Published by Pearson IT Certification (November 3, 2022) © 2023

Robin Abernathy | Darren Hayes
    VitalSource eTextbook (Lifetime access)
    €52,99
    ISBN-13: 9780137507696

    CISSP Cert Guide, 4th Edition

    Language: English

    This is the eBook version of the print title. Note that the eBook does not provide access to the practice test software that accompanies the print book.

    Learn, prepare, and practice for CISSP exam success with this Cert Guide from Pearson IT Certification, a leader in IT certification learning.

    • Master the latest CISSP exam topics
    • Assess your knowledge with chapter-ending quizzes
    • Review key concepts with exam preparation tasks
    • Practice with realistic exam questions
    • Get practical guidance for test taking strategies

    CISSP Cert Guide, Fourth Edition is a best-of-breed exam study guide. Leading IT certification experts Robin Abernathy and Darren Hayes share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics.

    The book presents you with an organized test preparation routine through the use of proven series elements and techniques. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks help you drill on key concepts you must know thoroughly. Review questions help you assess your knowledge, and a final preparation chapter guides you through tools and resources to help you craft your final study plan.

    The companion website contains the powerful Pearson Test Prep practice test software engine, complete with hundreds of exam-realistic questions. The assessment engine offers you a wealth of customization options and reporting features, laying out a complete assessment of your knowledge to help you focus your study where it is needed most.

    Well regarded for its level of detail, assessment features, and challenging review questions and exercises, this CISSP study guide helps you master the concepts and techniques that will allow you to succeed on the exam the first time.

    This study guide helps you master all the topics on the CISSP exam, including

    • Security and Risk Management
    • Asset Security
    • Security Architecture and Engineering
    • Communication and Network Security
    • Identity and Access Management (IAM)
    • Security Assessment and Testing
    • Security Operations
    • Software Development Security

    Introduction xlvii
    Chapter 1 Security and Risk Management 5
    Security Terms 6
        CIA 6
        Auditing and Accounting 7
        Non-repudiation 8
        Default Security Posture 8
        Defense in Depth 9
        Abstraction 10
        Data Hiding 10
        Encryption 10
    Security Governance Principles 10
        Security Function Alignment 12
        Organizational Processes 14
        Organizational Roles and Responsibilities 16
        Security Control Frameworks 20
        Due Care and Due Diligence 38
    Compliance 38
        Contractual, Legal, Industry Standards, and Regulatory Compliance 40
        Privacy Requirements Compliance 40
    Legal and Regulatory Issues 41
        Computer Crime Concepts 41
        Major Legal Systems 43
        Licensing and Intellectual Property 46
        Cyber Crimes and Data Breaches 50
        Import/Export Controls 51
        Trans-Border Data Flow 51
        Privacy 52
    Investigation Types 62
        Operations/Administrative 63
        Criminal 63
        Civil 64
        Regulatory 64
        Industry Standards 64
        eDiscovery 67
    Professional Ethics 67
        (ISC)2 Code of Ethics 67
        Computer Ethics Institute 68
        Internet Architecture Board 68
        Organizational Code of Ethics 69
    Security Documentation 69
        Policies 70
        Processes 72
        Procedures 72
        Standards 73
        Guidelines 73
        Baselines 73
    Business Continuity 73
        Business Continuity and Disaster Recovery Concepts 73
        Scope and Plan 77
        BIA Development 81
    Personnel Security Policies and Procedures 85
        Candidate Screening and Hiring 85
        Employment Agreements and Policies 87
        Employee Onboarding and Offboarding Policies 88
        Vendor, Consultant, and Contractor Agreements and Controls 88
        Compliance Policy Requirements 89
        Privacy Policy Requirements 89
        Job Rotation 89
        Separation of Duties 89
    Risk Management Concepts 90
        Asset and Asset Valuation 90
        Vulnerability 91
        Threat 91
        Threat Agent 91
        Exploit 91
        Risk 91
        Exposure 92
        Countermeasure 92
        Risk Appetite 92
        Attack 93
        Breach 93
        Risk Management Policy 94
        Risk Management Team 94
        Risk Analysis Team 94
        Risk Assessment 95
        Implementation 100
        Control Categories 100
        Control Types 102
        Controls Assessment, Monitoring, and Measurement 108
        Reporting and Continuous Improvement 108
        Risk Frameworks 109
        A Risk Management Standard by the Federation of European Risk Management Associations (FERMA) 128
    Geographical Threats 129
        Internal Versus External Threats 129
        Natural Threats 130
        System Threats 131
        Human-Caused Threats 133
        Politically Motivated Threats 135
    Threat Modeling 137
        Threat Modeling Concepts 138
        Threat Modeling Methodologies 138
        Identifying Threats 141
        Potential Attacks 142
        Remediation Technologies and Processes 143
    Security Risks in the Supply Chain 143
        Risks Associated with Hardware, Software, and Services 144
        Third-Party Assessment and Monitoring 144
        Minimum Service-Level and Security Requirements 145
        Service-Level Requirements 146
    Security Education, Training, and Awareness 147
        Levels Required 147
        Methods and Techniques 148
        Periodic Content Reviews 148
    Review All Key Topics 148
    Complete the Tables and Lists from Memory 150
    Define Key Terms 150
    Answers and Explanations 157
    Chapter 2 Asset Security 165
    Asset Security Concepts 166
        Asset and Data Policies 166
        Data Quality 167
        Data Documentation and Organization 168
    Identify and Classify Information and Assets 169
        Data and Asset Classification 170
        Sensitivity and Criticality 170
        Private Sector Data Classifications 175
        Military and Government Data Classifications 176
    Information and Asset Handling Requirements 177
        Marking, Labeling, and Storing 178
        Destruction 178
    Provision Resources Securely 179
        Asset Inventory and Asset Management 179
    Data Life Cycle 180
        Databases 182
        Roles and Responsibilities 188
        Data Collection and Limitation 191
        Data Location 192
        Data Maintenance 192
        Data Retention 193
        Data Remanence and Destruction 193
        Data Audit 194
    Asset Retention 195
    Data Security Controls 197
        Data Security 197
        Data States 197
        Data Access and Sharing 198
        Data Storage and Archiving 199
        Baselines 200
        Scoping and Tailoring 201
        Standards Selection 201
        Data Protection Methods 202
    Review All Key Topics 205
    Define Key Terms 205
    Answers and Explanations 207
    Chapter 3 Security Architecture and Engineering 213
    Engineering Processes Using Secure Design Principles 214
        Objects and Subjects 215
        Closed Versus Open Systems 215
        Threat Modeling 215
        Least Privilege 216
        Defense in Depth 216
        Secure Defaults 216
        Fail Securely 217
        Separation of Duties (SoD) 217
        Keep It Simple 218
        Zero Trust 218
        Privacy by Design 218
        Trust but Verify 219
        Shared Responsibility 219
    Security Model Concepts 220
        Confidentiality, Integrity, and Availability 220
        Confinement 220
        Bounds 221
        Isolation 221
        Security Modes 221
        Security Model Types 222
        Security Models 226
        System Architecture Steps 230
        ISO/IEC 42010:2011 231
        Computing Platforms 231
        Security Services 234
        System Components 235
    System Security Evaluation Models 244
        TCSEC 245
        ITSEC 248
        Common Criteria 250
        Security Implementation Standards 252
        Controls and Countermeasures 255
    Certification and Accreditation 256
    Control Selection Based on Systems Security Requirements 256
    Security Capabilities of Information Systems 257
        Memory Protection 257
        Trusted Platform Module 258
        Interfaces 259
        Fault Tolerance 259
        Policy Mechanisms 260
        Encryption/Decryption 260
    Security Architecture Maintenance 261
    Vulnerabilities of Security Architectures, Designs, and Solution Elements 261
        Client-Based Systems 262
        Server-Based Systems 263
        Database Systems 264
        Cryptographic Systems 265
        Industrial Control Systems 265
        Cloud-Based Systems 268
        Large-Scale Parallel Data Systems 274
        Distributed Systems 275
        Grid Computing 275
        Peer-to-Peer Computing 275
        Internet of Things 276
        Microservices 280
        Containerization 281
        Serverless Systems 281
        High-Performance Computing Systems 282
        Edge Computing Systems 282
        Virtualized Systems 283
    Vulnerabilities in Web-Based Systems 283
        Maintenance Hooks 284
        Time-of-Check/Time-of-Use Attacks 284
        Web-Based Attacks 285
        XML 285
        SAML 285
        OWASP 286
    Vulnerabilities in Mobile Systems 286
        Device Security 287
        Application Security 287
        Mobile Device Concerns 287
        NIST SP 800-164 290
    Vulnerabilities in Embedded Systems 291
    Cryptographic Solutions 292
        Cryptography Concepts 292
        Cryptography History 294
        Cryptosystem Features 298
        NIST SP 800-175A and B 299
        Cryptographic Mathematics 300
        Cryptographic Life Cycle 302
    Cryptographic Types 304
        Running Key and Concealment Ciphers 305
        Substitution Ciphers 305
        Transposition Ciphers 307
        Symmetric Algorithms 308
        Asymmetric Algorithms 310
        Hybrid Ciphers 311
        Elliptic Curves 312
        Quantum Cryptography 312
    Symmetric Algorithms 312
        DES and 3DES 313
        AES 316
        IDEA 317
        Skipjack 317
        Blowfish 317
        Twofish 318
        RC4/RC5/RC6/RC7 318
        CAST 318
    Asymmetric Algorithms 319
        Diffie-Hellman 320
        RSA 320
        El Gamal 321
        ECC 321
        Knapsack 322
        Zero-Knowledge Proof 322
    Public Key Infrastructure and Digital Certificates 322
        Certificate Authority and Registration Authority 323
        Certificates 323
        Certificate Life Cycle 324
        Certificate Revocation List 327
        OCSP 327
        PKI Steps 327
        Cross-Certification 328
    Key Management Practices 328
    Message Integrity 332
        Hashing 333
        Message Authentication Code 337
        Salting 339
    Digital Signatures and Non-repudiation 339
        DSS 340
        Non-repudiation 340
    Applied Cryptography 340
        Link Encryption Versus End-to-End Encryption 340
        Email Security 340
        Internet Security 341
    Cryptanalytic Attacks 341
        Ciphertext-Only Attack 342
        Known Plaintext Attack 342
        Chosen Plaintext Attack 342
        Chosen Ciphertext Attack 342
        Social Engineering 342
        Brute Force 343
        Differential Cryptanalysis 343
        Linear Cryptanalysis 343
        Algebraic Attack 343
        Frequency Analysis 343
        Birthday Attack 344
        Dictionary Attack 344
        Replay Attack 344
        Analytic Attack 344
        Statistical Attack 344
        Factoring Attack 344
        Reverse Engineering 344
        Meet-in-the-Middle Attack 345
        Ransomware Attack 345
        Side-Channel Attack 345
        Implementation Attack 345
        Fault Injection 345
        Timing Attack 346
        Pass-the-Hash Attack 346
    Digital Rights Management 346
        Document DRM 347
        Music DRM 347
        Movie DRM 347
        Video Game DRM 348
        E-book DRM 348
    Site and Facility Design 348
        Layered Defense Model 348
        CPTED 348
        Physical Security Plan 350
        Facility Selection Issues 351
    Site and Facility Security Controls 353
        Doors 353
        Locks 355
        Biometrics 356
        Type of Glass Used for Entrances 356
        Visitor Control 357
        Wiring Closets/Intermediate Distribution Facilities 357
        Restricted and Work Areas 357
        Environmental Security and Issues 358
        Equipment Physical Security 362
    Review All Key Topics 364
    Complete the Tables and Lists from Memory 366
    Define Key Terms 366
    Answers and Explanations 372
    Chapter 4 Communication and Network Security 377
    Secure Network Design Principles 378
        OSI Model 378
        TCP/IP Model 383
    IP Networking 389
        Common TCP/UDP Ports 389
        Logical and Physical Addressing 391
        IPv4 392
        Network Transmission 399
        IPv6 403
        Network Types 416
    Protocols and Services 421
        ARP/RARP 422
        DHCP/BOOTP 423
        DNS 424
        FTP, FTPS, SFTP, and TFTP 424
        HTTP, HTTPS, and S-HTTP 425
        ICMP 425
        IGMP 426
        IMAP 426
        LDAP 426
        LDP 426
        NAT 426
        NetBIOS 426
        NFS 427
        PAT 427
        POP 427
        CIFS/SMB 427
        SMTP 427
        SNMP 427
        SSL/TLS 428
        Multilayer Protocols 428
    Converged Protocols 429
        FCoE 429
        MPLS 430
        VoIP 431
        iSCSI 431
    Wireless Networks 431
        FHSS, DSSS, OFDM, VOFDM, FDMA, TDMA, CDMA, OFDMA, and GSM 432
        WLAN Structure 435
        WLAN Standards 436
        WLAN Security 439
    Communications Cryptography 445
        Link Encryption 445
        End-to-End Encryption 446
        Email Security 446
        Internet Security 448
    Secure Network Components 450
        Hardware 450
        Transmission Media 471
        Network Access Control Devices 491
        Endpoint Security 493
        Content-Distribution Networks 494
    Secure Communication Channels 495
        Voice 495
        Multimedia Collaboration 495
        Remote Access 497
        Data Communications 507
        Virtualized Networks 507
    Network Attacks 509
        Cabling 509
        Network Component Attacks 510
        ICMP Attacks 512
        DNS Attacks 514
        Email Attacks 516
        Wireless Attacks 518
        Remote Attacks 519
        Other Attacks 519
    Review All Key Topics 521
    Define Key Terms 522
    Answers and Explanations 529
    Chapter 5 Identity and Access Management (IAM) 535
    Access Control Process 536
        Identify Resources 536
        Identify Users 536
        Identify the Relationships Between Resources and Users 537
    Physical and Logical Access to Assets 537
        Access Control Administration 538
        Information 539
        Systems 539
        Devices 540
        Facilities 540
        Applications 541
    Identification and Authentication Concepts 541
        NIST SP 800-63 542
        Five Factors for Authentication 546
        Single-Factor Versus Multifactor Authentication 557
        Device Authentication 557
    Identification and Authentication Implementation 558
        Separation of Duties 558
        Least Privilege/Need-to-Know 559
        Default to No Access 560
        Directory Services 560
        Single Sign-on 561
        Session Management 566
        Registration, Proof, and Establishment of Identity 566
        Credential Management Systems 567
        Remote Authentication Dial-In User Service (RADIUS)/Terminal Access Controller Access Control System Plus (TACACS+) 568
        Accountability 568
        Just-In-Time (JIT) 570
    Identity as a Service (IDaaS) Implementation 571
    Third-Party Identity Services Integration 571
    Authorization Mechanisms 572
        Permissions, Rights, and Privileges 572
        Access Control Models 572
        Access Control Policies 580
    Provisioning Life Cycle 580
        Provisioning 581
        User, System, and Service Account Access Review 582
        Account Transfers 582
        Account Revocation 583
        Role Definition 583
        Privilege Escalation 583
    Access Control Threats 584
        Password Threats 585
        Social Engineering Threats 586
        DoS/DDoS 588
        Buffer Overflow 588
        Mobile Code 588
        Malicious Software 589
        Spoofing 589
        Sniffing and Eavesdropping 589
        Emanating 590
        Backdoor/Trapdoor 590
        Access Aggregation 590
        Advanced Persistent Threat 591
    Prevent or Mitigate Access Control Threats 591
    Review All Key Topics 592
    Define Key Terms 593
    Answers and Explanations 596
    Chapter 6 Security Assessment and Testing 601
    Design and Validate Assessment and Testing Strategies 602
        Security Testing 602
        Security Assessments 603
        Red Team versus Blue Team 603
        Security Auditing 604
        Internal, External, and Third-party Security Assessment, Testing, and Auditing 604
    Conduct Security Control Testing 605
        Vulnerability Assessment 605
        Penetration Testing 609
        Log Reviews 611
        Synthetic Transactions 616
        Code Review and Testing 616
        Misuse Case Testing 619
        Test Coverage Analysis 619
        Interface Testing 620
    Collect Security Process Data 620
        NIST SP 800-137 620
        Account Management 621
        Management Review and Approval 622
        Key Performance and Risk Indicators 622
        Backup Verification Data 623
        Training and Awareness 623
        Disaster Recovery and Business Continuity 624
    Analyze Test Outputs and Generate a Report 624
    Conduct or Facilitate Security Audits 624
    Review All Key Topics 626
    Define Key Terms 627
    Answers and Explanations 630
    Chapter 7 Security Operations 637
    Investigations 638
        Forensic and Digital Investigations 638
        Evidence Collection and Handling 646
        Digital Forensic Tools, Tactics, and Procedures 651
    Logging and Monitoring Activities 654
        Audit and Review 654
        Log Types 655
        Intrusion Detection and Prevention 656
        Security Information and Event Management (SIEM) 656
        Continuous Monitoring 657
        Egress Monitoring 657
        Log Management 658
        Threat Intelligence 658
        User and Entity Behavior Analytics (UEBA) 659
    Configuration and Change Management 659
        Resource Provisioning 661
        Baselining 664
        Automation 664
    Security Operations Concepts 664
        Need to Know/Least Privilege 664
        Managing Accounts, Groups, and Roles 665
        Separation of Duties and Responsibilities 666
        Privilege Account Management 666
        Job Rotation and Mandatory Vacation 666
        Two-Person Control 667
        Sensitive Information Procedures 667
        Record Retention 667
        Information Life Cycle 668
        Service-Level Agreements 668
    Resource Protection 669
        Protecting Tangible and Intangible Assets 669
        Asset Management 671
    Incident Management 680
        Event Versus Incident 680
        Incident Response Team and Incident Investigations 681
        Rules of Engagement, Authorization, and Scope 681
        Incident Response Procedures 682
        Incident Response Management 682
        Detect 683
        Respond 683
        Mitigate 683
        Report 684
        Recover 684
        Remediate 684
        Review and Lessons Learned 684
    Detective and Preventive Measures 684
        IDS/IPS 685
        Firewalls 685
        Whitelisting/Blacklisting 685
        Third-Party Security Services 686
        Sandboxing 686
        Honeypots/Honeynets 686
        Anti-malware/Antivirus 686
        Clipping Levels 686
        Deviations from Standards 687
        Unusual or Unexplained Events 687
        Unscheduled Reboots 687
        Unauthorized Disclosure 687
        Trusted Recovery 688
        Trusted Paths 688
        Input/Output Controls 688
        System Hardening 688
        Vulnerability Management Systems 689
        Machine Learning and Artificial Intelligence (AI)-Based Tools 689
    Patch and Vulnerability Management 689
    Recovery Strategies 690
        Create Recovery Strategies 691
        Backup Storage Strategies 699
        Recovery and Multiple Site Strategies 700
        Redundant Systems, Facilities, and Power 703
        Fault-Tolerance Technologies 704
        Insurance 704
        Data Backup 705
        Fire Detection and Suppression 705
        High Availability 705
        Quality of Service 706
        System Resilience 706
    Disaster Recovery 706
        Response 707
        Personnel 707
        Communications 709
        Assessment 710
        Restoration 710
        Training and Awareness 710
        Lessons Learned 710
    Testing Disaster Recovery Plans 711
        Read-Through Test 711
        Checklist Test 712
        Table-Top Exercise 712
        Structured Walk-Through Test 712
        Simulation Test 712
        Parallel Test 712
        Full-Interruption Test 712
        Functional Drill 713
        Evacuation Drill 713
    Business Continuity Planning and Exercises 713
    Physical Security 713
        Perimeter Security Controls 713
        Building and Internal Security Controls 719
    Personnel Safety and Security 719
        Duress 720
        Travel 720
        Monitoring 720
        Emergency Management 721
        Security Training and Awareness 721
    Review All Key Topics 722
    Define Key Terms 723
    Answers and Explanations 727
    Chapter 8 Software Development Security 733
    Software Development Concepts 734
        Machine Languages 734
        Assembly Languages and Assemblers 734
        High-Level Languages, Compilers, and Interpreters 734
        Object-Oriented Programming 735
        Distributed Object-Oriented Systems 737
        Mobile Code 739
    Security in the System and Software Development Life Cycle 743
        System Development Life Cycle 743
        Software Development Life Cycle 746
        DevSecOps 750
        Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) 750
        Security Orchestration and Automated Response (SOAR) 751
        Software Development Methods and Maturity Models 751
        Operation and Maintenance 762
        Integrated Product Team 763
    Security Controls in Development 764
        Software Development Security Best Practices 764
        Software Environment Security 765
        Source Code Analysis Tools 766
        Code Repository Security 766
        Software Threats 766
        Software Protection Mechanisms 772
    Assess Software Security Effectiveness 774
        Auditing and Logging 774
        Risk Analysis and Mitigation 774
        Regression and Acceptance Testing 775
    Security Impact of Acquired Software 775
    Secure Coding Guidelines and Standards 776
        Security Weaknesses and Vulnerabilities at the Source Code Level 776
        Security of Application Programming Interfaces 780
        Secure Coding Practices 780
    Review All Key Topics 782
    Define Key Terms 782
    Answers and Explanations 786
    Chapter 9 Final Preparation 791
    Tools for Final Preparation 791
        Pearson Test Prep Practice Test Engine and Questions on the Website 791
        Customizing Your Exams 793
        Updating Your Exams 794
        Memory Tables 795
        Chapter-Ending Review Tools 795
    Suggested Plan for Final Review/Study 795
    Summary 796
    Online Elements
    Appendix A Memory Tables
    Appendix B Memory Tables Answer Key
    Glossary

    9780137507474   TOC   9/19/2022