241_SSCP_FM.qxd 1/22/03 4:55 PM Page i

Syngress knows what passing the exam means to you and to your career. And we know that you are often financing your own training and certification; therefore, you need a system that is comprehensive, affordable, and effective. Boasting one-of-a-kind integration of text, DVD-quality instructor-led training, and Web-based exam simulation, the Syngress Study Guide & DVD Training System guarantees 100% coverage of exam objectives.

The Syngress Study Guide & DVD Training System includes:

■ Study Guide with 100% coverage of exam objectives. By reading this study guide and following the corresponding objective list, you can be sure that you have studied 100% of the exam objectives.
■ Instructor-led DVD. This DVD provides almost two hours of virtual classroom instruction.
■ Web-based practice exams. Just visit us at www.syngress.com/certification to access a complete exam simulation.

Thank you for giving us the opportunity to serve your certification needs. And be sure to let us know if there's anything else we can do to help you get the maximum value from your investment. We're listening.

www.syngress.com/certification

Josh Jacobs, SSCP, CISSP
Lee Clemmer, SSCP, CISSP
Michael Dalton, SSCP, CISSP
Russ Rogers, CISSP
Jeffrey Posluns, SSCP, CISSP, Technical Editor

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively "Makers") of this book ("the Work") do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, "Career Advancement Through Skill Enhancement®," "Ask the Author UPDATE®," and "Hack Proofing®," are registered trademarks of Syngress Publishing, Inc. "Mission Critical™," and "The Only Way to Stop a Hacker is to Think Like One™" are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY    SERIAL NUMBER
001    FG3BV9UF7Y
002    K7QVNPV43A
003    5X829CT63C
004    A947FH8HY9
005    Z6T7PT25NR
006    BCE43TN8MS
007    G6AP3SH8XK
008    9MQ8N42DD7
009    SKEUU766BH
010    DF57ZWV24K

PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

SSCP Study Guide & DVD Training System
Copyright © 2003 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

ISBN: 1-931836-80-9

Technical Editor: Jeffrey Posluns
Cover Designer: Michael Kavish
Technical Reviewer: Tony Piltzecker
Page Layout and Art by: Shannon Tozier
Acquisitions Editor: Catherine B. Nolan
Copy Editor: Judy Eby
DVD Production: Michael Donovan
Indexer: Odessa&Cie

Distributed by Publishers Group West in the United States and Jaguar Book Group in Canada.

Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible.

Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Kevin Votel, Kent Anderson, Frida Yara, Jon Mayes, John Mesjak, Peg O'Donnell, Sandra Patterson, Betty Redmond, Roy Remer, Ron Shapiro, Patricia Kelly, Andrea Tetrick, Jennifer Pascal, Doug Reil, David Dahl, Janis Carpenter, and Susan Fryer of Publishers Group West for sharing their incredible marketing experience and expertise.

Duncan Enright, AnnHelen Lindeholm, David Burton, Febea Marinetti, and Rosie Moss of Elsevier Science for making certain that our vision remains worldwide in scope.

David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Darlene Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help and enthusiasm representing our product in Canada.

Lois Fraser, Connie McMenemy, Shannon Russell, and the rest of the great folks at Jaguar Book Group for their help with distribution of Syngress books in Canada.

David Scott, Annette Scott, Geoff Ebbs, Hedley Partis, Bec Lowe, and Mark Langley of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.

Winston Lim of Global Publishing for his help and support with distribution of Syngress books in the Philippines.

Contributors

Lee Clemmer (SSCP, CISSP, RHCE, CCNA, SGCE, SGCA, MCSE, CCSA, Sun Solaris Certified Engineer) is a Founder and Chief Security Consultant with Higher Ground Networks, LLC. His areas of expertise range from Internet penetration testing and security auditing to information security systems architecture. Headquartered in Atlanta, GA, Higher Ground Networks delivers technical and strategic information security expertise to clients in the southeastern United States. Lee's experience with Linux and various versions of UNIX, coupled with his depth of experience with Microsoft's offerings, makes him the firm's key resource for cross-platform security designs. Lee's background includes positions such as Senior Security Consultant with Kent Technologies, and Director of Secure Networks with Xcelerate Corp. Lee holds a bachelor's degree from the University of Georgia, and is a member of the ISSA, USENIX, and SAGE organizations.

Michael Dalton (SSCP, CISSP, CCNA, MCSE, CISA) is an Information Security Specialist with a Fortune 500 insurance benefits company in North America. Michael works in the Information Protection practice on the Compliance Review Team. His primary work responsibilities include Internet and extranet firewall reviews, Information Protection Systems Development Lifecycle (SDLC) application reviews, and external service provider security posture assessments. Michael holds a bachelor's degree from Central Connecticut State University and is an ISSA-CT and ISACA member. Michael currently resides in Weatouge, CT with his incredibly supportive wife, Kimberly, and two sons, Benjamin and John Clark.

Joshua G. Jacobs (SSCP, MCSA, MCP, A+) is the Technology Administrator for Reynolds, Bone & Griesbeck, PLC. He has an extensive background in systems administration as well as Web application design and development. Joshua provides support for the firm's network as well as client networks throughout the South. His specialties include security information management, Intranet development, firewall administration, policy development, and support for various operating systems including Novell NetWare, Windows 2000, and AIX. Joshua's recent work also includes Web application development and custom software scripting to automate application deployment. Joshua, his wife, Heather, and their two sons, Owen and Joshua II, live in Collierville, TN. He would like to thank his wife for her love and continuous support that made it possible for him to contribute to this book.

Russ Rogers (CISSP, IAM) is the President of Security Horizon, Inc. Security Horizon is a veteran-owned small business, based in Colorado Springs, CO, specializing in professional security services and training. It is one of only two companies with a Cooperative Research and Development Agreement (CRADA) with the National Security Agency (NSA) to teach their INFOSEC Assessment Methodology (IAM). Russ's background includes network vulnerability assessments, organizational assessments using the NSA IAM, security policy development, and training assessors on the IAM. His experience spans positions in military intelligence, system administration, security administration, commercial and Department of Defense assessments, and special security project development. Russ holds a master's degree in Computer Systems Management from the University of Maryland and is a member of the Information System Security Association (ISSA), International Who's Who in Information Technology, and the International Information Systems Security Certification Consortium (ISC)2, and is a regular contributor to the annual Black Hat Security conference.

Robert J. Shimonski (Security+, Sniffer SCP, Cisco CCDP, CCNP, Nortel NNCSS, MCSE, MCP+I, Master CNE, CIP, CIBS, CWP, CIW, GSEC, GCIH, Server+, Network+, i-Net+, A+, e-Biz+, TICSA, SPS) is the Lead Network Engineer and Security Analyst for Thomson Industries, a leading manufacturer and provider of linear motion products and engineering. One of Robert's responsibilities is to use multiple network analysis tools to monitor, baseline, and troubleshoot an enterprise network comprised of many protocols and media technologies. Robert currently hosts an online forum for TechTarget.com and is referred to as the "Network Management Answer Man," where he offers daily solutions to seekers of network analysis and management advice. Robert's other specialties include network infrastructure design with the Cisco and Nortel product line for enterprise networks. Robert also provides network and security analysis using Sniffer Pro, Etherpeek, the CiscoSecure Platform (including PIX Firewalls), and Norton's AntiVirus Enterprise Software. Robert has contributed to many articles, study guides and certification preparation software, Web sites, and organizations worldwide, including MCP Magazine, TechTarget.com, BrainBuzz.com, and SANS.org. Robert holds a bachelor's degree from SUNY, NY and is a part-time Licensed Technical Instructor for Computer Career Center in Garden City, NY, teaching Windows-based and Networking Technologies. Robert is also a contributing author for Configuring and Troubleshooting Windows XP Professional (Syngress Publishing, ISBN: 1-928994-80-6), BizTalk Server 2000 Developer's Guide for .NET (Syngress, ISBN: 1-928994-40-7), Sniffer Pro Network Optimization & Troubleshooting Handbook (Syngress, ISBN: 1-931836-57-4), MCSE Implementing and Administering Security in a Windows 2000 Network Study Guide & DVD Training System (Syngress, ISBN: 1-931836-84-1) and is Technical Editor for Security+ Study Guide & DVD Training System (Syngress, ISBN: 1-931836-72-8).

Norris L. Johnson, Jr. (Security+, MCSA, MCSE, CTT+, A+, Linux+, Network+, CCNA) is a technology trainer and owner of a consulting company in the Seattle-Tacoma area. His consultancies have included deployments and security planning for local firms and public agencies, as well as providing services to other local computer firms in need of problem solving and solutions for their clients. He specializes in Windows NT 4.0, Windows 2000, and Windows XP issues, providing consultation and implementation for networks, security planning, and services. In addition to consulting work, Norris provides technical training for clients and teaches for area community and technical colleges. He is co-author of Security+ Study Guide & DVD Training System (Syngress Publishing, ISBN: 1-931836-72-8), Configuring and Troubleshooting Windows XP Professional (Syngress, ISBN: 1-928994-80-6), and Hack Proofing Your Network, Second Edition (Syngress, ISBN: 1-928994-70-9). Norris has also performed technical edits and reviews on Hack Proofing Windows 2000 Server (Syngress, ISBN: 1-931836-49-3) and Windows 2000 Active Directory, Second Edition (Syngress, ISBN: 1-928994-60-1). Norris holds a bachelor's degree from Washington State University. He is deeply appreciative of the support of his wife, Cindy, and three sons in helping to maintain his focus and efforts toward computer training and education.

Jeremy Faircloth (Security+, CCNA, MCSE, MCP+I, A+) is a Senior IT Engineer for Gateway, Inc., where he develops and maintains enterprisewide client/server and Web-based technologies. He also acts as a technical resource for other IT professionals, using his expertise to help others expand their knowledge. As an analyst with over 10 years of real world IT experience, he has become an expert in many areas including Web development, database administration, enterprise security, network design, and project management. Jeremy is a contributor to several Syngress publications including Hack Proofing XML (ISBN: 1-931836-50-7), ASP.NET Developer's Guide (ISBN: 1-928994-51-2), and Security+ Study Guide & DVD Training System (ISBN: 1-931836-72-8). Jeremy currently resides in Dakota City, NE and wishes to thank Christina Williams and Austin Faircloth for their support in his various technical endeavors.

Michael Cross (Security+, MCSE, MCP+I, CNA, Network+) is an Internet Specialist and Programmer with the Niagara Regional Police Service, and has also served as their Network Administrator. He performs computer forensic examinations on computers involved in criminal investigations, and has consulted and assisted in cases dealing with computer-related/Internet crimes. He is responsible for designing and maintaining their Web site at www.nrps.com, as well as their Intranet. Michael programs applications used by various units of the Police Service, has been responsible for network security and administration, and continues to assist in this regard. Michael is part of an Information Technology team that provides support to a user base of over 800 civilian and uniform users. His theory is that when the users carry guns, you tend to be more motivated in solving their problems. Michael also owns KnightWare, a company that provides Web page design and various other services. In addition to this company, he has been a freelance writer for several years, and has published over three dozen

241_SSCP_indx.qxd 1/27/03 2:45 PM Page 613

Index

C
CAAT (Computer-Assisted Audit Tool), 179
canons, within code of ethics,
Carrier Sense Multiple Access/Collision Detect protocol (CSMA/CD protocol), 418
CBC (Cipher Block Chaining), 337, 347
CBK (common body of knowledge),
CCBs (Change Control Boards), 137
central logging facility (CLF), 177
centralized access control systems, 60
certificate authority (CA), 356
    IPSec protocol and, 455
certificate owners, 358
certificate policies, 361
Certificate Practice Statements (CPSs), 362
certificate revocation lists (CRLs), 363
certification (computer systems), 117
certifications (levels of expertise),
Certified Information Systems Auditor (CISA), 182
Certified Information Systems Security Professional (CISSP), 2,
CFB (Cipher Feedback), 348
chain of custody, for evidence, 305
chain of trust, 364
Challenge Handshake Authentication Protocol (CHAP), 433
Change Control Boards (CCBs), 137
change control/change management, 135–139
    maintaining documentation for, 241
Channel Service Unit (CSU), 424
CHAP protocol, 433
checklist audits, 198–201
checksums, 136
Chernobyl virus, 497
chosen plaintext attacks, 381
CIA triad. See confidentiality, integrity, availability
CIH/Chernobyl virus, 497
Cipher Block Chaining (CBC), 337, 347
Cipher Feedback (CFB), 348
ciphers, 326
ciphertext, 326
ciphertext-only attacks, 380
CISA (Certified Information Systems Auditor), 182
CISSP certification, 2,
Clark-Wilson formal access control model, 68
clean desk spot checks, 149
CLF (central logging facility), 177
click kiddies, 480
coaxial (coax) cable, 398
code, 481
    poor quality and, 523
    slag, 491
code of ethics,
Code Red worm, 498
cold sites, 279, 280
collecting data, 192–211
collisions, 328
common body of knowledge (CBK),
companion viruses, 485
compartment mode, 133, 134
compartments, 134
computer forensics, 300–313
    importance of careful evidence handling and, 311
Computer Security Incident and Response Team (CSIRT), 215
Computer-Assisted Audit Tool (CAAT), 179
concept virus, 505
confidential information, 142
confidentiality, 110
    access controls and, 37
    data communications and, 394
confidentiality, integrity, availability (CIA), 11, 110–112
    auditing and, 180
    encryption and, 328
configuration management, 11
confusion operations, 335
connection-oriented vs. connectionless protocols, 427
contact lists, 238–240
container files, 330
containment of incidents, 298
contingency plans, 268
continuous audit, 176, 211
control mechanisms/policies, 123
control types, 13, 178
controlling access. See access controls
copper cable, 398
copy backups, 274
corporate information security policies, 146
corrective access control policies, 57
cost/benefit analyses, 265
covert channels, 132
CPSs (Certificate Practice Statements), 362
crackers, 479
CRC errors, 436
crime scene analysis, 292
crime scene technicians, 305
CRLs (certificate revocation lists), 363
cryptanalysis, 326
crypto, 326
cryptographic attacks, 380–382
cryptography, 20–22, 325–391
    specialty areas of (list), 20
    standards and protocols for, 366
    See also encryption
cryptography domain, 20–22
cryptovariables. See keys
CSIRT (Computer Security Incident and Response Team), 215
CSMA/CD protocol, 418
CSU/DSU (Channel Service Unit/Data Service Unit), 424
cybercriminals, 479
cyclic redundancy check (CRC), 307

D
DAC model, 63, 113
    viewing on UNIX (exercise), 114
data abstraction, 141
data caches, managing, 72
data classification, 11, 142, 147
data collection, 192–211
data communications, 23–25, 393–476
    specialty areas of (list), 23
Data Encryption Standard Algorithm (DES), 334
data extraction, 195
data file viruses, 486
data hiding, 142
data/information system attacks, 11
Data Link layer, 401
data protection mechanisms, 140
data recovery software, 309
data reduction and analysis facility, 194
Data Service Unit (DSU), 424
DDoS attacks, 510
decentralized access control systems, 60
decimal numbering system, 417
decryption, 326
Delta CRLs, 363
Demilitarized Zones (DMZs), 441–443
denial of service attacks (DoS attacks), 78, 510–519
    SYN floods and, 460, 513
deregistering keys, 376
DES algorithm, 334
DES secret key, 331
detection of incidents, 296–298
detective access control policies, 57
developers
    principle of least privilege and, 108
    separation of duties and, 123
development groups, involvement with, 119–121
dictionary attacks, 73
differential backups, 274
Diffie-Hellman algorithm, 331
diffusion operations, 335
digital certificates, 6, 356–363
    exercise for, 361
    expiration of, 373
    revoking, 362
Digital Signature Algorithm (DSA), 333
Digital Signature Standard (DSS), 333
digital signatures, 136, 350
    IPSec protocol and, 455
disaster recovery plans, 15, 268, 270–282
    specialty areas of (list), 17
discrete logarithms, 332
discretionary access control model (DAC model), 63, 113
    viewing on UNIX (exercise), 114
Distributed DoS attacks (DDoS attacks), 510
DMZs (Demilitarized Zones), 441–443
DNS DoS attacks, 512
DNS spoofing, 521
documentation
    for incident investigation, 292
    change control, 241
    role played in security, 235–237
domains (areas of knowledge), 2,
    CISSP certification,
    SSCP, 5–27
DoS attacks. See denial of service attacks
dry runs, in business continuity/disaster recovery plans, 242
DSA (Digital Signature Algorithm), 333
dsniff tool, 437
DSS (Digital Signature Standard), 333
DSU (Data Service Unit), 424
dual keys, 377
dumpster diving, 478

E
EBCDIC (Extended Binary-Coded Decimal Interchange Code), 407
ECB (Electronic Code Book), 337, 349
education, role played in security, 235–237
electromagnetic interference (EMI), 400
Electronic Code Book (ECB), 337, 349
EMI (electromagnetic interference), 400
employment agreements, 145
employment policies/practices, 11, 144–148
encapsulating security payload protocol (ESP), 454
EnCase data recovery software, 310
    for evidence collection (exercise), 312
encryption, 326, 342–379
    algorithms for, 330–342
    goals of, 328
    link, 402
    Presentation layer and, 407
    sniffing attacks and, 458
    See also cryptography
enhanced hubs, 400, 437
enterprise authentication, 45–52
environmental risks and threats, 132, 247
eradication of incidents, 298
escrow, for keys, 371–373
ESP protocol, 454
Ethernet, 417–419
event monitoring, 215
evidence, 305–313
    collecting/preserving, 307–313
        exercise for, 312
    importance of care when handling, 311
evidence files, 307
examinations, 2,
    study resources for, 27
exclusive OR (XOR), 343
exercises
    access control objects, 34–36
    alternate sites for business operations, 281
    ARO, determining, 266
    ARP spoofing, 438
    binary math with XOR, 343–345
    brute force attacks, cracking, 74–77
    DAC model, viewing on UNIX, 114
    data recovery software, 312
    digital certificates, 361
    evidence, collecting/preserving, 312
    FTP, cracking with sniffing tool, 529–531
    NT password hashes, cracking, 339–341
    Ping of Death attack, 515
    risk management, 234, 252–254
    security checklist audit, 199–201
    virus reports, creating, 486–491
    volatile data in memory, viewing for incident investigation, 291
    wardialers, using, 207
exploits, 497–525
Extended Binary-Coded Decimal Interchange Code (EBCDIC), 407
external auditors, 185–188

F
factors of authentication, 45
false positives/false negatives, 44
Fiber Distributed Data Interface (FDDI), 422–424
fiber-optic cable, 399
file formats, Presentation layer and, 407
file integrity monitors, 136
FIN scans, 405, 535
firewalls, 435, 440–447
    packet filtering, 443
    screened host, 444
    screened subnet with DMZ, 445
first responders, 302–304
forensically sterile media, 308
forensics, 300–313
formal access control models, 67
fraggle attacks, 515
fragmentation attacks, 518
frames, 419–422
full backups, 274

G
Generalized Audit Software (GAS), 179
GFI Software, 14
GFS (Grandfather-Father-Son) rotation, for backups, 275
giants (frame errors), 436
Grandfather-Father-Son (GFS) rotation, for backups, 275
gray hats, 480
guidelines, 185

H
hackers, 479–481
half scans, 535
hardware-based tokens,
hardware segmentation, 139
hash values, 337
hashing, 337
    NT password hashes, cracking (exercise), 339–341
hashing algorithm functions, 337–339
heap overflows, 523
hexadecimal numbering, 417
high security mode, 140
hiring processes, 144
host-based IDSs, 136, 213, 451
hosting service providers (HSPs), 188
hot sites, 279
HSPs (hosting service providers), 188
HTTP over SSL protocol (HTTP/S protocol), 431
hubs, 400, 437
hybrid keys, 353

I
I Love You virus, 492, 499, 503–505
IAM (INFOSEC Assessment Methodology), 129
IANA (Internet Assigned Numbers Authority), 441
ICMP floods, 515
IDEA (Integrated Development Environment Application), 179
IDEA (International Data Encryption Algorithm), 179, 337
identification, as access control objective, 33
IDS. See intrusion detection systems
IEEE standards
    802.11 (wireless networking), 397
    802.3 (Ethernet), 417–419
    802.5 (token ring), 419
IKE (Internet Key Exchange), 454
illegal/inappropriate activities, 14
incident investigation, 15, 282–300
    specialty areas of (list), 16
    steps in, 294–300
    tools for, 285–294
    viewing volatile data in memory (exercise), 291
incident response policies, 287
incidents, 282
    investigating. See incident investigation
incremental backups, 274
infected system, recognizing symptoms of, 482
information/data, 11, 394
information security (IS),
INFOSEC Assessment Methodology (IAM), 129
Integrated Development Environment Application (IDEA), 179
Integrated Services Digital Network (ISDN), 426
integrity, 38, 111
    audit trails and, 196–198
internal auditors, 185–188
internal validation, 243
International Data Encryption Algorithm (IDEA), 179, 337
International Information Systems Security Certification Consortium (ISC)2,
International Organization for Standardization (ISO), 394
Internet Assigned Numbers Authority (IANA), 441
Internet Key Exchange (IKE), 454
Internet Protocol (IP), 427–429
    Network layer and, 402
Internet Protocol Security. See IPSec protocol
Internet Worm (1988), 492
Internet, as example of WAN, 424
intrusion detection systems (IDSs), 14, 212–214, 435, 451
    attacks on, 459
    host-based, 136, 213, 451
    network-based, 213
investigators, 302, 304
    See also incident investigation
IP (Internet Protocol), 427–429
    Network layer and, 402
IP fragmentation, 458
IP spoofing, 520
IPCONFIG/IFCONFIG tools, 289
IPSec protocol, 454
    Diffie-Hellman algorithm and, 332
    Transport layer and, 405
IS (information security),
(ISC)2 (International Information Systems Security Certification Consortium),
(ISC)2 code of ethics,
ISDN network, 426
ISO (International Organization for Standardization), 394

J
JP Hide and Seek, 330

K
KDCs (key distribution centers), 353
Kerberos, 47–50
kernel audit mechanism, 192
key distribution centers (KDCs), 353
key exchange, 331–334
key pairs, 330
    lifecycle of, 368–379
    multiple, 377
key revocation, 354
key space, 354
keys, 326, 352–355
    destroying, 376
    expiration of, 373
    lifecycle of, 368–379
    long, 377
    managing, 353
    public/private, 330, 352, 369–371
    recovering from storage, 374
    renewing or updating, 375
    revoking, 373
    selecting, problems with, 354
    single vs. multiple, using, 376
killer packets, 514
Klez worm, 498, 499
knowledge bases, 238
known plaintext attacks, 380
kruptos, 326

L
L2TP protocol, 453
LAND attacks, 514
LANMAN hashes, 341
LANs (Local Area Networks), 408–424
large packet pings, 514
law enforcement, 301
Layer 2 Tunneling Protocol (L2TP), 453
layered design, for data protection, 141
layouts, 409–416
least privilege, 107–109
    vs. separation of duties, 122
levels of access,
lifecycle
    of keys, 368–379
    of security, 115–117
    System Development Life Cycle (SDLC), 187
link encryption, 402
link viruses, 486
LLC frames, 420
Local Area Networks (LANs), 408–424
locality, 364
log analysis, 292
log watching, 214
logging, 38–40, 177
    audit trails and, 196–198
logic bombs, 131, 484, 491
logical access control, 329
logical/technical access control policy implementations, 59
long keys, 377
Loose Source Record Route (LSRR), 519
Lucifer algorithm, 334

M
MAC (mandatory access control), 64, 112
    data classification and, 142
MAC address
    ARP protocol and, 402, 521
    Data Link layer and, 401
    NICs and, 436
MAC frames, 420
MAC layer, 422
macro viruses, 484
malicious code/malware, 25–27, 130, 477–548
    specialty areas of (list), 26
malware/malware exploits, 481, 497–509
management, ensuring cooperation from, 154
mandatory access control (MAC), 64, 112
    data classification and, 142
Man-in-the-Middle attacks (MITM attacks), 79, 381
    sniffing and, 458
master boot record (MBR), 484
MD4 (Message Digest 4), 338
MD5 (Message Digest 5), 338
media, 24
    forensically sterile, 308
    retention periods for, 196
Melissa virus, 498, 499–503
mesh topology, 415
Message Digest (MD4), 338
Message Digest (MD5), 338
methods of access,
Michelangelo virus, 484
MIME (Multi-Purpose Internet Mail Extensions), 429
misuse detection, 213
MITM attacks, 79, 381
    sniffing and, 458
MLS mode, 133, 134
modem scanners, 206
modems, 527
modes, for block ciphers, 346
monitoring, 9, 12–14, 82–85, 175–228
    event, 215
    methods/mechanisms for, 211–215
    specialty areas of (list), 13
    See also auditing
MP3Stego, 330
multi-partite viruses, 485
multifactor authentication, 104
multilevel secure (MLS) mode, 133, 134
multiple key pairs, 377
Multi-Purpose Internet Mail Extensions (MIME), 429

N
NAT (Network Address Translation), 440
National Institute of Standards and Technology (NIST), 333
Navajo code talkers, 329
NDAs (non-disclosure agreements), 146
    termination policies and, 147
NETSTAT tool, 290
Network Address Translation (NAT), 440
network-based IDSs, 213, 451
network devices, 435–452
Network Interface Cards (NICs), 436
Network layer, 402
network operating systems (NOSs), 14
network protocols. See protocols
network resources, attacks against, 455–461
Network Security Scanner, 14
network topologies, 24
networking exploits, 509–522
    social engineering and, 526
nibbles, 417
NICs (Network Interface Cards), 436
Nimda worm, 498, 505–507
NIST (National Institute of Standards and Technology), 333
Nmap port scanner, 532
non-compete/non-disclosure agreements, 146
    termination policies and, 147
non-discretionary access control, 65
non-repudiation, 328
    IPSec protocol and, 455
    time stamps and, 49
NOSs (network operating systems), 14
NSLOOKUP tool, 290
NT password hash, cracking (exercise), 339
numbering systems, 417

O
OFB mode, 350
offsite storage, for backups, 278
one-way hashes, 337
OOB attacks, 524
Open Systems Interconnection (OSI), 394
    See also OSI model
Orange Book, 190
OSI (Open Systems Interconnection), 394
OSI model, seven layers of, 394–408
out-of-band attacks (OOB attacks), 524
Output Feedback mode (OFB mode), 350
overflow attacks, 523

P
packet collisions, 401
packet filtering firewalls, 443
Packet Internet Groper (PING) tool, 290
packet storms, 517
packets
    Network layer and, 402
    reset, 405
PAP protocol, 433
parallelizing encryption operations, 347
parasitic viruses, 485
passive/active network attacks, 456
Password Authentication Protocol (PAP), 433
passwords
    administering, 7, 52–56
    auditing, 55
    authentication for, 40–42
    keeping available in emergencies, 296
    managing, 6, 54
    selecting, 52
    using to generate long keys, 377
PAT (Port Address Translation), 442
pattern recognition, 213
PDUs (Protocol Data Units), 518
penetration testing, 85–87, 201–206
    auditors and, 187
    tools for, 204
permissions, determining, 70
permutation operations, 335
PGP (Pretty Good Privacy), 333
    PKI and, 356
phreakers, 480
PHY layer, 422
physical access, 132
    control policy implementation for, 59
Physical layer, 396–401
Physical Medium Dependent (PMD), 422
physical security, 328
ping floods, 515
Ping of Death attacks, 514
ping storms, 515
PING tool, 290
PKCS (Public Key Cryptography Standards), 366
PKDS (Public Key Distribution Systems), 333
PKE (Public Key Encryption), 333
PKI (public key infrastructure), 355–358
plaintext, 326
plaintext attacks, 380, 381
plans
    business continuity, 268–271
    contingency, 268
    disaster recovery, 268, 270–282
PMD (Physical Medium Dependent), 422
PMD layer, 422
points of entry, 443
Point-to-Point Protocol (PPP), 434
Point-to-Point Tunneling Protocol (PPTP), 452
policies, 144–148, 185
    employment, 144–148
    implementations of for access controls, 58
    as tool for incident investigation, 285–289
polymorphic viruses, 484
Port Address Translation (PAT), 442
port scanning, 532–535
port scans, 403–405
ports, 532
PPP protocol, 434
PPTP protocol, 452
Presentation layer, 406
Pretty Good Privacy (PGP), 333
    PKI and, 356
preventive access control policies, 56
primary data, collecting, 196
principle of least privilege, 107–109
    vs. separation of duties, 122
private branch exchange attacks, 460
private keys, 331, 352
    protecting, 371
    storing, 369–371
privilege elevation logs/audit trails, 39
processing integrity, certifying, 121
ProDiscover data recovery software, 310
products. See tools
program viruses, 484
programming language code, 481
    poor quality and, 523
proof of concept viruses, 509
Protocol Data Units (PDUs), 518
protocols, 24, 427–435
    at Application layer, 407
    authentication, 433
    connection-oriented vs. connectionless, 427
    at Network layer, 403
    remote access, 434
    at Session layer, 406
    token ring, 419–424
    at Transport layer, 403
    types of, 427
proxy servers, 449
public information, 143
Public Key Cryptography Standards (PKCS), 366
Public Key Distribution Systems (PKDS), 333
public key encryption, 330–333
    IPSec protocol and, 455
public key infrastructure (PKI), 355–358
public keys, 330, 352
    encryption and, 455

Q
QAZ Trojan horse, 495
quality assurance (QA), 119
quality of service (QoS), 120

R
RA (registration authority), 356
radio frequency interference (RFI), 400
RADIUS (Remote Authentication Dial-In User Service), 51, 449
random numbers, caution with, 378
RBAC (role-based access control), 113
reconnaissance attacks, 528–535
recovery from incidents, 299
reference monitors, 140
registration authority (RA), 356
remote access authentication, 50–52
remote access protocols, 434
Remote Authentication Dial-In User Service (RADIUS), 449
removable media, securing, 72
repeaters, 401
replay, 49
reporting mechanisms, 13
research
    into antivirus protection, 537
    into risk, 256
reset (RST) packets, 405
resources for further reading
    code of ethics/canons,
    DNS spoofing, 521
    fragmentation attacks, 518
    intrusion detection systems, 213
    scorecards, 212
    social engineering, 526
    study resources, 27
    Trojan horses, 497
    viruses, 484, 509
    white-hat hacking, 480
    wireless network security, 209
restoring data backups, 276
retention periods, for media, 196
revoking digital certificates, 362
RFI (radio frequency interference), 400
rights/permissions, determining, 70
Rijndael algorithm, 336
ring purges, 421
risk assessment, 125–129
    business impact assessments and, 269
    security management planning and, 151
risk management, 15–20, 229–324
    exercises for, 234, 252–254
    identifying/analyzing risk, 257–266
    mitigating risk, 254–268
    safeguards against risks, 256, 264–266
    specialty areas of (list), 16–19
    steps in/cycle, 231–234
    types of risks and threats, 245–254
        accidental, 251
        deliberate, 247–251
        environmental, 247
risk, response, and recovery domain, 15–20
role-based access control (RBAC), 113
roles/responsibilities, 11
ROT-13 (Rotate 13), 327
rotating schemes for backups, 274
ROUTE tool, 290
routers, 447
    Network layer and, 402
RSA algorithm, 332
RSA Security (vendor), 333
RST packets, 405
runts (frame errors), 436

S
S/MIME (Secure Multi-Purpose Internet Mail Extensions), 430
SafeBack data recovery software, 309
safeguards against risks, 256, 264–266
sampling, 195
SBU (Sensitive But Unclassified), 149
scanning, 532–535
scans
    FIN, 405
    port, 403–405
    stealth port, 404
SCM applications, 137
scorecards, 212
screened host firewalls, 444
screened subnet firewalls with DMZ, 445
script kiddies, 480
SDLC (System Development Life Cycle), 187
Secret classification, 142
secret key encryption, 333
    algorithms for, 333–337
Secure Electronic Transaction (SET), 432
Secure Hash Algorithm (SHA), 338, 339
Secure Hash Standard (SHS), 333
Secure Multi-Purpose Internet Mail Extensions (S/MIME), 430
Secure Shell (SSH), 333, 453
Secure Socket Layer (SSL), 431
security, 110–112
    education/documentation, role played in, 235–237
    functionality of, certifying, 120
    identifying costs, benefits, feasibility for, 153
    importance of awareness and, 148–150
    lifecycle of, 115–117
    management planning for, 150–154
    Web browsers and, 536
security administration, 9–12, 101–174
    principles of, 103–109
    specialty areas of (list), 10
security administrators, separation of duties and, 124
security architecture, 11
security assessments, 153
security audits, 13, 181–190
    See also auditing
security checklist audit (exercise), 199–201
security incidents, investigating. See incident investigation
security plan, developing, 152
security policies
    corporate information, 146
    developing, 152
    tools for, 139
security risks
    Application layer and, 408
    Data Link layer and, 402
    Physical layer and, 396
    Transport layer and, 403
segregation of duties. See separation of duties
self-synchronizing stream ciphers, 346
Sensitive But Unclassified (SBU), 149
separation of duties, 68, 122–125, 144, 177
    vs. principle of least privilege, 122
Serial Line Internet Protocol (SLIP), 435
service identification, 532
Service Level Agreements (SLAs), 120
session hijacking, 458
Session layer, 405
SET (Secure Electronic Transaction), 432
SHA (Secure Hash Algorithm), 338, 339
SHA-1, 339
shielded twisted pair (STP), 399
SHS (Secure Hash Standard), 333
SHS hashing algorithm, 333
signaling, 418
signature-based pattern recognition, 213
simple CRLs, 363
single CA models, 364
single keys, 377
Single Loss Expectancy (SLE), 263
Single Sign-On (SSO), 45–47
sites, alternates for business operations, 279
    exercise for, 281
SkipJack, 337
slag code, 491
SLAs (Service Level Agreements), 120
SLE (Single Loss Expectancy), 263
SLIP protocol, 435
smart cards,
SMEs (subject matter experts), 122
SMT layer, 422
smurf attacks, 516
sniffing, 80–82, 456–458, 528–531
    exercise for, 529–531
SNMP exploits, 518
Snoop sniffing tool, 528
snork attacks, 517
Snort sniffing tool, 528
social engineering, 210, 249, 525–527
software configuration management (SCM) applications, 137
software. See tools
something you are authentication, 43, 105
something you have authentication, 42, 105
something you know authentication, 40–42, 105
source routing attacks, 519
spamming, 81
spoofing, 49, 78, 456, 520–522
SSCP certification, 1, 3–28
    examination for, 2,
SSCP domains, 5–27
SSH (Secure Shell), 333, 453
SSL (Secure Socket Layer), 431
SSO (Single Sign-On), 45–47
stack overflows, 523
standards, 185
star topology, 409–411
stateful inspection, 446
stateful inspection firewalls, overflow attacks and, 524
stealth port scans (SYN scans), 404
steganalysis, 330
steganography, 329
Steganos Security Suite, 330
StegDetect, 330
STP (shielded twisted pair), 399
stream ciphers, 346 study resources, 27 subject matter experts (SMEs), 122 SubSeven trojan, 495 substitution operations, 335 switches, 400, 437 symmetric encryption, 333 symmetric encryption algorithms, 333–337 SYN attacks, 512–514 SYN floods, 459, 513 SYN scans (stealth port scans), 404 synchronization attacks (SYN attacks), 512–514 synchronous ciphers, 346 system accountability, 103 system architecture, access control modes of operation and, 133–135 623 System Development Life Cycle (SDLC), 187 system events, 195 system high mode, 133, 134 system security architecture, 139–144 Systems Security Certified Practitioner See SSCP certification T TACACS (Terminal Server Controller Access Control Systems), 51, 450 TACACS+ (Terminal Server Controller Access Control Systems Plus), 450 target enumeration locating, 532 target identification, 532 TCP protocol, 429 TCP session hijacking, 458 TCP/IP DoS attacks and, 511–519 source routing and, 519 TCPDump sniffing tool, 528 teardrop attacks, 517 Terminal Server Controller Access Control Systems (TACACS), 450 Terminal Server Controller Access Control Systems Plus (TACACS+), 450 termination policies, 147 testing by penetration attempts, 85–87 operational, 121 of plans, 241 thicknet coax cable, 398, 399 thinnet coax cable, 398 threats, 126, 151 See also attacks; incident investigation; risk management time bombs, 484 TLS (Transport Layer Security), 431 token passing, 421 token ring, 414, 419–424 tokens, 419 hardware-based, 241_SSCP_indx.qxd 624 1/27/03 2:45 PM Page 624 Index tools, antivirus software, 535–537 for auditing, 179 for data recovery, 309 for developing security policies, 139 dsniff, 437 for sniffing, 528 for penetration testing, 204 tracing, 289–291 Top Secret classification, 142 topologies, 409–416 tracert command, 402 TRACERT/TRACEROUTE tools, 291 tracing tools, 289–291 training, for security awareness, 150, 235–237 transaction logs, 38 transference of risk, 256 transitive trust, 364 Transmission Control Protocol 
(TCP), 429 Transport layer, 403–405 Transport Layer Security (TLS), 431 transport mode, IPSec protocol and, 455 tree topology, 412–414 trend analysis, 215 triggers, 195 Triple DES algorithm, 335 Trojan horses, 130, 493–497 prevention/response for, 508 sniffing and, 528 trust models, 364 tunnel mode, IPSec protocol and, 455 twisted-pair copper cable, 398 U UDP (User Datagram Protocol), 517 UDP bombs/UDP packet storms, 517 UDP snork attacks, 517 unclassified information, 143 UNIX, viewing DAC on (exercise), 114 unshielded twisted pair (UTP), 399 user authentication See authentication User Datagram Protocol (UDP), 517 users principle of least privilege and, 107 security awareness and, 148–150 social engineering and, 210 utilities See tools UTP (unshielded twisted pair), 399 UTP/STP, 399 V validation, 243–245 vampire taps, 399 virtual LANs (VLANs), 439 Virtual Private Networks (VPNs), 452–455 virus definition files, 484 virus hoaxes, 484 viruses, 130, 483–491 mutating, 484 prevention/response for, 508 proof of concept, 509 types/categories of, 484, 485 virus reports, creating, 486–491 VLANs (virtual LANs), 439 VPNs (Virtual Private Networks), 452–455 vulnerabilities, 126, 130–132 assessing, 242 See also risk management W WANs (Wide Area Networks), 424–427 war chalking, 209 wardialing, 206–209, 460 wardriving, 209 warm sites, 279 Web browsers, security and, 536 web sites acronyms, 22 cryptography, history of, 327 dsniff tool, 437 EnCase software, 312 (ISC)2, knowledge bases, 238 Navajo code talkers project, 329 241_SSCP_indx.qxd 1/27/03 2:45 PM Page 625 Index penetration testing tools and methodologies, 85 study resources, 27 viruses, 509 white hats, 480 Wide Area Networks (WANs), 424–427 wireless access points, 209 wireless networking, 397 wardriving and, 209 worms, 131, 491 prevention/response for, 508 X X.25 packet-switching technology, 426 X.509 standard, 50, 359 XOR, 343 binary math with (exercise), 343–345 Z zombies, 510 625 241_SSCP_indx.qxd 1/27/03 2:45 PM Page 
SYNGRESS STUDY GUIDES & DVD TRAINING SYSTEMS

AVAILABLE NOW! ORDER at www.syngress.com/certification
Security+ Study Guide & DVD Training System
The Security+ Study Guide & DVD Training System is a one-of-a-kind integration of text, DVD-quality instructor-led training, and Web-based exam simulation and remediation. This system gives you 100% coverage of the official CompTIA® Security+ exam objectives plus test preparation software for the edge you need to pass the exam on your first try.
ISBN: 1-931836-72-8
Price: $59.95 USA / $92.95 CAN

AVAILABLE NOW! ORDER at www.syngress.com/certification
MCSE/MCSA Implementing & Administering Security in a Windows 2000 Network Study Guide & DVD Training System
The MCSE/MCSA Implementing & Administering Security in a Windows 2000 Network Study Guide & DVD Training System (Exam 70-214) is a one-of-a-kind integration of text, DVD-quality instructor-led training, and Web-based exam simulation and remediation. This system gives you 100% coverage of the official Microsoft Exam 70-214 objectives plus test preparation software for the edge you need to pass the exam on your first try.
ISBN: 1-931836-84-1
Price: $59.95 USA / $92.95 CAN

Watch for our Study Guide & DVD Training Systems for Microsoft Certification! Coming June 2003.

AVAILABLE JUNE 2003! ORDER at www.syngress.com/certification
MCSE Installing, Configuring, and Administering Microsoft Windows XP Professional (Exam 70-270) Study Guide & DVD Training System
A fully integrated (Study Guide/Online Exam/DVD) learning system guaranteed to deliver 100% coverage of Microsoft's learning objectives for MCSE Exam 70-270, one of the core requirements for MCSE/MCSA certification.
ISBN: 1-931836-95-7
Price: $59.95 USA / $92.95 CAN

www.syngress.com/certification