Category: Networking and Security

2009-06-24 15:45:06

APPENDIX
 
Several Organizations
1,NSA (National Security Agency)
2,NIST (National Institute of Standards and Technology)
3,NCSC (National Computer Security Center)
4,ISO (International Organization for Standardization)
5,ANSI (American National Standards Institute)
6,IEEE (Institute of Electrical and Electronics Engineers)
 
Chapter 1 Becoming a CISSP
 
The CISSP exam covers ten domains:
1,Access Control Systems and Methodology
2,Telecommunications and Network Security
3,Security Management Practices
4,Applications and Systems Development Security
5,Cryptography
6,Security Architecture and Models
7,Operations Security
8,Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP)
9,Laws, Investigation, and Ethics
10,Physical Security
 
The topics covered across the ten domains are:
Access control security models
Identification and authentication technologies and techniques
Access control administration
OSI model and layers
LAN, MAN, and WAN technologies
Internet, intranet, and extranet issues
VPNs, firewalls, routers, bridges, and repeaters
Network topologies and cabling
Data classification
Policies, procedures, standards, and guidelines
Risk assessment and management
Personnel security, training, and awareness
Data warehousing and data mining
Various development practices and their risks
System storage and processing components
Malicious code
Symmetric versus asymmetric algorithms and their uses
Public key infrastructure (PKI) and hashing functions
Encryption protocols and implementation
Operating states, kernel functions, and memory mapping
Security models, architectures, and evaluations
Evaluation criteria: Trusted Computer System Evaluation Criteria (TCSEC), Information Technology Security Evaluation Criteria (ITSEC), and Common Criteria
Common flaws in applications and systems
Certification and accreditation
Administrative responsibilities pertaining to personnel and job functions
Maintenance concepts of antivirus, training, auditing, and resource protection activities
Preventive, detective, corrective, and recovery controls
Standards, compliance, and due care concepts
Security and fault tolerance technologies
Business resource identification and value assignment
Business impact analysis and prediction of possible losses
Unit priorities and crisis management
Plan development, implementation, and maintenance
Types of laws, regulations, and crimes
Licensing and software piracy
Export and import laws and issues
Evidence types and admissibility in court
Incident handling
Restricted areas, authorization methods, and controls
Motion detectors, sensors, and alarms
Intrusion detection
Fire detection, prevention, and suppression
Fencing, security guards, and security badge types
 
Chapter 2 Security Trends
 
The chapter opens with examples showing that security has become an issue and how it affects nations and companies, then introduces the Internet and web activities.
 
DMZ (demilitarized zone)
Architectures for web services:
1,Web servers connected directly to the database
2,Two-tier architecture: a server farm and back-end databases
3,Three-tier architecture: a front-end server farm, middle servers running middleware software, and back-end databases
 
Database roles: operators, accounting, administrators
 
Microsoft Data Access Components (MDAC)
An attacker reaches the database by sending a malicious ODBC request to the IIS web server, which hands it down through the MDAC components:
Attacker --> IIS web server --> Microsoft Data Access Components --> Remote Data Service (RDS) --> DataFactory object --> Database
 
The vulnerabilities in web-based activities:
Incorrect configurations at the firewall
Web servers that are not hardened or locked down and are open to attacks on the operating system or applications
Middle-tier servers that do not provide the right combination and detail of security necessary to access back-end databases in a controlled manner
Databases and back-end servers that accept requests from any source
Databases and back-end servers that are not protected by another layer of firewalls
Failure to run an IDS to watch for suspicious activity
Failure to disable unnecessary protocols and services on computers
Failure to keep the computers patched and up to date
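Two items in that list (unnecessary services left enabled, and back-end servers reachable from any source) are caught by the same check: scan the perimeter hosts and compare what actually answers against the ports the policy allows. The following is an added example, not code from the original notes or from the CISSP book; the approved baseline and the throwaway listener it scans are constructed so that it runs offline against localhost.

```python
import socket

# Added example, not part of the original notes: a small perimeter port audit
# that connect-scans a host and diffs the observed open ports against an
# approved baseline, so a scheduled run flags services that should not be
# reachable (and approved services that have gone down).  The baseline and
# the throwaway listener below are constructed for the demonstration.


def scan_ports(host, ports, timeout=0.5):
    """Return the set of TCP ports in `ports` that accept a connection on `host`."""
    open_ports = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            # connect_ex returns 0 on success and an errno (e.g. ECONNREFUSED) otherwise
            if sock.connect_ex((host, port)) == 0:
                open_ports.add(port)
    return open_ports


def audit(host, ports, baseline):
    """Scan `ports` on `host` and compare with `baseline` (the approved open ports).

    Returns (unexpected_open, approved_but_closed): the first set is the
    finding a perimeter review cares about; the second usually means an
    approved service is down or the baseline is stale.
    """
    observed = scan_ports(host, ports)
    return observed - baseline, baseline - observed


def start_listener(host="127.0.0.1"):
    """Bind a throwaway TCP listener on an ephemeral port; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def demo():
    """Stage one unapproved open port and one approved-but-closed port on localhost.

    Returns (unexpected_open, approved_but_closed, rogue_port, approved_port).
    """
    rogue_srv, rogue_port = start_listener()
    # Reserve a second ephemeral port and release it so it is known to be closed.
    tmp, approved_port = start_listener()
    tmp.close()
    baseline = {approved_port}  # constructed: the only port the policy allows
    try:
        unexpected, closed = audit("127.0.0.1", [rogue_port, approved_port], baseline)
    finally:
        rogue_srv.close()
    return unexpected, closed, rogue_port, approved_port


if __name__ == "__main__":
    unexpected, closed, rogue, approved = demo()
    print("unexpected open ports:", sorted(unexpected))
    print("approved ports not answering:", sorted(closed))
```

In production the host list would be the DMZ and back-end servers, the port list the full range, and the baseline the documented service inventory; the point is that the diff, not the raw scan, is what gets reviewed.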
 
At the end of the chapter, a layered approach is introduced, with a short list of countermeasures that use layers to cover the vulnerabilities above:
1、The firewall has packet filtering configured, which provides protection at the network layer. This combats a range of attacks, including some DoS and fragmentation hacks.
2、Proxy software configurations protect at the application layer. These combat a range of attacks, including unauthorized access and packet spoofing.
3、Network address translation (NAT) works at the network layer. This hides LAN IP addresses and topology.
4、Shielded twisted pair (STP) cabling works at the physical layer. This helps protect against network eavesdropping and signal interference.
5、A network intrusion detection sensor monitors network traffic at the network layer for known attack signatures. This identifies known attacks and resets TCP connections if necessary.
6、IP Security (IPSec), which works at the network layer, is configured for virtual private network (VPN) connections into the perimeter network. This protects against masquerading, data manipulation, and unauthorized access to confidential information via encryption.
7、Web server configuration provides protection within the application by using different sites for public versus confidential information. This protects against directory hopping and unauthorized access.
8、Only necessary services and ports are enabled on all perimeter devices, which work at the network and transport layers. This reduces entry points into the network and DoS attacks.
9、The mail server uses a store-and-forward method of messaging and runs antivirus software. This protects against viruses and DoS attacks.
10、Secure Sockets Layer (SSL), which works at the transport layer, is configured at the web sites when customers need to access personal confidential information. This provides confidentiality and data integrity, and protects against masquerading.
11、A network scanner runs a weekly probe on all perimeter network server ports at the network layer to identify new vulnerabilities. This protects against new vulnerabilities resulting from configuration changes or additional technologies being added.
12、A web server uses embedded cryptography within Extensible Markup Language (XML) code and Distributed Component Object Model (DCOM) security. This provides confidentiality of information and restricts components from performing risky actions.
13、Web servers require valid digital signatures from each other for proper communication. These protect against session hijacking and masquerading.
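Countermeasure 5 (matching known attack signatures) and countermeasure 7 (directory hopping) both come down to recognising a known-bad request shape, and the MDAC attack path earlier in the chapter (a malicious ODBC request delivered to IIS and relayed to the RDS DataFactory object) is exactly the kind of thing a signature is written for. The following is an added example, not code from the original notes or from the CISSP book: a toy signature matcher run over constructed IIS W3C-style access log lines. The log field layout, the sample client addresses and the two signatures are assumptions made for the demonstration; the RDS DataFactory was exposed on IIS under the `/msadc/msadcs.dll` path, which the notes themselves do not spell out.

```python
import re
from collections import namedtuple

# Added example, not part of the original notes: a minimal signature matcher
# in the spirit of countermeasure 5, applied to constructed IIS W3C-style
# access log lines.  The field layout follows the "#Fields:" header in the
# sample; both the sample and the signature list are constructed here.

SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2009-06-24 15:45:01 10.0.0.5 GET /index.asp - 200
2009-06-24 15:45:02 203.0.113.9 POST /msadc/msadcs.dll - 200
2009-06-24 15:45:03 203.0.113.9 GET /scripts/../../winnt/system32/cmd.exe /c+dir 404
2009-06-24 15:45:04 10.0.0.7 GET /orders.asp id=42 200
"""

# (name, pattern applied to cs-uri-stem).  The first catches requests aimed at
# the RDS DataFactory endpoint (the MDAC attack path); the second catches
# directory hopping ("..") in the request path.
SIGNATURES = [
    ("rds-datafactory", re.compile(r"^/msadc/msadcs\.dll$", re.IGNORECASE)),
    ("directory-traversal", re.compile(r"(^|/)\.\.(/|$)")),
]

Hit = namedtuple("Hit", "signature client uri")


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header.

    Lines whose token count disagrees with the header are skipped rather
    than guessed at, so a malformed line cannot shift fields and hide a hit.
    """
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def match(records):
    """Return a Hit for every (record, signature) pair whose URI stem matches."""
    hits = []
    for rec in records:
        stem = rec["cs-uri-stem"]
        for name, pattern in SIGNATURES:
            if pattern.search(stem):
                hits.append(Hit(name, rec["c-ip"], stem))
    return hits


def detect(text=SAMPLE_LOG):
    """Parse a W3C log and return the list of signature hits, in log order."""
    return match(parse_w3c(text))


if __name__ == "__main__":
    for hit in detect():
        print(f"{hit.signature:20} {hit.client:15} {hit.uri}")
```

A real sensor would match on the wire rather than on the server's log and would carry many more signatures, but the structure is the same: parse strictly, match each signature independently, and report the client and the offending request so the connection can be reset or the source blocked.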
 