CISSP Security Certification:
A Slightly Skeptical View


CISSP stands for Certified Information Systems Security Professional. The certification is issued by the International Information Systems Security Certification Consortium, (ISC)2 (www.isc2.org).

This is a "one inch deep and a mile wide" type of exam: 250 multiple-choice questions in 6 hours. That means a little less than 1.5 minutes per question. But I think that for those three areas where you really feel strong, a rational estimate would be 10 seconds per question, while in the other areas a difficult question can take up to 5 minutes just to make an educated guess. Like many multiple-choice exams in a dynamic field, CISSP is by definition a very immature exam. I do not know about the exam itself, as I never tried it, but one reviewer on Amazon claims that it is improving (see a review of the All-in-One CISSP Certification Exam book for more information). But a priori you can expect a lot of questions that are "strange", as well as "normal" questions that might have really strange "right" answers.

That means that you need to develop the right exam strategy. You need to work on it, and there is no substitute for planning how you take the exam. I will give just a couple of tips:

A dozen books exist to prepare for this exam. See Recommended Books. You probably need two or three books to prepare for the exam, although many people who wrote reviews of the CISSP-related books on Amazon claimed that for them one was enough. Almost any of them will introduce you to (ISC)2's unique vocabulary (which is perhaps the most important aspect of the test). Over 80% of the terms and concepts you need to learn are presented in Recommended Books.

Make appointments with yourself for study time (i.e., in your daytimer) so that it is clear to you when you are doing well or shirking your study responsibilities. Study appointments may be among the most important that you ever make and keep, since they very much determine your career. The key is to focus your efforts. You have only so much time, and there is a lot of partially dull, partially useless stuff. Motivate yourself by taking as many tests as possible. Use our FREE CISSP Diagnostic Tests to determine the areas where you need to work, if any...

All in all, this is a typical multiple-choice style exam, although a long one. No news here.

The exam covers 10 main domains of knowledge. Each domain includes a dozen or so subtopics. Some topics are artificially divided (for example, access control and security models); some are pretty eclectic. The core topic is operational security. As one reader put it in an Amazon review: "I should have studied operational security more than I did."

A lot of subtopics are based on outdated content and, while omitting vital information, pay undue attention to obscure, useless subtopics that happen to be perfectly suitable for multiple-choice questions :-). Security Architecture & Models is a good example here.

As one can easily guess, the networking part of the exam pays a pretty high level of attention to the obsolete ISO/OSI model :-). Be prepared to review all those partially meaningless layers and understand the differences between them.

Still, those guys were the first, and despite new entries to the field CISSP still remains the most influential security certification brand name. Some weaknesses of the exam are generic: not only this one, but most such exams are questionable and often deteriorate into an exercise in memorizing obscure things. But at least they check the ability to memorize those obscure and useless things, so complete dummies and PHBs might have some difficulty passing the test ;-) Also, a security certification should not be the end but only the beginning of your security education. As is the case with Microsoft and Cisco certifications, there will always be quite a lot of completely clueless CISSP professionals around ;-)

As one of the Amazon reviewers of the CISSP All-in-One Exam Guide aptly put it:

The CISSP exam is immature; that is, many of the questions appear convoluted for the sake of being obtuse. I doubt seriously if your score on this exam correlates to your true ability. That said, it is a necessary benchmark of a very broad subject.

Please be aware that a lot of questions are connected not with computer security but with physical security issues and Security Management Practices. As far as I can tell, CISSP is loosely modeled on the CPA exam, but they are still afraid to add the second day :-). For more information visit the AICPA's CPA exam section here or here.

(ISC)2 offers a draft Study Guide which contains just updated descriptions of the ten test domains. You need to get it to understand the scope of the exam better. It is available from www.isc2.org (you need to register).

To become a CISSP, you also must subscribe to the (ISC)2 Code of Ethics and already have three years of direct work experience in the field. The exam currently costs $450...

You need to pay an annual membership fee to maintain the CISSP. A CISSP can only maintain certification by earning 120 CPE (continuing professional education) credits over a three-year recertification period. If we are talking about educational courses this is impossible (counting 2 credits per 5-day course and two courses per year, you can expect around 4*3=12 credits), but there is the loophole of conference attendance. Two-thirds (80 CPEs) must be earned in activities directly related to the information systems security profession, and up to one third (40 CPEs) may be earned in other educational activities that enhance the CISSP's overall professional skills, knowledge, and competency.

In addition to paying an annual maintenance fee and subscribing to the Code of Ethics, a CISSP or SSCP must earn continuing professional education credits every three years, or retake the certification examination. CPE credits are earned by performing activities largely related to the information systems security profession, including, but not limited to, the following:


Old News

A Comment on the "Basic Security Theorem" of Bell and LaPadula -- a nice critique

Coverage

The exam covers almost a dozen topics:

Security Management Practices

Security management entails the identification of an organization's information assets and the development, documentation, and implementation of policies, standards, procedures, and guidelines.

Management tools such as data classification and risk assessment/analysis are used to identify threats, classify assets, and to rate system vulnerabilities so that effective controls can be implemented.

Security Architecture and Models

The Security Architecture and Models domain contains the concepts, principles, structures, and standards used to design, monitor, and secure operating systems, equipment, networks, applications and those controls used to enforce various levels of availability, integrity, and confidentiality.

Access Control Systems and Methodology

Access controls are a collection of mechanisms that work together to create a security architecture to protect the assets of the information system.

Application Development Security

This domain addresses the important security concepts that apply to application software development. It outlines the environment where software is designed and developed and explains the critical role software plays in providing information system security.

Operations Security

Operations Security is used to identify the controls over hardware, media, and the operators and administrators with access privileges to any of these resources. Audit and monitoring are the mechanisms, tools, and facilities that permit the identification of security events and subsequent actions to identify the key elements and report the pertinent information to the appropriate individual, group, or process.

Physical Security

The physical security domain provides protection techniques for the entire facility, from the outside perimeter to the inside office space, including all of the information system resources.

Cryptography

The cryptography domain addresses the principles, means, and methods of disguising information to ensure its integrity, confidentiality and authenticity.

Telecommunications, Network, and Internet Security

The telecommunications, network, and Internet security domain discusses the:

Business Continuity Planning

The Business Continuity Plan (BCP) domain addresses the preservation and recovery of business operations in the event of outages.

Law, Investigations, and Ethics

The Law, Investigations, and Ethics domain addresses:

Even though the curriculum and CBK were developed in the United States, the material does not boast a definite US flavor. In fact, the material, as well as the exam, focuses on international issues.


CISSP Speak

Judging from the content of CISSP preparation books and tests, a lot of the questions on the CISSP exam test your vocabulary (how well you understand the meaning of words) in some form. Correspondingly, there is no quicker way to improve your CISSP scores than to improve your vocabulary. I know that is boring and has little or no practical value, but this is the way the game is played.

Refreshing your networking skills

 


Recommended Links

CCCure -- a very nice site with a lot of useful material and several tests.

(ISC)2 CERTIFICATION ONLINE STUDY GUIDES -- here you can submit a request for the study guide.

CS4601 Computer Security -- excellent set of slides

Introduction to Computer Security -- nice set of lectures

Lectures

NIAP - NATIONAL INFORMATION ASSURANCE PARTNERSHIP ®

SC-80 Security Home Page The mission of the Security Management Program in the Office of Science is to assure the adequate protection of information and assets while maintaining the openness and integrity that is necessary to foster the advancement of basic science and technological innovation.

Cissp.com The web portal for the certified information systems security professionals -- almost no useful info except resource page and (questionable :-) 15 question exam practice. The book that they sell is definitely overpriced ;-)

Boson Software Practice Tests for Certified Information Security Systems Professional (CISSP) Test #1, #2 & #3 -- each demo includes 12 sample questions.

Cert21.com - available practice exams -- free test. Registration required.

CISSP -- 40 questions

Reference

INCITS, InterNational Committee for Information Technology Standards

TECS The Encyclopedia of Computer Security


Recommended Articles

CHACS PUBLICATIONS

Landwehr, C.E., C. L. Heitmeyer, and J. D. McLean, "A security model for military message systems: retrospective," Proceedings 17th Annual Computer Security Applications Conference (ACSAC '01), pp. 174-190, 10-14 Dec 2001. PDF

Originally published in the 1984 ACM Transactions on Computer Systems, this paper was republished in 2001 as a "classic paper" in computer security. The Introduction to the Classic Papers by Dan Thomsen of Secure Computing Corporation (ACSAC '01 Proceedings, p. 161) states that because computer security is a "relatively new field that spans a wide range of topics", the question is how to sort through computer security history to find the data needed by computer security practitioners when they are "swamped with just the data published in the past year." The answer, according to Thomsen, is "to dust off papers that influenced security thought and print them again." In addition to republishing their papers, the authors of the three selected papers were asked to update their papers, place them in historical perspective, and describe what happened to the work after publication. This paper deals with a basic component of computer security: application-specific security policies.

Generally Accepted System Security Principles Ver 1.0 (GASSP)

Handbook of Information Security Management Access Control

Preparing for the CISSP exam, Part 1, 03-21-01

"How does the CISSP compare to the [Systems Security Certified Practitioner] in terms of the exam itself and the relative weight/importance of the certification?"

Both are useful stages in professional development. Visit the International Information Systems Security Certification Consortium (ISC)2 Web site - http://www.isc2.org/ - where you will find a wealth of material about the CISSP and the SSCP.

The SSCP is more hands-on and limited to technical issues. According to the description at https://www.isc2.org/sscp_examover.html: "The International Information Systems Security Certification Consortium, or (ISC)2, working with a professional testing service, has developed a certification examination based on the SSCP Common Body of Knowledge (CBK). Candidates have up to 3 hours to complete the examination which consists of multiple-choice questions that address the seven topical test domains of the CBK. The information systems security test domains are:

* Access Control.

* Administration.

* Audit and Monitoring.

* Risk, Response, and Recovery.

* Cryptography.

* Data Communications.

* Malicious Code."

In contrast, the CISSP is deliberately designed to cover a wide range of topics that distinguish information security experts from other kinds of IT experts. As described at https://www.isc2.org/cissp_examover.html: "Candidates have up to 6 hours to complete the examination which consists of 250 multiple-choice questions that address the [10] topical test domains of the CBK. The information systems security test domains are:

* Access Control Systems & Methodology.

* {Computer} Operations Security.

* Cryptography.

* Application & Systems Development.

* Business Continuity & Disaster Recovery Planning.

* Telecommunications & Network Security.

* Security Architecture & Models.

* Physical Security.

* Security Management Practices.

* Law, Investigations & Ethics."

Pritsky also asked:

"What can you tell me about the exam itself? A lot of questions? Evenly distributed amongst the 10 domains? Multiple choice? Hands-on? I don't really know what to expect."

CISSPs and all who take the exam are under nondisclosure agreement not to divulge the detailed content. See sample questions on the (ISC)2 Web site.

In the next segment of this three-part series, I will look at useful reading for future CISSPs.

Sample Questions

Should you take the CISSP exam? By Richard Power. Reprinted from the March 1997 issue of Computer Security Institute's monthly newsletter, Computer Security Alert.

Do you consider yourself an information security professional? Have you been working as an information security practitioner for at least three years? Are you going to attempt to make a career out of information security? You should seriously consider seeking certification as a Certified Information Systems Security Professional (CISSP). Even if information security is only part of your overall job description or career path, you should probably seek certification. CISSP certification is only available to those qualified candidates who successfully pass the examination created by the International Information Systems Security Certification Consortium (ISC)2. The consortium is supported by Computer Security Institute (CSI), Information Systems Security Association (ISSA), Canadian Information Processing Society (CIPS), and other reputable industry presences. The CISSP exam is built from a pool of 1,200 multiple choice questions based on a Common Body of Knowledge (CBK), consisting of ten test domains, for example, access control, risk management, application program security, etc.

Information security has reached center stage. The "1997 Information Security Staffing Levels and the Standard of Due Care" study conducted by CSI and Charles Cresson Wood of Baseline Software indicates that budgets for information security staffing are expected to rise 17.8% over the next year and that information security as a percentage of total employment has increased nearly 100% over the last seven years. Information security is rapidly gaining ground relative to related organizational functions like EDP audit, physical security and information systems. There are other strong indicators. Consider the remarks of Tracy A. Lenzner (Williamsville, NY), an independent executive search consultant who recently managed an aggressive recruitment campaign for one of the Big Six firms. "The information security market is very hot. I have never seen people going after one area so aggressively. It's because there are so few infosec professionals with real expertise. If you find people who really know what they're doing, they are worth their weight in gold. One week, I'm talking to candidates, the next week they have been contacted by four companies. And these aren't just little companies, these are the big guns going after everybody and anybody."

But there is also significant evidence that those who want to cash in on the information security Gold Rush will greatly benefit from having a CISSP designation on their resumes. CISSP is starting to show up in more and more job listings, and is typically listed as either "minimum requirement" or "a definite plus."

Does CISSP give you a competitive edge in the job market?

Will CISSP be more of a factor in the future? According to Lenzner, yes. "In the years ahead, there will be a greater demand for IT security as an integral part of corporate success. And therefore, there will be a greater demand for highly skilled, knowledge based expertise in security. CISSP certification is a distinctive indication of both technical and theoretical security expertise. Thus, CISSP certification will become an increasingly important factor in the near future."

Although certification is clearly an advantage on the job market, there are still only a handful of CISSP holders, as Lenzner explains. "As an executive recruiter engaging heavily in security recruitment, I do encounter CISSP holders. But I would say only 20% of the security professionals I speak with are CISSP-certified at this time."

What kind of difference could a CISSP certification make for job candidates?

Could it give them a significant edge over other candidates who don't have a CISSP certification?

"Absolutely! CISSP certification could potentially be a huge plus for candidates. Like many advanced degrees and certifications, CISSP is an additional asset that a candidate can possess, both from a competitive standpoint and in added value to the hiring company."

Consider the remarks of Satnam Purewal. Until recently, she was an information security professional at the University of British Columbia (Vancouver, BC). She took the CISSP exam and soon after was hired by Deloitte and Touche LLP as a Senior Computer Assurance Services (CAS) Specialist. Does she feel being a CISSP holder helped her in her recent job search?

"Yes. It's a great self marketing tool. I know the concepts, but a CISSP after my name says that a formal organization also believes that I know the material. There are certification bodies for engineers and accountants. These organizations enable employers to choose from a qualified group of people. Information system security is a critical function for any enterprise. Only qualified people should work on security. Computer security is more than just IDs and passwords. Security professionals must have working knowledge of policies, investigations, and laws. It was hard work. But it formalized the knowledge I obtained on the job."

How do you know if you are ready to take the test?

How can people evaluate whether or not they're ready to take the test? Purewal offers some tips. "People should take the self test in the CISSP Examination Study Guide available from (ISC)2. It will help you identify the areas were more learning is required. (ISC)2 asks for three years of experience. I seriously doubt anyone under three years of experience could pass the test anyway."

How would she suggest you prepare for the CISSP?

"Get hands on experience in as many areas of the Common Body of Knowledge as possible. Familiarize yourself with industry standards. An individual's knowledge should cover more than what technologies and practices are used at their own organization."

CISSP is approaching critical mass

Hal Tipton of HFT Associates (Villa Park, CA) is one of the scions of information security and a leading force in the Herculean effort to make the certification process a reality. Tipton was also the driving force in developing both the CISSP training course and study guide.

According to Tipton, there are over 700 CISSP holders. Approximately 400 have passed the exam, approximately 300 were "grandfathered" in at the beginning. "When we get a thousand or so certified people and there's a pool of people available, we'll see more headhunters and HR people insisting on CISSP as a qualification."

How big is the known universe of those who should take the test?

Tipton says it could be as many as 20,000. Clearly the high number involves many beyond those whose full-time job is information security. Among others Tipton cites as likely candidates to benefit from being a CISSP holder include network administrators, auditors and industrial security personnel. "A lot of small organizations might not be able to afford a full-time information security person, but they might be able to afford someone who is certified and double-hat the person with some other job. For example, a network administrator in an organization that cannot afford information security staff but has the need for security."

Tipton suggests that independent security consultants seek CISSP certification as well. "Some of the Big Six people really want you to have that CISSP designation. And for the smaller independent guys, it's a good way to win a contract. If you put in your proposal that you're CISSP-certified and the other bidders aren't, well, that's an advantage."

Why people fail and how you can avoid it

Of course, every silver lining is attached to a cloud. The CISSP exam is a straight pass or fail situation and some people do fall short. "The object of the certification process is not to fail people (we would like to have 90% pass), but it's all based on the curve set up by the testing service based on the group that have taken the exam in that particular period of time." Tipton cautions against going it alone.

"The people that have failed are those who didn't take the seminar and just did the review on their own. They're failing 'Physical Security,' 'Cryptography' and 'Law, Investigations and Ethics.' That makes a lot of sense. In the field, information security personnel usually don't have a lot of hands-on experience with physical security. It is usually left to the industrial security types. In regard to cryptography, most organizations weren't into crypto at all until recently. With the rise of the Internet, it is becoming a much more important issue. It shouldn't be too hard to guess why the test scores on "Law, Investigations and Ethics" are so low. Organizations simply don't report incidents."

Where and when to move forward

CSI will host Hal Tipton's all-day course "An Introduction to the CISSP Exam" at NetSec '97 (San Francisco, CA) on Sunday, June 8th. Later in the year, CSI will host the CISSP exam at the 24th Annual Computer Security Conference and Exhibition (Washington, DC) on Sunday, November 16th, 1997. For more information on the CISSP certification process and training materials, contact (ISC)2 via the World Wide Web at http://www.isc2.org, e-mail: [email protected], telephone: 508-842-7329 or fax: 508-842-6461.


Sample Tests

Information Security Magazine: Can You Top the Bar? By Mollie Krehnke and David Krehnke

MOLLIE KREHNKE, CISSP, is a computer security analyst at Lockheed Martin Energy Systems. DAVID KREHNKE, CISSP, is the program manager for ISC.

Information Security Magazine: CISSP Sample Examination. The paper also contains the answers to these questions.

I. Access Control Systems and Methodology
1. In a discretionary mode, who has delegation authority to grant access to information to other people?
a. User
b. Security officer
c. Group leader
d. Owner

2. An access system that grants users only those rights necessary for them to perform their work is operating on which security principle?
a. Discretionary access
b. Least privilege
c. Mandatory access
d. Separation of duties

3. The type of penetration testing used to discover whether numerous usercode/password combinations can be attempted without detection is called
a. Keystroke capturing
b. Access validation testing
c. Brute force testing
d. Accountability testing

II. Telecommunications & Network Security

4. Which of the following telecommunications media is MOST resistant to tapping?
a. Twisted pair
b. Coaxial
c. Shielded coaxial
d. Fiber optic

5. Which network topology passes all traffic through all active nodes?
a. Broadband
b. Hub and spoke
c. Baseband
d. Token ring

6. Layer 4 of the OSI stack is known as
a. The data link layer
b. The transport layer
c. The network layer
d. The presentation layer

III. Security Management
7. Which of the following represents an ALE calculation?
a. Gross loss expectancy x loss frequency
b. Asset value x loss expectancy
c. Total cost of loss + actual replacement value
d. Single loss expectancy x annualized rate of occurrence

8. Who is ultimately responsible for ensuring that information is categorized and that specific protective measures are taken?
a. Security officer
b. Management
c. Data owner
d. Custodian

9. What principle recommends the division of responsibilities so that one person cannot commit an undetected fraud?
a. Separation of duties
b. Mutual exclusion
c. Need to know
d. Least privilege

IV. Application & System Development Security

10. When a database error has been detected requiring a backing-out process, a mechanism that permits starting the process at designated places in the process is called
a. Restart
b. Reboot
c. Checkpoint
d. Journal

11. Which one of the following is an automated software product used to review security logs?
a. User profiling
b. Intrusion detection
c. System baselining
d. Access modeling

12. Which of the following is a malicious program, the purpose of which is to reproduce itself throughout the network utilizing system resources?
a. Logic bomb
b. Virus
c. Worm
d. Trojan horse

V. Cryptography

13. In what way does the Rivest-Shamir-Adleman algorithm differ from the Data Encryption Standard?
a. It is based on a symmetric algorithm.
b. It uses a public key for encryption.
c. It eliminates the need for a key-distribution center.
d. It cannot produce a digital signature.

14. The fact that it is easier to find prime numbers than to factor the product of two prime numbers is fundamental to what kind of algorithm?
a. Symmetric key
b. Asymmetric key
c. Secret key
d. Stochastic key

15. The Data Encryption Algorithm performs how many rounds of substitution and permutation?
a. 4
b. 16
c. 54
d. 64

VI. Security Architecture & Models
16. At which ITSEC or TCSEC class is design verification first required?
a. F5 or A1
b. F3 or B1
c. F2 or C2
d. F1 or C1

17. What software flaw allows stack overflows and other memory-bound attacks to succeed?

a. Inadequate confinement properties.
b. Compartmentalization not enforced.
c. Insufficient parameter checking.
d. Applications execute in privileged mode.

18. Between-the-lines, line disconnects, interrupt and NAK attacks are all examples of exploits related to
a. System data channel
b. System timing (TOC/TOU)
c. System bounds checking
d. Passive monitoring

VII. Operations Security
19. Why are unique user IDs critical in the review of audit trails?
a. They show which files were altered.
b. They establish individual accountability.
c. They cannot be easily altered.
d. They trigger corrective controls.

20. An e-mail gateway that does not restrict the reception of e-mail to a known set of addresses can be used by a hacker for
a. Spamming attacks
b. NAK attacks
c. Exhaustive attacks
d. Spoofing attacks

21. Which of the following is an example of an operations security attack that is designed to cause the system, or a portion of the system, to cease operations?
a. Ping of Death
b. Brute force
c. Satan attack
d. Back door

VIII. Business Continuity Planning (BCP) & Disaster Recovery Planning (DRP)
22. Which of the following criteria should be met by off-site storage protection for media backup?
a. The storage site should be located at least 15 miles from the main site.
b. The storage site should be easily accessible during working hours.
c. The storage site should always be protected by an armed guard.
d. The storage site should guard against unauthorized access.

23. Which of the following best describes remote journaling?
a. Send hourly tapes containing transactions off-site.
b. Send daily tapes containing transactions off-site.
c. Real-time capture of transactions to multiple storage devices.
d. The electronic forwarding of transactions to an off-site facility.

IX. Law, Investigations & Ethics
24. Computer-generated evidence is not considered reliable because it is
a. Stored on volatile media
b. Too complex for jurors to understand
c. Seldom comprehensive enough to validate
d. Too difficult to detect electronic tampering

25. Before powering off a computer system, the computer crime investigator should record the contents of the monitor and
a. Save the contents of the spooler queue
b. Dump the memory contents to disk
c. Back up the hard drive
d. Collect the owner's bootup disks

26. According to the Internet Activities Board, which one of the following activities is in violation of RFC 1087 "Ethics and the Internet?"
a. Performing penetration testing against an Internet host.
b. Entering information into an active Web page.
c. Creating a network-based computer virus.
d. Disrupting Internet communications.

X. Physical Security
27. Which of the following measures would be the BEST deterrent to the theft of corporate information from a laptop that was left in a hotel room?
a. Store all data on disks and lock them in an in-room safe.
b. Remove the batteries and power supply from the laptop and store them separately from the computer.
c. Install a cable lock on the laptop when it is unattended.
d. Encrypt the data on the hard drive.

28. Which of the following BEST describes a transponder-based identification card?
a. The card is read by passing it through a magnetic strip reader.
b. The card is read by holding it in the proximity of the reader.
c. The card is read by slipping the card into a standard card edge connector.
d. The card is read by passing light through the holes in the card.

29. Under what conditions would use of a "Class C" hand-held fire extinguisher be preferable to use of a "Class A" hand-held fire extinguisher?
a. When the fire is in its incipient stage.
b. When the fire involves electrical equipment.
c. When the fire is located in an enclosed area.
d. When the fire is caused by flammable products.

 


Security Management Practices

Security Management Concepts and Principles

Change/Control Management


Data Classification Schemes


Employment Policies and Practices


Security Policies, Standards, Guidelines, and Procedures

Antivirus policies

Risk Analysis Management


Roles and Responsibilities


Security Awareness


Security Management Planning

Integrated Safeguards and Security Management


 
SECURITY: O'Reilly Network: Introduction to PAM

(Sep 30, 2001, 16:06 UTC)
"PAM provides an interface that programs can use to connect to whatever authentication methods are desired. Authentication can be as trivial as the user typing "hello world", as complex as biometrics, or as prosaic as passwords."

IBM DeveloperWorks/Linux Security: Improving the security of open UNIX platforms -- simple MD5-checking shell script (bash) by Igor Maximov ([email protected]). Nothing special.

O'Reilly Network: Authentication and Squid

(Aug 12, 2001, 13:45 UTC) (609 reads) (0 talkbacks) (Posted by mhall)
O'Reilly finishes up its three-part look at Squid with a piece on authentication: "HTTP authentication uses the same basic protocols for HTTP web servers and HTTP proxy servers. These protocols have two authentication modes: basic and digest mode. In basic mode, the client passes the user name and the password to the server as a single base64-encoded block. In digest mode, the server encodes the password with a different key in a unidirectional function and the client decodes the function using the password, then returns the key."
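To make the two HTTP authentication modes concrete, here is an added example (not from this page or from the O'Reilly article) that decodes a Basic credential and carries one Digest exchange through client response and server verification as specified in RFC 2617. The Basic token and the Digest user, realm, password, nonces and URI are the worked examples from RFC 2617 itself, not values from this page.

```python
"""HTTP Basic and Digest credentials as they appear on the wire.

Added example, not from the page or the O'Reilly article. Sample credentials,
nonces and URI are the worked examples from RFC 2617 (Aladdin / Mufasa), not
values from the page.
"""
import base64
import hashlib
import hmac


def decode_basic(header_value):
    """Recover (user, password) from an 'Authorization: Basic <token>' value.

    Basic mode is only an encoding: anyone who sees the header can do this,
    so the scheme is safe only inside TLS.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(user, realm, password):
    """H(user:realm:password): the only password-derived value the server must store."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client response for RFC 2617 qop=auth: H(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(stored_ha1, method, uri, nonce, nc, cnonce, response, qop="auth"):
    """Server-side check: recompute from the stored HA1 and compare in constant time."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce, qop)
    return hmac.compare_digest(expected, response)


# RFC 2617 section 3.5 worked example, reused here as sample input.
RFC2617_EXAMPLE = {
    "user": "Mufasa", "realm": "testrealm@host.com", "password": "Circle Of Life",
    "method": "GET", "uri": "/dir/index.html",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093", "nc": "00000001", "cnonce": "0a4f113b",
}


def run_digest_example(client_password):
    """One Digest exchange: the client answers with `client_password`, the server
    checks against the HA1 it stored for the real password. Returns (response, accepted)."""
    e = RFC2617_EXAMPLE
    client_ha1 = digest_ha1(e["user"], e["realm"], client_password)
    response = digest_response(client_ha1, e["method"], e["uri"], e["nonce"], e["nc"], e["cnonce"])
    stored_ha1 = digest_ha1(e["user"], e["realm"], e["password"])
    accepted = server_verify(stored_ha1, e["method"], e["uri"], e["nonce"], e["nc"], e["cnonce"], response)
    return response, accepted


if __name__ == "__main__":
    print(decode_basic("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="))   # ('Aladdin', 'open sesame')
    print(run_digest_example("Circle Of Life"))                  # (..., True)
    print(run_digest_example("wrong"))                           # (..., False)
```

The point to take away for the exam and for practice: Basic mode hands the password to anyone on the path, so it needs TLS; Digest mode never sends the password, but the server must still hold HA1, which is itself password-equivalent for that realm, and the construction depends on MD5, so it is not a substitute for transport encryption.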

 

SECURITY: SecurityFocus.com: NFS and NIS Security

(Jan 28, 2001, 14:22 UTC) (807 reads) (1 talkbacks) (Posted by marty)
"Why is it that when you read almost any book or paper about Solaris security it will explicitly say: turn off the NFS and NIS services. Some system administrators, though, cannot just turn off these services, as they are already key services implemented across their enterprises."

[Dec 28, 2000] LWN - Security: This week, I.C. Wiener published a SecurID token emulator, prompting a discussion on BugTraq of the implications. Adam Shostack commented that such code has been in the wild since 1996 and that its current publication will have the value of allowing a real test of the assertion that the numbers on the SecurID card do not reveal sufficient information to determine the card's secret.

[Dec 28, 2000] Two additional problems in Oracle 8.1.7 were reported by Juan Manuel Pascual Escriba, including a local root exploit and a file overwrite exploit.

[Dec 28, 2000] Hewlett-Packard has a security-announcement list but the signup procedure involves a few separate steps. One posting that explains the procedure is http://www.securityfocus.com/archive/1/151712

[Dec 28, 2000] NSA Security-Enhanced Linux

The Security-Enhanced Linux has a well-defined architecture (named Flask) for flexible mandatory access controls that has been experimentally validated through several prototype systems (DTMach, DTOS, and Flask). The architecture provides clean separation of policy from enforcement, well-defined policy decision interfaces, flexibility in labeling and access decisions, support for policy changes, and fine-grained controls over the kernel abstractions. Detailed studies have been performed of the ability of the architecture to support a wide variety of security policies and are available on the DTOS and Flask web pages accessible via the Background page (http://www.nsa.gov/selinux/background.html). A published paper about the Flask architecture is also available on the Background page. The architecture and its implementation in Linux are described in detail in the documentation (http://www.nsa.gov/selinux/docs.html). RSBAC appears to have similar goals to the Security-Enhanced Linux. Like the Security-Enhanced Linux, it separates policy from enforcement and supports a variety of security policies. RSBAC uses a different architecture (the Generalized Framework for Access Control or GFAC) than the Security-Enhanced Linux, although the Flask paper notes that at the highest level of abstraction, the Flask architecture is consistent with the GFAC. However, the GFAC does not seem to fully address the issue of policy changes and revocation, as discussed in the Flask paper. RSBAC also differs in the specifics of its policy interfaces and its controls, but a careful evaluation of the significance of these differences has not been performed.

SecurityPortal - Ask Buffy Apache Security

I am trying to implement security on the Apache Server 1.3.12 running on a Linux Red Hat 6.2. Are there any good docs or how-tos on this subject?

Aejaz Sheriff

Very few security problems exist with the Apache server itself. Having said that, however, I suggest that you upgrade to Apache 1.3.14, which solves some security issues. For online documentation of the Apache server the following URLs are excellent:

http://httpd.apache.org/docs/misc/security_tips.html
http://httpd.apache.org/docs/

The majority of Web-based security problems come from poorly written CGI programs, online databases, and the like. Razvan Peteanu has written the following article:

http://securityportal.com/cover/coverstory20001030.html - Best Practices for Secure Web Development

And I highly recommend reading it.

Buffy ([email protected])

Who should own Apache? I have nobody as the owner and the group, but I'm not sure if this is safe or not.

Brad

The usual default for "owning" Apache is user and group root:

-rwxr-xr-x    1 root     root       301820 Aug 23 13:45 /usr/sbin/httpd

As for who Apache runs as, this is usually the user and group "nobody" or "apache." In both cases, these groups are heavily restricted from accessing anything important, from the httpd.conf file:

#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# . On SCO (ODT 3) use "User nouser" and "Group nogroup".
# . On HPUX you may not be able to use shared memory as nobody, and the
# suggested workaround is to create a user www and use that user.
# NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
# when the value of (unsigned)Group is above 60000;
# don't use Group nobody on these systems!
#
User apache
Group apache

Most Linux distributions now have a special user and group called "apache" for running the Apache Web server. This user is locked out (no password), the home directory is usually the www root, and no command shell is available. This is slightly safer than using nobody because the "nobody" account may be used by other services. If an attacker manages to get privileges of "nobody" on the system, she may be able to elevate privileges using some other software. Segmenting "apache" with different users is a better strategy.

Buffy ([email protected])
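Buffy's advice (a root-owned binary, children switched to a dedicated account, not to a shared one like nobody) can be turned into a check. The following is an added example, not code from SecurityPortal or the Apache project: it reads the User and Group directives from an httpd.conf fragment the way Apache does (whole-line comments only, numeric ids written as #N), compares them with that policy, and then looks at a process snapshot to confirm the child processes really run as the configured user. Both the configuration fragment and the `ps -eo user,pid,ppid,comm` snapshot are constructed for the example.

```python
"""Audit which account Apache is configured to run as, and which it actually runs as.

Added example, not from the SecurityPortal column or the Apache project. The
httpd.conf fragment and the `ps -eo user,pid,ppid,comm` snapshot below are
constructed; the policy (never root, avoid shared accounts such as nobody) is
the column's advice.
"""
import re

SHARED_ACCOUNTS = {"nobody", "nouser", "nogroup", "daemon"}  # accounts other services may share

CONSTRUCTED_HTTPD_CONF = """\
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
# . On SCO (ODT 3) use "User nouser" and "Group nogroup".
User apache
Group apache
"""

CONSTRUCTED_PS = """\
USER       PID  PPID COMMAND
root         1     0 init
root       812     1 httpd
apache     813   812 httpd
apache     814   812 httpd
root       815   812 httpd
"""

_DIRECTIVE = re.compile(r"^(User|Group)\s+(\S+)\s*$")


def configured_identity(conf_text):
    """(user, group) from the last effective User/Group directives.
    Apache comments are whole lines starting with '#', so the '"User nouser"'
    inside the stock comment block is ignored, while 'User #0' is a real directive."""
    user = group = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        if m.group(1) == "User":
            user = m.group(2)
        else:
            group = m.group(2)
    return user, group


def audit_config(conf_text):
    """Findings about the configured identity; an empty list means it matches the policy."""
    findings = []
    for kind, name in zip(("User", "Group"), configured_identity(conf_text)):
        if name is None:
            findings.append(f"{kind} directive missing: children would keep root")
        elif name in ("root", "#0"):       # Apache also accepts '#<numeric id>'
            findings.append(f"{kind} {name}: children would run as root")
        elif name in SHARED_ACCOUNTS:
            findings.append(f"{kind} {name}: shared account, use a dedicated one")
    return findings


def audit_processes(ps_text, expected_user):
    """Flag httpd children that did not switch to `expected_user`.
    The parent (root, so it can bind port 80 and change identity) is the httpd
    process whose own parent is not httpd."""
    rows = [line.split(None, 3) for line in ps_text.splitlines()[1:]]
    httpd = {int(pid): (user, int(ppid)) for user, pid, ppid, comm in rows if comm == "httpd"}
    findings = []
    for pid, (user, ppid) in httpd.items():
        if ppid in httpd and user != expected_user:
            findings.append(f"pid {pid}: child runs as {user}, expected {expected_user}")
    return findings


if __name__ == "__main__":
    user, _ = configured_identity(CONSTRUCTED_HTTPD_CONF)
    print(audit_config(CONSTRUCTED_HTTPD_CONF))      # []
    print(audit_processes(CONSTRUCTED_PS, user))     # ['pid 815: child runs as root, expected apache']
```

On a real host, feed `audit_config` the actual httpd.conf and `audit_processes` the output of `ps -eo user,pid,ppid,comm`; a child still running as root after the parent has started is the condition the column warns about, because a flaw in a CGI or module would then execute with full privileges.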

Slashdot: Theo de Raadt Responds

Q: Would you and/or other members of the OpenBSD coders consider writing a book on secure, bug-free coding and auditing? Most programming books feature sample code that is written for pedagogical purposes. Quite often this runs contrary to how secure code should be written, leaving a gap in many a programmer's knowledge. A book on auditing and how to avoid security pitfalls when coding would also make your life easier - less code to audit for OpenBSD, and more time to concentrate on nifty new features!!!

Theo:

There is perhaps a split between the two issues you bring up. On the one side is secure coding, as in code written to be secure by the original author(s). On the other side, auditing, which is where an outsider (or an insider) later on goes and tries to clean up the mess which remains. And there is always a mess. Perhaps part of the problem is that a huge gap lies between these two. In the end though, I think that a book on such a topic would probably have to repeat the same thing every second paragraph, throughout the book: Understand the interfaces which you are coding to! Understand the interfaces which you are coding to! Most of the security (or simply bug) issues we audited out of our source tree are just that. The programmer in question was a careless slob, not paying attention to the interface he was using. The repeated nature of the same classes of bugs throughout the source tree, also showed us that most programmers learn to code by (bad) examples. A solid system's approach should not be based on "but it works". Yet, time and time again, we see that for most people this is the case. They don't care about good software, only about "good enough" software. So the programmers can continue to make such mistakes. Thus, I do not feel all that excited about writing a book which would simply teach people that the devil is in the details. If they haven't figured it out by now, perhaps they should consider another occupation (one where they will cause less damage).

OpenBSD has a well deserved reputation for security "out of the box" and for the fact the inbuilt tools are as secure as they're ever likely to be. However, the Ports system is, perhaps, an example of where the secure approach currently has limitations - an installation of OpenBSD running popular third-party systems like INN can only be so secure because the auditing of INN, and other such software, is outside the scope of the BSD audit.

My question is, has the OpenBSD team ever proposed looking into how to create a 'secured ports' tree, or some other similar system, that would ensure that many of the applications people specifically want secure platforms like OpenBSD to run could be as trusted as the platforms themselves?

Theo:

We have our hands already pretty full, just researching new ideas in our main source tree, which is roughly 300MB in size. We also lightly involved ourselves in working with the XFree86 people a while back for some components there. Auditing the components outside of this becomes rather unwieldy. The difficulty lies not only in the volume of such code, but also in other issues. Sometimes communication with the maintainers of these other packages is difficult, for various reasons. Sometimes they are immediately turned off because we don't use the word Linux. Some of these portable software packages are by their nature never really going to approach the quality of regular system software, because they are so bulky.

But most importantly, please remember that we are also human beings, trying to live our lives in a pleasant way, and don't usually get all that excited about suddenly burning 800 hours in some disgusting piece of badly programmed trash which we can just avoid running. I suppose that quite often some of our auditors look at a piece of code and go "oh, wow, this is really bad", and then just avoid using it. I know that doesn't make you guys feel better, but what can we say...

With the release of SGI's B1 code, and the attempts by many U*ixen to secure their contents via capabilities, ACL's, etc, ad nauseam, how is OpenBSD approaching the issue of resource control?

... ...

Theo:

On the first question, I think there is great confusion in the land of Orange Book. Many people think that is about security. It is not. Largely, those standards are about accountability in the face of threat. Which really isn't about making systems secure. It's about knowing when your system's security breaks down. Not quite the same thing. Please count the commercially deployed C, B, or even A systems which are actually being used by real people for real work, before foaming at the mouth about it all being "so great". On the other hand, I think we will see if some parts of that picture actually start to show up in real systems, over time. By the way, I am surprised to see you list ACLs, which don't really have anything to do with B1 systems.

Did the drive to audit code come from the need or the design of BSD? Or was it initially a whim? More importantly, where did you learn it from? Is there some "mentor" you looked to for ridge design? I have to admire your team's daunting code reviewing...I wonder if I'll ever have that kind of meticulous coding nature.

Theo:

The auditing process developed out of a desire to improve the quality of our operating system. Once we started on it, it became fascinating, fun, and very nearly fanatical. About ten people worked together on it, basically teaching ourselves as things went along. We searched for basic source-code programmer mistakes and sloppiness, rather than "holes" or "bugs". We just kept recursing through the source tree every time we found a sloppiness. Every time we found a mistake a programmer made (such as using mktemp(3) in such a way that a filesystem race occurred), we would go throughout the source tree and fix ALL of them. Then when we fix that one, we would find some other basic mistake, and then fix ALL of them. Yes, it's a lot of work. But it has a serious payback. Can you imagine if a Boeing engineer didn't fix ALL of the occurrences of a wiring flaw? Why not at least try to engineer software in the same way?
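The mktemp(3) race Theo mentions is worth seeing in code. The following is an added example (not OpenBSD code and not from the interview) written in Python, whose os.open takes the same O_CREAT, O_EXCL and O_NOFOLLOW flags as the C open(2) call, so the pattern carries over directly. mktemp(3) only returns a name; a program that then opens that name without O_EXCL will happily use whatever already sits there, which is the bug the audit removed. The hardened routine creates and opens atomically with O_EXCL (what mkstemp(3) does), picks an unpredictable name, sets mode 0600 at creation, and simply chooses another name if the first is taken. The "planted" file in the demo is constructed to stand in for a file that someone else put at the expected name.

```python
"""Creating a temporary file without the mktemp(3) race.

Added example, not from the interview or OpenBSD. Python's os.open takes the
same flags as C open(2): O_CREAT|O_EXCL makes creation atomic, O_NOFOLLOW
refuses a symlink at the name, and the mode argument makes the file private
from the moment it exists.
"""
import os
import secrets
import tempfile


def open_private_tempfile(directory, prefix="tmp"):
    """Atomically create a new 0600 file in `directory`; returns (fd, path).
    Never reuses a file that already sits at the chosen name."""
    flags = os.O_RDWR | os.O_CREAT | os.O_EXCL
    if hasattr(os, "O_NOFOLLOW"):          # absent on Windows
        flags |= os.O_NOFOLLOW
    for _ in range(100):
        path = os.path.join(directory, f"{prefix}.{secrets.token_hex(8)}")
        try:
            fd = os.open(path, flags, 0o600)
        except FileExistsError:
            continue                        # name taken (collision or planted): choose another
        return fd, path
    raise OSError("could not create a unique temporary file")


def name_then_open(path):
    """The racy pattern mktemp(3) users fall into: trust a name, then open it.
    Without O_EXCL the open succeeds on whatever already exists at `path`.
    Returns True if it opened a pre-existing path (the bug)."""
    existed = os.path.lexists(path)
    fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o600)
    os.close(fd)
    return existed


def demo():
    """Run both patterns against a planted file in a scratch directory.
    Returns (safe_refused, racy_opened_existing, mode_of_new_file)."""
    with tempfile.TemporaryDirectory() as d:
        planted = os.path.join(d, "planted")          # constructed: a file already at the name
        with open(planted, "w") as f:
            f.write("already here\n")
        try:                                          # hardened open refuses the existing file
            os.open(planted, os.O_RDWR | os.O_CREAT | os.O_EXCL, 0o600)
            safe_refused = False
        except FileExistsError:
            safe_refused = True
        racy_opened_existing = name_then_open(planted)
        fd, path = open_private_tempfile(d)
        mode = os.fstat(fd).st_mode & 0o777
        os.close(fd)
        return safe_refused, racy_opened_existing, mode


if __name__ == "__main__":
    print(demo())   # (True, True, 384) -- 384 is 0o600
```

The auditing lesson in the answer above is the loop structure, not the one fix: once the O_EXCL rule is known, every call site that names a file before opening it is a candidate, and a grep for mktemp, tmpnam and tempnam across a tree is how the "fix ALL of them" pass starts.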

Older news were moved to a separate file due to volume -- see Chronicle


Recommended Links

Top dozen

  1. *** CIAC
  2. ***+ The SANS Institute - A Cooperative Research and Education Organization
  3. ***+ UNIX security sites -- ISS security library.
  4. Ronald L. Rivest Cryptography and Security -- nice collection of links
  5. *** Unix SysAdm Resources Firewalls & Unix Security -- good collection of links
  6. ***+ Console/Firewall and Security -- freshmeat collection of tools
  7. Security Focus - computer security information clearinghouse. Includes a calendar, free tools, forums, industry news, and a library.
  8. ***+ Unix Security -- NIH Security Resources -- links from National Institutes of Health. One of the best collections of security-related links. A decent collection of computer security resources, including documents, links to other web pages, and tools. Recommended.
  9. *** Corporate Technologies Technical Library -- contains the list of free security software. Peter Galvin is chief technologist for Corporate Technologies, Inc.
  10. *** http://www.cs.purdue.edu/coast/archive/data/category_index.html  -- COAST
  11. *** Root Shell -- Security and Exploit reference. A little bit speculative
  12. [***+]  AusCERT - Australian Computer Emergency Response Team

Etc

Government sites

University Centers

Individual pages

Etc.


Archives

Information about open source security tools can be found on:


Usenet and lists

**** BugTraq -- full-disclosure UNIX security mailing list.

RISKS-LIST RISKS-FORUM Digest

 www.eds.org -- The Security-Audit Mailing list FAQ


See Also


History

Improving the Security of Your UNIX System by David A. Curry. The "SRI Paper" that has been widely distributed around the Internet. It was written in 1990 and was a predecessor to the UNIX System Security book. David A. Curry is the author of UNIX Systems Programming for SVR4 and is also an active tool developer (see his home page for the complete list). Among them are (descriptions are borrowed from the author's page):

How to improve security on SunOS.4.1.3  -- outdated, but some information can be useful

Improving the Security of Your Site by Breaking Into it -- famous (now outdated) SATAN-related paper. Not that SATAN was better than the others, but the name provoked a media craze that gave the authors a lot of exposure...

1993: An Architectural Overview of UNIX Network Security, February 18, 1993, Robert B. Reinhardt [email protected]


Philosophy


Tutorials

See also CIAC advisories below. Shorter tutorials are listed in Articles

Etc


Magazines


Government Publications

CIAC

CERT:


Vendors Pages

See also: SecurityPortal -- recent security news. Good...

IBM Security home page

Red Hat

Caldera's security page.


Reference

Contents of FOLDOC -- The Free On-line Dictionary of Computing

RFCs

rfc1087 - Ethics and the Internet

RFC 2196 Site Security Handbook

This handbook is a guide to developing computer security policies and procedures for sites that have systems on the Internet. The purpose of this handbook is to provide practical guidance to administrators trying to secure their information and services. The subjects covered include policy content and formation, a broad range of technical system and network security topics, and security incident response.

rfc2828 - Internet Security Glossary

DFN-CERT RFCs about Security Sorted by Titles
rfc1170 Public Key Standards and Licenses
rfc1319 The MD2 Message-Digest Algorithm
rfc1320 The MD4 Message-Digest Algorithm  
rfc1321 The MD5 Message-Digest Algorithm  
rfc1760 The S/Key One-Time Password System  
rfc1810 Report on MD5 Performance  
rfc1824 The Exponential Security System TESS: An Identity-Based Cryptographic Protocol for Authenticated Key-Exchange  
rfc1828 IP Authentication using Keyed MD5  
rfc1829 The ESP DES-CBC Transform  
rfc1851 The ESP Triple DES Transform  
rfc1949 Scalable Multicast Key Distribution  
rfc2025 The Simple Public-Key GSS-API Mechanism (SPKM)  
rfc2082 RIP-2 MD5 Authentication  
rfc2085 HMAC-MD5 IP Authentication with Replay Prevention  
rfc2093 Group Key Management Protocol (GKMP) Specification  
rfc2094 Group Key Management Protocol (GKMP) Architecture  
rfc2104 HMAC: Keyed-Hashing for Message Authentication  
rfc2144 The CAST-128 Encryption Algorithm  
rfc2202 Test Cases for HMAC-MD5 and HMAC-SHA-1  
rfc2222 Simple Authentication and Security Layer (SASL)  
rfc2230 Key Exchange Delegation Record for the DNS  
rfc2268 A Description of the RC2(r) Encryption Algorithm  
rfc2286 Test Cases for HMAC-RIPEMD160 and HMAC-RIPEMD128  
rfc2367 PF_KEY Key Management API, Version 2  
rfc2385 Protection of BGP Sessions via the TCP MD5 Signature Option  
rfc2401 Security Architecture for the Internet Protocol (IPsec)  
rfc2402 IP Authentication Header  
rfc2403 The Use of HMAC-MD5-96 within ESP and AH  
rfc2404 The Use of HMAC-SHA-1-96 within ESP and AH  
rfc2406 IP Encapsulating Security Payload (ESP)  
rfc2407 The Internet IP Security Domain of Interpretation for ISAKMP  
rfc2408 Internet Security Association and Key Management Protocol (ISAKMP)  
rfc2409 The Internet Key Exchange (IKE)  
rfc2412 The OAKLEY Key Determination Protocol  
rfc2437 PKCS #1: RSA Cryptography Specification Version 2.0  
rfc2510 Internet X.509 Public Key Infrastructure: Certificate Management Protocols  
rfc2511 Internet X.509 Certificate Request Message Format  
rfc2522 Photuris: Session-Key Management Protocol  
rfc2527 Internet X.509 Public Key Infrastructure: Certificate Policy and Certification Practices Framework  
rfc2528 Internet X.509 Public Key Infrastructure: Representation of Key Exchange Algorithm (KEA) Keys in Internet X.509 Public Key Infrastructure Certificates  
rfc2539 Storage of Diffie-Hellman Keys in the Domain Name System (DNS)  
rfc2559 Internet X.509 Public Key Infrastructure: Operational Protocols - LDAPv2  
rfc2560 X.509 Internet Public Key Infrastructure: Online Certificate Status Protocol - OCSP  
rfc2585 Internet X.509 Public Key Infrastructure: Operational Protocols: FTP and HTTP  
rfc2587 Internet X.509 Public Key Infrastructure LDAPv2 Schema  
rfc2627 Key Management for Multicast: Issues and Architectures  
rfc2630 Cryptographic Message Syntax  
rfc2631 Diffie-Hellman Key Agreement Method  
rfc2692 SPKI Requirements  
rfc2693 SPKI Certificate Theory  
rfc2773 Encryption using KEA and SKIPJACK  
rfc2785 Methods for Avoiding the "Small-Subgroup" Attacks on the Diffie-Hellman Key Agreement Method for S/MIME  
rfc2786 Diffie-Hellman USM Key Management Information Base and Textual Convention  
rfc2792 DSA and RSA Key and Signature Encoding for the KeyNote Trust Management System  
rfc2841 IP Authentication using Keyed SHA1 with Interleaved Padding (IP-MAC)  
rfc2845 Secret Key Transaction Authentication for DNS (TSIG)  
rfc2847 LIPKEY - A Low Infrastructure Public Key Mechanism Using SPKM  
rfc2857 The Use of HMAC-RIPEMD-160-96 within ESP and AH  
rfc2875 Diffie-Hellman Proof-of-Possession Algorithms  
rfc2890 Key and Sequence Number Extensions to GRE  
rfc2898 PKCS #5: Password-Based Cryptography Specification Version 2.0  
rfc2930 Secret Key Establishment for DNS (TKEY RR)  
rfc2945 The SRP Authentication and Key Exchange System  
rfc2951 TELNET Authentication Using KEA and SKIPJACK  
rfc2952 Telnet Encryption: DES 64 bit Cipher Feedback  
rfc2953 Telnet Encryption: DES 64 bit Output Feedback  
rfc2985 PKCS #9: Selected Object Classes and Attribute Types Version 2.0  
rfc2986 PKCS #10: Certification Request Syntax Specification Version 1.7  
rfc3029 Internet X.509 Public Key Infrastructure: Data Validation and Certification Server Protocols  
rfc3039 Internet X.509 Public Key Infrastructure: Qualified Certificates Profile  
rfc3104 RSIP Support for End-to-end IPsec  
rfc3110 RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)  
rfc3161 Internet X.509 Public Key Infrastructure: Time-Stamp Protocol (TSP)  
rfc3174 US Secure Hash Algorithm 1 (SHA1)  
rfc3211 Password-based Encryption for CMS  
rfc3217 Triple-DES and RC2 Key Wrapping  
rfc3268 Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security (TLS)  
rfc3278 Use of Elliptic Curve Cryptography (ECC) Algorithms in Cryptographic Message Syntax (CMS)
rfc3279 Algorithms and Identifiers for the Internet X.509: Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile  
rfc3280 Internet X.509 Public Key Infrastructure: Certificate and Certificate Revocation List (CRL) Profile

 

FAQs

See also metalinks:

Security FAQs - the list of security-related FAQs maintained by Internet Security Systems, Inc.

Shadow Password HOWTO. Note: Caldera 1.3 and later install the shadow password file by default. RedHat 6.0 and later also install the shadow password file.

Security HOWTO

[Nov.7,1998] www.eds.org -- The Security-Audit Mailing list FAQ

Frequently Asked Questions (FAQ)


 


Etc