20160919 170521.Pdf

The Basics of Information Security
Understanding the Fundamentals of InfoSec in Theory and Practice

Jason Andress
Technical Editor: Russ Rogers

Syngress Press is an imprint of Elsevier
Amsterdam • Boston • Heidelberg • London • New York • Oxford • Paris • San Diego • San Francisco • Singapore • Sydney • Tokyo

Acquiring Editor: Angelina Ward
Development Editor: Heather Scherer
Project Manager: Jessica Vaughan
Designer: Alisa Andreola

Syngress is an imprint of Elsevier, 225 Wyman Street, Waltham, MA 02451, USA

© 2011 Elsevier Inc. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.

This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notices

Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods or professional practices may become necessary. Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information or methods described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

Library of Congress Cataloging-in-Publication Data
Andress, Jason.
The basics of information security : understanding the fundamentals of InfoSec in theory and practice / Jason Andress.
p. cm.
Includes index.
ISBN 978-1-59749-653-7
1. Computer security. 2. Computer networks–Security measures. 3. Information resources management. I. Title.
QA76.9.A25A5453 2011
005.8–dc23
2011013969

British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library.

ISBN: 978-1-59749-653-7

Printed in the United States of America

For information on all Syngress publications visit our website at www.syngress.com

Dedication

Many thanks go to my family for persevering through another project. Additionally, thanks to Russ for a great job tech editing, and to Steve Winterfeld for being willing to jump in and help. Steve, you’re a fine acquisitions editor, and you don’t get nearly the credit that you should.

Contents

About the Author
About the Technical Editor
Foreword
Introduction
Chapter 1: What Is Information Security?
Chapter 2: Identification and Authentication
Chapter 3: Authorization and Access Control
Chapter 4: Auditing and Accountability
Chapter 5: Cryptography
Chapter 6: Operations Security
Chapter 7: Physical Security
Chapter 8: Network Security
Chapter 9: Operating System Security
Chapter 10: Application Security
Index

About the Author

Jason Andress (ISSAP, CISSP, GPEN, CEH) is a seasoned security professional with a depth of experience in both the academic and business worlds. He is presently employed by a major software company, providing global information security oversight, and performing penetration testing, risk assessment, and compliance functions to ensure that the company’s assets are protected. Jason has taught undergraduate and graduate security courses since 2005 and holds a doctorate in computer science, researching in the area of data protection. He has authored several publications and books, writing on topics including data security, network security, penetration testing, and digital forensics.

About the Technical Editor

Russ Rogers (CISSP, CISM, IAM, IEM, HonScD) is the author of the popular Hacking a Terror Network (Syngress, ISBN 1-928994-98-9), coauthor of multiple other books including the best-selling Stealing the Network: How to Own a Continent (Syngress, ISBN 1-931836-05-1) and Network Security Evaluation Using the NSA IEM (Syngress, 1-597490-35-0), and former editor-in-chief of The Security Journal. He is currently a penetration tester for a federal agency and the cofounder and chief executive officer of Peak Security, Inc., a veteran-owned small business based in Colorado Springs, CO. He has been involved in information technology since 1980 and has spent the last 20 years working professionally as both an IT and INFOSEC consultant. He has worked with the United States Air Force (USAF), National Security Agency (NSA), Defense Information Systems Agency (DISA), and other federal agencies. He is a globally renowned security expert, speaker, and author who has presented at conferences around the world including Amsterdam, Tokyo, Singapore, Sao Paulo, Abu Dhabi, and cities all over the United States.

Russ has an honorary doctorate of science in information technology from the University of Advancing Technology, a master’s degree in computer systems management from the University of Maryland, a bachelor of science in computer information systems from the University of Maryland, and an associate degree in applied communications technology from the Community College of the Air Force. He is currently pursuing a bachelor of science in electrical engineering from the University of Colorado at Colorado Springs. He is a member of ISSA and ISC2 (CISSP). He also teaches at and fills the role of professor of network security for the University of Advancing Technology (http://www.uat.edu).

Russ would like to thank his children, his father, and Tracie for being so supportive over the years. Thanks and shout-outs go out to Chris Hurley, Mark Carey, Rob Bathurst, Pushpin, Paul Criscuolo, Ping Look, Greg Miles, Ryan Clarke, Luke McOmie, Curtis Letson, and Eddie Mize.

Foreword

Boring, boring, boring. Isn’t this what immediately comes to mind when one sees books on foundational concepts of information security? Monotonous coverage of theory, dry details of history, brief yet inadequate coverage of every topic known to man, even though you know that you’ll never be hired by the NSA as a cryptographer. All you really want is a book that makes you fall asleep every 30 minutes instead of every five. It’s all the “necessary evil” that must be endured, right?

Not this time, my budding security professional. So let’s be honest. You actually do have a strong interest in making security a career and not just a hobby. Why else would you have this book in your hand? But like many of you, I didn’t know (and sometimes still wonder to this day) what I wanted to be when I grew up. So why this book? What’s so great about another extensive volume on information security? How does it help me not only to learn the basics but also to push my career aspirations in the right direction?

When my son was 4, I took him to the park down the road from our house. There were kids playing baseball, others chasing their friends through the plastic and metal jungle, and even a few climbing the fake rock-climbing wall. Then he saw the boys at the skateboard park. He had a board of his own but never knew someone could do that! Of course, he wanted to try it immediately. As a responsible dad, I couldn’t let him launch himself off the top of a 6-foot ramp only to end up unconscious waiting to be run over by the next prepubescent wannabe Tony Hawk. But what I could do is require him to show me that he could do something basic like stand on the board and ride it all the way down the driveway at home. As a reward, he could go to the skate park.

Once there, he didn’t feel quite as comfortable as when on the driveway, so he rode down the ramp while sitting. Eventually, he dictated his own path; he set his own goals; he controlled the time it took to get where he wanted to be. His path was different from many others at the park that day. But imagine