CISSP - Certified Information Systems Security Professional Study Guide, 2nd Edition (2004)


Exam Essentials

replaced the Serial Line Internet Protocol (SLIP). SLIP offered no authentication, supported only half-duplex communications, had no error detection capabilities, and required manual link establishment and teardown.

Understand common characteristics of security controls. Security controls should be transparent to users. Hash totals and CRC checks can be used to verify message integrity. Record sequences are used to ensure sequence integrity of a transmission. Transmission logging helps detect communication abuses.

Understand how e-mail security works. Internet e-mail is based on SMTP, POP3, and IMAP. It is inherently insecure. It can be secured, but the methods used must be addressed in a security policy. E-mail security solutions include using S/MIME, MOSS, PEM, or PGP.

Know how fax security works. Fax security is primarily based on using encrypted transmissions or encrypted communication lines to protect the faxed materials. The primary goal is to prevent interception. Activity logs and exception reports can be used to detect anomalies in fax activity that could be symptoms of attack.

Know the threats associated with PBX systems and the countermeasures to PBX fraud. Countermeasures to PBX fraud and abuse include many of the same precautions you would employ to protect a typical computer network: logical or technical controls, administrative controls, and physical controls.

Recognize what a phreaker is. Phreaking is a specific type of hacking or cracking in which various types of technology are used to circumvent the telephone system to make free long-distance calls, to alter the function of telephone service, to steal specialized services, or even to cause service disruptions. Common tools of phreakers include black, red, blue, and white boxes.

Understand voice communications security. Voice communications are vulnerable to many attacks, especially as voice communications become an important part of network services. Confidentiality can be obtained through the use of encrypted communications. Countermeasures must be deployed to protect against interception, eavesdropping, tapping, and other types of exploitation.

Be able to explain what social engineering is. Social engineering is a means by which an unknown person gains the trust of someone inside of your organization by convincing employees that they are, for example, associated with upper management, technical support, or the help desk. The victim is often encouraged to make a change to their user account on the system, such as reset their password. The primary countermeasure for this sort of attack is user training.

Explain the concept of security boundaries. A security boundary can be the division between one secured area and another secured area. It can also be the division between a secured area and an unsecured area. Both must be addressed in a security policy.

Understand the various attacks and countermeasures associated with communications security. Communication systems are vulnerable to many attacks, including eavesdropping, impersonation, replay, modification, and ARP attacks. Be able to list effective countermeasures for each.
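The integrity and sequencing controls listed in the essentials above (hash totals and CRC checks, record sequences) and the modification and replay attacks named in the last item can be shown side by side. The following Python is an added example written for this page, not code from the study guide; the record layout, the shared key, and the sample payloads are all constructed for the demonstration. It shows why a CRC is an error-detection control rather than an anti-tampering one: an attacker who changes the payload simply recomputes the CRC, whereas a keyed hash (HMAC) cannot be recomputed without the key, and a strictly checked sequence number rejects a replayed record even though its tag is genuine.

```python
import hashlib
import hmac
import struct
import zlib

# Wire format assumed for this example (not a format from the study guide):
#   seq (4-byte big-endian counter) | payload | tag
# The tag is either a CRC-32 (4 bytes), which detects accidental corruption,
# or an HMAC-SHA256 (32 bytes), which also detects deliberate modification
# because an attacker without the key cannot produce a valid tag.

KEY = b"demo-key-shared-out-of-band"  # constructed secret, stands in for a provisioned key
CRC_LEN, MAC_LEN = 4, 32


def crc_record(seq: int, payload: bytes) -> bytes:
    body = struct.pack(">I", seq) + payload
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def hmac_record(seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    body = struct.pack(">I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def _check_stream(records, tag_len, tag_ok, expected_seq):
    """Accept records whose tag verifies AND whose sequence number is the next one expected.

    Returns (accepted_payloads, rejected), where rejected is a list of (seq, reason).
    A seq lower than expected is a replay; a higher one means a record was dropped or reordered.
    """
    accepted, rejected = [], []
    for rec in records:
        if len(rec) < 4 + tag_len:
            rejected.append((None, "truncated"))
            continue
        body, tag = rec[:-tag_len], rec[-tag_len:]
        seq = struct.unpack(">I", body[:4])[0]
        if not tag_ok(body, tag):
            rejected.append((seq, "bad tag"))
            continue
        if seq != expected_seq:
            rejected.append((seq, "replay" if seq < expected_seq else "gap"))
            continue
        accepted.append(body[4:])
        expected_seq += 1
    return accepted, rejected


def verify_crc_stream(records, expected_seq=0):
    def tag_ok(body, tag):
        return struct.unpack(">I", tag)[0] == (zlib.crc32(body) & 0xFFFFFFFF)
    return _check_stream(records, CRC_LEN, tag_ok, expected_seq)


def verify_hmac_stream(records, key=KEY, expected_seq=0):
    def tag_ok(body, tag):
        # constant-time comparison so the verifier does not leak how many tag bytes matched
        return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag)
    return _check_stream(records, MAC_LEN, tag_ok, expected_seq)


def attacker_rewrites_crc_record(record: bytes, new_payload: bytes) -> bytes:
    """An active attacker who can change the payload can recompute the CRC: it involves no secret."""
    seq = struct.unpack(">I", record[:4])[0]
    return crc_record(seq, new_payload)


def attacker_rewrites_hmac_record(record: bytes, new_payload: bytes) -> bytes:
    """Without the key the attacker can only splice in a new payload and reuse the old tag."""
    return record[:4] + new_payload + record[-MAC_LEN:]


def demo():
    # Constructed sample traffic: three application records in order.
    msgs = [b"debit 10", b"credit 5", b"debit 3"]
    crc_stream = [crc_record(i, m) for i, m in enumerate(msgs)]
    mac_stream = [hmac_record(i, m) for i, m in enumerate(msgs)]

    # Line noise: a single flipped bit in the payload is caught by the CRC.
    noisy = bytearray(crc_stream[0])
    noisy[5] ^= 0x01
    # Modification: the attacker rewrites record 1 in each stream.
    crc_mod = [crc_stream[0], attacker_rewrites_crc_record(crc_stream[1], b"credit 500"), crc_stream[2]]
    mac_mod = [mac_stream[0], attacker_rewrites_hmac_record(mac_stream[1], b"credit 500"), mac_stream[2]]
    # Replay: the attacker re-sends a valid old record after the stream has moved on.
    mac_replay = mac_stream + [mac_stream[0]]

    return {
        "honest_hmac_accepted": len(verify_hmac_stream(mac_stream)[0]),
        "crc_catches_noise": verify_crc_stream([bytes(noisy)])[1] == [(0, "bad tag")],
        "crc_accepts_forgery": b"credit 500" in verify_crc_stream(crc_mod)[0],
        "hmac_rejects_forgery": (1, "bad tag") in verify_hmac_stream(mac_mod)[1],
        "hmac_rejects_replay": verify_hmac_stream(mac_replay)[1] == [(0, "replay")],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that the sequence check is strict (the next record must be exactly expected_seq); a real protocol over a lossy link would usually tolerate gaps with a window and log them, but it must still never accept a sequence number it has already consumed.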

Chapter 4 Communications Security and Countermeasures

Review Questions

1. Which of the following is not true?
A. Tunneling employs encapsulation.
B. All tunneling uses encryption.
C. Tunneling is used to transmit data over an intermediary network.
D. Tunneling can be used to bypass firewalls, gateways, proxies, or other traffic control devices.

2. Tunnel connections can be established over all except for which of the following?
A. WAN links
B. LAN pathways
C. Dial-up connections
D. Stand-alone systems

3. What do most VPNs use to protect transmitted data?
A. Obscurity
B. Encryption
C. Encapsulation
D. Transmission logging

4. Which of the following is not an essential element of a VPN link?
A. Tunneling
B. Encapsulation
C. Protocols
D. Encryption

5. Which of the following cannot be linked over a VPN?
A. Two distant LANs
B. Two systems on the same LAN
C. A system connected to the Internet and a LAN connected to the Internet
D. Two systems without an intermediary network connection

6. Which of the following is not a VPN protocol?
A. PPTP
B. L2F
C. SLIP
D. IPSec

7. Which of the following VPN protocols do not offer encryption? (Choose all that apply.)
A. L2F
B. L2TP
C. IPSec
D. PPTP

8. At which OSI model layer does the IPSec protocol function?
A. Data Link
B. Transport
C. Session
D. Network

9. Which of the following is not defined in RFC 1918 as one of the private IP address ranges that are not routed on the Internet?
A. 169.172.0.0–169.191.255.255
B. 192.168.0.0–192.168.255.255
C. 10.0.0.0–10.255.255.255
D. 172.16.0.0–172.31.255.255

10. Which of the following is not a benefit of NAT?
A. Hiding the internal IP addressing scheme
B. Sharing a few public Internet addresses with a large number of internal clients
C. Using the private IP addresses from RFC 1918 on an internal network
D. Filtering network traffic to prevent brute force attacks

11. A significant benefit of a security control is when it goes unnoticed by users. What is this called?
A. Invisibility
B. Transparency
C. Diversion
D. Hiding in plain sight

12. When you’re designing a security system for Internet-delivered e-mail, which of the following is least important?
A. Nonrepudiation
B. Availability
C. Message integrity
D. Access restriction

13. Which of the following is typically not an element that must be discussed with end users in regard to e-mail retention policies?
A. Privacy
B. Auditor review
C. Length of retainer
D. Backup method

14. What is it called when e-mail itself is used as an attack mechanism?
A. Masquerading
B. Mailbombing
C. Spoofing
D. Smurf attack

15. Why is spam so difficult to stop?
A. Filters are ineffective at blocking inbound messages.
B. The source address is usually spoofed.
C. It is an attack requiring little expertise.
D. Spam can cause denial of service attacks.

16. Which of the following security mechanisms for e-mail can provide two types of messages: signed and enveloped?
A. PEM
B. PGP
C. S/MIME
D. MOSS

17. In addition to maintaining an updated system and controlling physical access, which of the following is the most effective countermeasure against PBX fraud and abuse?
A. Encrypting communications
B. Changing default passwords
C. Using transmission logs
D. Taping and archiving all conversations

18. Which of the following can be used to bypass even the best physical and logical security mechanisms to gain access to a system?
A. Brute force attacks
B. Denial of service
C. Social engineering
D. Port scanning

19. Which of the following is not a denial of service attack?
A. Exploiting a flaw in a program to consume 100 percent of the CPU
B. Sending malformed packets to a system, causing it to freeze
C. Performing a brute force attack against a known user account
D. Sending thousands of e-mails to a single address

20. Which of the following is not a direct preventative countermeasure against impersonation?
A. Kerberos
B. One-time pads
C. Transaction logging
D. Session sequencing


Answers to Review Questions

1. B. Tunneling does not always use encryption. It does, however, employ encapsulation, is used to transmit data over an intermediary network, and is able to bypass firewalls, gateways, proxies, or other traffic control devices.

2. D. A stand-alone system has no need for tunneling because no communications between systems are occurring and no intermediary network is present.

3. B. Most VPNs use encryption to protect transmitted data. In and of themselves, obscurity, encapsulation, and transmission logging do not protect data as it is transmitted.

4. D. Encryption is not necessary for the connection to be considered a VPN, but it is recommended for the protection of that data.

5. D. An intermediary network connection is required for a VPN link to be established.

6. C. SLIP is a dial-up connection protocol, a forerunner of PPP. It is not a VPN protocol.

7. A, B. Layer 2 Forwarding (L2F) was developed by Cisco as a mutual authentication tunneling mechanism. However, L2F does not offer encryption. L2TP also lacks built-in encryption; in practice it is paired with IPSec (L2TP/IPSec) to supply confidentiality.

8. D. IPSec operates at the Network layer (layer 3).

9. A. The address range 169.172.0.0–169.191.255.255 is not one of the private IP address ranges defined in RFC 1918; those are 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.

10. D. NAT does not protect against nor prevent brute force attacks.

11. B. When transparency is a characteristic of a service, security control, or access mechanism, it is unseen by users.

12. B. Although availability is a key aspect of security in general, it is the least important aspect of security systems for Internet-delivered e-mail.

13. D. The backup method is not an important factor to discuss with end users regarding e-mail retention.

14. B. Mailbombing is the use of e-mail as an attack mechanism. Flooding a system with messages causes a denial of service.

15. B. It is often difficult to stop spam because the source of the messages is usually spoofed.

16. C. Two types of messages can be formed using S/MIME: signed messages and enveloped messages. A signed message provides integrity and sender authentication. An enveloped message provides confidentiality; to obtain integrity and sender authentication as well, a message is signed and then enveloped.

17. B. Changing default passwords on PBX systems provides the most effective increase in security.

18. C. Social engineering can often be used to bypass even the most effective physical and logical controls. Whatever the actual activity is that the attacker convinces the victim to perform, it is usually directed toward opening a back door that the attacker can use to gain access to the network.

19. C. A brute force attack is not considered a DoS.

20. C. Transaction logging is a detective countermeasure, not a preventative one.

Chapter 5 Security Management Concepts and Principles

THE CISSP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:

Security Management Concepts and Principles

Protection Mechanisms

Change Control/Management

Data Classification

The Security Management Practices domain of the Common Body of Knowledge (CBK) for the CISSP certification exam deals with the common elements of security solutions. These include elements essential to the design, implementation, and administration of security mechanisms. This domain is discussed in this chapter and in Chapter 6, “Asset Value, Policies, and Roles.” Be sure to read and study the materials from both chapters to ensure complete coverage of the essential material for the CISSP certification exam.

Security Management Concepts and Principles

Security management concepts and principles are inherent elements in a security policy and solution deployment. They define the basic parameters needed for a secure environment. They also define the goals and objectives that both policy designers and system implementers must achieve to create a secure solution. It is important for real-world security professionals, as well as CISSP exam students, to understand these items thoroughly.

The primary goals and objectives of security are contained within the CIA Triad. The CIA Triad is the name given to the three primary security principles: confidentiality, integrity, and availability. Security controls must address one or more of these three principles. Security controls are typically evaluated on whether or not they address all three of these core information security tenets. Vulnerabilities and risks are also evaluated based on the threat they pose against one or more of the CIA Triad principles. Thus, it is a good idea to be familiar with these principles and use them as guidelines and measuring sticks against which to judge all things related to security.

These three principles are considered the most important within the realm of security. However, how important each is to a specific organization depends upon the organization’s security goals and requirements and on the extent to which its security might be threatened.

Confidentiality

The first principle from the CIA Triad is confidentiality. If a security mechanism offers confidentiality, it offers a high level of assurance that data, objects, or resources are not exposed to unauthorized subjects. If a threat exists against confidentiality, there is the possibility that unauthorized disclosure could take place.
