Table of Contents

Introduction xlvii
Chapter 1 Security and Risk Management 5
Security Terms 6
CIA 6
Auditing and Accounting 7
Non-repudiation 8
Default Security Posture 8
Defense in Depth 9
Abstraction 10
Data Hiding 10
Encryption 10
Security Governance Principles 10
Security Function Alignment 12
Organizational Processes 14
Organizational Roles and Responsibilities 16
Security Control Frameworks 20
Due Care and Due Diligence 38
Compliance 38
Contractual, Legal, Industry Standards, and Regulatory Compliance 40
Privacy Requirements Compliance 40
Legal and Regulatory Issues 41
Computer Crime Concepts 41
Major Legal Systems 43
Licensing and Intellectual Property 46
Cyber Crimes and Data Breaches 50
Import/Export Controls 51
Trans-Border Data Flow 51
Privacy 52
Investigation Types 62
Operations/Administrative 63
Criminal 63
Civil 64
Regulatory 64
Industry Standards 64
eDiscovery 67
Professional Ethics 67
(ISC)2 Code of Ethics 67
Computer Ethics Institute 68
Internet Architecture Board 68
Organizational Code of Ethics 69
Security Documentation 69
Policies 70
Processes 72
Procedures 72
Standards 73
Guidelines 73
Baselines 73
Business Continuity 73
Business Continuity and Disaster Recovery Concepts 73
Scope and Plan 77
BIA Development 81
Personnel Security Policies and Procedures 85
Candidate Screening and Hiring 85
Employment Agreements and Policies 87
Employee Onboarding and Offboarding Policies 88
Vendor, Consultant, and Contractor Agreements and Controls 88
Compliance Policy Requirements 89
Privacy Policy Requirements 89
Job Rotation 89
Separation of Duties 89
Risk Management Concepts 90
Asset and Asset Valuation 90
Vulnerability 91
Threat 91
Threat Agent 91
Exploit 91
Risk 91
Exposure 92
Countermeasure 92
Risk Appetite 92
Attack 93
Breach 93
Risk Management Policy 94
Risk Management Team 94
Risk Analysis Team 94
Risk Assessment 95
Implementation 100
Control Categories 100
Control Types 102
Controls Assessment, Monitoring, and Measurement 108
Reporting and Continuous Improvement 108
Risk Frameworks 109
A Risk Management Standard by the Federation of European Risk Management Associations (FERMA) 128
Geographical Threats 129
Internal Versus External Threats 129
Natural Threats 130
System Threats 131
Human-Caused Threats 133
Politically Motivated Threats 135
Threat Modeling 137
Threat Modeling Concepts 138
Threat Modeling Methodologies 138
Identifying Threats 141
Potential Attacks 142
Remediation Technologies and Processes 143
Security Risks in the Supply Chain 143
Risks Associated with Hardware, Software, and Services 144
Third-Party Assessment and Monitoring 144
Minimum Service-Level and Security Requirements 145
Service-Level Requirements 146
Security Education, Training, and Awareness 147
Levels Required 147
Methods and Techniques 148
Periodic Content Reviews 148
Review All Key Topics 148
Complete the Tables and Lists from Memory 150
Define Key Terms 150
Answers and Explanations 157
Chapter 2 Asset Security 165
Asset Security Concepts 166
Asset and Data Policies 166
Data Quality 167
Data Documentation and Organization 168
Identify and Classify Information and Assets 169
Data and Asset Classification 170
Sensitivity and Criticality 170
Private Sector Data Classifications 175
Military and Government Data Classifications 176
Information and Asset Handling Requirements 177
Marking, Labeling, and Storing 178
Destruction 178
Provision Resources Securely 179
Asset Inventory and Asset Management 179
Data Life Cycle 180
Databases 182
Roles and Responsibilities 188
Data Collection and Limitation 191
Data Location 192
Data Maintenance 192
Data Retention 193
Data Remanence and Destruction 193
Data Audit 194
Asset Retention 195
Data Security Controls 197
Data Security 197
Data States 197
Data Access and Sharing 198
Data Storage and Archiving 199
Baselines 200
Scoping and Tailoring 201
Standards Selection 201
Data Protection Methods 202
Review All Key Topics 205
Define Key Terms 205
Answers and Explanations 207
Chapter 3 Security Architecture and Engineering 213
Engineering Processes Using Secure Design Principles 214
Objects and Subjects 215
Closed Versus Open Systems 215
Threat Modeling 215
Least Privilege 216
Defense in Depth 216
Secure Defaults 216
Fail Securely 217
Separation of Duties (SoD) 217
Keep It Simple 218
Zero Trust 218
Privacy by Design 218
Trust but Verify 219
Shared Responsibility 219
Security Model Concepts 220
Confidentiality, Integrity, and Availability 220
Confinement 220
Bounds 221
Isolation 221
Security Modes 221
Security Model Types 222
Security Models 226
System Architecture Steps 230
ISO/IEC 42010:2011 231
Computing Platforms 231
Security Services 234
System Components 235
System Security Evaluation Models 244
TCSEC 245
ITSEC 248
Common Criteria 250
Security Implementation Standards 252
Controls and Countermeasures 255
Certification and Accreditation 256
Control Selection Based on Systems Security Requirements 256
Security Capabilities of Information Systems 257
Memory Protection 257
Trusted Platform Module 258
Interfaces 259
Fault Tolerance 259
Policy Mechanisms 260
Encryption/Decryption 260
Security Architecture Maintenance 261
Vulnerabilities of Security Architectures, Designs, and Solution Elements 261
Client-Based Systems 262
Server-Based Systems 263
Database Systems 264
Cryptographic Systems 265
Industrial Control Systems 265
Cloud-Based Systems 268
Large-Scale Parallel Data Systems 274
Distributed Systems 275
Grid Computing 275
Peer-to-Peer Computing 275
Internet of Things 276
Microservices 280
Containerization 281
Serverless Systems 281
High-Performance Computing Systems 282
Edge Computing Systems 282
Virtualized Systems 283
Vulnerabilities in Web-Based Systems 283
Maintenance Hooks 284
Time-of-Check/Time-of-Use Attacks 284
Web-Based Attacks 285
XML 285
SAML 285
OWASP 286
Vulnerabilities in Mobile Systems 286
Device Security 287
Application Security 287
Mobile Device Concerns 287
NIST SP 800-164 290
Vulnerabilities in Embedded Systems 291
Cryptographic Solutions 292
Cryptography Concepts 292
Cryptography History 294
Cryptosystem Features 298
NIST SP 800-175A and B 299
Cryptographic Mathematics 300
Cryptographic Life Cycle 302
Cryptographic Types 304
Running Key and Concealment Ciphers 305
Substitution Ciphers 305
Transposition Ciphers 307
Symmetric Algorithms 308
Asymmetric Algorithms 310
Hybrid Ciphers 311
Elliptic Curves 312
Quantum Cryptography 312
Symmetric Algorithms 312
DES and 3DES 313
AES 316
IDEA 317
Skipjack 317
Blowfish 317
Twofish 318
RC4/RC5/RC6/RC7 318
CAST 318
Asymmetric Algorithms 319
Diffie-Hellman 320
RSA 320
El Gamal 321
ECC 321
Knapsack 322
Zero-Knowledge Proof 322
Public Key Infrastructure and Digital Certificates 322
Certificate Authority and Registration Authority 323
Certificates 323
Certificate Life Cycle 324
Certificate Revocation List 327
OCSP 327
PKI Steps 327
Cross-Certification 328
Key Management Practices 328
Message Integrity 332
Hashing 333
Message Authentication Code 337
Salting 339
Digital Signatures and Non-repudiation 339
DSS 340
Non-repudiation 340
Applied Cryptography 340
Link Encryption Versus End-to-End Encryption 340
Email Security 340
Internet Security 341
Cryptanalytic Attacks 341
Ciphertext-Only Attack 342
Known Plaintext Attack 342
Chosen Plaintext Attack 342
Chosen Ciphertext Attack 342
Social Engineering 342
Brute Force 343
Differential Cryptanalysis 343
Linear Cryptanalysis 343
Algebraic Attack 343
Frequency Analysis 343
Birthday Attack 344
Dictionary Attack 344
Replay Attack 344
Analytic Attack 344
Statistical Attack 344
Factoring Attack 344
Reverse Engineering 344
Meet-in-the-Middle Attack 345
Ransomware Attack 345
Side-Channel Attack 345
Implementation Attack 345
Fault Injection 345
Timing Attack 346
Pass-the-Hash Attack 346
Digital Rights Management 346
Document DRM 347
Music DRM 347
Movie DRM 347
Video Game DRM 348
E-book DRM 348
Site and Facility Design 348
Layered Defense Model 348
CPTED 348
Physical Security Plan 350
Facility Selection Issues 351
Site and Facility Security Controls 353
Doors 353
Locks 355
Biometrics 356
Type of Glass Used for Entrances 356
Visitor Control 357
Wiring Closets/Intermediate Distribution Facilities 357
Restricted and Work Areas 357
Environmental Security and Issues 358
Equipment Physical Security 362
Review All Key Topics 364
Complete the Tables and Lists from Memory 366
Define Key Terms 366
Answers and Explanations 372
Chapter 4 Communication and Network Security 377
Secure Network Design Principles 378
OSI Model 378
TCP/IP Model 383
IP Networking 389
Common TCP/UDP Ports 389
Logical and Physical Addressing 391
IPv4 392
Network Transmission 399
IPv6 403
Network Types 416
Protocols and Services 421
ARP/RARP 422
DHCP/BOOTP 423
DNS 424
FTP, FTPS, SFTP, and TFTP 424
HTTP, HTTPS, and S-HTTP 425
ICMP 425
IGMP 426
IMAP 426
LDAP 426
LDP 426
NAT 426
NetBIOS 426
NFS 427
PAT 427
POP 427
CIFS/SMB 427
SMTP 427
SNMP 427
SSL/TLS 428
Multilayer Protocols 428
Converged Protocols 429
FCoE 429
MPLS 430
VoIP 431
iSCSI 431
Wireless Networks 431
FHSS, DSSS, OFDM, VOFDM, FDMA, TDMA, CDMA, OFDMA, and GSM 432
WLAN Structure 435
WLAN Standards 436
WLAN Security 439
Communications Cryptography 445
Link Encryption 445
End-to-End Encryption 446
Email Security 446
Internet Security 448
Secure Network Components 450
Hardware 450
Transmission Media 471
Network Access Control Devices 491
Endpoint Security 493
Content-Distribution Networks 494
Secure Communication Channels 495
Voice 495
Multimedia Collaboration 495
Remote Access 497
Data Communications 507
Virtualized Networks 507
Network Attacks 509
Cabling 509
Network Component Attacks 510
ICMP Attacks 512
DNS Attacks 514
Email Attacks 516
Wireless Attacks 518
Remote Attacks 519
Other Attacks 519
Review All Key Topics 521
Define Key Terms 522
Answers and Explanations 529
Chapter 5 Identity and Access Management (IAM) 535
Access Control Process 536
Identify Resources 536
Identify Users 536
Identify the Relationships Between Resources and Users 537
Physical and Logical Access to Assets 537
Access Control Administration 538
Information 539
Systems 539
Devices 540
Facilities 540
Applications 541
Identification and Authentication Concepts 541
NIST SP 800-63 542
Five Factors for Authentication 546
Single-Factor Versus Multifactor Authentication 557
Device Authentication 557
Identification and Authentication Implementation 558
Separation of Duties 558
Least Privilege/Need-to-Know 559
Default to No Access 560
Directory Services 560
Single Sign-on 561
Session Management 566
Registration, Proof, and Establishment of Identity 566
Credential Management Systems 567
Remote Authentication Dial-In User Service (RADIUS)/Terminal Access Controller Access Control System Plus (TACACS+) 568
Accountability 568
Just-In-Time (JIT) 570
Identity as a Service (IDaaS) Implementation 571
Third-Party Identity Services Integration 571
Authorization Mechanisms 572
Permissions, Rights, and Privileges 572
Access Control Models 572
Access Control Policies 580
Provisioning Life Cycle 580
Provisioning 581
User, System, and Service Account Access Review 582
Account Transfers 582
Account Revocation 583
Role Definition 583
Privilege Escalation 583
Access Control Threats 584
Password Threats 585
Social Engineering Threats 586
DoS/DDoS 588
Buffer Overflow 588
Mobile Code 588
Malicious Software 589
Spoofing 589
Sniffing and Eavesdropping 589
Emanating 590
Backdoor/Trapdoor 590
Access Aggregation 590
Advanced Persistent Threat 591
Prevent or Mitigate Access Control Threats 591
Review All Key Topics 592
Define Key Terms 593
Answers and Explanations 596
Chapter 6 Security Assessment and Testing 601
Design and Validate Assessment and Testing Strategies 602
Security Testing 602
Security Assessments 603
Red Team versus Blue Team 603
Security Auditing 604
Internal, External, and Third-party Security Assessment, Testing, and Auditing 604
Conduct Security Control Testing 605
Vulnerability Assessment 605
Penetration Testing 609
Log Reviews 611
Synthetic Transactions 616
Code Review and Testing 616
Misuse Case Testing 619
Test Coverage Analysis 619
Interface Testing 620
Collect Security Process Data 620
NIST SP 800-137 620
Account Management 621
Management Review and Approval 622
Key Performance and Risk Indicators 622
Backup Verification Data 623
Training and Awareness 623
Disaster Recovery and Business Continuity 624
Analyze Test Outputs and Generate a Report 624
Conduct or Facilitate Security Audits 624
Review All Key Topics 626
Define Key Terms 627
Answers and Explanations 630
Chapter 7 Security Operations 637
Investigations 638
Forensic and Digital Investigations 638
Evidence Collection and Handling 646
Digital Forensic Tools, Tactics, and Procedures 651
Logging and Monitoring Activities 654
Audit and Review 654
Log Types 655
Intrusion Detection and Prevention 656
Security Information and Event Management (SIEM) 656
Continuous Monitoring 657
Egress Monitoring 657
Log Management 658
Threat Intelligence 658
User and Entity Behavior Analytics (UEBA) 659
Configuration and Change Management 659
Resource Provisioning 661
Baselining 664
Automation 664
Security Operations Concepts 664
Need to Know/Least Privilege 664
Managing Accounts, Groups, and Roles 665
Separation of Duties and Responsibilities 666
Privilege Account Management 666
Job Rotation and Mandatory Vacation 666
Two-Person Control 667
Sensitive Information Procedures 667
Record Retention 667
Information Life Cycle 668
Service-Level Agreements 668
Resource Protection 669
Protecting Tangible and Intangible Assets 669
Asset Management 671
Incident Management 680
Event Versus Incident 680
Incident Response Team and Incident Investigations 681
Rules of Engagement, Authorization, and Scope 681
Incident Response Procedures 682
Incident Response Management 682
Detect 683
Respond 683
Mitigate 683
Report 684
Recover 684
Remediate 684
Review and Lessons Learned 684
Detective and Preventive Measures 684
IDS/IPS 685
Firewalls 685
Whitelisting/Blacklisting 685
Third-Party Security Services 686
Sandboxing 686
Honeypots/Honeynets 686
Anti-malware/Antivirus 686
Clipping Levels 686
Deviations from Standards 687
Unusual or Unexplained Events 687
Unscheduled Reboots 687
Unauthorized Disclosure 687
Trusted Recovery 688
Trusted Paths 688
Input/Output Controls 688
System Hardening 688
Vulnerability Management Systems 689
Machine Learning and Artificial Intelligence (AI)-Based Tools 689
Patch and Vulnerability Management 689
Recovery Strategies 690
Create Recovery Strategies 691
Backup Storage Strategies 699
Recovery and Multiple Site Strategies 700
Redundant Systems, Facilities, and Power 703
Fault-Tolerance Technologies 704
Insurance 704
Data Backup 705
Fire Detection and Suppression 705
High Availability 705
Quality of Service 706
System Resilience 706
Disaster Recovery 706
Response 707
Personnel 707
Communications 709
Assessment 710
Restoration 710
Training and Awareness 710
Lessons Learned 710
Testing Disaster Recovery Plans 711
Read-Through Test 711
Checklist Test 712
Table-Top Exercise 712
Structured Walk-Through Test 712
Simulation Test 712
Parallel Test 712
Full-Interruption Test 712
Functional Drill 713
Evacuation Drill 713
Business Continuity Planning and Exercises 713
Physical Security 713
Perimeter Security Controls 713
Building and Internal Security Controls 719
Personnel Safety and Security 719
Duress 720
Travel 720
Monitoring 720
Emergency Management 721
Security Training and Awareness 721
Review All Key Topics 722
Define Key Terms 723
Answers and Explanations 727
Chapter 8 Software Development Security 733
Software Development Concepts 734
Machine Languages 734
Assembly Languages and Assemblers 734
High-Level Languages, Compilers, and Interpreters 734
Object-Oriented Programming 735
Distributed Object-Oriented Systems 737
Mobile Code 739
Security in the System and Software Development Life Cycle 743
System Development Life Cycle 743
Software Development Life Cycle 746
DevSecOps 750
Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) 750
Security Orchestration and Automated Response (SOAR) 751
Software Development Methods and Maturity Models 751
Operation and Maintenance 762
Integrated Product Team 763
Security Controls in Development 764
Software Development Security Best Practices 764
Software Environment Security 765
Source Code Analysis Tools 766
Code Repository Security 766
Software Threats 766
Software Protection Mechanisms 772
Assess Software Security Effectiveness 774
Auditing and Logging 774
Risk Analysis and Mitigation 774
Regression and Acceptance Testing 775
Security Impact of Acquired Software 775
Secure Coding Guidelines and Standards 776
Security Weaknesses and Vulnerabilities at the Source Code Level 776
Security of Application Programming Interfaces 780
Secure Coding Practices 780
Review All Key Topics 782
Define Key Terms 782
Answers and Explanations 786
Chapter 9 Final Preparation 791
Tools for Final Preparation 791
Pearson Test Prep Practice Test Engine and Questions on the Website 791
Customizing Your Exams 793
Updating Your Exams 794
Memory Tables 795
Chapter-Ending Review Tools 795
Suggested Plan for Final Review/Study 795
Summary 796
Online Elements
Appendix A Memory Tables
Appendix B Memory Tables Answer Key
Glossary

9780137507474 TOC 9/19/2022