Eleventh Hour CISSP
Study Guide
Second Edition

Eric Conrad
Seth Misenar
Joshua Feldman
Kevin Riggins, Technical Editor

AMSTERDAM BOSTON HEIDELBERG LONDON NEW YORK OXFORD PARIS SAN DIEGO SAN FRANCISCO SINGAPORE SYDNEY TOKYO
Syngress is an Imprint of Elsevier

Acquiring Editor: Chris Katsaropoulos
Editorial Project Manager: Benjamin Rearick
Project Manager: Mohana Natarajan
Designer: Alan Studholme

Syngress is an imprint of Elsevier
225 Wyman Street, Waltham, MA 02451, USA

Second edition 2014
Copyright © 2014, 2011 Elsevier Inc. All rights reserved.

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means electronic, mechanical, photocopying, recording or otherwise without the prior written permission of the publisher.

Permissions may be sought directly from Elsevier's Science & Technology Rights Department in Oxford, UK: phone (44) (0) 1865 843830; fax (44) (0) 1865 853333; email: . Alternatively you can submit your request online by visiting the Elsevier web site at http:/ selecting Obtaining permission to use Elsevier material.

Notice
No responsibility is assumed by the publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made.

Library of Congress Cataloging-in-Publication Data
Application Submitted

British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library

For information on all Syngress publications, visit our web site at

Printed and bound in USA

Author biography

Seth Misenar (CISSP, GIAC GSE, CompTIA CASP, GPEN, GCIH, GCIA, GCFA, GWAPT, GCWN, GSEC, MCSE, and MCDBA) is a Certified Instructor with the SANS Institute and coauthor of the SANS SEC528: SANS Training Program for the CompTIA Advanced Security Practitioner (CASP) Certification. Seth also serves as lead consultant for Jackson, Mississippi-based Context Security. Seth's background includes security research, network and Web application penetration testing, vulnerability assessment, regulatory compliance efforts, security architecture design, and general security consulting. He has previously served as a physical and network security consultant for Fortune 100 companies as well as the HIPAA and information security officer for a state government agency. Seth teaches a variety of courses for the SANS Institute, including Security Essentials, Advanced Web Application Penetration Testing, Hacker Techniques, and the CISSP and CASP courses. Seth is pursuing a Master of Science degree in information security engineering from the SANS Technology Institute and holds a Bachelor of Science degree from Millsaps College. Seth resides in Jackson, Mississippi, with his family, Rachel, Jude, and Hazel.

Eric Conrad (CISSP, GIAC GSE, GPEN, GCIH, GCIA, GCFA, GAWN, GSEC, GISP, CompTIA CASP, and Security+) is a partner with Backshore Communications, which provides information warfare, penetration testing, incident handling, and intrusion detection consulting services. He is also a Certified Instructor with the SANS Institute and coauthor of SANS Security 528: SANS Training Program for the CompTIA Advanced Security Practitioner (CASP) Certification. Eric's professional career began in 1991 as a UNIX systems administrator for a small oceanographic communications company. He gained information security experience in a variety of industries, including research, education, power, Internet, and healthcare, in roles ranging from systems programmer to security engineer to HIPAA security officer and ISSO. He has taught thousands of students in courses including SANS Management 414: CISSP, Security 560: Network Penetration Testing and Ethical Hacking, Security 504: Hacker Techniques, Exploits and Incident Handling, and others. Eric is a graduate of the SANS Technology Institute with a Master of Science degree in information security engineering. Eric currently lives in Peaks Island, Maine, with his family, Melissa, Eric, and Emma.

Joshua Feldman (CISSP, NSA IAM) has supported the Department of Defense Information Systems Agency (DISA), as a contractor working for SAIC, Inc., since 2002. He is a subject matter expert and training developer for DISA's cyber security mission. During his tenure, he has contributed to the DoD 8500 series, specifically conducting research and authoring sections of the DoD 8570.01-M, also known as the DoD IA Workforce Improvement Program. He is the program manager for DISA's Computer Network Defense training initiative (entitled "RaD-X") and has instructed well over 1000 students. He also is a subject matter expert for the Web-based Information Assurance awareness training every DoD user is required to take each year as part of their security awareness curriculum. He is a regular presenter and panel member at the Information Assurance Symposium, hosted by both DISA and NSA. Before joining the support team at DoD/DISA, Joshua spent time as an IT Security engineer working for the Department of State, Diplomatic Security. There, he traveled to embassies worldwide to conduct Tiger Team assessments of the security of each embassy. Joshua got his start in the IT Security field when he left his position teaching science for Montgomery County Public Schools, Maryland, and went to work for NFR Security Software. At the time, NFR was one of the
leading companies producing Network Intrusion Detection systems.

CHAPTER 1
Domain 1: Access Control

EXAM OBJECTIVES IN THIS CHAPTER
Cornerstone Access Control Concepts
Access Control Models
Access Control Defensive Categories and Types
Authentication Methods
Access Control Technologies
Assessing Access Control

INTRODUCTION
The purpose of access control is to allow authorized users access to appropriate data and deny access to unauthorized users. Access controls protect against threats such as unauthorized access, inappropriate modification of data, and loss of confidentiality.

CORNERSTONE INFORMATION SECURITY CONCEPTS
Before we can explain access control, we must define cornerstone information security concepts. These concepts provide the foundation upon which the 10 domains of the Common Body of Knowledge are built.

Confidentiality, integrity, and availability
Confidentiality, Integrity, and Availability are the "CIA triad," the cornerstone concept of information security. The triad, shown in Figure 1.1, forms the three-legged stool information security is built upon. The order of the acronym may change (some prefer "AIC," perhaps to avoid association with a certain intelligence agency), but the concepts are essential. This book will use the "CIA" acronym.

Confidentiality
Confidentiality seeks to prevent the unauthorized disclosure of information: it keeps data secret. In other words, confidentiality seeks to prevent unauthorized read access to data. An example of a confidentiality attack would be the theft of Personally Identifiable Information (PII), such as credit card information.

Integrity
Integrity seeks to prevent unauthorized modification of information. In other words, integrity seeks to prevent unauthorized write access to data.

CRUNCH TIME
There are two types of integrity: data integrity and system integrity. Data integrity seeks to protect information against unauthorized modification; system integrity seeks to protect a system, such as a Windows 2012 server operating system, from unauthorized modification.

Availability
Availability ensures that information is available when needed. Systems need to be usable (available) for normal business use. An example of an attack on availability would be a Denial-of-Service (DoS) attack, which seeks to deny service (or availability) of a system.

Disclosure, alteration, and destruction
The CIA triad may also be described by its opposite: Disclosure, Alteration, and Destruction (DAD). Disclosure is
the unauthorized disclosure of information; alteration is the unauthorized modification of data, and destruction is making systems unavailable. While the CIA acronym sometimes changes, the DAD acronym is shown in that order.

FIGURE 1.1 The CIA triad (labels: Confidentiality, Integrity, Availability).

Identity and authentication, authorization, and accountability
The term "AAA" is often used, describing cornerstone concepts Authentication, Authorization, and Accountability. Left out of the AAA acronym is Identification, which is required before the three "As" can follow.

Identity and authentication
Identity is a claim: if your name is "Person X," you identify yourself by saying "I am Person X." Identity alone is weak because there is no proof. You can also identify yourself by saying "I am Person Y." Proving an identity claim is called authentication: you authenticate the identity claim, usually by supplying a piece of information or an object that only you possess, such as a password or your passport.

Authorization
Authorization describes the actions you can perform on a system once you have identified and authenticated. Actions may include reading, writing, or executing files or programs.

Accountability
Accountability holds users accountable for their actions. This is typically accomplished by logging and analyzing audit data. Enforcing accountability helps keep "honest people honest." For some users, knowing that data is logged is not enough to provide accountability: they must know that the data is logged and audited and that sanctions may result from violation of policy.

Nonrepudiation
Nonrepudiation means a user cannot deny (repudiate) having performed a transaction. It combines authentication and integrity: nonrepudiation authenticates the identity of a user who performs a transaction and ensures the integrity of that transaction. You must have both authentication and integrity to have nonrepudiation: proving you signed a contract to buy a car (authenticating your identity as the purchaser) is not useful if the car dealer can change the price from $20,000 to $40,000 (violate the integrity of the contract).

Least privilege and need to know
Least privilege means users should be granted the minimum amount of access (authorization) required to do their jobs, but no more. Least privilege is applied to groups of objects. Need to know is more granular than least privilege: the user must need to know that specific piece of information before accessing it.

Subjects and objects
A subject is an active entity on a data system. Most examples of subjects involve people accessing data files. However, running computer programs are subjects as well. An object is any passive data within the system. Objects can range from databases to text files. The important thing to remember about objects is that they are passive within the system. They do not manipulate other objects.

Defense-in-depth
Defense-in-depth (also called layered defenses) applies multiple safeguards (also called controls: measures taken to reduce risk) to protect an asset. Any single security control may fail; by deploying multiple controls, you improve the confidentiality, integrity, and availability of your data.

ACCESS CONTROL MODELS
Now that we have reviewed the cornerstone access control concepts, we can discuss the different access control models: the primary models are Discretionary
Access Control (DAC), Mandatory Access Control (MAC), and nondiscretionary access control.

Discretionary access controls
Discretionary Access Control (DAC) gives subjects full control of objects they have been given access to, including sharing the objects with other subjects. Subjects are empowered and control their data. Standard UNIX and Windows operating systems use DAC for file systems: subjects can grant other subjects access to their files, change their attributes, alter them, or delete them.

Mandatory access controls
Mandatory Access Control (MAC) is system-enforced access control based on subjects' clearances and objects' labels. Subjects and objects have clearances and labels, respectively, such as confidential, secret, and top secret. A subject may access an object only if the subject's clearance is equal to or greater than the object's label. Subjects cannot share objects with other subjects who lack the proper clearance or "write down" objects to a lower classification level (such as from top secret to secret). MAC systems are usually focused on preserving the confidentiality of data.

Nondiscretionary access control
Role-Based Access Control (RBAC) defines how information is accessed on a system based on the role of the subject. A role could be a nurse, a backup administrator, a help desk technician, etc. Subjects are grouped into roles and each defined role has access permissions based upon the role, not the individual. RBAC is a type of nondiscretionary access control because users do not have discretion regarding the groups of objects they are allowed to access and are unable to transfer objects to other subjects.

Task-based access control is another nondiscretionary access control model, related to RBAC. Task-based access control is based on the tasks each subject must perform, such as writing prescriptions, restoring data from a backup tape, or opening a help desk ticket. It attempts to solve the same problem that RBAC solves, focusing on specific tasks instead of roles.

Rule-based access controls
A rule-based access control system uses a series of defined rules, restrictions, and filters for accessing objects within a system. The rules are in the form of "if/then" statements. An example of a rule-based access control device is a proxy firewall that allows users to surf the Web with predefined approved content only (if the user is authorized to surf the Web and the site is on the approved list, then allow access). Other sites are prohibited and this rule is enforced across all authenticated users.

Centralized access control
Centralized access control concentrates access control in one logical point for a system or organization. Instead of using local access control databases, systems authenticate via third-party authentication servers. Centralized access control can be used to provide Single Sign-On (SSO), where a subject may authenticate once, and then access multiple systems. Centralized access control can centrally provide the three "As" of access control: Authentication, Authorization, and Accountability.

Access control lists
Access control lists (ACLs) are used throughout many IT security policies, procedures, and technologies. An access control list is a list of objects; each entry describes the subjects that may access that object. Any access attempt by a subject to an object that does not have a matching entry on the ACL will be denied.

Access provisioning lifecycle
Once the proper access control model has been chosen and deployed, the access provisioning lifecycle must be maintained and secured. While many organizations follow best practices for issuing access, many lack formal processes for ensuring the entire lifetime of access is kept secure as employees and contractors move within an organization. IBM describes the following identity lifecycle rules:

"Password policy compliance checking
Notifying users to change their passwords before they expire
Identifying life cycle changes such as accounts that ar
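The access control models and ACL behaviour described in this chapter are easiest to compare when the decision logic is written out side by side. The block below is an added example and is not code from the book: a toy reference monitor in Python that enforces MAC (clearance versus label, no write down), DAC (only the owner may share an object), RBAC (permissions follow the role), the chapter's rule-based proxy "if/then" rule, and an ACL with default deny, while recording every decision in an audit log for accountability. The classification lattice, subjects, roles, objects and the approved-site list are all constructed for illustration.

```python
# Added example (not code from the book): a toy reference monitor that applies the
# access control models described in this chapter. All subjects, objects, labels,
# roles and the approved-site list below are constructed for illustration.
from dataclasses import dataclass, field

# --- Mandatory access control: an ordered classification lattice (constructed) ---
LEVELS = ["unclassified", "confidential", "secret", "top secret"]

def level(name: str) -> int:
    """Rank of a clearance or label, least sensitive first."""
    return LEVELS.index(name)

def mac_allows(clearance: str, label: str, action: str) -> bool:
    """System-enforced MAC: read only if clearance >= label; never write down
    (the Bell-LaPadula simple security and star properties, from which the
    chapter's 'no write down' rule comes)."""
    if action == "read":
        return level(clearance) >= level(label)
    if action == "write":
        return level(clearance) <= level(label)
    return False

# --- Discretionary access control with an ACL (default deny) -------------------
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)  # subject -> set of permitted actions

    def grant(self, granter: str, grantee: str, action: str) -> bool:
        """DAC: the owner may share the object; anyone else's grant is refused."""
        if granter != self.owner:
            return False
        self.acl.setdefault(grantee, set()).add(action)
        return True

    def allows(self, subject: str, action: str) -> bool:
        """ACL check: the owner has full control; other subjects need a matching
        entry, otherwise the access is denied."""
        return subject == self.owner or action in self.acl.get(subject, set())

# --- Role-based (nondiscretionary) access control ------------------------------
ROLE_PERMISSIONS = {
    "nurse": {"read_chart", "update_vitals"},
    "backup_admin": {"restore_backup"},
    "help_desk": {"open_ticket"},
}
SUBJECT_ROLES = {"alice": {"nurse"}, "bob": {"backup_admin", "help_desk"}}

def rbac_allows(subject: str, permission: str) -> bool:
    """RBAC: permissions follow the role, not the individual; a subject with
    no role gets nothing."""
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in SUBJECT_ROLES.get(subject, set()))

# --- Rule-based control: the chapter's proxy firewall 'if/then' rule -----------
WEB_AUTHORIZED = {"alice", "bob"}
APPROVED_SITES = {"example.com", "intranet.example"}

def proxy_rule_allows(subject: str, site: str) -> bool:
    """IF the user is authorized to surf the Web AND the site is on the approved
    list THEN allow; every other site is denied for all authenticated users."""
    return subject in WEB_AUTHORIZED and site in APPROVED_SITES

# --- Accountability: every decision is logged so it can be audited later -------
AUDIT_LOG: list = []

def decide(model: str, subject: str, obj: str, action: str, allowed: bool) -> bool:
    """Record the decision (model, who, what, which action, outcome) and return it."""
    AUDIT_LOG.append((model, subject, obj, action, "ALLOW" if allowed else "DENY"))
    return allowed

def demo() -> dict:
    """Run one allow and one deny decision per model; outcomes keyed by scenario."""
    chart = DacObject(owner="alice")
    chart.grant("alice", "bob", "read")            # the owner shares the object
    return {
        "mac_read_down": decide("MAC", "secret-user", "confidential-doc", "read",
                                mac_allows("secret", "confidential", "read")),
        "mac_write_down": decide("MAC", "ts-user", "secret-doc", "write",
                                 mac_allows("top secret", "secret", "write")),
        "dac_shared_read": decide("DAC", "bob", "chart", "read",
                                  chart.allows("bob", "read")),
        "dac_unshared_write": decide("DAC", "bob", "chart", "write",
                                     chart.allows("bob", "write")),
        "rbac_nurse_chart": decide("RBAC", "alice", "chart", "read_chart",
                                   rbac_allows("alice", "read_chart")),
        "rbac_nurse_restore": decide("RBAC", "alice", "backup", "restore_backup",
                                     rbac_allows("alice", "restore_backup")),
        "rule_approved_site": decide("RULE", "alice", "example.com", "browse",
                                     proxy_rule_allows("alice", "example.com")),
        "rule_other_site": decide("RULE", "alice", "unlisted.test", "browse",
                                  proxy_rule_allows("alice", "unlisted.test")),
    }

if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario:22s} {'ALLOW' if allowed else 'DENY'}")
```

Two design points worth noticing: every check is default deny (a subject with no ACL entry, no role, or no clearance gets nothing, which is least privilege in practice), and the MAC check cannot be overridden by an owner, whereas in DAC the owner alone decides who else gets in. The audit log is what turns these decisions into accountability; without it a denied or allowed access leaves no trace to analyze.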