
Security Reference Guide

Common Body of Knowledge (CBK) Definitions

Last updated May 23, 2003.

When security is viewed from an operational standpoint, it becomes obvious that there are several domains or operational categories into which security practices fall, known as the Common Body of Knowledge (CBK). Security can therefore be defined as the domains or elements that make up the CBK. In many ways, these domains could reflect the organizational departments that a large company would use to manage security-related issues. The CBK is currently the most popular method of defining security, as is reflected in many of the top security-related certifications. The Certified Information Systems Security Professional (CISSP) certification of the International Information Systems Security Certification Consortium, Inc. (known as (ISC)2) requires its candidates to understand security in the following domains:

  • Access Control Systems and Methodology

  • Telecommunications and Network Security

  • Security Management Practices

  • Applications and Systems Development Security

  • Cryptography

  • Security Architecture and Models

  • Operations Security

  • Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP)

  • Law, Investigations, and Ethics

  • Physical Security

Access Control Systems and Methodology

"Access control is the collection of mechanisms that permits managers of a system to exercise a directing or restraining influence over the behavior, use, and content of a system." —Common Body of Knowledge study guide

Access control is the part of a system used to determine what a user can access. The related concept of accountability ensures that a user's actions can be monitored. These two areas together form a system that not only keeps the authenticated user connected, with controls over what resources he or she can use, but also keeps the user accountable for his or her actions.

There are two main types of access-control methods used to define what resources a user can access:

  • Discretionary access control (DAC) is a subjective method, based on a decision made by an individual user. For example, when a user creates a resource such as a file, he or she can define an access control list (ACL) that regulates who can have access to the resource, and how much access they can have (read, write, delete).

  • Mandatory access control (MAC), on the other hand, is a standardized method of categorizing resources and users based on a predetermined set of criteria overseen by an authority figure, such as a system administrator. For example, military and government organizations have long used the levels classified, confidential, secret, etc.

While these two access-control categories provide a good starting point for defining access controls, they don't represent a comprehensive system. As a result, several other methods of access control have been built using MAC and DAC as a foundation. The following list provides some examples:

  • Lattice-based. Defines relationships within a MAC system by which control flows from one grouping to another based on rules.

  • Rule-based. Another MAC-based system using a strict set of rules similar to a "need to know" basis. However, this type of access control requires a lot of management and administrator work.

  • Role-based. This DAC system is based on the user's job. Using a predefined set of permissions based on job title (marketing, advertising, etc.), a user is granted access to resources without the need to individually assign rights to every specific user.

  • Access control list (ACL). This rule-based system defines access based on a target, such as an IP address. It's often used in firewalls and routers.
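To make the DAC and role-based distinction concrete, here is a small reference monitor in Go (an added example, not part of the original guide): the owner of a resource sets its ACL with the read, write and delete rights the text names, and only the owner may change that ACL, while the RBAC half attaches rights to job roles so a new user needs nothing more than a role assignment. The user names and resource names are constructed.

```go
package main

import "fmt"

// Permission bits: the three rights the text names for a DAC ACL.
type Permission uint8

const (
	Read Permission = 1 << iota
	Write
	Delete
)

// Resource under discretionary control: whoever creates it owns it and is
// the only principal allowed to edit its ACL (that is what makes the
// control "discretionary").
type Resource struct {
	Owner string
	ACL   map[string]Permission // user -> rights the owner granted
}

// NewResource mirrors "a user creates a file": the creator gets full rights.
func NewResource(owner string) *Resource {
	return &Resource{Owner: owner, ACL: map[string]Permission{owner: Read | Write | Delete}}
}

// Grant adds rights for user, but only when the caller is the owner.
func (r *Resource) Grant(by, user string, p Permission) error {
	if by != r.Owner {
		return fmt.Errorf("%s is not the owner and cannot change the ACL", by)
	}
	r.ACL[user] |= p
	return nil
}

// DACAllowed reports whether user holds every bit in want.
func (r *Resource) DACAllowed(user string, want Permission) bool {
	return r.ACL[user]&want == want
}

// RBAC attaches permissions to job roles and users to roles, so a new hire
// is given a role rather than a per-user entry on every resource.
type RBAC struct {
	rolePerms map[string]map[string]Permission // role -> resource -> rights
	userRoles map[string][]string              // user -> roles held
}

func NewRBAC() *RBAC {
	return &RBAC{rolePerms: map[string]map[string]Permission{}, userRoles: map[string][]string{}}
}

// DefineRole grants a role rights on a named resource.
func (rb *RBAC) DefineRole(role, resource string, p Permission) {
	if rb.rolePerms[role] == nil {
		rb.rolePerms[role] = map[string]Permission{}
	}
	rb.rolePerms[role][resource] |= p
}

// Assign puts a user in a role.
func (rb *RBAC) Assign(user, role string) {
	rb.userRoles[user] = append(rb.userRoles[user], role)
}

// RBACAllowed: effective rights are the union over all roles the user holds.
func (rb *RBAC) RBACAllowed(user, resource string, want Permission) bool {
	var have Permission
	for _, role := range rb.userRoles[user] {
		have |= rb.rolePerms[role][resource] // indexing a nil map yields 0
	}
	return have&want == want
}

func main() {
	// DAC: alice creates a report and grants bob read-only access.
	report := NewResource("alice")
	_ = report.Grant("alice", "bob", Read)
	fmt.Println("bob can read:", report.DACAllowed("bob", Read))
	fmt.Println("bob can write:", report.DACAllowed("bob", Write))
	fmt.Println("bob granting carol:", report.Grant("bob", "carol", Read))

	// RBAC: rights follow the job title (marketing, advertising).
	rb := NewRBAC()
	rb.DefineRole("marketing", "campaign-plan", Read|Write)
	rb.DefineRole("advertising", "campaign-plan", Read)
	rb.Assign("dave", "advertising")
	fmt.Println("dave can read the plan:", rb.RBACAllowed("dave", "campaign-plan", Read))
	fmt.Println("dave can write the plan:", rb.RBACAllowed("dave", "campaign-plan", Write))
}
```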

Access-control systems include two further concepts that work together: identification and authentication. In other words, it's not just who you say you are, but whether you can supply the credentials to support your identification. This is most commonly done through the use of some kind of password—whether that's the standard character-based password, or some form of biometrics or smart card.

InformIT Articles and Sample Chapters

"'Open Sesame' or Not? Use the Right Access Controls" is an excerpt from The CERT® Guide to System and Network Security Practices (Addison-Wesley, 2001, ISBN 020173723X), by CERT's own Julia H. Allen. The book provides a comprehensive look at proper security practices. The article lists the steps to determine the right access controls.

Books and e-Books

In Writing Information Security Policies (New Riders, 2001, ISBN 157870264X), Scott Barman describes the proper procedures and methods for writing comprehensive security policies, one part of which is the definition of all access controls and the duties and responsibilities required to maintain the controls.

Telecommunications and Network Security

"[The] Telecommunications and Network Security domain encompasses the structures, transmission methods, transport formats, and security measures used to provide integrity, availability, authentication, and confidentiality for transmissions over private and public communications networks and media." —Common Body of Knowledge study guide

This domain is one of the largest and most technical within the CBK. It includes the Open Systems Interconnection (OSI) model that defines how networked hardware and software communicate. The OSI model's approach splits communication into seven distinct layers, each with a defined purpose, and each designed to interface with its neighboring layer(s), as shown in the following figure. For more information about the OSI model, and TCP/IP in general, see Sams Teach Yourself TCP/IP in 24 Hours (Sams, 2001, ISBN 0672320851), by Joe Casad.

Figure 1: OSI Reference Model layers.

In addition to networking models, the Telecommunications and Network Security domain deals with the actual hardware used to connect information systems to each other—whether that's coax cable used for 10Base-2 or 10Base-5 wiring; the more commonly known categorized cabling schemes (Cat3, Cat5, Cat6, etc.) used for most Ethernet LANs; fiber lines that use light pulses; or a wireless network. Knowing each of these types of connectors and understanding where and how they can be used is important.

Once you know the foundation of networking, you can start looking at the many types of network topologies, including the ring, tree, mesh, star, and linear. While some of these types have been phased out in recent years (ring networks, for example), new technologies are redefining existing types and creating new networking concepts. For example, with the recent development of the WLAN (wireless local area network), networking often becomes a dynamic situation as users move from one type of network to another seamlessly and without a break in communications.

The Telecommunications and Network Security domain is best known by the actual devices and technologies used to support our increasingly networked world—the hubs, routers, switches, firewalls, and more that keep the data flowing. Degrees, certifications, and whole careers are built on understanding how these devices work together to pass a packet from one information system to another.

As a result, this domain also deals with the many safeguards and communications protocols that an administrator must employ to keep the data safe, secure, and error-free while it's in transport. This runs the gamut from the well-known Transmission Control Protocol/Internet Protocol (TCP/IP) to the encrypted IP Security Protocol (IPSec) used to secure many remote-access connections.

InformIT Articles and Sample Chapters

"Going on the Defensive: Intrusion-Detection Systems," by Seth Fogie and Cyrus Peikari, teaches you how to tighten your defenses against intrusion-detection attacks by learning about the inherent weaknesses in intrusion-detection systems. This article provides a hands-on look at IDS, and what makes such systems so important.

Books and e-Books

Sams Teach Yourself TCP/IP in 24 Hours (Sams, 2001, ISBN 0672320851), by Joe Casad, is an excellent starting place for any professional who wants to understand networks and network security, due to the integral part that TCP/IP plays in any network. The 24 Hours series is easy for the beginner to understand and can be useful as a reference guide for the experienced. Since this book is freely available at InformIT, there's no excuse not to read it!

Maximum Security, Third Edition (Sams, 2001, ISBN 0672318717), by Anonymous, is one of the icons of information security books. Within its covers, you'll find a comprehensive description of network security issues from both an attacker's and a defender's point of view, plus much more. Administrators, security professionals, and even those curious about security will find a wealth of valuable demonstrations of how hackers attack, and how administrators protect information systems.

Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses (Prentice Hall PTR, 2001, ISBN 0130332739), by Ed Skoudis, provides an excellent general overview of network security for the beginner-to-intermediate administrator. Ed Skoudis is a recognized leader in information security and has even spoken before the U.S. Senate to educate U.S. leaders on security issues.

Hackers Beware: The Ultimate Guide to Network Security (New Riders, 2001, ISBN 0735710090), by Eric Cole, provides a wealth of tips and advice on how a network falls prey to an attack. This book not only shows you how the attacks are perpetrated, but describes how to protect your system against such attacks.

Maximum Wireless Security (Sams, 2002, ISBN 0672324881), by Cyrus Peikari and Seth Fogie, delves into the security issues surrounding the setup and operation of a wireless network. This book provides hands-on illustrations of the tools and techniques used by hackers to exploit the latest in networking technology.

Security Management Practices

"Security management entails the identification of an organization's information assets and the development, documentation, and implementation of policies, standards, procedures, and guidelines that ensure confidentiality, integrity, and availability. Management tools such as data classification, risk assessment, and risk analysis are used to identify the threats, classify assets, and rate their vulnerabilities so that effective security controls can be implemented." —Common Body of Knowledge study guide

This domain is the part of the CBK that defines information security policies and practices. Included in it are all the tools and concepts that a user needs to know and understand to provide a reason for security in business terms. In other words, it describes how you can know whether a firewall or intrusion-detection system is required—or more importantly, how you can show it has real value.

Confidentiality, Integrity, Availability (CIA)

One key part of this domain that bleeds to all the others is the concept of CIA—the acronym for Confidentiality, Integrity, and Availability. These three concepts are at the core of almost every security program—if not by name, at least in practice. They're most commonly described as a triangular view of security, with each side directly related to the other two (see the following figure).

Figure 2: The CIA relationship.

Confidentiality is the measure of the secrecy of information. In other words, a company determines how and where data can be used, and then assigns a confidentiality value to it. The level of availability is the ability of users to access information. Typically this is done through the use of access-control systems as well as redundant links and servers, and considers natural threats such as fire or flood in addition to the infamous hacker. Finally, integrity ensures that the information is accurate and reliable. Whether in transmission or in storage, the data must be verified as complete and uncorrupted. Without the key aspect of integrity, it would be difficult to support any security system because there is no assurance that the data is real, and thus of value.

Much of the Security Management Practices domain defines the methods and practices used by management to determine the value and efficiency of a security system. Starting with planning, a security system must be well thought out and have widespread support. This process often starts with the creation of policies used to define the standards, guidelines, and procedures used by the company. In addition, the management of an information system should include the preparation of an initial risk analysis to determine the critical systems, the risks to those systems, and the cost associated with repairing or replacing the systems. Finally, management needs to ensure that the users are educated about the importance of security, to facilitate a security-conscious workplace.

It's crucial to include with all of this the underlying assumption that managers understand their responsibilities in the security and operation of an information system—from active involvement in policy creation to handling an incident or a disaster. An information system manager must have a "big picture" view with "small picture" comprehension. Whether hiring/firing, technical reports, ROI assessments, project-management skills, or another of the many jobs under the security-management umbrella, this domain provides solid insights for the type of person who makes a good manager.

InformIT Articles and Sample Chapters

CISSP Training Guide (Que, 2002, ISBN 078972801X), by Roberta Bragg, is meant to do one thing: prepare you for the CISSP test. Included in the book is a good discussion on the 10 domains of the CBK and an extensive set of practice questions. Highly recommended.

Online References

The CISSP Prep Guide, Gold Edition (Wiley, 2002), by Ronald L. Krutz and Russell Dean Vines, provides a close look at the 10 security domains defined by the CBK, with an emphasis on the CISSP test. The book also includes software and hundreds of test questions to help you practice.

CISSP Certification All In One (McGraw, 2001), by Shon Harris, offers a fairly comprehensive discussion and treatment of the 10 domains of the CBK.

Applications and Systems Development Security

"Applications and systems development security refers to the controls that are included within systems and applications software and the steps used in their development. Applications refer to agents, applets, software, databases, data warehouses, and knowledge-based systems. These applications may be used in distributed or centralized environments." —Common Body of Knowledge study guide

Application development is currently one of the hottest subjects within the security sector. Buffer overflow attacks, cross-site scripting (XSS) attacks, SQL injection, and other vulnerabilities have dominated the bug tracking and vulnerability lists lately. As a result, significant pressure has recently been placed on software vendors—redefining how software development is performed, including the creation of several organizations (such as the Open Web Application Security Project, or OWASP) that deal with nothing but software security testing.

This pressure has been ongoing for a very long time. Carnegie Mellon University's Software Engineering Institute (SEI) tried to establish development maturity and capability models back in the 1980s—and tried to get people to think about secure coding—but they were pretty much ignored outside of academia and a handful of hardcore software development shops.

Over the years, several types of information systems have evolved, including the centralized, distributed, data warehouse, knowledge base, and web-based systems, each of which has its own associated vulnerabilities and methods of attack. This domain covers the security components that are required when creating software, and the practices required to keep these systems secure.

There are several main components to developing secure software. They include the use of software development models that define the lifecycle by which software is planned, created, tested, corrected, and maintained. Several popular models are in use, from the waterfall to the spiral, each providing a different view of how to develop software. Regardless of the method, it should define some form of security training and testing. This includes the knowledge required to ensure that processes and hardware are isolated, memory is protected, account controls and accountability are in place, and more. In short, a developer must understand how to produce secure, stable, and efficient software that's not vulnerable to the many known methods of attack.

Additionally, the process of secure programming is very difficult due to the many third-party components used in production, very tight budgets that allocate minimal resources to training, and the extra time required to include secure coding practices. As a result, many security issues are discovered only in testing, when new code is merged with previously created code, or by the public after the software has been formally released.

For example, more than 50% of the security advisories deal with some form of buffer overflow, which is a simple memory-management oversight. If developers were encouraged to write code in which all the input and output values were properly validated (including data sent to and received from connected components and programs) and memory sizes were carefully tested, buffer overflow attacks would become a thing of the past. However, in fairness to the programmers, completely securing code is a complex task due to the many interdependencies and possible inputs a user could enter, not to mention that many programs are so vast that it's difficult to know when enough testing has been done.

In addition, many companies fail to implement security practices during the initial design process, if security is even considered at all. With the enormous pressure to be first to market, security gets placed on the back burner, and software is buggy at best and downright insecure at worst. (For example, Bugtraq is constantly full of buggy PHP programs written by small shops and hobbyists.) However, software companies and programmers are starting to feel a new pressure as consumers demand accountability for the products they purchase.

InformIT Articles and Sample Chapters

"SQL Server Attacks: Hacking, Cracking, and Protection Techniques," by Seth Fogie and Cyrus Peikari, takes a close look at the many risks associated with operating a database server, focusing on web applications. See firsthand how programming errors and misconfiguration can result in lost data or the complete compromise of a system.

Books and e-Books

Hack I.T.: Security Through Penetration Testing (Addison-Wesley, 2002, ISBN 0201719568), by T. J. Klevinsky, Scott Laliberte, and Ajay Gupta, is an excellent book covering many of the aspects of penetration testing and security testing of information systems. This book offers not only a glimpse into how hackers abuse applications, but how you can protect and defend yourself from attack.

Online References

"Advanced SQL Injection in SQL Server Applications," by Chris Anley, is an NGSSoftware Insight Security Research (NISR) publication. This paper is a must-read for any developer using a SQL server. While it assumes prior knowledge of SQL commands, it sets the standard for understanding SQL injection attacks. NGSSoftware is one of the top security companies dealing with SQL-related attacks and has discovered numerous SQL vulnerabilities.

"Unauthenticated Remote Compromise in MS SQL Server 2000," by David Litchfield, discusses the details of the SQL Slammer worm that made headlines early in 2003 with its infection of 200,000 computers in a few hours.

"Smashing the Stack for Fun and Profit" is credited with bringing buffer-overflow attacks into the limelight. In this technical and detailed article, Phrack again provides an enlightening view into the world of the underground hacker as the concept of the buffer overflow is explained and illustrated in unparalleled detail.

Cryptography/Cryptology

"The Cryptography domain addresses the principles, means, and methods of disguising information to ensure its integrity, confidentiality, and authenticity." —Common Body of Knowledge study guide

Cryptography is one of the core domains that's directly related to the CBK. Using one of several available methods, information can be encrypted and validated to ensure that it remains secure and complete, and that only authorized persons can access the encrypted data. In addition to these two functions (encryption and data validation), cryptography also helps provide non-repudiation (irrefutable proof that a message was created by a given individual) when used with an asymmetric key that can only belong to one person, which is similar to a digital signature. This adds security by ensuring that a message is not forged.

There are two main types of encryption:

  • Symmetric encryption uses a shared key to encrypt the data. This is the oldest and simplest form of encryption. (Manufacturers of kids' cereals use this method for their decoder rings.) While symmetric encryption is easy to use, many implementations are easy to crack. In addition, because the key is shared with everyone who needs access to the data, there's no method of ensuring non-repudiation.

  • Asymmetric encryption requires the use of two keys: a public key and a corresponding private key. When a message needs to be encrypted, the public key of the recipient is used to encrypt the data. Once this occurs, the only key that will decipher the message is the private key, which only the recipient holds. This method, though a bit more complicated, is much more secure and also maintains non-repudiation because only one person has the private key.

Regardless of the encryption method you choose, you should understand several encryption properties before attempting to use encryption:

  • Key length is one of the core aspects that define the strength of the encryption.

  • Redundancy checks ensure data integrity.

  • Hash functions take a large amount of data and create a small fingerprint based on that data.

  • Digital signatures are used for authenticating the source of a message and for non-repudiation.
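The hash, shared-key integrity and digital-signature properties listed above, contrasted in Go using the standard library's SHA-256, HMAC and Ed25519 (an added example, not from the original guide; it shows the integrity and signature side of asymmetric keys rather than public-key encryption, and every key and message in it is constructed for illustration). The point the two bullets make about non-repudiation falls out of the code: the receiver of an HMAC-tagged message holds the same key and can mint a valid tag himself, while he cannot produce a signature that verifies under the sender's public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Fingerprint is the hash-function property from the list: a fixed-size digest
// of any amount of data. It exposes corruption, but it is keyless, so anyone
// who alters the data can simply recompute it.
func Fingerprint(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Tag is symmetric integrity protection: an HMAC over the message under a key
// shared by sender and receiver.
func Tag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// VerifyTag recomputes the tag and compares in constant time.
func VerifyTag(key, msg, tag []byte) bool {
	return hmac.Equal(Tag(key, msg), tag)
}

// Signer holds one party's asymmetric key pair. Only the private key can
// sign; the public key may be handed to anyone who needs to verify.
type Signer struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Public: pub, private: priv}, nil
}

func (s *Signer) Sign(msg []byte) []byte { return ed25519.Sign(s.private, msg) }

func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// NonRepudiationDemo returns (tagForgeable, sigForgeable): whether the
// receiver, Bob, can produce a valid HMAC tag and a valid signature on a
// message Alice never sent. With a shared key he can, so the tag proves
// nothing about authorship to a third party; with Alice's key pair he cannot.
func NonRepudiationDemo() (bool, bool, error) {
	shared := []byte("key shared by alice and bob (constructed)")
	forged := []byte("Alice agrees to pay Bob 1,000,000")
	tagForgeable := VerifyTag(shared, forged, Tag(shared, forged))

	alice, err := NewSigner()
	if err != nil {
		return false, false, err
	}
	bob, err := NewSigner()
	if err != nil {
		return false, false, err
	}
	// Bob can sign only with his own private key; verification under
	// Alice's public key rejects it.
	sigForgeable := Verify(alice.Public, forged, bob.Sign(forged))
	return tagForgeable, sigForgeable, nil
}

func main() {
	msg := []byte("transfer 100 to account 42")      // constructed sample message
	tampered := []byte("transfer 900 to account 42") // one digit changed in transit

	fmt.Println("fingerprint:", Fingerprint(msg))
	fmt.Println("fingerprint changes when tampered:", Fingerprint(msg) != Fingerprint(tampered))

	key := []byte("shared key (constructed)")
	tag := Tag(key, msg)
	fmt.Println("tag: genuine", VerifyTag(key, msg, tag), "tampered", VerifyTag(key, tampered, tag))

	alice, err := NewSigner()
	if err != nil {
		panic(err)
	}
	sig := alice.Sign(msg)
	fmt.Println("signature: genuine", Verify(alice.Public, msg, sig), "tampered", Verify(alice.Public, tampered, sig))

	tagForgeable, sigForgeable, err := NonRepudiationDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println("receiver can forge tag:", tagForgeable, " signature:", sigForgeable)
}
```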

Encryption is one of the core parts of any secure information system. However, encryption is not technically 100% secure; in other words, all encryption is breakable. While breaking it might take years, if not centuries (with current technologies, until after the universe is expected to collapse), encryption techniques can be subverted using many methods of attack. Attacks using brute force guessing, known and chosen plaintext, and more can be used to deduce the key of the encryption scheme. Ironically, the ease with which encryption is used appears to be inversely proportional to how breakable it is. One-time pads (encryption algorithms that use enormous keys only once) are theoretically unbreakable but are such a pain to use that they have been compromised in practice by users who have "cut corners" with them.

In fact, one recent well-publicized attack against the WEP protection used in wireless networks allowed an attacker to capture the pre-shared password right out of the air.

In addition to attacking the encryption scheme, it's also possible to attack the implementation structure of an encryption scheme. For example, if an attacker sets up an SSL server between the target and an online company, he or she could trick the target into thinking that a secure connection was established to the online company, when in reality the connection was established to the attacker's computer. (This is known as a "man in the middle" attack.) This would allow the attacker to have access to all the data in transmission, with the target and the online company none the wiser.

Cryptography is an important asset to any secure system; however, as we've indicated, the security provided by cryptography relies on several factors. As a result, it's often implemented incorrectly. In addition, many people fail to realize that once a piece of data is encrypted, the only way it can be accessed is with the correct password, decryption device, or decryption algorithm. If the decryption method is lost, damaged, or forgotten, the data will remain safely locked away until computing has advanced to the point where the encryption can be cracked.

InformIT Articles and Sample Chapters

"Cracking WEP," by Seth Fogie, describes an excellent example of cryptography gone wrong. While it's technical, this article breaks the encryption process down so the reader can understand the weaknesses within the WEP protection scheme.

Books and e-Books

Java Cryptography (O'Reilly, 1998), by Jonathan Knudsen, describes how cryptography is implemented in technology. While this book discusses cryptography in reference to Java, the principles it discusses are standard for information system security.

Making, Breaking Codes: Introduction to Cryptology (Prentice Hall, 2000, ISBN 0130303690), by Paul Garrett, is one of the top-selling books in the field. While it assumes some math experience, this book attempts to illustrate cryptology to any reader interested in the subject.

Security Architecture and Models

"The Security Architecture and Models domain contains the concepts, principles, structures, and standards used to design, implement, monitor, and secure operating systems, equipment, networks, applications, and those controls used to enforce various levels of confidentiality, integrity, and availability." —Common Body of Knowledge study guide

What is a security architecture? Is it

  • products that keep out attackers?

  • practices and policies that control a company's employees?

  • a concept used to create confidence in a service or product?

The real answer is all of the above, which is why an entire domain of the CBK is devoted to this subject.

Several architectures are used to define how information is secured:

  • The Bell-LaPadula model basically defines security through confidentiality. Designed using the no write down, no read up model, security is maintained if a classified resource is accessed only by subjects with a clearance at that level or higher. This method works, but it relies on the assurance that access to the object is closely controlled.

  • The Biba model focuses on integrity more than confidentiality. This model is built around two rules—no write up and no read down—which refer to the trust relationships that exist between subjects and objects. In short, no subject can depend on a less-trusted object, which restricts an unauthorized subject from changing or even accessing an object.

  • The Clark-Wilson model emphasizes data integrity by restricting unauthorized access or improper modifications by authorized users, and by maintaining internal and external consistency. This model is most often used to ensure that data modifications are made with their integrity and consistency in mind. For example, if a computer crashes in the middle of a data change, the whole system should have the ability to roll back to a pre-transaction state, thus ensuring that nothing has changed.

  • The most common model is based on the access control list (ACL), which is prevalent in most enterprise operating systems. This model uses a preexisting list of approved subjects, associated with objects. If a user wants access to a folder or file, the user's identification is checked against the ACL for that resource, and access is granted as appropriate. While this works well, it can become complicated when making large changes or moving data from one system to another.
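The Bell-LaPadula and Biba rules described above, written out as checks in Go (an added example, not from the original guide; the level names and the analyst and object labels are constructed). Putting both models on one label also shows where they pull in opposite directions: BLP lets a Secret subject write up into a Top Secret object, and Biba refuses that same write because the subject's integrity is lower.

```go
package main

import "fmt"

// Ordered sensitivity levels used as MAC labels (constructed for the example).
type Level int

const (
	Unclassified Level = iota
	Confidential
	Secret
	TopSecret
)

func (l Level) String() string {
	return [...]string{"Unclassified", "Confidential", "Secret", "TopSecret"}[l]
}

type Op int

const (
	ReadOp Op = iota
	WriteOp
)

func (o Op) String() string { return [...]string{"read", "write"}[o] }

// BLPAllows enforces Bell-LaPadula: a subject may read only at or below its
// own level (no read up) and write only at or above it (no write down), so
// information never flows from a higher to a lower classification.
func BLPAllows(subject, object Level, op Op) bool {
	switch op {
	case ReadOp:
		return subject >= object
	case WriteOp:
		return subject <= object
	}
	return false
}

// BibaAllows enforces Biba, the mirror image for integrity: a subject may not
// read from a less-trusted object (no read down) nor write to a more-trusted
// one (no write up), so low-integrity data never contaminates high-integrity data.
func BibaAllows(subject, object Level, op Op) bool {
	switch op {
	case ReadOp:
		return subject <= object
	case WriteOp:
		return subject >= object
	}
	return false
}

// Label carries both a confidentiality level and an integrity level. A
// reference monitor enforcing both models grants an operation only when
// each model permits it.
type Label struct{ Conf, Integ Level }

func Allows(subject, object Label, op Op) bool {
	return BLPAllows(subject.Conf, object.Conf, op) && BibaAllows(subject.Integ, object.Integ, op)
}

func main() {
	// An analyst cleared to Secret whose own output is trusted only to Confidential.
	analyst := Label{Conf: Secret, Integ: Confidential}
	objects := []struct {
		name string
		l    Label
	}{
		{"weekly-brief", Label{Conf: Confidential, Integ: Secret}},
		{"war-plan", Label{Conf: TopSecret, Integ: TopSecret}},
	}
	for _, obj := range objects {
		for _, op := range []Op{ReadOp, WriteOp} {
			fmt.Printf("%-5s %-12s  BLP=%-5t Biba=%-5t both=%t\n", op, obj.name,
				BLPAllows(analyst.Conf, obj.l.Conf, op),
				BibaAllows(analyst.Integ, obj.l.Integ, op),
				Allows(analyst, obj.l, op))
		}
	}
	// The BLP "blind write": Secret may write up into the TopSecret war-plan,
	// which Biba then refuses because the analyst's integrity level is lower.
}
```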

In addition to models, this domain also defines components of secure system architectures, including reference monitors, covert data channels, open versus closed systems, and various security principles and modes. Using combinations of these components, principles, and modes, a solid architecture can be designed and implemented that ensures the security of a company's data.

When a security system is designed, it should be evaluated using some form of security standard. The most common and well-known standards are described in the following list:

  • Trusted Computer System Evaluation Criteria (TCSEC). TCSEC is more commonly known as the Orange Book, which is part of the famous Rainbow series. It's a U.S. government security standard that critiques a system by its ability to separate users and data, the granularity of access control, and the trust or overall assurance of the system. Using these concepts, it then assigns a grade to the system.

  • Information Technology Security Evaluation Criteria (ITSEC). This European standard focuses on loss of integrity, confidentiality, and availability. It's similar to TCSEC in many ways, with slight variations on how systems are evaluated and what's included in the evaluation.

  • Common Criteria. This system evaluates products by version/environment and is not guaranteed against vulnerabilities. That said, this standard is replacing ITSEC and TCSEC as an internationally agreed-upon method of evaluation. It's divided into three main parts: Introduction and General Model, Security Functional Requirements, and Security Assurance. These all work together to critique a system and give it a grade or certification based on how it meets predefined requirements.

  • One final standard that's growing in popularity is IP Security Protocol (IPSec), which is a communications standard found in firewalls, VPNs, and other communication devices/software. It controls what data can flow and how that data is transmitted, using a two-phase connection initialization process.

Security models and architecture should be at the foundation of how an information system is designed. Through the use of these concepts, a company can build a strong and reliable system that they can be confident using. However, it should be noted that no information system is 100% secure.

InformIT Articles and Sample Chapters

"IPSec Overview Part One - General IPSec Standards," by Andrew Mason, is one of several articles provided to InformIT by Cisco Press, which is one of the leaders of the technology industry. While this article deals mainly with Cisco hardware, the information presented is valuable to any professional who wants to understand what IPSec is used for and how it works.

Books and e-Books

Designing Network Security (Cisco Press, 1999, ISBN 1578700434), by Merike Kaeo, offers a practical approach to designing and implementing a secure network. From Cisco routers to a secure policy, setting up a secure architecture is a complex subject; this book helps to fill the gaps and provides good ideas on meeting this goal.

Online References

Security Architecture for the Internet Protocol (RFC 2401) is the standard defining the IPSec protocol, security services offered by this protocol, and how these protocols are employed.

Operations Security

"Operations Security is used to identify the controls over hardware, media, and the operators with access privileges to any of these resources. Audit and monitoring is the mechanisms, tools, and facilities that permit the identification of security events and subsequent actions to identify the key elements and report the pertinent information to the appropriate individual, group, or process." —Common Body of Knowledge study guide

Operations security (OPSEC) is the practice of putting yourself in your opponent's shoes, and then building a defensive system based on what you discover. The first step is to determine what resources you want to protect. This includes all hardware devices (routers, switches, printers, etc.), software applications, and, most importantly, the users. The second step is to identify the privileges that need to be restricted, and the third step is to identify the available controls that can prevent misuse and abuse of the allotted privileges.

The operations security process takes into consideration the following five key principles:

  • Identifying critical information
  • Analyzing threats
  • Assessing vulnerabilities
  • Assessing risks
  • Applying countermeasures

To apply these principles, operations security uses indicators collected via log files, auditing, and other forms of monitoring and observation. (In fact, these same indicators are often used by attackers to gain an insight into a potential target.)

While logs are an excellent source of information, another popular method of information-gathering is the use of intrusion-detection programs. These are programs or dedicated devices that sit on a network, monitor all the traffic, and look for anomalies. Using sniffer technology, an administrator can detect potentially threatening activities and take action.
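The "indicators collected via log files" described above are easiest to understand with a concrete detector. The following is an added example written for this guide, not code from the article or from any product it mentions: it parses constructed sshd-style authentication lines of the kind found in a Unix auth log, keeps a sliding window of failed logins per source address, and raises an alert when a source exceeds a threshold (a password-guessing indicator) and a second alert when a login from that source succeeds right after such a burst (a possible account compromise). The log lines, the threshold of 5 failures in 5 minutes and the year used to complete the syslog timestamps are all assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not taken from any real system): syslog-style sshd
# messages. 203.0.113.7 guesses root's password five times and then gets in;
# 192.0.2.11 is a user who mistyped a password once.
SAMPLE_LOG = """\
Mar 10 02:14:01 gw sshd[4011]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Mar 10 02:14:03 gw sshd[4012]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar 10 02:14:05 gw sshd[4013]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar 10 02:14:08 gw sshd[4014]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar 10 02:14:10 gw sshd[4015]: Failed password for root from 203.0.113.7 port 51005 ssh2
Mar 10 02:14:12 gw sshd[4016]: Accepted password for root from 203.0.113.7 port 51006 ssh2
Mar 10 08:30:45 gw sshd[4200]: Accepted publickey for alice from 192.0.2.10 port 40210 ssh2
Mar 10 08:31:02 gw sshd[4201]: Failed password for bob from 192.0.2.11 port 40211 ssh2
Mar 10 08:31:20 gw sshd[4202]: Accepted password for bob from 192.0.2.11 port 40212 ssh2
"""

# One pattern covers both outcomes; "invalid user" is optional because sshd
# inserts it for accounts that do not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2024):
    """Return a dict for an sshd login event, or None for unrelated lines.
    Syslog timestamps carry no year, so one is assumed (example assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse the double space of single-digit days
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def analyze(log_text, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window failed-login counter per source address.

    Emits one 'brute_force' alert per source when failures within `window`
    reach `threshold`, and a 'success_after_failures' alert whenever a login
    is accepted while that source still has >= threshold recent failures."""
    recent = defaultdict(deque)  # src -> timestamps of failures inside the window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in alerted:
                alerted.add(ev["src"])
                alerts.append({"type": "brute_force", "src": ev["src"],
                               "count": len(q), "ts": ev["ts"]})
        elif len(q) >= threshold:
            alerts.append({"type": "success_after_failures", "src": ev["src"],
                           "user": ev["user"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a)
```

The two alerts this produces for the constructed log (a brute-force alert for 203.0.113.7 at the fifth failure, then a success-after-failures alert for root from the same address) are exactly the kind of indicator the text says an operations-security process feeds into its risk assessment; the single failed attempt by bob stays below threshold and is not reported.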

NOTE

A sniffer is a program that captures network data. It can be used by network or system administrators to help troubleshoot problems. Used by an attacker, a sniffer can collect sensitive information (such as passwords) that can be used to gain unauthorized access.

Another tool is penetration testing. This involves playing attacker and attempting to find a way into your own system. Once a penetration test is complete, the information collected is assessed for potential risks, and countermeasures are put in place. The whole process then starts over again, with new policies and more testing.

In addition to the more hands-on and hackerish processes, operations security also includes proper administrative and management processes that define how employees are hired/fired, how a system is safeguarded against internal attack, and how a successful attack is handled. This includes protecting sensitive media, and ensuring that simple measures such as antivirus software are installed on all the key systems. It also includes the procedures used to update system parameters and configurations, and even covers disaster recovery plans. In short, this part of operations security is responsible for creating a comprehensive system to handle both day-to-day and emergency operations as required in the information security world.

While much of OPSEC consists of the fun and exciting cyber war games often associated with information security, it's actually a complete package that covers every operational process, from the first employee hire to a total natural disaster.

InformIT Articles and Sample Chapters

"Implementing Security, Part II: Hardening Your UNIX/Linux Servers," by Joseph Dries, describes several methods for securing your *nix system and the applications that run on it. In particular, this article looks at Internet services, sendmail, tcp_wrappers, DNS services, and proper logging techniques.

In "Intrusion Detection Systems," an article provided by Cisco Press, Earl Carter discusses intrusion-detection systems and their role in the daily operations of a business. The author covers the triggering mechanisms, monitoring methods, and types of intrusion-detection systems available to information system professionals.

Books and e-Books

Hack I.T.: Security Through Penetration Testing (Addison-Wesley, 2002, ISBN 0201719568), by T. J. Klevinsky, Scott Laliberte, and Ajay Gupta, is an excellent book covering many of the aspects of penetration testing and security testing of information systems. This book offers not only a glimpse into how hackers abuse applications, but how you can protect and defend yourself from attack. (Preview this book on Safari)

Halting the Hacker: A Practical Guide to Computer Security (Prentice Hall, 2002, ISBN 0130464163), by Donald L. Pipkin, combines unique insight into the mind of the hacker with practical, step-by-step countermeasures for protecting any HP-UX, Linux, or UNIX system. With dozens of real-world examples, you can learn how to protect yourself against many of the attacks of today—and tomorrow. (Preview this book on Safari)

Maximum Windows 2000 Security (Sams, 2001, ISBN 0672319659), by Anonymous, is designed for system administrators who need an in-depth look at the tools and techniques used by hackers to gain unauthorized access to information systems. This book also provides information on finding holes and vulnerabilities, and discusses how to fix them. (Preview this book on Safari)

Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP)

"The Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) domain addresses the preservation of the business in the face of major disruptions to normal business operations. BCP and DRP involve the preparation, testing, and updating of specific actions to protect critical business processes from the effect of major system and network failures." —Common Body of Knowledge study guide

When a natural disaster strikes a home, recovery is a lifelong process. Photo albums, important documentation, heirlooms, and more can be destroyed. It can take years before the loss is even fully realized. While this is a horrible thing, imagine the loss that can occur when a business is hit with the same type of disaster. The entire company's resources could be gone in the blink of an eye. How a company prepares for this type of calamity helps determine whether it survives.

The first step in recovering from such a calamity is having a disaster recovery plan. This plan takes a look at what's required to keep the business functioning (backups, contact numbers, etc.), and then takes steps to ensure that these items are prepared ahead of time in case a disaster occurs. The disaster recovery plan also includes the procedures required to get necessary data back online and available to those who need it. While this could include switching all data processing to a remote backup site, for example, or just defining what procedures need to occur to alert clients to changes in scheduled meetings, the disaster recovery plan is the short-term plan.

The business continuity plan, on the other hand, is the long-term plan that takes a look at recovery from beginning to end. Typically, the business continuity plan incorporates the disaster recovery plan, but then takes over once immediate threats are dealt with. This plan includes keeping recovery plans up to date, monitoring critical assets, procedures for processing insurance claims, and more.

A key part of the business continuity plan is the business impact assessment (BIA). The BIA identifies time-critical components of the business, key resources used by the business, maximum downtime (MDT) that any business component can withstand, and all associated reports created as a result of the BIA.

While having a plan is a very important step, many companies stop after that point. Unfortunately, when disaster strikes, these companies find out that their plan is missing parts, and doesn't work as expected. To eliminate some of the surprises, the disaster recovery plan and business continuity plan should be tested to ensure that they work. This includes everything from restoring the entire information system to testing emergency evacuation procedures.

Obviously, a disaster that can destroy a whole business is not a likely event. However, since 9/11, many more companies have realized that their business is one step away from a calamity. Having a disaster recovery plan and a business continuity plan in place won't prevent a disaster from occurring; however, it can reduce the damage in the long run.

InformIT Articles and Sample Chapters

This sample chapter from Disaster Recovery Planning: Preparing For The Unthinkable (Prentice Hall PTR, 2002, ISBN 0130462829), by Jon Toigo, gives the reader a look into the methods and procedures required to design and implement a comprehensive disaster recovery plan. This chapter alone is enough to serve as an eye opener for many IT managers and professionals who could face a total loss if disaster strikes.

"Secure Backup: Protecting Your Data" is a sample chapter from White-Hat Security Arsenal: Tackling the Threats (Addison-Wesley, 2001, ISBN 0201711141), by Aviel D. Rubin. In this chapter, the author discusses the issues surrounding a backup with respect to security and privacy. He looks at physical security issues, methods of secure backups, storage procedures, and even deletion issues to ensure that your backups are secure.

Books and e-Books

While primarily for Sun administrators, Backup and Restore Practices for Sun Enterprise Servers (Prentice Hall PTR, 2000, ISBN 013089401X), by Stan Stringfellow and Miroslav Klivansky, provides valuable information for any information system professional. Over half the book is devoted to practices and planning techniques that can be used with Sun, Microsoft, or even Macintosh operating systems. The book addresses issues such as scalability and performance of the backup/restore architecture, criteria for selecting tools and technologies, and tradeoffs that must be considered. It provides technical guidelines for planning the architecture to meet service levels, as well as general advice and guidance. (Preview this book on Safari)

Law, Investigations, and Ethics

"The Law, Investigations, and Ethics domain addresses computer crime laws and regulations, the investigative measures and techniques [that] can be used to determine if a crime has been committed, methods to gather evidence if it has, as well as the ethical issues and code of conduct for the security professional." —Common Body of Knowledge study guide

Computers have had an undeniable positive impact on this world. However, the benefits of information systems come with a price: computer crime. Using computers, criminals can access private information, destroy data, steal intellectual property, and more. When these situations occur, it's up to the owner of the system to properly report the crime and ensure that no evidence is destroyed or lost. Unfortunately, the law is often considered a complex body of obscure rules that only lawyers can understand. In addition, the stigma of legal authorities and their overall unpopularity may make users uncomfortable with the prospect of reporting a criminal incident. Others are concerned with the unwanted publicity that might be associated with a public computer crime case. Regardless of what fears or issues a user has, however, every information-systems professional should be familiar with certain techniques and practices to ensure that evidence is not damaged or lost in the case of an intrusion.

Before any crime is investigated, it's important to understand the applicable law(s). This includes knowing the type of crime involved, and under whose jurisdiction the crime falls. For example, a simple web-page defacement may be both a federal and a state crime if the attacker lives across a state line from the victim. In addition, the laws vary depending on who is pressing charges. If the government is seeking retribution, criminal law prevails. On the other hand, if a company is suing for damages as a result of a malicious act by an employee, that falls under civil law. Each of these areas has its own regulations and guidelines.

Once the crime has been identified, the victim should not simply take action and try to catch the attacker. By doing so, the victim could corrupt or destroy key evidence that could have been used to prove guilt. Instead, a plan should be formulated to specify who needs to be called and what actions should be taken (such as how critical data should be preserved).

Part of the key to collecting evidence is found in forensics, which is the technical and scientific collection and analysis of evidence. For example, one of the first steps in the investigation of a computer crime is to make a duplicate of all data on a victim's or suspect's hard drive. This way, authorities maintain an untouched copy of evidence while they systematically look at the data on the hard drive. If they damage the data, they still have the original information.
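The duplicate-then-analyze step above only holds up if you can prove the duplicate is exact and that the master copy was never touched. The following is an added example written for this guide (not code from the article or from any forensic tool it cites): it images a constructed stand-in for a drive byte for byte, hashes what was read and what was written so the acquisition itself is verified, makes the master image read-only, and works only on a verified working copy. It then shows that damaging the working copy during analysis leaves the master still verifiable against the recorded digest. File names and the contents of the "drive" are constructed for the example; a real acquisition would read the device through a write blocker, which this example does not model.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so images larger than memory still work."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image_path, chunk_size=1 << 20):
    """Copy `source` to `image_path` byte for byte.

    The bytes read are hashed while copying and the finished image is hashed
    again from disk; the two digests must agree or the acquisition is rejected.
    Returns the digest, which is the value to record with the evidence."""
    read_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(chunk_size), b""):
            read_hash.update(chunk)
            dst.write(chunk)
    source_digest = read_hash.hexdigest()
    if sha256_file(image_path) != source_digest:
        raise RuntimeError("image does not match source; acquisition failed")
    os.chmod(image_path, 0o444)  # master image is never written to again
    return source_digest


def make_working_copy(image_path, copy_path, expected_digest):
    """Analysts work on a copy of the master; verify it before use."""
    shutil.copyfile(image_path, copy_path)
    if sha256_file(copy_path) != expected_digest:
        raise RuntimeError("working copy does not match master image")
    os.chmod(copy_path, 0o644)
    return copy_path


def demo():
    """Acquire a constructed 'drive', damage the working copy, re-verify both."""
    with tempfile.TemporaryDirectory() as d:
        evidence = os.path.join(d, "suspect_disk.bin")
        with open(evidence, "wb") as f:  # constructed stand-in for a raw device
            f.write(b"\x00" * 4096 + b"EVIDENCE: deleted_mail.txt" + os.urandom(8192))
        master = os.path.join(d, "suspect_disk.dd")
        digest = acquire_image(evidence, master)
        work = make_working_copy(master, os.path.join(d, "work.dd"), digest)
        with open(work, "r+b") as f:  # analysis tooling "accidentally" writes a byte
            f.seek(4096)
            f.write(b"X")
        result = {
            "master_intact": sha256_file(master) == digest,
            "working_copy_intact": sha256_file(work) == digest,
        }
        os.chmod(master, 0o644)  # allow the temporary directory to be removed
        return result


if __name__ == "__main__":
    print(demo())
```

The recorded digest is what an investigator later presents to show that the data examined is the data that was seized; any single-byte change, as the damaged working copy shows, changes the digest completely.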

The best thing to do when you become the victim of an attack is to call the local authorities. While the concept of computer crime is still new, many police forces have a trained staff member, or at least can put you in contact with someone who can provide you with proper advice.

InformIT Articles and Sample Chapters

In "What to Do After the Break-in: Preparing an Incident Report for Law Enforcement," Kyle Cassidy walks you through the steps to take to ensure your best chance of a successful case. In short, this article discusses what to do when an intrusion is detected, how to contact authorities, and how to stay involved with local law-enforcement groups.

"The Art and Practice of Testifying as an Expert Technical Witness" is a sample chapter from A Guide to Forensic Testimony: The Art and Practice of Presenting Testimony As An Expert Technical Witness (Addison-Wesley, 2002, ISBN 0201752794), by Fred Chris Smith and Rebecca Gurley Bace. In this chapter, the authors provide a look at the importance of serving as a witness. Using Bill Gates' testimony as an example, this chapter illustrates what to do and what not to do when in court.

Books and e-Books

Protect Your Digital Privacy! Survival Skills for the Information Age (Que, 2001, ISBN 0789726041), by Glee Harrah Cady and Pat McGregor, provides a clear discussion of legal issues surrounding the use of digital devices. Focused on the user's legal rights, this book includes a complete section on laws as they apply to privacy and what that means in today's world. (Preview this book on Safari)

Incident Response: A Strategic Guide to Handling System and Network Security Breaches (New Riders, 2001, ISBN 1578702569), by Eugene E. Schultz and Russell Shumway, provides a look at what to do when information system security is breached. From the legal responsibilities of the business to the forensics involved in collecting evidence, this book gives you the information you need to build an effective incident-response strategy. (Preview this book on Safari)

Physical Security

"The Physical Security domain addresses threats, vulnerabilities, and countermeasures that can be utilized to physically protect an enterprise's resources and sensitive information. These resources include people; the facility in which they work; and the data, equipment, support systems, media, and supplies they utilize." —Common Body of Knowledge study guide

Too often, information systems are protected only from remote attackers. In other words, a company feels safe if it installs a firewall and intrusion-detection system, and monitors the log files of local network users. What administrators often forget is that an information system is a physical device that can be accessed directly—without a computer or network connection. This is where physical security policies come into play.

In many ways, physical security is very similar to information security. You have to assess the items that need protection, determine how they can be accessed, create protections and controls for these access methods, and then enforce and audit users as they operate the devices.

There are five main assets that need protection:

  • Facility

  • Supporting infrastructure (power, water, etc.)

  • Physical hardware

  • Supplies and consumables

  • People

Each of these items has its own set of threats—some global (such as fire) and some related directly to the asset (such as theft). Using these threats as a guideline, a physical site should be selected and built according to a proper design.

There are many parts to a secure site. These include the actual location, which should be free of natural threats such as floods, fire, hurricanes, and so on (to the extent possible for a given geographic location). In addition, it's best to choose a location that is set apart from areas of high crime or civil unrest, where theft or rioting could impact security. Building type, age, location, size, material, and door/window count are also important. Each offers its own risk to the security equation, and must be addressed to ensure maximum threat reduction (for example, more doors equal more locks that have to be checked). The supporting infrastructure must be augmented with uninterruptible power supplies, fire extinguishers, air conditioning, and more as required to minimize assessed risks.

Once the basic structure is selected, the proper controls need to be installed. These include identification screening using swipe cards, PINs, biometrics, or a human guard (to name a few options). In addition, proper controls must be placed on all components that leave a site. More than one business has fallen prey to attack as a result of what an attacker found in a trash can. Finally, a site should have some form of physical intrusion-detection to keep dishonest people from having direct access to the information-system hardware or supporting equipment. Unfortunately, even with all the proper precautions and controls in place, a site's physical security can never be 100% guaranteed—think about a natural disaster or a corrupt system administrator.
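Swipe-card readers produce logs, and the "enforce and audit" half of physical security lives in those logs. The following is an added example written for this guide, not code from the article or from any access-control product: it audits a constructed badge-reader log for two indicators a facilities team typically watches for, an entry by a badge the reader already believes is inside (which means someone left without badging out, or the credential is being used twice, i.e. a tailgating or cloning indicator) and an entry outside business hours by a badge that has no after-hours authorization. The CSV layout, the badge numbers, the business-hours window and the authorization list are all assumptions for the example.

```python
import csv
import io
from datetime import datetime, time

# Constructed badge-reader log (not from any real system). B2002 badges in
# twice without badging out; B3003 enters the server room late at night.
SAMPLE_BADGE_LOG = """timestamp,badge,door,direction
2003-05-23T08:02:11,B1001,server-room,in
2003-05-23T08:45:30,B1001,server-room,out
2003-05-23T09:10:05,B2002,server-room,in
2003-05-23T09:12:40,B2002,server-room,in
2003-05-23T22:15:00,B3003,server-room,in
2003-05-23T22:40:12,B3003,server-room,out
"""

# Example assumptions: who may enter outside business hours, and what those hours are.
AFTER_HOURS_AUTHORIZED = {"B1001"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def audit_badge_log(csv_text, authorized=AFTER_HOURS_AUTHORIZED, hours=BUSINESS_HOURS):
    """Replay reader events per (badge, door) and report policy violations.

    'anti_passback': an 'in' while the badge is already recorded as inside,
                     or an 'out' while it is recorded as outside.
    'after_hours':   an 'in' outside business hours by an unauthorized badge."""
    inside = {}  # (badge, door) -> True if the last event was an entry
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        key = (row["badge"], row["door"])
        entering = row["direction"] == "in"
        if entering == inside.get(key, False):  # state did not flip: sequence error
            alerts.append({"type": "anti_passback", "badge": row["badge"],
                           "door": row["door"], "direction": row["direction"], "ts": ts})
        inside[key] = entering
        in_hours = hours[0] <= ts.time() < hours[1]
        if entering and not in_hours and row["badge"] not in authorized:
            alerts.append({"type": "after_hours", "badge": row["badge"],
                           "door": row["door"], "ts": ts})
    return alerts


def still_inside(csv_text):
    """Badges the readers believe are still in a door's protected area at end of log."""
    inside = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        inside[(row["badge"], row["door"])] = row["direction"] == "in"
    return sorted(badge for (badge, _door), is_in in inside.items() if is_in)


if __name__ == "__main__":
    for a in audit_badge_log(SAMPLE_BADGE_LOG):
        print(a)
    print("still inside:", still_inside(SAMPLE_BADGE_LOG))
```

The anti-passback check needs readers on both sides of the door; with an exit-on-push door the "out" events are never recorded and every second entry would look like a violation, which is the user-acceptance trade-off the note below is getting at. The `still_inside` roll-up is the list a guard would reconcile against the room at the end of a shift.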

NOTE

A major consideration in deploying physical security mechanisms is user acceptance of those measures. If the people won't go along with it, it's not going to work.

InformIT Articles and Sample Chapters

In "Security Issues and Solutions Part 4: Physical Security and Auditing," Mark Walla and Robert Williams provide a good overview of the many aspects of physical security. From backup security to prevention of physical access to core systems, this article provides many informative tips.

The sample chapter "Physical Security" from Sams Teach Yourself Linux Security Basics in 24 Hours (Sams, 2001, ISBN 0672320916), by Aron Hsiao, discusses the realm of security that lies outside the direct control of the information system. It provides a look at why physical security is important, the importance of location, auditing, and more.

Books and e-Books

Designing Network Security (Cisco Press, 1999, ISBN 1578700434), by Merike Kaeo, offers a practical approach to the implementation of secure network design. While not dedicated to the sole subject of physical security, this book does include a section that discusses physical security issues and how to implement them. (Preview this book on Safari)

Summary of CBK Definitions

This short overview of information security as defined by the CBK is only the beginning of the subject. Many books are available that go much deeper into the domain method of defining security, but even these barely scratch the surface. You can find book upon book relating to other aspects of security—wireless networking (part of the telecommunication domain), proper program procedures (part of the application domain), and so on.

Many certifications also test the professional's level of knowledge. The most popular security certification, the CISSP, focuses on the CBK and tests the professional's level of understanding of information security. Another popular certification is the Global Information Assurance Certification (GIAC), which is backed by SANS, recognized as one of the more prestigious training organizations in the infosec community.

However, there are other methods of defining security, which brings us to the next section of this overview.