JONES & BARTLETT LEARNING
INFORMATION SYSTEMS SECURITY & ASSURANCE SERIES
Fundamentals
of Information
Systems Security
DAVID KIM AND MICHAEL G. SOLOMON
World Headquarters
Jones & Bartlett Learning
40 Tall Pine Drive
Sudbury, MA 01776
978-443-5000
info@jblearning.com
www.jblearning.com
Jones & Bartlett Learning Canada
6339 Ormindale Way
Mississauga, Ontario L5V 1J2
Canada
Jones & Bartlett Learning International
Barb House, Barb Mews
London W6 7PA
United Kingdom
Jones & Bartlett Learning books and products are available through most bookstores and online booksellers. To contact Jones & Bartlett
Learning directly, call 800-832-0034, fax 978-443-8000, or visit our website, www.jblearning.com.
Substantial discounts on bulk quantities of Jones & Bartlett Learning publications are available to corporations, professional
associations, and other qualified organizations. For details and specific discount information, contact the special sales department
at Jones & Bartlett Learning via the above contact information or send an email to specialsales@jblearning.com.
Copyright © 2012 by Jones & Bartlett Learning, LLC
All rights reserved. No part of the material protected by this copyright may be reproduced or utilized in any form, electronic or mechanical,
including photocopying, recording, or by any information storage and retrieval system, without written permission from the copyright owner.
This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the
understanding that the publisher is not engaged in rendering legal, accounting, or other professional service. If legal advice or other expert
assistance is required, the service of a competent professional person should be sought.
Production Credits
Chief Executive Officer: Ty Field
President: James Homer
SVP, Chief Operating Officer: Don Jones, Jr.
SVP, Chief Technology Officer: Dean Fossella
SVP, Chief Marketing Officer: Alison M. Pendergast
SVP, Chief Financial Officer: Ruth Siporin
SVP, Business Development: Christopher Will
VP, Design and Production: Anne Spencer
VP, Manufacturing and Inventory Control: Therese Connell
Editorial Management: High Stakes Writing, LLC, Editor and Publisher: Lawrence J. Goodrich
Reprints and Special Projects Manager: Susan Schultz
Associate Production Editor: Tina Chen
Director of Marketing: Alisha Weisman
Senior Marketing Manager: Andrea DeFronzo
Cover Design: Anne Spencer
Composition: Mia Saunders Design
Cover Image: © ErickN/ShutterStock, Inc.
Chapter Opener Image: © Rodolfo Clix/Dreamstime.com
Printing and Binding: Malloy, Inc.
Cover Printing: Malloy, Inc.
ISBN: 978-0-7637-9025-7
6048
Printed in the United States of America
15 14 13 12 11 10 9 8 7 6 5 4 3 2 1
Contents
Letter from (ISC)2 Executive Director W. Hord Tipton xvii
Preface xix
Acknowledgments xxi
PART ONE
The Need for Information Security 1
CHAPTER 1
Information Systems Security 2
Information Systems Security 3
Risks, Threats, and Vulnerabilities 6
Defining Information Systems Security 8
U.S. Compliance Laws Drive Need for Information Systems Security 8
Tenets of Information Systems Security 10
Availability 11
Integrity 12
Confidentiality 12
The Seven Domains of a Typical IT Infrastructure 15
User Domain 15
Workstation Domain 18
LAN Domain 20
LAN-to-WAN Domain 23
WAN Domain 26
Remote Access Domain 30
System/Application Domain 33
Weakest Link in the Security of an IT Infrastructure 37
Ethics and the Internet 37
(ISC)2: Information Systems Security Certification 38
SSCP Professional Certification 38
CISSP Professional Certification 39
(ISC)2 Code of Ethics 39
IT Security Policy Framework 40
Definitions 40
Foundational IT Security Policies 41
Data Classification Standards 42
CHAPTER SUMMARY 44
KEY CONCEPTS AND TERMS 44
CHAPTER 1 ASSESSMENT 45
CHAPTER 2
Changing How People and Businesses Communicate 47
Evolution of Voice Communications 48
From Analog to Digital 50
Telephony Risks, Threats, and Vulnerabilities 51
Telephony Security Best Practices 52
From Digital to Voice over IP (VoIP) 54
VoIP and SIP Risks, Threats, and Vulnerabilities 57
VoIP and SIP Security Best Practices 57
Converting to a TCP/IP World 60
How Different Groups Communicate 62
Broadband Boom of the 1990s 63
IP Transformation of Telecommunication Service Providers 64
Multimodal Communications 68
Voice over IP (VoIP) Migration 69
Unified Communications (UC) 71
Solving Business Challenges with Unified Communications 72
Evolution from Brick-and-Mortar to e-Commerce 74
Solving Business Challenges with e-Business Transformation 75
Why Businesses Today Need an Internet Marketing Strategy 76
The Web Effect on People, Businesses, and Other Organizations 77
CHAPTER SUMMARY 78
KEY CONCEPTS AND TERMS 78
CHAPTER 2 ASSESSMENT 79
CHAPTER 3
Malicious Attacks, Threats, and Vulnerabilities 81
Malicious Activity on the Rise 82
What Are You Trying to Protect? 83
IT and Network Infrastructure 84
Intellectual Property 84
Finances and Financial Data 85
Service Availability and Productivity 85
Reputation 87
Whom Are You Trying to Catch? 87
Attack Tools 88
Vulnerability Scanners 89
Port Scanners 89
Sniffers 89
Wardialers 89
Keyloggers 90
What Is a Security Breach? 90
Denial of Service Attacks 91
Distributed Denial of Service Attacks 92
Unacceptable Web Browsing 92
Wiretapping 93
Backdoor 93
Data Modifications 93
Additional Security Challenges 94
What Are Vulnerabilities and Threats? 96
Threat Targets 98
Threat Types 99
What Is a Malicious Attack? 101
Brute-Force Attacks 102
Dictionary Attacks 102
Address Spoofing 102
Hijacking 103
Replay Attacks 104
Man-in-the-Middle Attacks 104
Masquerading 104
Eavesdropping 104
Social Engineering 105
Phreaking 105
Phishing 106
Pharming 106
What Is Malicious Software? 107
Viruses 108
Worms 108
Trojan Horses 109
Rootkits 109
Spyware 110
What Are Countermeasures? 111
Countering Malware 112
Protecting Your System with Firewalls 113
CHAPTER SUMMARY 114
KEY CONCEPTS AND TERMS 115
CHAPTER 3 ASSESSMENT 115
CHAPTER 4
The Drivers of the Information Security Business 117
Defining Risk Management 118
Risk Identification 120
Risk Analysis 121
Risk-Response Planning 123
Risk Monitoring and Control 124
Implementing a BIA, a BCP, and a DRP 124
Business Impact Analysis 125
Business Continuity Plan 126
Disaster Recovery Plan 127
Assessing Risks, Threats, and Vulnerabilities 131
Closing the Information Security Gap 133
Adhering to Compliance Laws 134
Keeping Private Data Confidential 136
CHAPTER SUMMARY 138
KEY CONCEPTS AND TERMS 138
CHAPTER 4 ASSESSMENT 139
PART TWO
The Systems Security Certified Practitioner (SSCP®) Professional Certification from (ISC)2 141
CHAPTER 5
Access Controls 142
The Four Parts of Access Control 143
The Two Types of Access Control 144
Physical Access Control 144
Logical Access Control 144
Defining an Authorization Policy 146
Identification Methods and Guidelines 146
Identification Methods 147
Identification Guidelines 147
Authentication Processes and Requirements 147
Authentication Types 147
Single Sign-On (SSO) 157
Accountability Policies and Procedures 159
Log Files 159
Data Retention, Media Disposal, and Compliance Requirements 159
Formal Models of Access Control 161
Discretionary Access Control (DAC) 161
Mandatory Access Control (MAC) 164
Non-Discretionary Access Control 164
Rule-Based Access Control 165
Access Control Lists (ACLs) 166
Role Based Access Control (RBAC) 166
Content-Dependent Access Control 167
Constrained User Interface 168
Other Access Control Models 169
Effects of Breaches in Access Control 171
Threats to Access Controls 172
Effects of Access Control Violations 173
Centralized and Decentralized Access Control 174
Three Types of AAA Servers 174
Decentralized Access Control 177
Privacy 177
CHAPTER SUMMARY 179
KEY CONCEPTS AND TERMS 179
CHAPTER 5 ASSESSMENT 180
CHAPTER 6
Security Operations and Administration 182
Security Administration 183
Controlling Access 184
Documentation, Procedures, and Guidelines 184
Disaster Assessment and Recovery 184
Security Outsourcing 185
Compliance 186
Security Event Logs 186
Compliance Liaison 186
Remediation 186
Professional Ethics 187
Common Fallacies About Ethics 187
Codes of Ethics 188
Personnel Security Principles 189
The Infrastructure for an IT Security Policy 192
Policies 194
Standards 194
Procedures 195
Baselines 195
Guidelines 196
Data Classification Standards 196
Information Classification Objectives 197
Examples of Classification 198
Classification Procedures 198
Assurance 199
Configuration Management 199
Hardware Inventory and Configuration Chart 200
The Change Management Process 201
Change Control Management 201
Change Control Committees 202
Change Control Procedures 202
Change Control Issues 203
The System Life Cycle (SLC) and System Development Life Cycle (SDLC) 204
The System Life Cycle (SLC) 204
Testing and Developing Systems 206
Software Development and Security 209
Software Development Methods 209
CHAPTER SUMMARY 211
KEY CONCEPTS AND TERMS 211
CHAPTER 6 ASSESSMENT 212
CHAPTER 7
Auditing, Testing, and Monitoring 214
Security Auditing and Analysis 215
Security Controls Address Risk 216
Determining What Is Acceptable 217
Permission Levels 217
Areas of Security Audits 218
Purpose of Audits 218
Customer Confidence 219
Defining Your Audit Plan 219
Defining the Scope of the Plan 220
Auditing Benchmarks 221
Audit Data–Collection Methods 222
Areas of Security Audits 223
Control Checks and Identity Management 223
Post-Audit Activities 224
Exit Interview 225
Data Analysis 225
Generation of Audit Report 225
Presentation of Findings 226
Security Monitoring 226
Security Monitoring for Computer Systems 227
Monitoring Issues 227
Logging Anomalies 228
Log Management 229
Types of Log Information to Capture 230
How to Verify Security Controls 231
Intrusion Detection System (IDS) 231
Analysis Methods 232
HIDS 233
Layered Defense: Network Access Control 234
Control Checks: Intrusion Detection 234
Host Isolation 235
System Hardening 235
Review Antivirus Program 237
Monitoring and Testing Security Systems 237
Monitoring 238
Testing 238
CHAPTER SUMMARY 246
KEY CONCEPTS AND TERMS 246
CHAPTER 7 ASSESSMENT 247
CHAPTER 8
Risk, Response, and Recovery 248
Risk Management and Information Security 250
Definitions of Risk 250
Elements of Risk 251
Purpose of Risk Management 252
The Risk Equation 252
The Process of Risk Management 253
Risk Analysis 254
Emerging Threats 254
Two Approaches: Quantitative and Qualitative 255
Calculating Quantified Risk 255
Qualitative Risk Analysis 257
Developing a Strategy for Dealing with Risk 258
Acceptable Range of Risk/Residual Risk 259
Evaluating Countermeasures 261
Pricing/Costing a Countermeasure 261
Countermeasure Evaluation 262
Controls and Their Place in the Security Life Cycle 262
Planning to Survive 263
Terminology 264
Assessing Maximum Tolerable Downtime (MTD) 265
Business Impact Analysis 266
Plan Review 267
Testing the Plan 268
Backing Up Data and Applications 269
Types of Backups 270
Steps to Take in Handling an Incident 271
Notification 271
Response 272
Recovery 272
Follow-Up 272
Documentation 272
Recovery from a Disaster 273
Primary Steps to Disaster Recovery 273
Activating the Disaster Recovery Plan 273
Operating in a Reduced/Modified Environment 274
Restoring Damaged Systems 274
Disaster Recovery Issues 275
Recovery Alternatives 275
Interim or Alternate Processing Strategies 276
CHAPTER SUMMARY 278
KEY CONCEPTS AND TERMS 278
CHAPTER 8 ASSESSMENT 279
CHAPTER 9
Cryptography 280
What Is Cryptography? 281
Basic Cryptographic Principles 282
A Brief History of Cryptography 283
Cryptography’s Role in Information Security 284
Business and Security Requirements for Cryptography 286
Internal Security 286
Security Between Businesses 287
Security Measures That Benefit Everyone 287
Cryptographic Applications and Uses in Information System Security 287
Cryptanalysis and Public Versus Private Keys 289
Cryptographic Principles, Concepts, and Terminology 291
Cryptographic Functions and Ciphers 291
Types of Ciphers 294
Symmetric and Asymmetric Key Cryptography 298
Keys, Keyspace, and Key Management 300
Digital Signatures and Hash Functions 303
Cryptographic Applications, Tools, and Resources 305
Symmetric Key Standards 306
Asymmetric Key Solutions 308
Hash Function and Integrity 309
Digital Signatures and Nonrepudiation 311
Principles of Certificates and Key Management 312
Modern Key-Management Techniques 313
CHAPTER SUMMARY 315
KEY CONCEPTS AND TERMS 315
CHAPTER 9 ASSESSMENT 316
CHAPTER 10
Networks and Telecommunications 317
The Open Systems Interconnection Reference Model 318
The Two Types of Networks 320
Wide Area Networks 320
Local Area Networks 323
TCP/IP and How It Works 324
TCP/IP Overview 325
IP Addressing 325
ICMP 326
Network Security Risks 327
Three Categories of Risk 327
Basic Network Security Defense Tools 329
Firewalls 329
Virtual Private Networks and Remote Access 332
Network Access Control 334
Wireless Networks 334
Wireless Access Points (WAPs) 335
Wireless Network Security Controls 335
CHAPTER SUMMARY 338
KEY CONCEPTS AND TERMS 338
CHAPTER 10 ASSESSMENT 338
CHAPTER 11
Malicious Code and Activity 340
Characteristics, Architecture, and Operations of Malicious Software 341
The Main Types of Malware 342
Virus 342
Spam 349
Worms 350
Trojan Horses 351
Logic Bombs 352
Active Content Vulnerabilities 353
Botnets 353
Denial of Service Attacks 353
Spyware 356
Adware 356
Phishing 356
Keystroke Loggers 357
Hoaxes and Myths 358
Home-Page Hijacking 358
Web-Page Defacements 359
A Brief History of Malicious Code Threats 360
1970s and Early 1980s: Academic Research and UNIX 360
1980s: Early PC Viruses 360
1990s: Early LAN Viruses 361
Mid-1990s: Smart Applications and the Internet 361
2000 to Present 362
Threats to Business Organizations 362
Types of Threats 362
Internal Threats from Employees 363
Anatomy of an Attack 364
What Motivates Attackers? 364
The Purpose of an Attack 364
Types of Attacks 365
Phases of an Attack 367
Attack Prevention Tools and Techniques 372
Application Defenses 373
Operating System Defenses 373
Network Infrastructure Defenses 374
Safe Recovery Techniques and Practices 375
Implementing Effective Software Best Practices 375
Incident Detection Tools and Techniques 375
Antivirus Scanning Software 376
Network Monitors and Analyzers 376
Content/Context Filtering and Logging Software 376
Honeypots and Honeynets 377
CHAPTER SUMMARY 378
KEY CONCEPTS AND TERMS 378
CHAPTER 11 ASSESSMENT 379
PART THREE
Information Security Standards, Education, Certifications, and Laws 381
CHAPTER 12
Information Security Standards 382
Standards Organizations 383
NIST 383
International Organization for Standardization (ISO) 385
International Electrotechnical Commission (IEC) 386
World Wide Web Consortium (W3C) 387
Internet Engineering Task Force (IETF) 388
IEEE 389
International Telecommunication Union Telecommunication Sector (ITU-T) 390
ANSI 392
ISO 17799 393
ISO/IEC 27002 394
PCI DSS 395
CHAPTER SUMMARY 397
KEY CONCEPTS AND TERMS 397
CHAPTER 12 ASSESSMENT 398
CHAPTER 13
Information Security Education and Training 399
Self-Study 400
Adult Continuing Education Programs 403
Certificate Programs 404
CPE Credits 404
Post-Secondary Degree Programs 405
Associate’s Degree 407
Bachelor’s Degree 407
Master’s Degree 409
Doctoral Degree 411
Information Security Training Programs 413
Security Training Requirements 413
Security Training Organizations 414
CHAPTER SUMMARY 416
KEY CONCEPTS AND TERMS 416
CHAPTER 13 ASSESSMENT 417
CHAPTER 14
Information Security Professional Certifications 418
Vendor-Neutral Professional Certifications 419
(ISC)2 420
GIAC/SANS Institute 421
CIW 422
CompTIA 423
SCP 423
ISACA 425
Vendor-Specific Professional Certifications 425
Cisco Systems 425
Juniper Networks 427
RSA 427
Symantec 428
Check Point 428
DoD/Military—8570.01 429
CHAPTER SUMMARY 430
KEY CONCEPTS AND TERMS 430
CHAPTER 14 ASSESSMENT 431
CHAPTER 15
U.S. Compliance Laws 432
Compliance and the Law 433
The Federal Information Security Management Act 435
Purpose and Main Requirements 436
The Role of the National Institute of Standards and Technology 438
National Security Systems 440
Oversight 440
The Future of FISMA 440
The Health Insurance Portability and Accountability Act 441
Purpose and Scope 441
Main Requirements of the HIPAA Privacy Rule 442
Main Requirements of the HIPAA Security Rule 445
Oversight 447
The Gramm-Leach-Bliley Act 447
Purpose and Scope 448
Main Requirements of the GLBA Privacy Rule 449
Main Requirements of the GLBA Safeguards Rule 449
Oversight 450
The Sarbanes-Oxley Act 451
Purpose and Scope 451
SOX Control Certification Requirements 452
SOX Records Retention Requirements 453
Oversight 454
The Family Educational Rights and Privacy Act 454
Purpose and Scope 455
Main Requirements 455
Oversight 457
The Children’s Internet Protection Act 457
Purpose and Scope 457
Main Requirements 459
Oversight 459
Making Sense of Laws for Information Security Compliance 460
CHAPTER SUMMARY 462
KEY CONCEPTS AND TERMS 462
CHAPTER 15 ASSESSMENT 462
ENDNOTES 463
APPENDIX A
Answer Key 465
APPENDIX B
Standard Acronyms 467
APPENDIX C
Become an SSCP® 469
APPENDIX D
SSCP® Practice Exam 473
Glossary of Key Terms 477
References 493
Index 497
This book is dedicated to our readers, students, and IT professionals pursuing
a career in information systems security. May your passion for learning IT security
help you protect the information assets of the United States of America,
our businesses, and the privacy data of our citizens.
—David Kim
To God, who has richly blessed me in so many ways
—Michael G. Solomon
Letter from (ISC)2 Executive Director W. Hord Tipton
Dear student,
I congratulate you on your decision to advance your knowledge in the rapidly expanding
and challenging field of information security. This is currently one of the most in-demand
industries in the world and there is an urgent need for qualified information security
professionals to secure our systems, networks, and infrastructures.
Fundamentals of Information Systems Security represents (ISC)2’s commitment to providing
guidance and support to the information security field through exciting new educational
offerings. The information provided in this book highlights the seven domains of (ISC)2’s
Systems Security Certified Practitioner (SSCP ®) certification: Access Controls; Cryptography;
Malicious Code and Activity; Monitoring and Analysis; Networks and Communications;
Risk, Response and Recovery; and Security Operations and Administration.
The SSCP is a deeply technical certification, requiring a minimum one year of technical
work experience before candidates are able to sit for the examination. Considered an
entry-level certification, the SSCP is desirable for those looking to embed the first footprint
on their information security career path. SSCPs are often considered the “go-to” practitioners in demanding technical positions such as network security engineers, security
systems analysts, and security administrators; however, they also encompass non-security
disciplines that require an understanding of security but do not have information security
as a primary part of their job description. Due to rapidly emerging technologies, the
domains of the SSCP will continue to evolve, which is why it’s important to remain
vigilant about continuing education throughout your career.
When it comes to educating and certifying information security professionals throughout
their careers, (ISC)2 is acknowledged as the global, not-for-profit leader. We have an elite
network of over 72,000 information security professionals worldwide and a reputation
built on trust and integrity which has earned our certifications and world-class educational
programs recognition as the gold standard of the industry.
Both education and certification create a framework for a successful career in this industry.
According to the 2009 Certification Magazine Salary Survey, with support from (ISC)2, SSCPs
reported earning an average annual base salary of $97,860 in the U.S. A full 96 percent
of respondents from the top five countries with the highest salaries said they were
certified. Around 47 percent said they think their most recently earned certification
played a role in them getting a raise, and more than 85 percent of respondents agreed
that since they’ve become certified, there is a greater demand for their skills.
In closing, let me again thank you for taking this initial step toward a very exciting
and rewarding career in information security. I invite you to look to our organization,
(ISC)2, when you are ready to validate your knowledge and experience by obtaining
the gold standard of information security certifications.
Be sure to test your knowledge by taking the SSCP practice exam at the end of the book.
A tuition grant of $1,000 toward an SSCP CBK ® Review Seminar is available to all
students who are enrolled in this course.
I wish you the best of luck in this course and in your future information security career.
Sincerely,
W. Hord Tipton, CISSP-ISSEP, CAP, CISA
Executive Director, (ISC)2
www.isc2.org
Preface
Purpose of This Book
This book is part of the Information Systems Security & Assurance Series (ISSA) from
Jones & Bartlett Learning (www.jblearning.com). Designed for courses and curriculums
in IT Security, Cybersecurity, Information Assurance, and Information Systems Security,
this series features a comprehensive, consistent treatment of the most current thinking
and trends in this critical subject area. These titles deliver fundamental information
security principles packed with real-world applications and examples. Authored by
Certified Information Systems Security Professionals (CISSPs), they deliver comprehensive
information on all aspects of information security. Reviewed word for word by leading
technical experts in the field, these books are not just current, but forward-thinking—
putting you in the position to solve the cybersecurity challenges not just of today,
but of tomorrow, as well.
Part 1 of this book on information security fundamentals focuses on new risks, threats,
and vulnerabilities associated with the transformation to a digital world. Individuals,
students, educators, businesses, organizations, and governments have changed how they
communicate and do business. Led by the integration of the Internet and broadband
communications into our everyday lives, the digital revolution has created a need for
information systems security. With recent compliance laws requiring organizations
to protect and secure privacy data and reduce liability, information systems security
has never been more recognized than it is now.
Part 2 is adapted from the Official (ISC)2 SSCP ® CBK ® Study Guide. It will present
a high-level overview of each of the seven domains within the Systems Security Certified
Practitioner certification. The SSCP ® professional certification requires mastery of
the following topics: Access Controls; Cryptography; Malicious Code and Activity;
Monitoring and Analysis; Networks and Communications; Risk, Response, and Recovery;
and Security Operations and Administration.
Part 3 of this book provides a resource for readers and students desiring more
information on information security standards, education, professional certifications,
and recent compliance laws. These resources are ideal for students and individuals
desiring additional information about educational and career opportunities in
information systems security.
Learning Features
The writing style of this book is practical and conversational. Step-by-step examples
of information security concepts and procedures are presented throughout the text.
Each chapter begins with a statement of learning objectives. Illustrations are used both
to clarify the material and to vary the presentation. The text is sprinkled with Notes, Tips,
FYIs, Warnings, and sidebars to alert the reader to additional helpful information related
to the subject under discussion. Chapter Assessments appear at the end of each chapter,
with solutions provided in the back of the book.
Chapter summaries are included in the text to provide a rapid review or preview
of the material and to help students understand the relative importance of the concepts
presented.
Audience
The material is suitable for undergraduate or graduate computer science majors or
information science majors, students at a two-year technical college or community college
who have a basic technical background, or readers who have a basic understanding
of IT security and want to expand their knowledge.
Acknowledgments
This is the flagship book of the Information Systems Security & Assurance Series (ISSA)
from Jones & Bartlett Learning (www.jblearning.com). The ISSA Series was designed for
IT security and information assurance curriculums and courseware for those colleges and
universities needing a hands-on approach to delivering an information systems security and
information assurance degree program whose graduates would be ready for the work force.
The entire ISSA series was developed by information systems security professionals,
consultants, and recognized leaders in the field of information systems security, all of
whom contributed to each word, sentence, paragraph, and chapter. The dedication and
perseverance displayed by those involved was driven by a single passion and common goal:
“to help educate today’s information systems security practitioner” by creating the most
up-to-date textbooks, courseware, and hands-on labs to ensure job and skill-set readiness
for information systems security practitioners.
Achieving this single passion and common goal involved a collaborative effort with
the International Information Systems Security Certification Consortium, Inc. (ISC)2,
to bring the Systems Security Certified Practitioner (SSCP ®) Common Body of Knowledge
(CBK ®) and its seven domains of information systems security responsibility into Part 2
of this book. The seven domains of the SSCP ® CBK ® encompass what information systems
security practitioners must be able to do to implement hands-on security countermeasures
in IT infrastructure.
Thank you to Jones & Bartlett Learning for having the vision and patience to underwrite and build the world’s best information systems security content and curriculum.
Thank you to (ISC)2 for recognizing that the SSCP ® professional certification is best
aligned with programs that incorporate hands-on skills-set readiness aligned to the
seven domains of SSCP® CBK®.
Thank you to the many authors, subject matter experts, super subject matter experts,
copy editors, development editors, and graphic artists who contributed to this book and
entire ISSA Series during the past year of development.
And last but not least, I would like to thank my wife, MiYoung Kim, who is and always
will be by my side.
David Kim
I would like to thank Kate Shoup for providing pertinent editorial comments and for
helping to fine tune the book’s content, and Lawrence Goodrich and Ruth Walker for all
your input, work, and patience. All of you made the process so much easier and added
a lot to the book. And thanks so much to Stacey and Noah for your help in researching
the many diverse topics.
Michael G. Solomon
About the Authors
David Kim (CISSP) is president of Security Evolutions, LLC (www.SecurityEvolutions.com),
and chief technology officer for vLab Solutions, LLC (www.vLabSolutions.com), both
located in Tarpon Springs, Florida. Security Evolutions provides IT security training
and consulting services for organizations around the world. Security Evolutions has
specific expertise and experience in VoIP and SIP layered security solutions where privacy
data may encompass both data and voice communications. vLab Solutions is a leading
designer and developer of performance-outcome-based, hands-on labs for educational,
training, and professional certification requirements. vLearning Cloud™, vLab Solutions’
hands-on online labs environment, provides students with secure browser access to
complete the lab exercise from a virtual workstation. Mr. Kim’s IT and IT security experience
encompasses more than 25 years of technical engineering, technical management, and
solutions selling and sales management. This experience includes LAN/WAN, internetworking, enterprise network management, and IT security for voice, video, and data
networking infrastructures. Previously, Mr. Kim was chief operating officer of the (ISC)2
Institute located in Vienna, Virginia, where he was responsible for content development,
educational products, and educational delivery for (ISC)2 (www.isc2.org) and its IT security
professional certifications.
Michael G. Solomon (CISSP, PMP, CISM, GSEC) is a full-time security speaker, consultant,
and author, and a former college instructor who specializes in development and
assessment security topics. As an IT professional and consultant since 1987, he has
worked on projects for more than 100 major companies and organizations. From 1998
until 2001, he was an instructor in the Kennesaw State University Computer Science
and Information Sciences (CSIS) department, where he taught courses on software
project management, C programming, computer organization and architecture,
and data communications. Solomon holds an MS in mathematics and computer science
from Emory University (1998), a BS in computer science from Kennesaw State University
(1987), and is currently pursuing a PhD in computer science and informatics at Emory
University. He has also contributed to various security certification books for LANWrights,
including TICSA Training Guide (Que, 2002) and an accompanying Instructor Resource
Kit (Que, 2002), CISSP Study Guide (Sybex, 2003), as well as Security Training Guide
(Que, 2003). Solomon coauthored Information Security Illuminated (Jones and Bartlett,
2005), Security Lab Guide (Sybex, 2005), Computer Forensics JumpStart (Sybex, 2005),
PMP ExamCram2 (Que, 2005), and authored and provided the on-camera delivery
of LearnKey’s CISSP Prep and PMP Prep e-Learning courses.
PART ONE
The Need for Information Security
Information Systems Security 2
Changing How People and Businesses Communicate 47
Malicious Attacks, Threats, and Vulnerabilities 81
The Drivers of the Information Security Business 117
CHAPTER 1
Information Systems Security
The Internet has changed dramatically from its origins. It has grown
from a small number of universities and government agencies to a
worldwide network with more than two billion users. As it has grown,
it has changed how people communicate and do business. It has brought many
opportunities and benefits. The Internet continues to grow and expand in new
and varied ways. It supports innovation and new services. Like outer space, the
maturing Internet is a new frontier. There is no Internet government or central
authority. It is full of challenges—and questionable behavior.
The Internet as we know it today has its roots in a computer network called
the Advanced Research Projects Agency Network (ARPANET), which the U.S.
Department of Defense created in 1969. But the way people use the Internet
is new. Today, people working in cyberspace must deal with new and constantly
evolving threats. Intelligent and aggressive cybercriminals, terrorists, and scam
artists lurk in the shadows. Connecting your computers or devices to the Internet
immediately exposes them to attack. These attacks result in frustration and
hardship. Anyone whose personal information has been stolen can attest to that.
Worse, attacks on computers and networked devices are a threat to the national
economy, which depends on e-commerce. Even more important, cyberattacks
threaten national security. For example, terrorist attackers could shut down
electricity grids and disrupt military communication.
You can make a difference. The world needs people who understand
computer-systems security and who can protect computers and networks from
criminals and terrorists. To get you started, this first chapter gives an overview
of information systems security concepts and terms that you must understand
to stop these attacks.
Chapter 1 Topics
This chapter covers the following topics and concepts:
• What information systems security is
• What the tenets of information systems security are
• What the seven domains of an IT infrastructure are
• What the weakest link in an IT infrastructure is
• How an IT security policy framework can reduce risk
• How a data classification standard affects an IT infrastructure’s security needs
Chapter 1 Goals
When you complete this chapter, you will be able to:
• Relate how availability, integrity, and confidentiality requirements affect
the seven domains of a typical IT infrastructure
• Describe the threats and vulnerabilities commonly found within the seven domains
• Identify a layered security approach throughout the seven domains
• Develop an IT security policy framework to help reduce risk from common
threats and vulnerabilities
• Relate how a data classification standard affects the seven domains
Information Systems Security
Today’s Internet is a worldwide network with more than two billion users. It includes
almost every government, business, and organization on Earth. Just having that many
users on the same network wouldn’t have been enough to make the Internet a game-changing innovation, however. These users needed some type of mechanism to link
documents and resources across computers. In other words, a user on computer A needed
an easy way to open a document on computer B. This need gave rise to a system that
defines how documents and resources are related across network machines. The name
of this system is the World Wide Web (WWW). You may know it as cyberspace, or simply
as the Web. Think of it this way: The Internet links communication networks to one
another. The Web is the connection of Web sites, Web pages, and digital content on those
networked computers. Cyberspace is all the users, networks, Web pages, and applications
working in this worldwide electronic realm.
PART 1 | The Need for Information Security
FIGURE 1-1 Cyberspace: the new frontier. (Figure: a government building, corporate
building, school, home, store, factory, bank, and host all connected to cyberspace, alongside
users, attackers, black-hat hackers, perpetrators, and virus and malicious code.)
Unfortunately, when you connect to cyberspace, you also open the door to a lot of bad
guys. They want to find you and steal your data. Every computer that connects to the
Internet is at risk. All users must defend their information from attackers. Cybersecurity
is the duty of every government that wants to ensure its national security. It’s the
responsibility of every organization that needs to protect its information. And it’s the job of
each of us to protect our own data. Figure 1-1 illustrates this new frontier.
The components that make up cyberspace are not automatically secure. These include
cabling, physical networks, operating systems, and software applications that computers
use to connect to the Internet. At the heart of the problem is the lack of security in the
TCP/IP communications protocol. This protocol is the language that computers most commonly
use when communicating across the Internet. (A protocol is a list of rules and methods for
communicating.) TCP/IP is really more than just one protocol. It consists of two protocols,
Transmission Control Protocol (TCP) and Internet Protocol (IP), that work together to allow
any two computers to communicate using a network. TCP/IP, as these two protocols are
known collectively, breaks messages into chunks, or packets, to send to another networked
computer. The problem is that data is readable within the IP packet. This readable mode is
known as cleartext. That means you must hide or encrypt the data sent inside a TCP/IP packet
to make it more secure. Figure 1-2 shows the data within the TCP/IP packet structure.

FIGURE 1-2 TCP/IP communications are in cleartext. (Figure: the IP packet layout with bit
positions 0, 16, and 31 marked and the fields Version, IHL, Differentiated Services, Total
Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum,
Source IP address, Destination IP address, Options, Padding, and Data. The Data portion
travelling from a desktop PC to a server is labelled "Data Is Visible." The TCP/IP
applications listed, E-mail SMTP/POP3, FTP/TFTP, SNMP, Telnet, and HTTP/WWW, are labelled
"All Use Cleartext!")
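As an added illustration of the point above (this is not code from the book), the following Python script builds a small IPv4 packet around a constructed HTTP request, decodes every header field named in Figure 1-2, verifies the header checksum, and returns the payload exactly as any device on the path could read it. The addresses (from the documentation ranges) and the request text are made-up sample values; the parser itself follows the standard IPv4 header layout.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Tuple

# The packet below is constructed for this illustration; the addresses come
# from the RFC 5737 documentation ranges and the payload is made up.


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words, the IPv4 header checksum algorithm.

    Over a header whose checksum field is already filled in, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(src: str, dst: str, payload: bytes,
                      ttl: int = 64, protocol: int = 6, ident: int = 0x1234) -> bytes:
    """Prepend a 20-byte IPv4 header (no options) to payload, checksum filled in."""
    version_ihl = (4 << 4) | 5              # version 4, IHL = 5 words = 20 bytes
    flags_frag = 0b010 << 13                # DF flag set, fragment offset 0
    header = struct.pack("!BBHHHBBH4s4s", version_ihl, 0, 20 + len(payload), ident,
                         flags_frag, ttl, protocol, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    checksum = ipv4_checksum(header)
    return header[:10] + struct.pack("!H", checksum) + header[12:] + payload


@dataclass
class IPv4Header:
    version: int
    ihl: int
    dscp: int
    ecn: int
    total_length: int
    identification: int
    flags: int
    fragment_offset: int
    ttl: int
    protocol: int
    header_checksum: int
    src: str
    dst: str
    options: bytes
    checksum_ok: bool


def parse_ipv4(packet: bytes) -> Tuple[IPv4Header, bytes]:
    """Decode the header fields shown in Figure 1-2 and return (header, payload).

    Every length field is checked against the buffer before it is trusted."""
    if len(packet) < 20:
        raise ValueError("too short for an IPv4 header")
    (version_ihl, dscp_ecn, total_length, ident, flags_frag,
     ttl, protocol, checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = version_ihl >> 4, version_ihl & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    header_len = ihl * 4
    if ihl < 5 or header_len > len(packet):
        raise ValueError(f"bad IHL {ihl}")
    if total_length < header_len or total_length > len(packet):
        raise ValueError(f"bad total length {total_length}")
    header = packet[:header_len]
    hdr = IPv4Header(
        version=version, ihl=ihl, dscp=dscp_ecn >> 2, ecn=dscp_ecn & 0b11,
        total_length=total_length, identification=ident,
        flags=flags_frag >> 13, fragment_offset=flags_frag & 0x1FFF,
        ttl=ttl, protocol=protocol, header_checksum=checksum,
        src=socket.inet_ntoa(src), dst=socket.inet_ntoa(dst),
        options=header[20:], checksum_ok=ipv4_checksum(header) == 0,
    )
    return hdr, packet[header_len:total_length]


SAMPLE_PAYLOAD = b"GET /index.html HTTP/1.0\r\nHost: www.example.test\r\n\r\n"  # constructed
SAMPLE_PACKET = build_ipv4_packet("192.0.2.10", "198.51.100.20", SAMPLE_PAYLOAD)


def cleartext_payload(packet: bytes) -> str:
    """Return the payload exactly as any on-path observer could read it."""
    _, payload = parse_ipv4(packet)
    return payload.decode("ascii", errors="replace")


if __name__ == "__main__":
    header, _ = parse_ipv4(SAMPLE_PACKET)
    print(header)
    print("Payload as seen on the wire:", cleartext_payload(SAMPLE_PACKET))
```

The checksum only detects accidental corruption; it is not a security control, and nothing in the header stops the Data portion from being read, which is the gap the rest of this chapter's confidentiality discussion addresses.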
All this raises the question: If the Internet is so unsafe, why did everyone connect to
it so rapidly? The answer is the huge growth of the Web from the mid 1990s to the early
2000s. Connecting to the Internet gave anyone instant access to the Web and its many
resources. The appeal of easy worldwide connectivity drove the demand to connect. This
demand and subsequent growth helped drive costs lower for high-speed communications.
Households, businesses, and governments gained affordable high-speed Internet access.
And as wireless connections have become more common and affordable, it has become
easier to stay connected no matter where you are.
Internet growth has also been driven by generational differences. Generation Y’s
culture is taking over as baby boomers begin to retire. This new generation grew up
with cell phones, smartphones, and “always on” Internet access. These devices
provide real-time communications. Today’s personal communications include
voice over IP (VoIP), text messaging, and instant messaging (IM), or chatting,
as well as audio and video conferencing.
Cyberspace is the new place to meet, socialize, and share ideas. You can chat with
friends, family, business contacts, and people from everywhere. But there’s a danger:
You don’t really know who the person at the other end is. Liars and thieves can easily
hide their identity. While cyberspace gives you fingertip access to people and information,
it also brings along many risks and threats.
An information security war is raging. The battlefield is cyberspace and the enemies
are already within the gates. To make matters worse, the enemy is everywhere—both in
the local area and around the world. Because of this, IT is in great need of proper security
controls. This need has created a great demand for information security professionals.
The goal is to both protect national security and business information from the enemy.
Risks, Threats, and Vulnerabilities
This book introduces the dangers of cyberspace and discusses how to address those
dangers. It explains how to identify and combat the dangers common in information
systems and IT infrastructures. To understand how to make computers more secure,
you first need to understand risks, threats, and vulnerabilities.
Risk is the likelihood that something bad will happen to an asset. It is the exposure
to some event that has an effect on an asset. In the context of IT security, an asset
can be a computer, a database, or a piece of information. Examples of risk include
the following:
• Losing data
• Losing business because a disaster has destroyed your building
• Failing to comply with laws and regulations
A threat is any action that could damage an asset. Information systems face both natural
and human-induced threats. The threats of flood, earthquake, or severe storms require
organizations to have plans to ensure that business operation continues and that the
organization can recover. A business continuity plan (BCP) gives priorities to the functions
an organization needs to keep going. A disaster recovery plan (DRP) defines how a business
gets back on its feet after a major disaster like a fire or hurricane. Human-caused threats
to a computer system include viruses, malicious code, and unauthorized access. A virus
is a computer program written to cause damage to a system, an application, or data.
Malicious code or malware is a computer program written to cause a specific action
to occur, such as erasing a hard drive. These threats can harm an individual, business,
or organization.
A vulnerability is a weakness that allows a threat to be realized or to have an effect
on an asset. To understand what a vulnerability is, think about lighting a fire. Lighting
a fire is not necessarily bad. If you are cooking a meal on a grill, you will need to light a
fire in the grill. The grill is designed to contain the fire and should pose no danger if used
properly. On the other hand, lighting a fire in a computer data center will likely cause
damage. A grill is not vulnerable to fire, but a computer data center is. A threat by itself
does not always cause damage; there must be a vulnerability for a threat to be realized.
Vulnerabilities can often result in legal liabilities. Any vulnerability that allows a
threat to be realized may result in legal action. Since computers must run software to be
useful, and since humans write software, software programs have errors. Thus, software
vendors must protect themselves from the liabilities of their own vulnerabilities with an
end user licensing agreement (EULA). A EULA takes effect when the user opens the package
and installs the software.
All software vendors use EULAs. That means the burden of protecting data falls on
systems security professionals.

End User Licensing Agreements (EULAs)
EULAs are license agreements between the user and the software vendor. They protect
the software vendor from claims arising from imperfect software. EULAs typically contain
a warranty disclaimer. This limits their liability from software bugs and weaknesses that
hackers can exploit.
Here is an excerpt from Microsoft’s EULA that states the company offers only “limited”
warranties for its software. The EULA also advises that the software product is offered
“as is and with all faults.”
“DISCLAIMER OF WARRANTIES. THE LIMITED WARRANTY THAT APPEARS ABOVE IS THE
ONLY EXPRESS WARRANTY MADE TO YOU AND IS PROVIDED IN LIEU OF ANY OTHER
EXPRESS WARRANTIES (IF ANY) CREATED BY ANY DOCUMENTATION OR PACKAGING.
EXCEPT FOR THE LIMITED WARRANTY AND TO THE MAXIMUM EXTENT PERMITTED BY
APPLICABLE LAW, MICROSOFT AND ITS SUPPLIERS PROVIDE THE SOFTWARE PRODUCT
AND SUPPORT SERVICES (IF ANY) AS IS AND WITH ALL FAULTS, AND HEREBY DISCLAIM
ALL OTHER WARRANTIES AND CONDITIONS....”
Microsoft’s EULA also limits its financial liability to the cost of the software or $5 (U.S.),
whichever is greater.
“LIMITATION OF LIABILITY. ANY REMEDIES NOTWITHSTANDING ANY DAMAGES THAT
YOU MIGHT INCUR FOR ANY REASON WHATSOEVER (INCLUDING, WITHOUT LIMITATION,
ALL DAMAGES REFERENCED ABOVE AND ALL DIRECT OR GENERAL DAMAGES), THE
ENTIRE LIABILITY OF MICROSOFT AND ANY OF ITS SUPPLIERS UNDER ANY PROVISION OF
THIS EULA AND YOUR EXCLUSIVE REMEDY FOR ALL OF THE FOREGOING (EXCEPT FOR
ANY REMEDY OF REPAIR OR REPLACEMENT ELECTED BY MICROSOFT WITH RESPECT TO
ANY BREACH OF THE LIMITED WARRANTY) SHALL BE LIMITED TO THE GREATER OF THE
AMOUNT ACTUALLY PAID BY YOU FOR THE SOFTWARE PRODUCT OR U.S.$5.00. THE
FOREGOING LIMITATIONS, EXCLUSIONS AND DISCLAIMERS (INCLUDING SECTIONS 9, 10
AND 11 ABOVE) SHALL APPLY TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE
LAW, EVEN IF ANY REMEDY FAILS ITS ESSENTIAL PURPOSE.”
FIGURE 1-3 What are we securing? (Figure: a firewall in front of the System/Application
Domain, which holds a mainframe and application and Web servers, and the kinds of
information kept there.)
• Privacy Data of Individuals
  · Name, address, date of birth
  · Social Security number
  · Bank name, account number
  · Credit card account number
  · Utility account number
  · Mortgage account number
  · Insurance policy number
  · Securities & brokerage account numbers
• Corporate Intellectual Property
  · Trade secrets
  · Product development
  · Sales and marketing strategies
  · Financial records
  · Copyrights, patents, etc.
• Online B2C and B2B Transactions
  · Online banking
  · Online health care & insurance claims
  · e-Commerce, e-government, services
  · Online education and transcripts
• Government Intellectual Property
  · National security
  · Military & DoD strategies
Defining Information Systems Security
Security is easiest to define by breaking it into pieces. An information system consists
of the hardware, operating system, and application software that work together to collect,
process, and store data for individuals and organizations. Information systems security
is the collection of activities that protect the information system and the data stored
in it. Many U.S. and international laws now require this kind of security assurance.
Organizations must address this need head-on. Figure 1-3 reviews the types of information commonly found within an IT infrastructure.
U.S. Compliance Laws Drive Need for Information Systems Security
Cyberspace brings new threats to people and organizations. People need to protect their
privacy. Businesses and organizations are responsible for protecting both their intellectual
property and any personal or private data they handle. Various laws require organizations
to use security controls to protect private and confidential data. Recent U.S. laws related
to information security include the following:
• Federal Information Security Management Act (FISMA)—Passed in 2002, the
Federal Information Security Management Act (FISMA) requires federal civilian
agencies to provide security controls over resources that support federal operations.
• Gramm-Leach-Bliley Act (GLBA)—Passed in 1999, the Gramm-Leach-Bliley Act (GLBA)
requires all types of financial institutions to protect customers’ private financial information.
• Health Insurance Portability and Accountability Act (HIPAA)—Passed in 1996,
the Health Insurance Portability and Accountability Act (HIPAA) requires health care
organizations to secure patient information.
• Children’s Internet Protection Act (CIPA)—Passed in 2000, the Children’s Internet
Protection Act (CIPA) requires public schools and public libraries to use an Internet
safety policy. The policy must address the following:
  • Children’s access to inappropriate matter on the Internet
  • Children’s security when using e-mail, chat rooms, and other electronic
  communications
  • Restricting hacking and other unlawful activities by children online
  • Disclosing and distributing personal information about children without
  permission
  • Restricting children’s access to harmful materials
• Family Educational Rights and Privacy Act (FERPA)—Passed in 1974, the Family
Educational Rights and Privacy Act (FERPA) protects the private data of students
and their school records.
• Sarbanes-Oxley Act (SOX)—Passed in 2002, the Sarbanes-Oxley Act (SOX) requires
publicly traded companies to submit accurate and reliable financial reporting.
This law does not require securing private information, but it does require security
controls to protect the confidentiality and integrity of the reporting itself.
You can find out more about these laws in Chapter 15. Figure 1-4 shows these laws
by industry.

FIGURE 1-4 U.S. compliance laws drive the need for information systems security.
(Figure: each industry paired with the law or standard that applies to it: Education,
CIPA/FERPA; Government, FISMA/DIACAPS; Corporation, SOX; Health Care, HIPAA;
Bank/Insurance, GLBA; Retail, PCI DSS. Individual privacy data must be protected, and
security controls are required to protect privacy data. Note: PCI DSS is a global standard,
not a U.S. federal law. PCI DSS requires protection of consumer privacy data with proper
security controls.)
FIGURE 1-5 The three tenets of information systems security: Confidentiality, Integrity,
and Availability.
Tenets of Information Systems Security
Most people agree that private information should be secure. But what does “secure
information” really mean? Information that is secure satisfies three main tenets, or
properties, of information. If you can ensure these three tenets, you satisfy the requirements of secure information. The three tenets are as follows:
• Availability—Information is accessible by authorized users whenever
they request the information.
• Integrity—Only authorized users can change information.
• Confidentiality—Only authorized users can view information.
Figure 1-5 shows the three tenets of information systems security. When you design
and use security controls, you are addressing one or more of these tenets.
When finding solutions to security issues, you must use the A-I-C triad. You have to
define and achieve your organization’s goals for this triad in a typical IT infrastructure’s
seven domains. Once defined, these goals help you put security controls in place as
required for your different types of data.
Some systems security professionals refer to the tenets as the C-I-A triad, but that can lead
to confusion with the U.S. Central Intelligence Agency, commonly known as the CIA.
Availability
Availability is a common term in everyday life. For example, you probably pay attention to
the availability of your satellite TV service, your cell phone service, or a business colleague
for a meeting. In the context of information security, availability is generally expressed as
the amount of time users can use a system, application, and data. Common availability
time measurements include the following:
• Uptime—The total amount of time that a system, application, and data is accessible.
Uptime is typically measured in units of seconds, minutes, and hours within a given
calendar month.
• Downtime—The total amount of time that a system, application, and data is not
accessible. Downtime also is measured in units of seconds, minutes, and hours
for a calendar month.
• Availability—A math calculation where A = (Total Uptime) / (Total Uptime + Total
Downtime).
• Mean time to failure (MTTF)—Mean time to failure (MTTF) is the average amount
of time between failures for a particular system. Semiconductors and electronics
do not break and have an MTTF of many years (25 years, etc.). Physical parts such
as connectors, cabling, fans, and power supplies have a much lower MTTF (five years
or less) given that wear and tear can break them.
• Mean time to repair (MTTR)—Mean time to repair (MTTR) is the average amount
of time it takes to repair a system, application, or component. The goal is to bring
the system back up quickly.
• Recovery time objective (RTO)—Recovery time objective (RTO) is the amount of time
it takes to recover and make a system, application, and data available for use after
an outage. Business continuity plans typically define an RTO for mission-critical
systems, applications, and data access.

How to Measure Availability
For a given 30-day calendar month, the total amount of uptime equals:
30 days × 24 hours/day × 60 minutes/hour = 43,200 minutes
For a 28-day calendar month (February), the total amount of uptime equals:
28 days × 24 hours/day × 60 minutes/hour = 40,320 minutes
Using the formula Availability = (Total Uptime) / (Total Uptime + Total Downtime), calculate
the Availability factor for a 30-day calendar month with 30 minutes of scheduled downtime
in that calendar month:
Availability = (43,200 minutes) / (43,200 minutes + 30 minutes) = .9993 or 99.93%
Telecommunications companies offer their customers service level agreements (SLAs).
An SLA is a contract that guarantees a minimum monthly availability of service for
wide area network (WAN) and Internet access links. SLAs accompany WAN services and
dedicated Internet access links. Availability measures a monthly uptime service level
commitment. As in the preceding example, 30 minutes of downtime in a given 30-day
calendar month equates to 99.993 percent availability. Service providers typically offer
SLAs ranging from 99.5 percent to 99.999 percent availability.
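To make the arithmetic above concrete, here is an added Python example (not from the book) that implements the book's formula, A = Total Uptime / (Total Uptime + Total Downtime), for a calendar month and also inverts it to find the downtime budget a given SLA tier allows, which is what you need when checking a provider's monthly report against the contract. The function names, the intermediate SLA tiers between the 99.5 and 99.999 percent quoted above, and the rounding are this example's own choices; the 30-day and 28-day minute totals and the 99.93 percent result reproduce the sidebar.

```python
from typing import Dict

MINUTES_PER_DAY = 24 * 60


def month_uptime_minutes(days_in_month: int) -> int:
    """Total minutes in a calendar month: 30 days -> 43,200; 28 days -> 40,320."""
    if days_in_month not in (28, 29, 30, 31):
        raise ValueError(f"not a calendar month length: {days_in_month}")
    return days_in_month * MINUTES_PER_DAY


def availability(total_uptime: float, total_downtime: float) -> float:
    """The book's formula: A = Total Uptime / (Total Uptime + Total Downtime).

    Returns a fraction between 0 and 1; both inputs use the same unit (minutes)."""
    if total_uptime < 0 or total_downtime < 0:
        raise ValueError("uptime and downtime cannot be negative")
    denominator = total_uptime + total_downtime
    if denominator == 0:
        raise ValueError("no time was measured")
    return total_uptime / denominator


def monthly_availability_percent(days_in_month: int, downtime_minutes: float,
                                 ndigits: int = 2) -> float:
    """Availability for one calendar month, as a percentage rounded to ndigits."""
    fraction = availability(month_uptime_minutes(days_in_month), downtime_minutes)
    return round(100 * fraction, ndigits)


def downtime_budget_minutes(days_in_month: int, target_percent: float) -> float:
    """Invert the formula: the most downtime that still meets an SLA target.

    Solving A = U / (U + D) for D gives D = U * (1 - A) / A."""
    if not 0 < target_percent <= 100:
        raise ValueError("target must be a percentage in (0, 100]")
    a = target_percent / 100
    return month_uptime_minutes(days_in_month) * (1 - a) / a


def sla_met(days_in_month: int, downtime_minutes: float, target_percent: float) -> bool:
    """True when the month's measured availability reaches the SLA commitment."""
    fraction = availability(month_uptime_minutes(days_in_month), downtime_minutes)
    return 100 * fraction >= target_percent


# The chapter quotes 99.5 to 99.999 percent as the usual SLA range; the
# intermediate tiers here are this example's own choices.
SLA_TIERS = (99.5, 99.9, 99.99, 99.999)


def downtime_budget_table(days_in_month: int = 30) -> Dict[float, float]:
    """Downtime budget in minutes for each tier, for a month of the given length."""
    return {tier: round(downtime_budget_minutes(days_in_month, tier), 2) for tier in SLA_TIERS}


if __name__ == "__main__":
    print("30-day month, 30 minutes downtime:", monthly_availability_percent(30, 30), "%")
    for tier, minutes in downtime_budget_table(30).items():
        print(f"{tier:>7}% SLA allows at most {minutes:>7.2f} minutes of downtime per 30-day month")
```

Note how steeply the budget shrinks: the difference between 99.5 and 99.999 percent is the difference between several hours and well under a minute of downtime per month, which is why the higher tiers cost so much more.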
Integrity
Integrity deals with the validity and accuracy of data. Data lacking integrity—that is,
data that is not accurate or not valid—is of no use. For some organizations, data and
information are intellectual property assets. Examples include copyrights, patents, secret
formulas, and customer databases. This information can have great value. Unauthorized
changes can undermine the data’s value. This is why integrity is a tenet of systems
security. Figure 1-6 shows what is meant by data integrity and whether that data is
usable. Sabotage and corruption of data integrity is a serious threat to an organization,
especially if the data is critical to business operations.
Confidentiality
Confidentiality is a common term. It means guarding information from everyone except
those with rights to it. Confidential information includes the following:
• Private data of individuals
• Intellectual property of businesses
• National security for countries and governments
U.S. compliance laws require organizations to have controls to keep data private.
FIGURE 1-6 Data integrity. (Figure: a user reaches a database, a mainframe, and application
and Web servers in the System/Application Domain through a firewall. Data has integrity if:
1. Data is not altered; 2. Data is valid; 3. Data is accurate.)
Identity Theft
Identity theft affects about 10 million U.S. citizens each year. It is a major threat to American
consumers. Many elements make up a person’s identity. These include but are not limited
to the following:
• Full name
• Mailing address
• Date of birth
• Social Security number
• Bank name
• Bank account number
• Credit card account number
• Utility account number
• Mortgage account number
• Insurance policy number
• Securities and investment account numbers
An impostor can access your accounts with just your name, home address, and Social Security
number.
This threat extends beyond just financial loss. Identity theft can damage your FICO personal
credit rating. This would stop you from getting a bank loan, mortgage, or credit card. It can
take years to clean up your personal credit history. FICO is a publicly traded company that
provides information used by Equifax, Experian, and TransUnion, the three largest consumer
credit reporting agencies in the United States.

With the growth in e-commerce, more people are making online purchases with credit
cards. This requires people to enter private data into e-commerce Web sites. Consumers
should be careful to protect their personal identity and private data.
Laws require organizations to use security controls to protect customers’ private data.
A security control is something an organization does to help reduce risk. Examples of
controls include the following:
• Conducting annual security awareness training for employees. This helps remind
staff about proper handling of private data. It also drives awareness of the organization’s
framework of security policies, standards, procedures, and guidelines.
• Putting an IT security policy framework in place. This outline is like an instruction
manual for security controls.
• Designing a layered security solution for an IT infrastructure. The more layers
or compartments that block or protect private data and intellectual property,
the more difficult it is to find and steal.
• Performing periodic security assessments and penetration tests on Web sites and
IT infrastructure. This is how security professionals verify that they have installed
the controls properly.
• Enabling security monitoring at your Internet entry and exit points. This is like
using a microscope to see what is coming in and going out.
• Using automated workstation and server antivirus and malicious software
protection. This is the way to keep viruses and malicious software out of your
computer.
• Using more stringent access controls beyond a logon ID and password for sensitive
systems, applications, and data. Logon IDs with passwords are only one check
of the user. Access to more sensitive systems should have a second test to confirm
the user’s identity.
• Minimizing software weaknesses in your computers and servers by updating them
with patches and security fixes. This is the way to keep your operating system and
application software up to date.
Protecting private data is the process of ensuring data confidentiality. Organizations must
use proper security controls specific to this concern. Some examples include the following:
• Defining organization-wide policies, standards, procedures, and guidelines to protect
confidential data. These are instructions for how to handle private data.
• Adopting a data classification standard that defines how to treat data throughout
your IT infrastructure. This is the road map for identifying what controls are needed
to keep data safe.
• Limiting access to systems and applications that house confidential data to only
those authorized to use it.
• Using cryptography techniques to hide confidential data to keep it invisible
to unauthorized users.
• Encrypting data that crosses the public Internet.
• Encrypting data that is stored within databases and storage devices.
Sending data to other computers using a network means you have to take special steps
to keep confidential data from unauthorized users. Cryptography is the practice of hiding
data and keeping it away from unauthorized users. Encryption is the process of transforming
data from cleartext into ciphertext. Cleartext data is data that anyone can read. Ciphertext
is the scrambled data that is the result of encrypting cleartext. An example of this is in
Figure 1-7.
Data privacy is so important that local and state governments are starting to pass laws
to protect it by extending federal laws.

! WARNING
Never enter private data in an e-mail in cleartext. Remember, e-mail traffic transmits
through the Internet in cleartext. Also, never enter private data in a Web site if it is not
a trusted host that can be checked by telephone or other means. Never enter private data
into a Web site or Web application that does not use encryption.
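The cleartext-to-ciphertext transformation described above, as an added example that is not the book's own code. It uses only Python's standard library: HMAC-SHA256 in counter mode produces the keystream, a separate HMAC key authenticates the ciphertext (encrypt-then-MAC), and a random nonce keeps each message's keystream distinct. The key size, nonce size, derivation labels, and the sample message are this example's own choices.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Tuple

NONCE_LEN = 16   # bytes; random per message so two messages never share a keystream
TAG_LEN = 32     # bytes; HMAC-SHA256 output


def derive_keys(master_key: bytes) -> Tuple[bytes, bytes]:
    """Derive independent encryption and authentication keys from one master key."""
    if len(master_key) < 16:
        raise ValueError("master key too short")
    enc_key = hmac.new(master_key, b"encryption", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"authentication", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a pseudorandom function in counter mode: block i = HMAC(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack("!Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(master_key: bytes, cleartext: bytes) -> bytes:
    """cleartext -> nonce || ciphertext body || authentication tag."""
    enc_key, mac_key = derive_keys(master_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    body = xor_bytes(cleartext, keystream(enc_key, nonce, len(cleartext)))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()   # encrypt-then-MAC
    return nonce + body + tag


def decrypt(master_key: bytes, message: bytes) -> bytes:
    """Verify the tag first; only an unmodified message is ever decrypted."""
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, body, tag = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN], message[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_key)
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):       # constant-time comparison
        raise ValueError("authentication failed: wrong key or modified ciphertext")
    return xor_bytes(body, keystream(enc_key, nonce, len(body)))


def looks_like_cleartext(data: bytes) -> bool:
    """Crude readability test for the demonstration: printable ASCII plus whitespace."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def ciphertext_body(message: bytes) -> bytes:
    """The scrambled part an on-path observer sees, without nonce and tag."""
    return message[NONCE_LEN:-TAG_LEN]


# Constructed sample values for the demonstration (not a real key or real account data).
SAMPLE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
SAMPLE_MESSAGE = b"Account 12-3456-7890 (sample value), statement balance 1,234.56, owner J. Doe"

if __name__ == "__main__":
    sealed = encrypt(SAMPLE_KEY, SAMPLE_MESSAGE)
    print("cleartext :", SAMPLE_MESSAGE)
    print("ciphertext:", ciphertext_body(sealed).hex())
    print("round trip:", decrypt(SAMPLE_KEY, sealed) == SAMPLE_MESSAGE)
```

Two properties matter for the tenets discussed in this chapter: the body of the ciphertext no longer looks like readable text (confidentiality), and any change to it is rejected before decryption (integrity). In production code use an authenticated cipher such as AES-GCM from a vetted library rather than a hand-assembled construction like this one; the example exists to show the mechanics, not to replace a library.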
FIGURE 1-7 Encryption of cleartext into ciphertext. (Figure: data is visible at each end
point, but inside a VPN tunnel with encryption the IP datagram is encrypted and the
cleartext is not visible; on the wire it appears only as scrambled characters such as
"$*% O#4s5!".)

The Seven Domains of a Typical IT Infrastructure
What role do the three tenets of systems security play in a typical IT infrastructure?
First, let’s review what a typical IT infrastructure looks like. Whether in a small business,
large government body, or publicly traded corporation, most IT infrastructures consist
of the seven domains shown in Figure 1-8.
A typical IT infrastructure usually has these seven domains. Each one requires proper
security controls. These controls must meet the requirements of the A-I-C triad. The
following is an overview of the seven domains, and the risks, threats, and vulnerabilities
you will commonly find in today’s IT environments.
User Domain
The User Domain defines the people who access an organization’s information system.
User Domain Roles, Responsibilities, and Accountability
Here's an overview of what should go on in the User Domain:
• Roles and tasks—Users can access systems, applications, and data depending upon
their defined access rights. Employees must conform to the staff manual and policies.
The User Domain is where you will find an acceptable use policy (AUP). An AUP
defines what users are allowed to do with organization-owned IT assets. It’s like
a rulebook that employees must follow. Violation of these rules can be grounds for
dismissal. This is where the first layer of defense starts for a layered security strategy.
• Responsibilities—Employees are responsible for their use of IT assets. New legislation means that for most organizations it’s a best practice to introduce an AUP.
Organizations may require staff, contractors, or other third parties to sign an
agreement to keep information confidential. Some require a criminal background
check for sensitive positions. The department manager or human resources manager
is usually in charge of making sure employees sign and follow an AUP.
• Accountability—The human resources department must verify an employee’s
identity before allowing use of the company’s computer system. HR must
do background checks of any candidate for a job with access to sensitive
computer information.

FIGURE 1-8 The seven domains of a typical IT infrastructure. (Figure: the User Domain,
Workstation Domain, LAN Domain, LAN-to-WAN Domain, Remote Access Domain, and
System/Application Domain, with computers, a hub, a router, firewalls, a server, a
mainframe, and application and Web servers.)
Risks, Threats, and Vulnerabilities Commonly Found in the User Domain
The User Domain is the weakest link in an IT infrastructure. Anyone responsible
for computer security must understand what motivates someone to compromise
an organization’s system, applications, or data. Table 1-1 lists the risks and threats
commonly found in the User Domain and plans you can use to prevent them.
Table 1-1  Risks, threats, vulnerabilities, and mitigation plans for the User Domain.

Risk, Threat, or Vulnerability: Lack of user awareness
Mitigation: Conduct security awareness training, display security awareness posters,
insert reminders in banner greetings, and send e-mail reminders to employees.

Risk, Threat, or Vulnerability: User apathy toward policies
Mitigation: Conduct annual security awareness training, implement acceptable use policy,
update staff manual and handbook, discuss during performance reviews.

Risk, Threat, or Vulnerability: Security policy violations
Mitigation: Place employee on probation, review AUP and employee manual, discuss during
performance reviews.

Risk, Threat, or Vulnerability: User inserts CDs and USB drives with personal photos,
music, and videos.
Mitigation: Disable internal CD drives and USB ports. Enable automatic antivirus scans for
inserted media drives, files, and e-mail attachments. An antivirus scanning system examines
all new files on your computer’s hard drive for viruses. Set up antivirus scanning for
e-mails with attachments.

Risk, Threat, or Vulnerability: User downloads photos, music, and videos.
Mitigation: Enable content filtering and antivirus scanning for e-mail attachments.
Content-filtering network devices are configured to permit or deny specific domain names
in accordance with AUP definition.

Risk, Threat, or Vulnerability: User destruction of systems, applications, or data
Mitigation: Restrict access for users to only those systems, applications, and data needed
to perform their job. Minimize write/delete permissions to the data owner only.

Risk, Threat, or Vulnerability: Disgruntled employee attacks the organization or commits
sabotage.
Mitigation: Track and monitor abnormal employee behavior, erratic job performance, and use
of IT infrastructure during off-hours. Begin IT access control lockout procedures based on
AUP monitoring and compliance.

Risk, Threat, or Vulnerability: Employee romance gone bad
Mitigation: Track and monitor abnormal employee behavior and use of IT infrastructure
during off-hours. Begin IT access control lockout procedures based on AUP monitoring
and compliance.

Risk, Threat, or Vulnerability: Employee blackmail or extortion
Mitigation: Track and monitor abnormal employee behavior and use of IT infrastructure
during off-hours. Enable intrusion detection system/intrusion prevention system (IDS/IPS)
monitoring for sensitive employee positions and access. IDS/IPS security appliances examine
the IP data streams for inbound and outbound traffic. Alarms and alerts programmed within
an IDS/IPS help identify abnormal traffic and can block IP traffic as per policy definition.
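Several of the Table 1-1 mitigations come down to "track and monitor abnormal employee behavior and use of IT infrastructure during off-hours." The following added Python example (not from the book) shows what that monitoring can look like in practice: it parses a few constructed authentication and file-access log lines, defines business hours, and reports users who log in outside them, touch several files outside them, or accumulate repeated failed logins. The log format, user names, hosts, paths, business hours, and thresholds are all made up for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, time
from typing import Dict, List, Optional

# Constructed sample log (not from any real system). 2024-03-04 is a Monday,
# 2024-03-09 a Saturday. The last line shows that unparseable input is skipped.
SAMPLE_LOG = """\
2024-03-04T09:02:11 LOGIN user=alice host=ws-101 result=success
2024-03-04T09:05:43 FILE_ACCESS user=alice host=ws-101 path=/finance/q1-report.xlsx
2024-03-04T23:41:07 LOGIN user=bob host=ws-117 result=success
2024-03-04T23:42:30 FILE_ACCESS user=bob host=ws-117 path=/hr/salaries.xlsx
2024-03-04T23:44:01 FILE_ACCESS user=bob host=ws-117 path=/hr/reviews.docx
2024-03-04T23:45:19 FILE_ACCESS user=bob host=ws-117 path=/hr/terminations.xlsx
2024-03-05T02:10:55 LOGIN user=carol host=vpn-gw result=failure
2024-03-05T02:11:20 LOGIN user=carol host=vpn-gw result=failure
2024-03-05T02:12:02 LOGIN user=carol host=vpn-gw result=failure
2024-03-05T02:12:40 LOGIN user=carol host=vpn-gw result=success
2024-03-05T10:15:00 LOGIN user=dave host=ws-120 result=success
2024-03-09T14:00:00 LOGIN user=dave host=ws-120 result=success
this line is not in the expected format and is skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<event>[A-Z_]+) (?P<kv>.+)$")

BUSINESS_START = time(8, 0)    # local business hours assumed for this example
BUSINESS_END = time(18, 0)


def parse_line(line: str) -> Optional[dict]:
    """Turn 'timestamp EVENT k=v k=v' into a dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": datetime.fromisoformat(m["ts"]), "event": m["event"]}
    for pair in m["kv"].split():
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def is_off_hours(ts: datetime) -> bool:
    """Weekends, or any weekday time outside BUSINESS_START..BUSINESS_END."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def analyze(log_text: str, file_access_threshold: int = 3,
            failed_login_threshold: int = 3) -> Dict[str, List[str]]:
    """Return {user: [findings]} for users whose activity matches a monitored pattern."""
    per_user: Dict[str, List[dict]] = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event and "user" in event:
            per_user[event["user"]].append(event)

    findings: Dict[str, List[str]] = {}
    for user, events in per_user.items():
        notes = []
        off_hours = [e for e in events if is_off_hours(e["ts"])]
        if any(e["event"] == "LOGIN" and e.get("result") == "success" for e in off_hours):
            notes.append("off-hours login")
        off_hours_files = [e for e in off_hours if e["event"] == "FILE_ACCESS"]
        if len(off_hours_files) >= file_access_threshold:
            notes.append(f"{len(off_hours_files)} file accesses off-hours")
        failures = [e for e in events if e["event"] == "LOGIN" and e.get("result") == "failure"]
        if len(failures) >= failed_login_threshold:
            last_failure = max(e["ts"] for e in failures)
            later_success = any(e["event"] == "LOGIN" and e.get("result") == "success"
                                and e["ts"] > last_failure for e in events)
            suffix = " followed by a success" if later_success else ""
            notes.append(f"{len(failures)} failed logins{suffix}")
        if notes:
            findings[user] = notes
    return findings


if __name__ == "__main__":
    for user, notes in analyze(SAMPLE_LOG).items():
        print(f"{user}: {'; '.join(notes)}")
```

A finding here is a prompt for a human review against the AUP, not proof of wrongdoing; the thresholds and business hours should come from the organization's own policy, and a user whose role legitimately includes night work needs a per-user schedule rather than the global one used above.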
Workstation Domain
The Workstation Domain is where most users connect to the IT infrastructure.
A workstation can be a desktop computer, laptop computer, or any other device that
connects to your network. Other devices might include a personal data assistant (PDA),
a smartphone, or a special-purpose terminal. You can find more details about mobile
devices in the “Remote Access Domain” section.
Workstation Domain Roles, Responsibilities, and Accountability
Here's an overview of what should go on in the Workstation Domain:
• Roles and tasks—An organization’s staff should have the access necessary
to be productive. Tasks include configuring hardware, hardening systems, and
verifying antivirus files. Hardening a system is the process of ensuring that controls
are in place to handle any known threats. Hardening activities include ensuring
that all computers have the latest software revisions, security patches, and system
configurations. The Workstation Domain also needs additional layers of defense.
Another common defense layer is implementing workstation logon IDs and
passwords to protect this entry into the IT infrastructure.
• Responsibilities—The desktop support group is responsible for the Workstation
Domain. Enforcing defined standards is critical to ensuring the integrity of user
workstations and data. The IT security personnel must safeguard controls within
the Workstation Domain. Human resources must define proper access controls
for workers based on their job. IT security personnel then assign access rights
to systems, applications, and data based on this definition.
• Accountability—The IT desktop manager is accountable for allowing employees
the greatest use of their Workstation Domain. The director of IT security is
in charge of ensuring that the Workstation Domain conforms to policy.
Risks, Threats, and Vulnerabilities Commonly Found in the Workstation Domain
The Workstation Domain requires tight security and access controls. This is where users
first access systems, applications, and data. The Workstation Domain requires a logon ID
and password for access. Table 1-2 lists the risks, threats, and vulnerabilities commonly
found in the Workstation Domain, along with ways to protect against them.
CHAPTER 1 | Information Systems Security
Table 1-2
Risks, threats, vulnerabilities, and mitigation plans for the Workstation Domain.
Risk, Threat, or Vulnerability | Mitigation
Unauthorized access to workstation | Enable password protection on workstations for access. Enable auto screen lockout for inactive times.
Unauthorized access to systems, applications, and data | Define strict access control policies, standards, procedures, and guidelines. Implement a second-level test to verify a user’s right to gain access.
Desktop or laptop computer operating system software vulnerabilities | Define workstation operating system vulnerability window policy definition. A vulnerability window is the gap in time that you leave a computer unpatched with a security update. Start periodic Workstation Domain vulnerability tests to find gaps.
Desktop or laptop application software vulnerabilities and software patch updates | Define a workstation application software vulnerability window policy. Update application software and security patches according to defined policies, standards, procedures, and guidelines.
Viruses, malicious code, or malware infects a user’s workstation or laptop computer. | Use workstation antivirus and malicious code policies, standards, procedures, and guidelines. Enable an automated antivirus protection solution that scans and updates individual workstations with proper protection.
User inserts compact disks (CDs), digital video disks (DVDs), or universal serial bus (USB) thumb drive into organization computer. | Deactivate all CD, DVD, and USB ports. Enable automatic antivirus scans for inserted CDs, DVDs, and USB thumb drives that have files.
User downloads photos, music, or videos via the Internet. | Use content filtering and antivirus scanning at Internet entry and exit. Enable workstation auto-scans for all new files and automatic file quarantine for unknown file types.
User violates AUP and creates security risk for the organization’s IT infrastructure. | Mandate annual security awareness training for all employees. Set up security awareness campaigns and programs throughout the year.
LAN Domain
A local area network (LAN) is a collection of computers connected to one another or to
a common connection medium. Network connection mediums can include wires, fiber-optic
cables, or radio waves. LANs are generally organized by function or department.
Once connected, your computer can access systems, applications, possibly the Internet,
and data. The third component in the IT infrastructure is the LAN Domain.
The physical part of the LAN Domain consists of the following:
• Network interface card (NIC)—The interface between the computer and the LAN
physical media. The network interface card (NIC) has a 6-byte Media Access Control
(MAC) layer address that serves as the NIC’s unique hardware identifier.
• Ethernet LAN—LAN solution based on the IEEE 802.3 CSMA/CD standard for
10/100/1000Mbps Ethernet networking. Ethernet is the most popular LAN standard.
Today’s LAN standard is the Institute of Electrical and Electronics Engineers (IEEE)
802.3 Carrier Sense Multiple Access/Collision Detection (CSMA/CD) specification.
Ethernet is available in 10Mbps, 100Mbps, 1Gbps, and 10Gbps speeds.
• Unshielded twisted-pair cabling—The workstation cabling that uses RJ-45
connectors and jacks to physically connect to a 100Mbps/1Gbps/10Gbps Ethernet
LAN switch.
• LAN switch—The device that connects workstations into a physical Ethernet LAN.
A switch provides dedicated Ethernet LAN connectivity for workstations and servers.
This provides maximum throughput and performance for each workstation. There
are two kinds of LAN switches. A Layer 2 switch examines the MAC layer address
and makes forwarding decisions based on MAC layer address tables. A Layer 3 switch
examines the network layer address and routes packets based on routing protocol
path determination decisions. A Layer 3 switch is the same thing as a router.
• File server and print server—High-powered computers that provide file sharing
and data storage for users within a department. Print servers support shared
printer use within a department.
• Wireless access point (WAP)—For wireless LANs (WLANs), radio transceivers are
used to transmit IP packets from a WLAN NIC to a wireless access point (WAP).
The WAP transmits WLAN signals for mobile laptops to connect. The WAP connects
back to the LAN switch using unshielded twisted-pair cabling.
Ethernet switches typically provide 100Mbps or 1Gbps connectivity for each workstation.
Ethernet switches are also equipped with modules that support 1Gbps or 10Gbps Ethernet
backbone connections. These backbone connections commonly use fiber-optic cabling.
The logical part of the LAN Domain consists of the following:
• System administration—Setup of user LAN accounts with logon ID and password
access controls (that is, user logon information).
• Design of directory and file services—The servers, directories, and folders
to which the user can gain access.
• Configuration of workstation and server TCP/IP software and communication
protocols—IP addressing, IP default gateway router, subnet mask address, etc.
The IP default gateway router acts as the entry/exit to the LAN. The subnet mask
address defines the IP network number and IP host number.
• Design of server disk storage space, backup and recovery of user data—
User can store data files on LAN disk storage areas where data is backed up and
archived daily. In the event of data loss or corruption, data files can be recovered
from the backed-up files.
• Design of virtual LANs (VLANs)—With Layer 2 and Layer 3 LAN switches, you
can configure Ethernet ports to be on the same virtual LAN (VLAN), even though
they may be connected to different physical LANs. This is the same
thing as configuring workstations and servers to be on the same Ethernet LAN
or broadcast domain.
Users get access to their department’s LAN and other applications according to what
their job calls for.
LAN Domain Roles, Responsibilities, and Accountability
Here's an overview of what should go on in the LAN Domain:
• Roles and tasks—The LAN Domain includes both physical network components and
logical configuration of services for users. Management of the physical components
includes:
• Cabling
• NIC cards
• LAN switches
• Wireless access points (WAPs)
LAN system administration includes maintaining the master lists of user accounts
and access rights. In the LAN Domain, second-level authentication may be required.
Second-level proof is like a gate where the user must confirm who he or she is a
second time.
• Responsibilities—The LAN support group is in charge of the LAN Domain. This
includes both the physical component and logical elements. LAN system administrators
must maintain and support departments’ file and print services and configure
access controls for users.
• Accountability—The LAN manager’s duty is to maximize use and integrity of data
within the LAN Domain. The director of IT security must ensure that the LAN
Domain conforms to policy.
Risks, Threats, and Vulnerabilities Commonly Found in the LAN Domain
The LAN Domain also needs strong security and access controls. Users can access
company-wide systems, applications, and data from the LAN Domain. This is where
the third layer of defense is required. This defense protects the IT infrastructure and the
LAN Domain. Table 1-3 lists the risks, threats, and vulnerabilities commonly found in
the LAN Domain with appropriate risk-reducing strategies.
Table 1-3
Risks, threats, vulnerabilities, and mitigation plans for the LAN Domain.
Risk, Threat, or Vulnerability | Mitigation
Unauthorized access to LAN | Make sure wiring closets, data centers, and computer rooms are secure. Do not allow anyone access without proper ID.
Unauthorized access to systems, applications, and data | Define strict access control policies, standards, procedures, and guidelines. Implement second-level identity check to gain access to sensitive systems, applications, and data.
LAN server operating system software vulnerabilities | Define server/desktop/laptop vulnerability window policies, standards, procedures, and guidelines. Conduct periodic LAN Domain vulnerability assessments to find software gaps. A vulnerability assessment is a software review that identifies bugs or errors in software. These bugs and errors go away when you apply software patches and fixes.
LAN server application software vulnerabilities and software patch updates | Define a strict software vulnerability window policy requiring quick software patching.
Rogue users on WLANs gain unauthorized access. | Use WLAN network keys that require a password for wireless access. Turn off broadcasting on WAPs. Require second-level authentication prior to granting WLAN access.
Confidentiality of data transmissions via WLAN connections is compromised. | Implement encryption between workstation and WAP to maintain confidentiality.
LAN servers have different hardware, operating systems, and software, making it difficult to manage and troubleshoot. | Implement LAN server and configuration standards, procedures, and guidelines.
LAN-to-WAN Domain
The LAN-to-WAN Domain is where the IT infrastructure links to a wide area network and
the Internet. Unfortunately, connecting to the Internet is like rolling out the red carpet for
bad guys. The Internet is open, public, and easily accessible by anyone. Most Internet traffic
is cleartext. That means it’s visible and not private. Network applications use two common
transport protocols: Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).
Both TCP and UDP use port numbers to identify the application or function; these port numbers
function like channels on a TV, which dictate which station you’re watching. When a packet is
sent via TCP or UDP, its port number appears in the packet header—which essentially reveals
what type of packet it is. This is like advertising to the world what you are transmitting.
Examples of common TCP and UDP port numbers include the following:
• Port 80: Hypertext Transfer Protocol (HTTP)—Hypertext Transfer Protocol (HTTP) is the
communications protocol between Web browsers and Web sites with data in cleartext.
• Port 20: File Transfer Protocol (FTP)—File Transfer Protocol (FTP) is a protocol for
performing file transfers. FTP uses TCP as a connection-oriented data transmission
but in cleartext. Connection-oriented means individual packets are numbered and
acknowledged as being received to increase integrity of the file transfer.
• Port 69: Trivial File Transfer Protocol (TFTP)—Trivial File Transfer Protocol (TFTP)
is a protocol for performing file transfers. TFTP utilizes UDP as a connectionless data
transmission but in cleartext. This is used for small and quick file transfers given that
it does not guarantee individual packet delivery.
• Port 23: Terminal Network (Telnet)—Telnet is a network protocol for performing remote
terminal access to another device. Telnet uses TCP and sends data in cleartext.
• Port 22: Secure Shell (SSH)—This is a network protocol for performing remote terminal
access to another device. SSH encrypts the data transmission for maintaining confidentiality
of communications.
A complete list of well-known port numbers from 0 to 1023 is maintained by the Internet
Assigned Numbers Authority (IANA). The IANA helps coordinate global domain name
services, IP addressing, and other resources. Well-known port numbers are on the IANA
Web site at this location: http://www.iana.org/assignments/port-numbers.
Because the TCP/IP family of protocols lacks security, the need for security controls when
dealing with protocols in this family is greater. The LAN-to-WAN Domain represents the
fourth layer of defense for a typical IT infrastructure.
LAN-to-WAN Domain Roles, Responsibilities, and Accountability
Here's an overview of what should go on in the LAN-to-WAN Domain:
• Roles and tasks—The LAN-to-WAN Domain includes both the physical pieces and
logical design of security appliances. It is one of the most complex areas within an
IT infrastructure to secure. You need to maintain security while giving users as much
access as possible. Physical parts need to be managed to give easy access to the service.
The security appliances must be logically configured to adhere to policy definitions.
This will get the most out of availability, ensure data integrity, and maintain
confidentiality. The roles and tasks required within the LAN-to-WAN Domain include
managing and configuring the following:
• IP routers—An IP router is a network device used to transport IP packets to and
from the Internet or WAN. Path determination decisions forward IP packets.
Configuration tasks include IP routing and access control lists (ACLs). ACLs are
used to permit and deny traffic like a filter.
• IP stateful firewalls—An IP stateful firewall is a security appliance used to filter
inbound IP packets based on various ACL definitions configured for IP, TCP, and
UDP packet headers. A stateful firewall can examine IP, TCP, or UDP packet headers
for filtering.
• Demilitarized zone (DMZ)—The demilitarized zone (DMZ) is a LAN segment in the
LAN-to-WAN Domain that acts as a buffer zone for inbound and outbound IP traffic.
External servers such as Web servers, proxy servers, and e-mail servers can be placed
here for greater isolation and screening of IP traffic.
• Intrusion detection system (IDS)—This security appliance examines IP data streams
for common attack and malicious intent patterns. IDSs are passive and can be set
to trigger an alarm.
• Intrusion prevention system (IPS)—An IPS does the same thing as an IDS but can
block IP data streams identified as malicious. IPSs can end the actual communication
session, filter by source IP addresses, and block access to the targeted host.
• Proxy servers—A proxy server acts as a middleman between a workstation and the
external target. Traffic goes to the intermediary server acting as the proxy. Data can
be analyzed and properly screened before it is allowed into the IT infrastructure.
• Web content-filter—This security appliance can prevent content from entering
an IT infrastructure based on filtering of domain names or of keywords within
domain names.
• E-mail content-filter and quarantine system—This security appliance can block
content within e-mails or unknown file attachments for proper antivirus screening
and quarantining. Upon review, the e-mail and attachments can be forwarded to
the user.
• Internet entry/exit performance monitoring—This monitoring occurs where the
IT infrastructure connects to the Internet through a dedicated Internet access link
to maximize availability, and monitor performance and link utilization.
You can find more details about DMZ, IDS, IPS, firewalls, and proxy servers in
Chapter 10.
• Responsibilities—The network security group is responsible for the LAN-to-WAN
Domain. This includes both the physical components and logical elements. Group
members are responsible for applying the defined security controls.
• Accountability—Your organization’s WAN network manager has a duty to manage
the LAN-to-WAN Domain. The director of IT security ensures that the LAN-to-WAN
Domain security policies, standards, procedures, and guidelines are used.
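As an added illustration of the port-number point made earlier in this section (the TCP or UDP port number sits in the packet header and names the application, and a stateful firewall or IDS reads those same header fields), here is Python code that is not from the textbook: it decodes a constructed IPv4/TCP or UDP packet, looks the server port up in the table of well-known ports listed above, and flags the protocols the text describes as cleartext. The packet builder, the sample addresses, and the `cleartext_report` helper are all constructed for this example.

```python
import struct

# Port-to-service table taken from the well-known ports listed on this page.
# The third field records whether the page describes the protocol as cleartext.
WELL_KNOWN_PORTS = {
    80: ("HTTP", "TCP", True),
    20: ("FTP", "TCP", True),
    69: ("TFTP", "UDP", True),
    23: ("Telnet", "TCP", True),
    22: ("SSH", "TCP", False),
}

IPPROTO_TCP = 6
IPPROTO_UDP = 17


def build_packet(proto, src_port, dst_port, payload=b""):
    """Build a minimal IPv4 + TCP/UDP packet (constructed sample data, checksums left zero)."""
    if proto == IPPROTO_TCP:
        # TCP header: ports, seq, ack, data offset (5 words) + SYN flag, window, checksum, urgent
        l4 = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    elif proto == IPPROTO_UDP:
        # UDP header: ports, length (header + payload), checksum
        l4 = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0)
    else:
        raise ValueError("only TCP and UDP are built here")
    total_len = 20 + len(l4) + len(payload)
    # IPv4 header: version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 5]), bytes([198, 51, 100, 7]))
    return ip + l4 + payload


def parse_packet(raw):
    """Decode the IPv4 header and the TCP/UDP port fields that follow it."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    version_ihl = raw[0]
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (version_ihl & 0x0F) * 4          # header length in bytes; options make it > 20
    if ihl < 20 or len(raw) < ihl:
        raise ValueError("bad IHL")
    proto = raw[9]
    src_ip = ".".join(str(b) for b in raw[12:16])
    dst_ip = ".".join(str(b) for b in raw[16:20])
    if proto not in (IPPROTO_TCP, IPPROTO_UDP):
        return {"src_ip": src_ip, "dst_ip": dst_ip, "transport": None}
    if len(raw) < ihl + 4:
        raise ValueError("truncated transport header")
    # Source and destination ports are the first two 16-bit fields of both TCP and UDP
    src_port, dst_port = struct.unpack("!HH", raw[ihl:ihl + 4])
    return {
        "src_ip": src_ip, "dst_ip": dst_ip,
        "transport": "TCP" if proto == IPPROTO_TCP else "UDP",
        "src_port": src_port, "dst_port": dst_port,
    }


def classify(parsed):
    """Name the application by its well-known port and say whether it is cleartext.
    The server side is the port below 1024; the client side is usually ephemeral."""
    if parsed["transport"] is None:
        return None
    for port in (parsed["dst_port"], parsed["src_port"]):
        entry = WELL_KNOWN_PORTS.get(port)
        if entry and entry[1] == parsed["transport"]:
            name, _, cleartext = entry
            return {"service": name, "port": port, "cleartext": cleartext}
    return {"service": "unknown", "port": parsed["dst_port"], "cleartext": None}


def cleartext_report(packets):
    """Return one (src_ip, dst_ip, service, port) tuple per packet that uses a
    protocol the page lists as cleartext: what a LAN-to-WAN monitor would flag."""
    findings = []
    for raw in packets:
        p = parse_packet(raw)
        c = classify(p)
        if c and c["cleartext"]:
            findings.append((p["src_ip"], p["dst_ip"], c["service"], c["port"]))
    return findings


# Constructed sample traffic: a Telnet session, a TFTP read request, an SSH session
SAMPLE_PACKETS = [
    build_packet(IPPROTO_TCP, 51515, 23),
    build_packet(IPPROTO_UDP, 40000, 69, b"\x00\x01config.bin\x00octet\x00"),
    build_packet(IPPROTO_TCP, 51516, 22),
]

if __name__ == "__main__":
    for finding in cleartext_report(SAMPLE_PACKETS):
        print("cleartext: %s -> %s %s/%d" % finding)
```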
Risks, Threats, and Vulnerabilities Commonly Found in the LAN-to-WAN Domain
The LAN-to-WAN Domain needs strict security controls given the risks and threats
of connecting to the Internet. This domain is where all data travels into and out of the
IT infrastructure. The LAN-to-WAN Domain provides Internet access for the entire
organization and acts as the entry/exit point for the wide area network (WAN). The
LAN-to-WAN Domain is where the fourth layer of defense is required. Table 1-4 lists
the risks, threats, and vulnerabilities commonly found in the LAN-to-WAN Domain
with appropriate risk-reduction strategies.
Table 1-4
Risks, threats, vulnerabilities, and mitigation plans for the LAN-to-WAN Domain.
Risk, Threat, or Vulnerability | Mitigation
Unauthorized network probing and port scanning | Disable ping, probing, and port scanning on all exterior IP devices within the LAN-to-WAN Domain. Ping uses the Internet Control Message Protocol (ICMP) echo-request and echo-reply protocol. Disallow IP port numbers used for probing and scanning and monitor with IDS/IPS.
Unauthorized access through the LAN-to-WAN Domain | Apply strict security monitoring controls for intrusion detection and prevention. Monitor for inbound IP traffic anomalies and malicious-intent traffic. Block traffic right away if malicious.
IP router, firewall, and network appliance operating system software vulnerability | Define a strict zero-day vulnerability window definition. Update devices with security fixes and software patches right away.
IP router, firewall, and network appliance configuration file errors or weaknesses | Conduct post configuration penetration tests of the layered security solution within the LAN-to-WAN Domain. Test inbound and outbound traffic and fix any gaps.
Remote users can access the organization’s infrastructure and download sensitive data | Apply and enforce the organization’s data classification standard. Deny outbound traffic using source IP addresses in access control lists. If remote downloading is allowed, encrypt where necessary.
Local users download unknown file type attachments from unknown sources | Apply file transfer monitoring, scanning, and alarming for unknown file types from unknown sources.
Local users receive unknown e-mail attachments and embedded URL links | Apply e-mail server and attachment antivirus and e-mail quarantining for unknown file types. Stop domain-name Web site access based on content-filtering policies.
Local users lose productivity surfing the Web and not focusing on work tasks. | Apply domain-name content filtering at the Internet entry/access point.
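The first row of Table 1-4 calls for monitoring probes, port scans, and ICMP echo-request (ping) traffic with an IDS/IPS. As an added example that is not from the textbook, the Python below runs that detection logic over constructed firewall log lines: a source that touches many distinct ports on one host within a short window is reported as a port scan, and a source that pings many distinct hosts is reported as a ping sweep. The log format, thresholds, and addresses are assumptions of this example, not any vendor's format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumed, not a real vendor format):
#   <timestamp> <ALLOW|DENY> <TCP|UDP|ICMP> <src>:<sport> -> <dst>:<dport>
# For ICMP lines the "dport" field carries the ICMP type (8 = echo request).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%S")
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    return d


def detect_scans(lines, window=timedelta(seconds=60), port_threshold=10, host_threshold=5):
    """Return alerts for sources that hit >= port_threshold distinct ports on one host
    (port scan) or send echo requests to >= host_threshold distinct hosts (ping sweep)
    inside a sliding time window. Each source/target pair is reported once."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    alerts = []
    by_pair = defaultdict(list)      # (src, dst) -> [(ts, dport), ...] for TCP/UDP
    by_src_icmp = defaultdict(list)  # src -> [(ts, dst), ...] for echo requests
    reported = set()
    for e in events:
        cutoff = e["ts"] - window
        if e["proto"] in ("TCP", "UDP"):
            key = (e["src"], e["dst"])
            recent = by_pair[key]
            recent.append((e["ts"], e["dport"]))
            while recent and recent[0][0] < cutoff:   # drop events outside the window
                recent.pop(0)
            ports = {p for _, p in recent}
            if len(ports) >= port_threshold and ("scan", key) not in reported:
                reported.add(("scan", key))
                alerts.append({"type": "port_scan", "src": e["src"], "dst": e["dst"],
                               "distinct_ports": len(ports), "first_seen": recent[0][0]})
        elif e["proto"] == "ICMP" and e["dport"] == 8:
            recent = by_src_icmp[e["src"]]
            recent.append((e["ts"], e["dst"]))
            while recent and recent[0][0] < cutoff:
                recent.pop(0)
            hosts = {h for _, h in recent}
            if len(hosts) >= host_threshold and ("sweep", e["src"]) not in reported:
                reported.add(("sweep", e["src"]))
                alerts.append({"type": "ping_sweep", "src": e["src"],
                               "distinct_hosts": len(hosts)})
    return alerts


def _sample_log():
    """Constructed firewall log: one scanning source, one ordinary HTTPS client,
    and a ping sweep from the same scanning source a minute later."""
    base = datetime(2012, 3, 1, 10, 0, 0)
    lines = []
    scan_ports = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]
    for i, port in enumerate(scan_ports):
        t = base + timedelta(seconds=i)
        lines.append("%s DENY TCP 203.0.113.9:%d -> 198.51.100.7:%d" % (t.isoformat(), 40000 + i, port))
    for i in range(6):
        t = base + timedelta(seconds=30 + i)
        lines.append("%s ALLOW TCP 203.0.113.50:%d -> 198.51.100.7:443" % (t.isoformat(), 50000 + i))
    for i in range(1, 7):
        t = base + timedelta(seconds=60 + i)
        lines.append("%s DENY ICMP 203.0.113.9:0 -> 198.51.100.%d:8" % (t.isoformat(), i))
    return lines


SAMPLE_LOG = _sample_log()

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
```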
WAN Domain
The Wide Area Network (WAN) Domain connects remote locations. As network costs
drop, organizations can afford faster Internet and WAN connections. Today, telecommunication service providers sell the following:
• Nationwide optical backbones—Optical backbone trunks for private optical
backbone networks.
• End-to-end IP transport—IP services and connectivity using the service provider’s
IP networking infrastructure.
• Multi-site WAN cloud services—IP services and connectivity offered for multi-site
connectivity such as multi-protocol label switching (MPLS) WAN services. MPLS
uses labels or tags to make virtual connections between endpoints in a WAN.
• Metropolitan Ethernet LAN connectivity—Ethernet LAN connectivity offered
within a city’s area network.
• Dedicated Internet access—A broadband Internet communication link usually
shared among an organization.
• Managed services—Router management and security appliance management
24×7×365.
• Service level agreements (SLAs)—Contractual commitments for monthly service
offerings like availability, packet loss, and response time to fix problems.
The WAN Domain represents the fifth component in the IT Infrastructure. WAN services
can include dedicated Internet access and managed services for customers’ routers
and firewalls. Management agreements for availability and response time to outages
are common. Networks, routers, and equipment require continuous monitoring and
management to keep WAN service available.
WAN Domain Roles, Responsibilities, and Accountability
Here's an overview of what should go on in the WAN Domain:
• Roles and tasks—The WAN Domain includes both physical components and the
logical design of routers and communication equipment. It is the second most
complex area within an IT infrastructure to secure. Your goal is to allow users the
most access possible while making sure what goes in and out is safe. The roles and
tasks required within the WAN Domain include managing and configuring the
following:
• WAN communication links—The physical communication link provided as a
digital or optical service terminated at your facility. Broadband connection speeds
can range from the following:
• DS0 (64Kbps) to DS1 (1.544Mbps) to DS3 (45Mbps) for digital service
• OC-3 (155Mbps) to OC-12 (622Mbps) to OC-48 (2,488Mbps) for optical service
• 10/100/1000Mbps Metro Ethernet LAN connectivity depending on physical
distance
• IP network design—The logical design of the IP network and addressing schema.
This requires network engineering, design of alternate paths, and selection of
IP routing protocol.
• IP stateful firewall—A security appliance that is used to filter IP packets and
block unwanted IP, TCP, and UDP packet types from entering or leaving the
network. Firewalls can be installed on workstations, routers, or as standalone
devices protecting LAN segments.
• IP router configuration—The actual router configuration information needed for
the WAN backbone and edge routers used for IP connections to remote locations.
The configuration must be based on the IP network design and addressing
schema.
• Virtual private networks (VPNs)—A virtual private network (VPN) is a dedicated
tunnel from one endpoint to another. In many applications, the VPN tunnel is
encrypted. The VPN tunnel can be created between a remote workstation using
the public Internet and a VPN router or a secure browser and SSL-VPN Web site.
• Multi-protocol label switching (MPLS)—A WAN software feature that allows
customers to maximize performance. MPLS labels IP packets for rapid transport
through virtual tunnels between designated endpoints. This is a form of Layer 2
switching and bypasses the routing path determination process.
• SNMP network monitoring and management—Simple Network Management
Protocol (SNMP) is used for network device monitoring, alarming, and
performance.
• Router and equipment maintenance—A requirement to perform hardware and
firmware updates, upload new operating system software, and configure routers
and ACLs.
• Responsibilities—The network engineer or WAN group is responsible for the
WAN Domain. This includes both the physical components and logical elements.
Network engineers and security practitioners set up the defined security controls
according to defined policies. Note that because of the complexities of IP network
engineering, many groups now outsource management of their WAN and routers to
service providers. This service includes SLAs that ensure that the system is available
and that problems are solved quickly. In the event of a WAN connection outage,
customers call a toll-free number for their service provider’s network operations
center (NOC).
• Accountability—Your organization’s IT network manager must maintain, update,
and provide technical support for the WAN Domain. The director of IT security
ensures that the company meets WAN Domain security policies, standards,
procedures, and guidelines.
Some organizations use the public Internet as their WAN infrastructure. While it is
cheaper, the Internet does not guarantee delivery or security. The following presents
Internet risks, threats, and vulnerabilities, as well as risk-mitigation strategies.
Table 1-5
Risks, threats, vulnerabilities, and mitigation plans for the WAN Domain (Internet).
Risk, Threat, or Vulnerability | Mitigation
Open, public, easily accessible to anyone that wants to connect | Apply acceptable use policies, in accord with the document “RFC 1087: Ethics and the Internet.” Enact new laws regarding unauthorized access to systems, malicious attacks on IT infrastructures, and financial loss due to malicious outages.
Most Internet traffic is sent in cleartext. | Prohibit using the Internet for private communications without encryption and VPN tunnels. If you have a data classification standard, follow the policies, procedures, and guidelines specifically.
Vulnerable to eavesdropping | Use encryption and VPN tunnels for end-to-end secure IP communications. If you have a data classification standard, follow the policies, procedures, and guidelines.
Vulnerable to malicious attacks | Deploy layered LAN-to-WAN security countermeasures, DMZ with IP stateful firewalls, IDS/IPS for security monitoring, and quarantining of unknown e-mail file attachments.
Vulnerable to denial of service (DoS), distributed denial of service (DDoS), TCP SYN flooding, and IP spoofing attacks | Apply filters on exterior IP stateful firewalls and IP router WAN interfaces to block TCP SYN and ICMP (ping). Alert your Internet service provider (ISP) to put the proper filters on its IP router WAN interfaces in accordance with CERT Advisory CA-1996-21.
Vulnerable to corruption of information and data | Encrypt IP data transmissions with VPNs. Back up and store data in off-site data vaults (online or physical data backup) with tested recovery procedures.
TCP/IP applications are inherently insecure (HTTP, FTP, TFTP, etc.). | Refer to your data classification standard for proper handling of data and use of TCP/IP applications. Never use TCP/IP applications for confidential data without proper encryption. Create a network-management VLAN and isolate TFTP and SNMP traffic used for network management.
Hackers, attackers, and perpetrators e-mail Trojans, worms, and malicious software freely. | Scan all e-mail attachments for type, antivirus, and malicious software at the LAN-to-WAN Domain. Isolate and quarantine unknown file attachments until further security review is conducted. Provide security awareness training to remind employees of dangers.
Risks, Threats, and Vulnerabilities Commonly Found in the WAN Domain (Internet)
Telecommunication service providers are in the business of providing WAN connectivity
for end-to-end communications. Service providers must take on the responsibility for securing
their network infrastructure first. Customers who sign up for WAN communication services
must review the terms, conditions, and limitations of liability within their service contract.
This is important because organizations must figure out where their duties start and end
regarding router management and security management.
The most critical aspect of a WAN services contract is how the service provider supplies
troubleshooting, network management, and security management services. The WAN Domain
is where the fifth layer of defense is required. Table 1-5 lists the risks, threats, and vulnerabilities
found in the Internet segment of the WAN Domain and appropriate risk-lowering strategies.
Telecommunication service providers sell WAN connectivity services. Some providers
now also provide security management services. The following section presents WAN
connectivity risks, threats, and vulnerabilities and risk-reducing strategies.
Risks, Threats, and Vulnerabilities Commonly Found in the WAN Domain (Connectivity)
Telecommunications companies are responsible for building and transporting customer
IP traffic. Sometimes this IP traffic is bundled with dedicated Internet access, providing
shared broadband access organization wide. If organizations outsource their WAN
infrastructure, management and security must extend to the service provider. Organizations
must define security policies and needs for their managed security provider to put in place.
Table 1-6 lists the risks, threats, and vulnerabilities related to connectivity found in the
WAN Domain and appropriate risk-lowering strategies.
Table 1-6
Risks, threats, vulnerabilities, and mitigation plans for the WAN Domain (connectivity).
Risk, Threat, or Vulnerability | Mitigation
Commingling of WAN IP traffic on same service provider router and infrastructure | Encrypt confidential data transmissions through service provider WAN using VPN tunnels.
Maintaining high WAN service availability | Obtain WAN service availability SLAs. Deploy redundant Internet and WAN connections when 100 percent availability is required.
Maximizing WAN performance and throughput | Apply WAN-optimization and data-compression solutions when accessing remote systems, applications, and data. Enable access control lists (ACLs) on outbound router WAN interfaces in keeping with policy.
Using SNMP network-management applications and protocols maliciously (ICMP, Telnet, SNMP, DNS, etc.) | Create separate WAN network-management VLAN. Use strict firewall ACLs allowing SNMP manager and router IP addresses through the LAN-to-WAN Domain.
SNMP alarms and security monitoring 24×7×365 | Outsource security operations and monitoring. Expand services to include managed security.
Remote Access Domain
The Remote Access Domain connects remote users to the organization’s IT infrastructure.
Remote access is critical for staff members who work in the field or from home—for
example, outside sales reps, technical-support specialists, or health care professionals.
Global access makes it easy to connect to the Internet, e-mail, and other business
applications anywhere you can find a Wireless Fidelity (Wi-Fi) hotspot. The Remote Access
Domain is important to have, but dangerous to use. It introduces many risks and threats
from the Internet.
Today’s mobile worker depends on the following:
• Highly available cell-phone service—Mobile workers need cell-phone service
to get in touch with office and support teams.
• Real-time access for critical communications—Use of text messaging or IM chat
on cell phones provides quick answers to short questions and does not require users
to completely interrupt what they are doing.
• Access to e-mail from a mobile device—Integration of e-mail with cell phones,
smartphones, personal data assistants (PDAs) or BlackBerry devices provides
quick response to important e-mail messages.
• Broadband Wi-Fi Internet access—Some nationwide service providers now offer
Wi-Fi broadband access cards. They allow wireless access in major metro areas.
• Local Wi-Fi hotspot—Wi-Fi hotspots are abundant, including in airports, libraries,
coffee shops, and retailers. While most are free,...