cause it to fail. 40. D. A behavior-based IDS can be labeled an expert system or a pseudo-artificial intelligence system because it can learn and make assumptions about events. In other words, the IDS can act like a human expert by evaluating current events against known events. A knowledge-based IDS uses a database of known attack methods to detect attacks. Both host-based and network-based systems can be either knowledge-based, behavior-based, or a combination of both. Chapter 1 Security Governance Through Principles and Policies THE CISSP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE: Domain 1: Security and Risk Management 1.1 Understand and apply concepts of confidentiality, integrity and availability 1.2 Evaluate and apply security governance principles 1.2.1 Alignment of security function to business strategy, goals, mission, and objectives 1.2.2 Organizational processes 1.2.3 Organizational roles and responsibilities 1.2.4 Security control frameworks 1.2.5 Due care/due diligence 1.6 Develop, document, and implement security policy, standards, procedures, and guidelines 1.10 Understand and apply threat modeling concepts and methodologies 1.10.1 Threat modeling methodologies 1.10.2 Threat modeling concepts 1.11 Apply risk-based management concepts to the supply chain 1.11.1 Risks associated with hardware, software, and services 1.11.2 Third-party assessment and monitoring 1.11.3 Minimum security requirements 1.11.4 Service-level requirements The Security and Risk Management domain of the Common Body of Knowledge (CBK) for the CISSP certification exam deals with many of the foundational elements of security solutions. These include elements essential to the design, implementation, and administration of security mechanisms. Additional elements of this domain are discussed in various chapters: Chapter 2, “Personal Security and Risk Management Concepts”; Chapter 3, “Business Continuity Planning”; Chapter 4, “Laws, Regulations, and Compliance”; and Chapter 19, “Investigations and Ethics.” Please be sure to review all of these chapters to have a complete perspective on the topics of this domain. Understand and Apply Concepts of Confidentiality, Integrity, and Availability Security management concepts and principles are inherent elements in a security policy and solution deployment. They define the basic parameters needed for a secure environment. They also define the goals and objectives that both policy designers and system implementers must achieve to create a secure solution. It is important for real-world security professionals, as well as CISSP exam students, to understand these items thoroughly. This chapter includes a range of topics related to the governance of security for global enterprises as well as smaller businesses. Security must start somewhere. Often that somewhere is the list of most important security principles. In such a list, confidentiality, integrity, and availability (CIA) are usually present because these are typically viewed as the primary goals and objectives of a security infrastructure. They are so commonly seen as security essentials that they are referenced by the term CIA Triad (see Figure 1.1). FIGURE 1.1 The CIA Triad Security controls are typically evaluated on how well they address these three core information security tenets. Overall, a complete security solution should adequately address each of these tenets. Vulnerabilities and risks are also evaluated based on the threat they pose against one or more of the CIA Triad principles. Thus, it is a good idea to be familiar with these principles and use them as guidelines for judging all things related to security. These three principles are considered the most important within the realm of security. However important each specific principle is to a specific organization depends on the organization’s security goals and requirements and on the extent to which the organization’s security might be threatened. Confidentiality The first principle of the CIA Triad is confidentiality. Confidentiality is the concept of the measures used to ensure the protection of the secrecy of data, objects, or resources. The goal of confidentiality protection is to prevent or minimize unauthorized access to data. Confidentiality focuses security measures on ensuring that no one other than the intended recipient of a message receives it or is able to read it. Confidentiality protection provides a means for authorized users to access and interact with resources, but it actively prevents unauthorized users from doing so. A wide range of security controls can provide protection for confidentiality, including, but not limited to, encryption, access controls, and steganography. If a security mechanism offers confidentiality, it offers a high level of assurance that data, objects, or resources are restricted from unauthorized subjects. If a threat exists against confidentiality, unauthorized disclosure could take place. An object is the passive element in a security relationship, such as files, computers, network connections, and applications. A subject is the active element in a security relationship, such as users, programs, and computers. A subject acts upon or against an object. The management of the relationship between subjects and objects is known as access control. In general, for confidentiality to be maintained on a network, data must be protected from unauthorized access, use, or disclosure while in storage, in process, and in transit. Unique and specific security controls are required for each of these states of data, resources, and objects to maintain confidentiality. Numerous attacks focus on the violation of confidentiality. These include capturing network traffic and stealing password files as well as social engineering, port scanning, shoulder surfing, eavesdropping, sniffing, escalation of privileges, and so on. Violations of confidentiality are not limited to directed intentional attacks. Many instances of unauthorized disclosure of sensitive or confidential information are the result of human error, oversight, or ineptitude. Events that lead to confidentiality breaches include failing to properly encrypt a transmission, failing to fully authenticate a remote system before transferring data, leaving open otherwise secured access points, accessing malicious code that opens a back door, misrouted faxes, documents left on printers, or even walking away from an access terminal while data is displayed on the monitor. Confidentiality violations can result from the actions of an end user or a system administrator. They can also occur because of an oversight in a security policy or a misconfigured security control. Numerous countermeasures can help ensure confidentiality against possible threats. These include encryption, network traffic padding, strict access control, rigorous authentication procedures, data classification, and extensive personnel training. Confidentiality and integrity depend on each other. Without object integrity (in other words, the inability of an object to be modified without permission), confidentiality cannot be maintained. Other concepts, conditions, and aspects of confidentiality include the following: Sensitivity Sensitivity refers to the quality of information, which could cause harm or damage if disclosed. Maintaining confidentiality of sensitive information helps to prevent harm or damage. Discretion Discretion is an act of decision where an operator can influence or control disclosure in order to minimize harm or damage. Criticality The level to which information is mission critical is its measure of criticality. The higher the level of criticality, the more likely the need to maintain the confidentiality of the information. High levels of criticality are essential to the operation or function of an organization. Concealment Concealment is the act of hiding or preventing disclosure. Often concealment is viewed as a means of cover, obfuscation, or distraction. A related concept to concealment is security through obscurity, which is the concept of attempting to gain protection through hiding, silence, or secrecy. While security through obscurity is typically not considered a valid security measure, it may still have value in some cases. Secrecy Secrecy is the act of keeping something a secret or preventing the disclosure of information. Privacy Privacy refers to keeping information confidential that is personally identifiable or that might cause harm, embarrassment, or disgrace to someone if revealed. Seclusion Seclusion involves storing something in an out-of-the-way location. This location can also provide strict access controls. Seclusion can help enforcement of confidentiality protections. Isolation Isolation is the act of keeping something separated from others. Isolation can be used to prevent commingling of information or disclosure of information. Each organization needs to evaluate the nuances of confidentiality they wish to enforce. Tools and technology that implements one form of confidentiality might not support or allow other forms. Integrity The second principle of the CIA Triad is integrity. Integrity is the concept of protecting the reliability and correctness of data. Integrity protection prevents unauthorized alterations of data. It ensures that data remains correct, unaltered, and preserved. Properly implemented integrity protection provides a means for authorized changes while protecting against intended and malicious unauthorized activities (such as viruses and intrusions) as well as mistakes made by authorized users (such as mistakes or oversights). For integrity to be maintained, objects must retain their veracity and be intentionally modified by only authorized subjects. If a security mechanism offers integrity, it offers a high level of assurance that the data, objects, and resources are unaltered from their original protected state. Alterations should not occur while the object is in storage, in transit, or in process. Thus, maintaining integrity means the object itself is not altered and the operating system and programming entities that manage and manipulate the object are not compromised. Integrity can be examined from three perspectives: Preventing unauthorized subjects from making modifications Preventing authorized subjects from making unauthorized modifications, such as mistakes Maintaining the internal and external consistency of objects so that their data is a correct and true reflection of the real world and any relationship with any child, peer, or parent object is valid, consistent, and verifiable For integrity to be maintained on a system, controls must be in place to restrict access to data, objects, and resources. Additionally, activity logging should be employed to ensure that only authorized users are able to access their respective resources. Maintaining and validating object integrity across storage, transport, and processing requires numerous variations of controls and oversight. Numerous attacks focus on the violation of integrity. These include viruses, logic bombs, unauthorized access, errors in coding and applications, malicious modification, intentional replacement, and system back doors. As with confidentiality, integrity violations are not limited to intentional attacks. Human error, oversight, or ineptitude accounts for many instances of unauthorized alteration of sensitive information. Events that lead to integrity breaches include modifying or deleting files; entering invalid data; altering configurations, including errors in commands, codes, and scripts; introducing a virus; and executing malicious code such as a Trojan horse. Integrity violations can occur because of the actions of any user, including administrators. They can also occur because of an oversight in a security policy or a misconfigured security control. Numerous countermeasures can ensure integrity against possible threats. These include strict access control, rigorous authentication procedures, intrusion detection systems, object/data encryption, hash total verifications (see Chapter 6, “Cryptography and Symmetric Key Algorithms”), interface restrictions, input/function checks, and extensive personnel training. Integrity is dependent on confidentiality. Other concepts, conditions, and aspects of integrity include the following: Accuracy: Being correct and precise Truthfulness: Being a true reflection of reality Authenticity: Being authentic or genuine Validity: Being factually or logically sound Nonrepudiation: Not being able to deny having performed an action or activity or being able to verify the origin of a communication or event Accountability: Being responsible or obligated for actions and results Responsibility: Being in charge or having control over something or someone Completeness: Having all needed and necessary components or parts Comprehensiveness: Being complete in scope; the full inclusion of all needed elements Nonrepudiation Nonrepudiation ensures that the subject of an activity or who caused an event cannot deny that the event occurred. Nonrepudiation prevents a subject from claiming not to have sent a message, not to have performed an action, or not to have been the cause of an event. It is made possible through identification, authentication, authorization, accountability, and auditing. Nonrepudiation can be established using digital certificates, session identifiers, transaction logs, and numerous other transactional and access control mechanisms. A system built without proper enforcement of nonrepudiation does not provide verification that a specific entity performed a certain action. Nonrepudiation is an essential part of accountability. A suspect cannot be held accountable if they can repudiate the claim against them. Availability The third principle of the CIA Triad is availability, which means authorized subjects are granted timely and uninterrupted access to objects. Often, availability protection controls support sufficient bandwidth and timeliness of processing as deemed necessary by the organization or situation. If a security mechanism offers availability, it offers a high level of assurance that the data, objects, and resources are accessible to authorized subjects. Availability includes efficient uninterrupted access to objects and prevention of denial-of-service (DoS) attacks. Availability also implies that the supporting infrastructure—including network services, communications, and access control mechanisms—is functional and allows authorized users to gain authorized access. For availability to be maintained on a system, controls must be in place to ensure authorized access and an acceptable level of performance, to quickly handle interruptions, to provide for redundancy, to maintain reliable backups, and to prevent data loss or destruction. There are numerous threats to availability. These include device failure, software errors, and environmental issues (heat, static, flooding, power loss, and so on). There are also some forms of attacks that focus on the violation of availability, including DoS attacks, object destruction, and communication interruptions. As with confidentiality and integrity, violations of availability are not limited to intentional attacks. Many instances of unauthorized alteration of sensitive information are caused by human error, oversight, or ineptitude. Some events that lead to availability breaches include accidentally deleting files, overutilizing a hardware or software component, under-allocating resources, and mislabeling or incorrectly classifying objects. Availability violations can occur because of the actions of any user, including administrators. They can also occur because of an oversight in a security policy or a misconfigured security control. Numerous countermeasures can ensure availability against possible threats. These include designing intermediary delivery systems properly, using access controls effectively, monitoring performance and network traffic, using firewalls and routers to prevent DoS attacks, implementing redundancy for critical systems, and maintaining and testing backup systems. Most security policies, as well as business continuity planning (BCP), focus on the use of fault tolerance features at the various levels of access/storage/security (that is, disk, server, or site) with the goal of eliminating single points of failure to maintain availability of critical systems. Availability depends on both integrity and confidentiality. Without integrity and confidentiality, availability cannot be maintained. Other concepts, conditions, and aspects of availability include the following: Usability: The state of being easy to use or learn or being able to be understood and controlled by a subject Accessibility: The assurance that the widest range of subjects can interact with a resource regardless of their capabilities or limitations Timeliness: Being prompt, on time, within a reasonable time frame, or providing low-latency response CIA Priority Every organization has unique security requirements. On the CISSP exam, most security concepts are discussed in general terms, but in the real world, general concepts and best practices don’t get the job done. The management team and security team must work together to prioritize an organization’s security needs. This includes establishing a budget and spending plan, allocating expertise and hours, and focusing the information technology (IT) and security staff efforts. One key aspect of this effort is to prioritize the security requirements of the organization. Knowing which tenet or asset is more important than another guides the creation of a security stance and ultimately the deployment of a security solution. Often, getting started in establishing priorities is a challenge. A possible solution to this challenge is to start with prioritizing the three primary security tenets of confidentiality, integrity, and availability. Defining which of these elements is most important to the organization is essential in crafting a sufficient security solution. This establishes a pattern that can be replicated from concept through design, architecture, deployment, and finally, maintenance. Do you know the priority your organization places on each of the components of the CIA Triad? If not, find out. An interesting generalization of this concept of CIA prioritization is that in many cases military and government organizations tend to prioritize confidentiality above integrity and availability, whereas private companies tend to prioritize availability above confidentiality and integrity. Although such prioritization focuses efforts on one aspect of security over another, it does not imply that the second or third prioritized items are ignored or improperly addressed. Another perspective on this is discovered when comparing standard IT systems with Operational Technology (OT) systems such as programmable logic controllers (PLCs), supervisory control and data acquisition (SCADA), and MES (Manufacturing Execution Systems) devices and systems used on manufacturing plant floors. IT systems, even in private companies, tend to follow the CIA Triad; however, OT systems tend to follow the AIC Triad, where availability is prioritized overall and integrity is valued over confidentiality. Again, this is just a generalization but one that may serve you well in deciphering questions on the CISSP exam. Each individual organization decides its own security priorities. Other Security Concepts In addition to the CIA Triad, you need to consider a plethora of other security-related concepts and principles when designing a security policy and deploying a security solution. You may have heard of the concept of AAA services. The three A’s in this abbreviation refer to authentication, authorization, and accounting (or sometimes auditing). However, what is not as clear is that although there are three letters in the acronym, it actually refers to five elements: identification, authentication, authorization, auditing, and accounting. These five elements represent the following processes of security: Identification: Claiming to be an identity when attempting to access a secured area or system Authentication: Proving that you are that identity Authorization: Defining the permissions (i.e., allow/grant and/or deny) of a resource and object access for a specific identity Auditing: Recording a log of the events and activities related to the system and subjects Accounting (aka accountability): Reviewing log files to check for compliance and violations in order to hold subjects accountable for their actions Although AAA is typically referenced in relation to authentication systems, it is actually a foundational concept for security. Missing any of these five elements can result in an incomplete security mechanism. The following sections discuss identification, authentication, authorization, auditing, and accountability (see Figure 1.2). FIGURE 1.2 The five elements of AAA services Identification Identification is the process by which a subject professes an identity and accountability is initiated. A subject must provide an identity to a system to start the process of authentication, authorization, and accountability (AAA). Providing an identity can involve typing in a username; swiping a smart card; waving a proximity device; speaking a phrase; or positioning your face, hand, or finger for a camera or scanning device. Providing a process ID number also represents the identification process. Without an identity, a system has no way to correlate an authentication factor with the subject. Once a subject has been identified (that is, once the subject’s identity has been recognized and verified), the identity is accountable for any further actions by that subject. IT systems track activity by identities, not by the subjects themselves. A computer doesn’t know one human from another, but it does know that your user account is different from all other user accounts. A subject’s identity is typically labeled as, or considered to be, public information. However, simply claiming an identity does not imply access or authority. The identity must be proven (authentication) or verified (ensuring nonrepudiation) before access to controlled resources is allowed (verifying authorization). That process is authentication. Authentication The process of verifying or testing that the claimed identity is valid is authentication. Authentication requires the subject to provide additional information that corresponds to the identity they are claiming. The most common form of authentication is using a password (this includes the password variations of personal identification numbers (PINs) and passphrases). Authentication verifies the identity of the subject by comparing one or more factors against the database of valid identities (that is, user accounts). The authentication factor used to verify identity is typically labeled as, or considered to be, private information. The capability of the subject and system to maintain the secrecy of the authentication factors for identities directly reflects the level of security of that system. If the process of illegitimately obtaining and using the authentication factor of a target user is relatively easy, then the authentication system is insecure. If that process is relatively difficult, then the authentication system is reasonably secure. Identification and authentication are often used together as a single two-step process. Providing an identity is the first step, and providing the authentication factors is the second step. Without both, a subject cannot gain access to a system—neither element alone is useful in terms of security. In some systems, it may seem as if you are providing only one element but gaining access, such as when keying in an ID code or a PIN. However, in these cases either the identification is handled by another means, such as physical location, or authentication is assumed by your ability to access the system physically. Both identification and authentication take place, but you might not be as aware of them as when you manually type in both a name and a password. A subject can provide several types of authentication—for example, something you know (e.g., passwords, PINs), something you have (e.g., keys, tokens, smart cards), something you are (e.g., biometrics, such as fingerprints, iris, or voice recognition), and so on. Each authentication technique or factor has its unique benefits and drawbacks. Thus, it is important to evaluate each mechanism in light of the environment in which it will be deployed to determine viability. (We discuss authentication at length in Chapter 13, “Managing Identity and Authentication.”) Authorization Once a subject is authenticated, access must be authorized. The process of authorization ensures that the requested activity or access to an object is possible given the rights and privileges assigned to the authenticated identity. In most cases, the system evaluates an access control matrix that compares the subject, the object, and the intended activity. If the specific action is allowed, the subject is authorized. If the specific action is not allowed, the subject is not authorized. Keep in mind that just because a subject has been identified and authenticated does not mean they have been authorized to perform any function or access all resources within the controlled environment. It is possible for a subject to be logged onto a network (that is, identified and authenticated) but to be blocked from accessing a file or printing to a printer (that is, by not being authorized to perform that activity). Most network users are authorized to perform only a limited number of activities on a specific collection of resources. Identification and authentication are all-or-nothing aspects of access control. Authorization has a wide range of variations between all or nothing for each object within the environment. A user may be able to read a file but not delete it, print a document but not alter the print queue, or log on to a system but not access any resources. Authorization is usually defined using one of the models of access control, such as Discretionary Access Control (DAC), Mandatory Access Control (MAC), or Role Based Access Control (RBAC or role-BAC); see Chapter 14, “Controlling and Monitoring Access.” Auditing Auditing, or monitoring, is the programmatic means by which a subject’s actions are tracked and recorded for the purpose of holding the subject accountable for their actions while authenticated on a system. It is also the process by which unauthorized or abnormal activities are detected on a system. Auditing is recording activities of a subject and its objects as well as recording the activities of core system functions that maintain the operating environment and the security mechanisms. The audit trails created by recording system events to logs can be used to evaluate the health and performance of a system. System crashes may indicate faulty programs, corrupt drivers, or intrusion attempts. The event logs leading up to a crash can often be used to discover the reason a system failed. Log files provide an audit trail for re-creating the history of an event, intrusion, or system failure. Auditing is needed to detect malicious actions by subjects, attempted intrusions, and system failures and to reconstruct events, provide evidence for prosecution, and produce problem reports and analysis. Auditing is usually a native feature of operating systems and most applications and services. Thus, configuring the system to record information about specific types of events is fairly straightforward. Monitoring is part of what is needed for audits, and audit logs are part of a monitoring system, but the two terms have different meanings. Monitoring is a type of watching or oversight, while auditing is a recording of the information into a record or file. It is possible to monitor without auditing, but you can’t audit without some form of monitoring. But even so, these terms are often used interchangeably in casual discussions of these topics. Accountability An organization’s security policy can be properly enforced only if accountability is maintained. In other words, you can maintain security only if subjects are held accountable for their actions. Effective accountability relies on the capability to prove a subject’s identity and track their activities. Accountability is established by linking a human to the activities of an online identity through the security services and mechanisms of auditing, authorization, authentication, and identification. Thus, human accountability is ultimately dependent on the strength of the authentication process. Without a strong authentication process, there is doubt that the human associated with a specific user account was the actual entity controlling that user account when the undesired action took place. To have viable accountability, you may need to be able to support your security decisions and their implementation in a court of law. If you are unable to legally support your security efforts, then you will be unlikely to be able to hold a human accountable for actions linked to a user account. With only a password as authentication, there is significant room for doubt. Passwords are the least secure form of authentication, with dozens of different methods available to compromise them. However, with the use of multifactor authentication, such as a password, smartcard, and fingerprint scan in combination, there is very little possibility that any other human could have compromised the authentication process in order to impersonate the human responsible for the user account. Legally Defensible Security The point of security is to keep bad things from happening while supporting the occurrence of good things. When bad things do happen, organizations often desire assistance from law enforcement and the legal system for compensation. To obtain legal restitution, you must demonstrate that a crime was committed, that the suspect committed that crime, and that you took reasonable efforts to prevent the crime. This means your organization’s security needs to be legally defensible. If you are unable to convince a court that your log files are accurate and that no other person other than the subject could have committed the crime, you will not obtain restitution. Ultimately, this requires a complete security solution that has strong multifactor authentication techniques, solid authorization mechanisms, and impeccable auditing systems. Additionally, you must show that the organization complied with all applicable laws and regulations, that proper warnings and notifications were posted, that both logical and physical security were not otherwise compromised, and that there are no other possible reasonable interpretations of the electronic evidence. This is a fairly challenging standard to meet. Thus, an organization should evaluate its security infrastructure and redouble its effort to design and implement legally defensible security. Protection Mechanisms Another aspect of understanding and applying concepts of confidentiality, integrity, and availability is the concept of protection mechanisms or protection controls. Protection mechanisms are common characteristics of security controls. Not all security controls must have them, but many controls offer their protection for confidentiality, integrity, and availability through the use of these mechanisms. Some common examples of these mechanisms include using multiple layers or levels of access, employing abstraction, hiding data, and using encryption. Layering Layering, also known as defense in depth, is simply the use of multiple controls in a series. No one control can protect against all possible threats. Using a multilayered solution allows for numerous, different controls to guard against whatever threats come to pass. When security solutions are designed in layers, a failed control should not result in exposure of systems or data. Using layers in a series rather than in parallel is important. Performing security restrictions in a series means to perform one after the other in a linear fashion. Only through a series configuration will each attack be scanned, evaluated, or mitigated by every security control. In a series configuration, failure of a single security control does not render the entire solution ineffective. If security controls were implemented in parallel, a threat could pass through a single checkpoint that did not address its particular malicious activity. Serial configurations are very narrow but very deep, whereas parallel configurations are very wide but very shallow. Parallel systems are useful in distributed computing applications, but parallelism is not often a useful concept in the realm of security. Think of physical entrances to buildings. A paral...
Purchase answer to see full attachment
Explanation & Answer:
250 words
Student has agreed that all tutoring, explanations, and answers provided by the tutor will be used to help in the learning process and in accordance with Studypool's honor code & terms of service.

Explanation & Answer

Attached.

1

Threats and Countermeasures

Name
Institution
Date

2
The most significant barrier to the prosecution of cybercriminals is jurisdiction (Grimes,
2016). In most cases, cybercrimes are committed remotely across the border and away from the
physical location of the system under attack. These locations are outside the legal jurisdiction,
and thus prosecutors m...

Xvfuarjg2017 (47728)
University of Maryland

Anonymous
Really helpful material, saved me a great deal of time.

Studypool
4.7
Trustpilot
4.5
Sitejabber
4.4

Related Tags