Overview of the SSCP Domains

The SSCP certification exam consists of 125 questions derived from seven domains. The test is arranged in a multiple-choice format. The domains are often large and contain many subsections that you need to understand and successfully work with in order to pass the exam. To increase your understanding of the overall scope of these domains, we have described and defined their content in the following sections. Each of the domains contains topics that are possible sources of test questions, and each will be fully discussed in the chapters that follow in this book. Although the candidate and certification qualifications do not require work experience in all the domains, your examination will require answering questions from all seven of the SSCP domains.

Domain One: Access Controls

First among the domains that we explore is access controls. In this domain, we will work to develop an understanding of the concepts of implementing and enforcing access methods and policies we have planned and chosen to use. We'll learn the procedures that give administrators the ability to control access to systems and resources and many of the methods that can be used to monitor and enforce the security rules that are put in place to limit access to those who are entitled to use the resources. Access controls are fully discussed in Chapter 2.

As we begin to look at the areas that could be tested in the access controls domain, we have to define what we are working on. Access control involves your organization's ability to choose the methods of access and the level of access for individuals, groups, or machines to use resources such as files or directories located on your file servers or other network or system services. Additionally, access controls give management or IT staff the ability to control the type of activity that is allowed, when it is allowed, where it is allowed, and who is allowed to perform the activity or task. The access controls domain is very comprehensive. Success on the examination requires a good working knowledge of the concepts, technologies, and methodologies that are involved. In the access controls domain, we'll look at methods of control, such as hardware-based tokens and smart cards, and other methods such as the use of certificates and biometrics. Additionally, we'll look at password policies and administration, access rights and permissions, and access control administration. In the next section, we'll look briefly at each of these areas and the specialty areas within them that you need to know about.

Specialty Areas

Within the focus areas of the access control domain, we also need to look at the components that make up those sections, which you need to understand to work effectively as an SSCP. In this domain, you'll need to be familiar with a number of main topic areas, including these large areas:

  • Accountability

  • Identification and authentication techniques

  • Password administration

  • Access control techniques

  • Access control administration

  • Access rights and permissions

  • Access control models, methodologies, and implementation

  • Methods of attack

  • Monitoring

  • Penetration testing

Within these broad areas, you must be comfortable with a number of other concepts. Many of the main topics contain additional concepts and working areas that you must know and understand. In the next section, we'll briefly detail the additional concepts that are involved.

The identification and authentication techniques area has sublevels that include knowledge of the types of identification that can be used. These include:

  • Use of passwords

  • Smart cards

  • Biometrics

  • Kerberos tickets

  • Single sign-on (SSO)

  • One-time passwords in everything (OPIE)

The password administration topic includes coverage of:

  • Password selection

  • Password management

  • Password control

The access control techniques area contains concepts that might be new to you; within this section we consider the methods that may be used to achieve access control, including:

  • Discretionary Access Control (DAC)

  • Mandatory Access Control (MAC)

  • Access control lists (ACLs)

  • The principle of least privilege

  • The practice of separation of duties and responsibilities

Access control administration includes:

  • The methods and practices for account administration

  • The duties of monitoring journals, logs, and accounts

Access rights and permissions detail procedures to deal with access; we will also review the methodologies involved. In this area, you need to understand ways to:

  • Implement access rights and permissions

  • Maintain access rights and permissions

  • Revoke access rights and permissions

Access control models, methodologies, and implementation requires that we examine:

  • Centralized and remote access authentication controls

  • Decentralized access controls

  • Concepts of control, including what to consider in relation to file and data owners, custodians, and users

We'll also begin to look at concepts that are involved in the methods of attack topic, including:

  • Denial of Service (DoS) attacks

  • Dictionary attacks

  • Brute-force attacks

  • Spoofing

  • Man-in-the-middle (MITM) attacks

  • Spamming

  • Sniffers

  • Crackers

Monitoring will include a discussion of the processes needed for successfully performing or creating:

  • Intrusion detection

  • Audit trails

  • Violation reports

  • Signals

  • Alarms

Product Types

As we proceed through the chapter, we'll mention in each of the domains some of the types of products that can be utilized relative to the topic for the domain, with the goal of giving you a frame of reference from your experience. In the case of access controls, you could use a number of network devices that involve access controls technologies and knowledge. Among these are such items as firewalls, routers, smart cards, and biometric devices. Each of these products would be used within the access controls area to define rules and methods for access to systems.

Standards and Methodologies

The access controls domain emphasizes the methods we use to control access. Additionally, it is concerned with planning, permissions, access auditing, and monitoring of the conditions of our developed and implemented plan and the controls (whether policy, software, or hardware) that we use to grant or deny access to various systems and networks in our control.

Domain Two: Administration

The next domain we must address is the administration domain. In this domain, we'll see that we need to develop an understanding of methods to perform system and machine administration tasks that provide a secure system and a security plan to maintain the integrity of our operation, including networks and machines. In the sections that follow, we'll continue to detail the concepts and technologies you must know in order to succeed in security administration and the examination. These concepts are explored and explained fully in Chapter 3.

The administration facet of IS includes knowledge of the methods to document, enforce, and implement an organization's plan to protect information and maintain confidentiality. This effort includes working with procedures and guidelines for security as well as creating and enforcing policies and procedures to produce the desired result. The administration domain covers working with users, custodians of information, and management to implement a plan to maintain confidentiality, integrity, and availability. As we'll see, you'll need knowledge of the methodologies and strategies of administration as well as how to work with defining and controlling areas of responsibility. You'll also need to know and understand the industry standards for these processes.

Specialty Areas

The administration domain encompasses many conceptual areas in its scope and again requires an above-average working knowledge of the concepts and technologies that are contained within the domain categories. You need to be familiar with a number of main topic areas, including:

  • Security administration principles

  • CIA triad

  • The security equation

  • Security architecture

  • Configuration management

  • Data classification

  • Information/data

  • Employment policies and practices

  • Roles and responsibilities

  • Security awareness training

  • Security management planning

  • Data and information system attacks

Each of the domains has numerous subsections that also must be considered. In the administration domain, we will be working with many subsections. While discussing and learning about security administration principles, we'll review concepts including privacy; confidentiality, integrity, and availability (CIA); authorization; identification and authentication; accountability; nonrepudiation; data classifications; documentation; and audit principles. The CIA triad section discusses the three component parts of CIA (confidentiality, integrity, and availability) and describes their function. Security architecture considers the development life cycle and the components that are related to that development. These components include understanding conceptual definitions and definitions of functional requirements as well as functional design, code, and system test review areas. Additionally, the process and methods to achieve certification and accreditation of the architectural design are discussed. Security control architecture includes information about the concepts of process isolation and hardware segmentation. Also contained in this subarea is a discussion of accountability, system high-security kernel, and reference monitor. The security architecture section also includes a look at system, database, and operating system integrity, along with system confidentiality. A protection mechanisms discussion includes sections on layering, abstraction, and data hiding. We'll consider supervisor and user modes when looking at modes of operation, and in the area of data/information storage, we'll look at primary, secondary, real, virtual, random, volatile, and sequential types.

Configuration management concepts include change control and the change control process, and data classification works with the objectives of classification schemes, the criteria used for classification, and commercial and government data classification. Information/data considers a worth/valuation determination method and collection and analysis techniques. The administration area includes a subsection on employment policies and practices. This topic requires knowledge of background checks and security clearances, employment agreements, hiring and termination practices, job descriptions, job rotations, and separation of duties and responsibilities. Roles and responsibilities topics include roles in the defined areas of management, owners, custodians, users, and IS/IT security functions. Finally, the data/information system attacks subsection requires a knowledge of hidden code, interrupts, remote maintenance, logic bombs, trap doors, browsing, spoofing, exhaustive attacks, inference attacks, traffic analysis, and the concepts of time of check/time of use (TOC/TOU), which is a type of asynchronous attack.

Product Types

Within the second domain, in which we discuss security administration, a number of different products contribute to our knowledge and ability to care for our security configuration. Among these are products that allow us to track change in our systems to formulate good change management practices, including products from vendors such as System Tools and Computer Associates. In this area we also work actively with human resources tools used to design appropriate policies and procedures, as well as software and hardware products that allow us to perform traffic analysis and firewall and intrusion detection system tools.

Standards and Methodologies

The administration domain focuses heavily on the CIA triad, security architecture types and models, principles and best practices surrounding the security administration principles, and appropriate and best-practice models of configuration management and evaluation of roles and responsibilities within the organization and how best to handle those roles. This area also concerns attack types that must be considered, such as hidden code, trap doors, TOC/TOU, and spoofing in relation to administration best practices.

Domain Three: Audit and Monitoring

Auditing and monitoring of our systems have become increasingly important with the advances in computing technology and the variety of freely accessible and available tools that have made attacks against our systems easier for even the casual attacker to perform. As we look at the auditing and monitoring domain for the SSCP examination, we will explore many different facets that will help us not only in the examination process, but in our daily work as well. We define the areas we need to be concerned with in the following sections and develop the topic fully in Chapter 4.

Auditing and monitoring involve knowledge of the appropriate procedures and methods to implement and use to track, prioritize, collect, and report the activity that occurs in our organization's operating environment and network. This includes the methods and tools that are used to develop the security policies and to track compliance with these policies and the access that they allow or deny. Additionally, we need to know about ways to collect this data, how to work with it, how to implement the auditing process, and the reporting requirements that go with auditing. We need to be able to work with the process so that we can understand and successfully report to management and be comfortable with the process of working with either inside or outside audit teams in the case of an independent audit. We also need to fully understand legal requirements so that the compiled reports are usable, if necessary, for prosecution or other needs.

Specialty Areas

To really understand the domain's focus, we need to break out the broad concepts of auditing and monitoring to a more easily defined set of concepts for study. In the auditing and monitoring domain, we'll work with the following main topic areas:

  • Control types

  • Security audits

  • Reporting mechanisms

  • Intrusion detection

  • Types of intrusion detection

  • Penetration testing

  • Wardialing

  • Sniffing

  • Eavesdropping

  • Radiation monitoring

  • Dumpster diving

  • Social engineering

  • Inappropriate activities

The area of auditing and monitoring also has many subsections of concentration that demand our attention. While looking at the control types area, we also need to consider a number of related areas, such as directive controls, preventive controls, detective controls, corrective controls, and recovery controls. Security audits require a further understanding of internal and external audits, the auditing process, and the standard of due care. This area also requires competence in and knowledge of audit trails, individual accountability, reconstruction of events, problem detection (such as intrusion or breach), problem resolution, and reporting concepts (such as structure, format, content, procedures, and the reporting path and frequency). Other areas of concern within the auditing and monitoring domain include the subsections of reporting mechanisms. In this subsection, we'll work on concepts and procedures for audit logging, security events, audit trails, retention periods, and appropriate media. We'll also look at methods to protect records against alteration, to keep them secure, and to back up the logs we generate. Monitoring tools and techniques for monitoring will be discussed, as will the use of warning banners, keystroke monitoring, traffic analysis, and trend analysis. This area also contains information about available tools and about event monitoring (real time, ad hoc, and passive).

Intrusion detection in this domain concentrates on intrusion prevention, detection, and response. Types of intrusion detection involve pattern recognition and baseline creation procedures as well as exploring anomaly and attack signature identification, hardware monitoring, and illegal software monitoring. Inappropriate activities include fraud, collusion, waste, abuse, and theft.

Product Types

Domain Three involves the use of auditing and monitoring tools to determine baseline security configurations and to analyze and report conditions that exist in the systems we are tracking. Many network operating systems (NOSs) have built-in monitoring tools, such as the Windows NT/Windows 2000 capability to audit object access, logon/logoff activity, and so forth. Many commercial tools also provide us with the ability to monitor and audit different conditions. You are probably very familiar with SNMP-based tools that are used to report conditions from managed network devices such as routers, hubs, switches, and servers that provide status reports of conditions they have been set to track. In the case of security monitoring, we may also use more full-featured tool sets created by third-party vendors to centralize these functions. For instance, in the Windows environment, we might use a product such as GFI's Network Security Scanner to evaluate patch conditions and application vulnerabilities in a Windows 2000 environment. Each of the NOS types does contain appropriate monitoring and logging tools for our use. Of course, it is understood that we must incorporate a good log analysis practice using those tools to be effective in tracking breaches and inappropriate access.

Standards and Methodologies

Auditing and monitoring use our knowledge of the various types of controls and the auditing process to generate a model that uses audit trails and allows for the reconstruction of events as needed to track trends and possible breaches in the system. This area requires us to know how to develop and maintain an auditing and monitoring policy and structure and to use the various methods of monitoring to assist us in tracking illegal software use, unauthorized access to resources, and hardware attacks through the use of appropriate tools and methods. In addition, we must be able to monitor and control inappropriate activity on the system.

Domain Four: Risk, Response, and Recovery

The risk, response, and recovery domain includes knowledge of risk management, incident-handling procedures and methodologies, and disaster planning and recovery. The domain contains a significant amount of required information and is extensively explored in Chapter 5.

With respect to the information that is a basis for this domain, we'll see that the amount of subject matter is broken down into three major areas of consideration. Each of these major areas contains numerous topics that require our attention and knowledge. These major areas are risk management, incident handling and investigations, and business continuity and disaster recovery plans.

  • Risk management includes review of security plans and risk analysis to determine potential risk of loss or failure, review of and planning for safeguards, cost versus benefit analysis, management plans and decisions, implementation, and review to ascertain plan effectiveness.

  • Incident handling and investigations require that we know how to react quickly with appropriate personnel at the front lines of the incident and quickly apply a consistent approach to solving the problem. The investigations portion will need attention from us as we learn to properly collect data, preserve integrity, know the procedures for seizure of hardware and software when necessary, and collect, handle, and store evidence using the reporting requirements that we need.

  • Business continuity planning and disaster recovery are discussed together, but these are actually two separate processes grouped for convenience. Business continuity planning involves building a plan that helps speed recovery in the event of disaster while at the same time allowing critical business functions to continue. Disaster recovery planning consists of the actual methods and procedures that we develop for emergency response, such as offsite backup operations that allow us to recover in the event of loss of hardware or facilities resulting from disaster. You need to know the differences between the types of plans, how to create them, and how to implement them, along with knowing how to identify what's critical and how to recover in the event a disaster does strike.

Specialty Areas

As we can see from the description of this domain, it carries three separate areas of consideration: risk, response, and recovery. In this section, we visit each of those three major areas individually. The first of these areas is the area of risk management. Its major areas include:

  • Risk management tools and methodologies

  • The principles of risk management

  • Common threats, vulnerabilities, and risks

  • Risk management process

  • Asset identification and evaluation

  • Threat identification and assessment

  • Vulnerability and exposures identification and assessment

  • Quantitative and qualitative risk assessment methodologies

  • Risk equation

  • Calculation of single occurrence loss and annual loss expectancy

  • Safeguards and countermeasure identification and evaluation, including risk management practices and tools to identify, rate, and reduce risk for information assets

  • Calculation of the annual loss expectancy and resulting residual risk

  • Risk reduction/assignment/acceptance

  • Communication of the residual risk for approval by management or assignment (insurance)

Our second area of study within the domain is incident handling and investigations. The major areas of concern in this area are:

  • Security incidents (accidental, deliberate, or environmental)

  • Recognition skills

  • Response skills

  • Technical skills

  • Generally accepted guidelines for reporting incidents

  • Generally accepted guidelines for gathering evidence

  • Generally accepted guidelines for evidence handling

  • Investigations

  • Surveillance

As we look into the requirements of the domain, we'll find that we need to know about subsections in some of the major areas we've described. In the security incidents section, we'll first more closely define accidental incidents as unauthorized acts by privileged and nonprivileged employees. In the deliberate incidents category, we'll start with that same concept but add some other areas of concern, including viruses and malicious code, terrorist attacks, spam and e-mail, firewall breaches, social engineering, redirects, and sniffer attacks. When learning about environmental incidents, we'll look at natural disasters and man-made disasters such as hardware or software malfunctions and utility outages. The next section that contains additional information and knowledge requirements is the investigations topic. Within this topic, we need to be able to define and work with concepts such as target, object/subject, team composition, forensics, search and seizure, privacy, interrogation, internal and external confidentiality, time frames, and reporting. Finally, the surveillance topic requires knowledge of physical and computer surveillance.

The final section of the risk, response, and recovery domain is that of business continuity planning and disaster recovery. As we noted earlier, this is a very large topic area. These are the major areas of study we'll work with:

  • Business continuity planning process

  • Legal and regulatory requirements

  • Business impact analysis

  • Backup strategy

  • Recovery strategy

  • Testing strategy

  • Plan development, including how to develop a business continuity plan (BCP)

  • Plan implementation

  • Plan maintenance and keeping plans up to date

  • Disaster recovery planning (DRP) process and its elements

  • DRP creation and strategies

  • DRP testing

  • DRP implementation

  • DRP maintenance

  • Elements of business continuity planning

  • BCP/DRP events

While we work within this subsection, we'll need to look at a large number of topic areas that fall within the scope of the general topics we've listed. Let's begin with what we'll need to know about business impact analysis. In this section, you have to be well versed in how to identify business success factors and critical capabilities, identify critical applications, and establish priorities. We'll explore how to develop alternate means of accomplishing objectives and what a containment strategy involves, and then how to develop a containment strategy along with the provisions and processes that go with it.

Another important consideration as we proceed is a backup strategy. Here, you need to know how to determine what to back up, how often to back up, the appropriate storage method and facility for backup, and where and when to use and apply UPS technologies. Our recovery strategy study will include methods of developing a recovery strategy, developing alternate sources of supply, considering software escrow arrangements, and picking an alternate processing site. Testing strategy requires us to know how to develop a testing plan.

The disaster recovery planning process requires us to understand a number of different concepts. These include knowing what response teams are, how to develop them, what emergency response is, and how to develop the procedures for response. It also includes training strategies, site and system restoration strategies, personnel notification strategies, and developing these strategies as well as how to work with them.

The elements of business continuity planning section includes a knowledge of the components of this type of plan. They include:

  • Awareness and discovery

  • Contingency planning goals

  • Statement of importance

  • Statement of priorities

  • Statement of organizational responsibility

  • Statement of urgency and timing

  • Risk assessment

  • Vital records program

  • Emergency response guidelines

  • Emergency response procedures

  • Mitigation

  • Preparation

  • Testing

Finally, the BCP/DRP events section requires knowledge of the correct response and procedure for bombings, explosions, earthquakes, fires, floods, power outages or other utility failures, storms, failure of hardware or software, worker strikes, testing outages, hazardous material spills, and employee evacuation or unavailability plans.

Product Types

A substantial number of concepts are discussed in Domain Four as we begin to delve into territory that might not be totally familiar to you in your work. Here we begin to look at the concepts of risk management practices and how they relate to our efforts to secure and track our systems. For a little more information about the risk management process, you might want to take a look at the relevant Microsoft documentation. You can find an initial set of documents that could help at www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/tandp/innsol/msfrl/MSRMD11.asp.

Along with risk and disaster planning, you must develop knowledge of some tools that can be used to track incidents and preserve the evidence of the incidents in case of need for prosecution. To accomplish this task, you could work with older tools such as SATAN or newer combinations of tools such as NESSUS and others for analysis and tracking. Within this area, you'll also learn to develop and implement appropriate backup and recovery plans. Here, you could be dealing with various backup products, both software based and hardware based, for appropriate coverage in your plan.

Standards and Methodologies

Risk, response, and recovery test our knowledge of the processes involved in planning for risk management, business continuity, and disaster recovery. The domain uses the risk management process to set the patterns for determining and mitigating risk. Incident handling and investigation patterns and tools will be used to properly detect, process, protect, and prosecute as needed, with coverage of proper tools and attention to established procedures for maintaining evidence. Business continuity planning and disaster recovery planning use industry-standard planning processes and implement these plans to protect our systems.

Domain Five: Cryptography

Protection of data from outside interception and modification has become increasingly important in recent years. This domain concentrates on the protection of data and messages, network communication, and data transmitted on public networks. Additionally, it discusses the core concepts that allow the successful use of cryptography to protect our resources when needed. We'll continue with our introduction of the areas of study here and discuss all the relevant concepts more fully in Chapter 6.

When we use or plan the use of cryptography, we are using a protection methodology to protect data and ensure that we maintain the data's confidentiality, integrity, and authenticity, as well as providing for non-repudiation. To accomplish this goal, we can modify the information using some secret knowledge to disguise it and protect it from attack. The cryptography domain contains information about the basic concepts of cryptography. These include public and private key algorithms and how they are applied and used, key distribution and management, algorithm constructs and construction, and use of digital signatures to provide authenticity and non-repudiation.

Specialty Areas

The cryptography domain consists of areas of study that are required for a successful understanding of cryptography concepts. The main areas of concern are as follows:

  • The appropriate use of cryptography to achieve the desired business effects

  • Confidentiality, integrity, and availability

  • Non-repudiation

  • Cryptographic concepts, methodologies, and practices, including the difference between symmetric and asymmetric cryptography and public and private keys, message authentication, and digital signatures

  • Basic functionality of hash/crypto algorithms, including DES, RSA, SHA, MD5, HMAC, and DSA, and the effects of key length

  • Basic functions of key management, including the processes of creation, verification, and revocation and others related to the process that may affect cryptographic integrity, as well as key distribution methods (manual, Kerberos, ISAKMP)

  • Error-detecting features, key escrow, and key recovery methods

  • Vulnerabilities in cryptographic functions, including strengths and weaknesses of key lengths and algorithms

  • Key administration and storage, particularly related to methods of compromise

  • Attack methods

  • Use and function of certificate authorities (CAs) and Public Key Infrastructure (PKI)

  • System architecture requirements for implementing cryptographic functions

  • The use of application and network-based protocols, including Privacy Enhanced Mail (PEM), S/MIME, Secure Sockets Layer (SSL), HTTPS and S-HTTP, Secure Electronic Transaction Protocol (SET), and Internet Protocol Security (IPSec)

  • Application and use of hardware components such as smart cards and tokens

  • Application of cryptographic components such as IPSec nodes/ISAKMP

Attack methods contained in this domain include ciphertext-only attack (COA), known plaintext attack (KPA), chosen plaintext attack (CPA), adaptive chosen plaintext attack (ACPA), adaptive chosen ciphertext attack (ACCA), brute force, replay, man in the middle (MITM), birthday, and CRACK. You must also be aware of how to recognize the various types of attacks. CAs and PKI include the need for a knowledge of how certificates are created, issued, revoked, distributed, and verified, along with knowing how the certificate hierarchy chain is created and maintained. Additionally, we'll look at the standards that are involved in the certificate process, components of a CA, and the structure of PKI.

Product Types

Domain Five, cryptography, utilizes quite a few products that you are probably familiar with from your work. Certificate servers and PKI, secure Web transactions and Web servers, encrypted e-mail products, hardware and software virtual private network (VPN) tunnels, and the encryption and protection of locally stored and network-delivered data are all covered in the cryptography domain. Activities in this domain could involve the use of specially configured switches, routers, and servers to handle the protected traffic in a system.

Standards and Methodologies

The cryptography domain incorporates protection methods and technologies to protect data. As we work within the cryptography arena, we'll use methods of protection such as hash/crypto algorithms, appropriate key management practices and usage methods, and CA creation, maintenance, and use to further enhance the protection of our resources. We'll also use the appropriate network and application-based protocols within our networks and technologies such as smart cards and tokens to further protect our resources.

Exam Warning 

Are acronyms getting you down? Sometimes the sheer number of abbreviations and acronyms related to technology can become overwhelming. For your studies, try using some of the Web-based resources to find the definitions and help you remember what the various acronyms stand for. You need to be comfortable with acronyms because they appear frequently, not only in the examination, but in resources that you will need to use to learn about the topics. One resource that we've found helpful is located on the SANS Web site, which has a resource originally compiled by NSA. You can find it here: www.sans.org/newlook/resources/glossary.htm.

Domain Six: Data Communications

The movement of data and communication over various transport and media types is an area of concern for the security professional. In this domain, we'll look at securing the data and networks via which this communication is carried, the technologies that allow this communication, and some communication security techniques and methods that we can employ to protect that communication. Data communications are described in the following sections and discussed in their entirety in Chapter 7.

The data communications domain is concerned with knowledge of network structures, methods of information transmission, formats used for transmissions, and security measures used to protect this system of communication from harm. Additionally, it requires knowledge of LAN and WAN technologies, remote access and the methods of supporting it, and methods of protection of information transmission over public and private networks. We must also know about VPN technologies, TCP/IP, and other related protocols. To be prepared for the examination, we must also be aware of the methods to prevent network-based attacks, detect intrusions, and employ countermeasures that could be needed to counteract such attacks.

Specialty Areas

The data communications domain includes a need to understand the physical and logical characteristics of many types of existing network structures. To help define these areas, we'll look at the following main topics as we continue through our examination of the domain's requirements:

  • ISO/OSI layers and characteristics

  • Communications and network security

  • Physical media characteristics

  • Network topologies

  • TCP/IP characteristics and vulnerabilities

  • Local area networks

  • Wide area networks

  • Remote access and telecommuting techniques

  • RADIUS/TACACS

  • Internet/intranet/extranet

  • Network hardware and access points

  • Protocols

  • PPP/SLIP

  • Services

  • Communications security techniques

  • Security boundaries

  • Network attacks and countermeasures

As we have in previous sections, here we break some of the main topics into subsections that are important to know about and understand as you work in this domain. The physical media characteristics area requires that we know the various media types, such as fiber optic, coaxial, and twisted-pair cable. As we study network topologies, we'll examine various types of topology, including star, bus, and ring. Network hardware and access points involve information about firewalls, routers, switches, gateways, and proxies.

The protocols section requires knowledge of TCP/IP, network layer security protocols (such as IPSec, Simple Key Management for Internet Protocols (SKIP), and SWIPE, an encryption protocol used in some Sun and UNIX implementations), and application layer security protocols (such as S/MIME, SSL, SET, and PEM). This section also covers the authentication protocols used with PPP links: the Challenge Handshake Authentication Protocol (CHAP) and the Password Authentication Protocol (PAP). In the services section, we'll examine the various methods of providing network services and the security that goes with them, including Frame Relay, X.25, ISDN, Synchronous Data Link Control (SDLC), and High-Level Data Link Control (HDLC). The security boundaries subtopics include VPNs and tunneling, network monitors and packet sniffers, NAT, and e-mail security. Finally, the network attacks and countermeasures section looks at ARP-based attacks, brute force, worms, flooding, eavesdropping, sniffers, and spamming.
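PAP and CHAP are the pair most often contrasted on the exam, and the difference is clearest as a protocol exchange. The following added example is ours, not the book's: it models both sides of a PAP Authenticate-Request and of a CHAP Challenge/Response (RFC 1994, where the response value is MD5 over the identifier, the secret and the challenge), then shows that a captured PAP request replays successfully while a captured CHAP response fails against a fresh challenge. The user name, the secret and the fixed challenge bytes are constructed for the demonstration; a real authenticator draws its challenge from a random source.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed shared secret; in PPP this is configured on both peers out of band.
SECRET = b"correct horse battery staple"


# --- PAP (RFC 1334): the peer sends its password in the clear. ---
def pap_authenticate_request(peer_id: bytes, password: bytes) -> dict:
    # Everything in this packet, including the password, is visible to a sniffer.
    return {"code": "Authenticate-Request", "peer_id": peer_id, "password": password}


def pap_authenticator(request: dict, credentials: Dict[bytes, bytes]) -> str:
    ok = credentials.get(request["peer_id"]) == request["password"]
    return "Authenticate-Ack" if ok else "Authenticate-Nak"


# --- CHAP (RFC 1994): three-way handshake with a fresh challenge each time. ---
def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994 Section 2: MD5(Identifier || secret || Challenge Value)
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_challenge(identifier: int, value: Optional[bytes] = None) -> dict:
    """Authenticator -> peer. `value` is only overridable so the demo is repeatable."""
    if value is None:
        value = secrets.token_bytes(16)
    return {"code": "Challenge", "id": identifier & 0xFF, "value": value}


def chap_response(challenge: dict, name: bytes, secret: bytes) -> dict:
    """Peer -> authenticator. The secret itself never goes on the wire."""
    value = chap_response_value(challenge["id"], secret, challenge["value"])
    return {"code": "Response", "id": challenge["id"], "value": value, "name": name}


def chap_authenticator(challenge: dict, response: dict,
                       secrets_db: Dict[bytes, bytes]) -> str:
    """Authenticator checks the response against the challenge it actually sent."""
    secret = secrets_db.get(response["name"])
    if secret is None or response["id"] != challenge["id"]:
        return "Failure"
    expected = chap_response_value(challenge["id"], secret, challenge["value"])
    return "Success" if hmac.compare_digest(expected, response["value"]) else "Failure"


if __name__ == "__main__":
    creds = {b"alice": b"hunter2"}
    req = pap_authenticate_request(b"alice", b"hunter2")
    print("PAP: sniffer reads password", req["password"], "->", pap_authenticator(req, creds))
    print("PAP: replayed request ->", pap_authenticator(req, creds))

    db = {b"alice": SECRET}
    c1 = chap_challenge(1)
    r1 = chap_response(c1, b"alice", SECRET)
    print("CHAP: genuine response ->", chap_authenticator(c1, r1, db))
    c2 = chap_challenge(2)
    print("CHAP: replayed response vs new challenge ->", chap_authenticator(c2, r1, db))
```

Two caveats that the exchange makes visible: the CHAP authenticator must hold the peer's secret in a recoverable form (it recomputes the MD5), and a sniffer who records a challenge/response pair can still mount an offline dictionary attack on the secret, since MD5 is fast and unsalted beyond the challenge. CHAP removes the cleartext password and the trivial replay; it does not protect a weak secret.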

Product Types

Domain Six, in its discussion of data communications, covers all the media and devices that we use to provide network communications and access in our environment. This involves the use of all types of transmission devices, such as routers, bridges, switches, and hubs. It also involves WAN equipment such as CSU/DSUs and multiplexers, and Frame Relay, ATM, and OC (optical carrier) technologies, used to deliver the data securely and efficiently. It also involves choosing the appropriate types of media for our security needs. For instance, we might need to weigh the relative security and risks of running a system over Ethernet on UTP cable against fiber optic media, in an arrangement that could include an FDDI ring or another topology, to protect the information we are transmitting.

Standards and Methodologies

The data communications domain discusses the technologies and standards involved in the ISO/OSI network models and specifications and covers the technologies related to LAN and WAN connectivity and protection. As the domain progresses, we'll find that we are required to have knowledge of basic network theory and operation information as well as understand and work with the technologies related to remote access, such as RADIUS and TACACS. The domain also covers media types and devices and techniques for controlling access, such as routers, network protocols, encryption protocols in use while providing data transmission, and basic security functions such as securing e-mail and using NAT and VPNs.

Domain Seven: Malicious Code or Malware

In this final domain, we'll look at areas that need to be addressed to protect systems and users from malicious code and programs that are designed to destroy or damage our systems and operations. We'll look at various types of implementations that can damage our systems and ways to protect and secure our systems to minimize or eliminate the impacts of these operations. A full explanation of this domain can be found in Chapter 8.

The malicious code or malware domain discusses computer code that is destructive within the computing environment. Within this area, we'll look at a number of types of possible attacks, including those that could come from viruses, logic bombs, Trojan horse and worm attacks, and others that could damage or destroy our data. Additionally, we'll need to examine mobile code technologies such as Perl, ActiveX, and Java, which are widely deployed and are often not platform dependent, so malicious code written for them can reach many kinds of systems. We'll need to be comfortable with the concepts of malicious and mobile code, the threats such code poses, how it is introduced, and how to protect against it.

Specialty Areas

In the malicious code/malware domain, we'll need to work with some concepts that should be familiar to most security practitioners, but we'll also work in some areas that might not be everyday operations for many people. To begin our look at this domain, let's break out the main topic areas and then describe additional areas of study that fall under the main headings. The main topics in this domain are:

  • Malicious code concepts

  • Definitions

  • Behaviors

  • Jargon

  • Myths and hoaxes

  • Computer viruses and other types of malicious code

  • Antivirus protection and antivirus software

  • Scanning and appropriate locations

  • Trusted-source software

  • Backup

  • Integrity checkers

  • User awareness program implementations

As we have seen in the earlier domain introductions, there are often numerous subsections within the main topics. In this domain, we'll need to look at these to know the domain requirements for the examination. In the definitions area, we'll need to know terms such as polymorphic and stealth (as applied to viruses), malware, and heuristic scanning, and how they differ. Within the myths/hoaxes area, we'll look at the definitions and descriptions of hackers, crackers, phreaks, and virus writers, and DoS topics. Computer viruses and other forms of malicious code include types of viruses, such as multipartite, macro, boot sector infectors, Macintosh, and file infectors. This section also includes learning about worms, Trojan horses, logic bombs, and salami attacks. As we continue to look at this subsection, we'll visit software and programming techniques that can be attacked or compromised, such as ActiveX, Java, mobile code, and trap doors. The subsection also requires knowledge of how malicious code can be introduced into the computing environment. This discussion includes learning about brute-force and dictionary attacks, spoofing, alteration of code, flooding, spamming, cramming, and pseudo-flaw processes. We'll also look at how and why these areas can be exploited and the mechanisms that can be used to detect, prevent, and correct the attacks that come from malicious code.

Product Types

Domain Seven is concerned with malicious code and malware. The most familiar products used in this area are antivirus software products. Additionally, we use products that can track changes to the Registry or to other code that we want to protect and make sure remains unchanged. This could involve use of tools from Domain Five, in which we would create and manage checksums on the particular data to ensure that it was unaltered before use.

Standards and Methodologies

The malicious code/malware section requires us to be proficient in detecting and identifying viruses and program code that could harm our operations. Additionally, it discusses the methods that can be used to introduce these variants within our systems and tools and procedures to limit exposure to these types of activity, including training users to help our efforts.

Exam Warning 

The SSCP examination requires that you know the information from all the domains, even though you don't have to actively work with them every day. (ISC)2 has provided a link that lists recommended study resources that might be helpful in your study of areas you are not familiar with. This page can be accessed at www.isc2.org/cgi-bin/content.cgi?page=36.



SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003
Pages: 135