CISSP Cert Guide: (Certification Guide)


About the Book

 

Table of Contents:
Introduction xlv

Chapter 1 Security and Risk Management 2
  • Security Terms 5
    • CIA 5
    • Auditing and Accounting 6
    • Non-Repudiation 7
    • Default Security Posture 7
    • Defense in Depth 7
    • Abstraction 8
    • Data Hiding 8
    • Encryption 8
  • Security Governance Principles 8
    • Security Function Alignment 9
    • Organizational Processes 12
    • Organizational Roles and Responsibilities 14
    • Security Control Frameworks 17
    • Due Care and Due Diligence 32
  • Compliance 33
    • Contractual, Legal, Industry Standards, and Regulatory Compliance 34
    • Privacy Requirements Compliance 35
  • Legal and Regulatory Issues 35
    • Computer Crime Concepts 36
    • Major Legal Systems 38
    • Licensing and Intellectual Property 40
    • Cyber Crimes and Data Breaches 44
    • Import/Export Controls 45
    • Trans-Border Data Flow 45
    • Privacy 45
  • Professional Ethics 52
    • (ISC)2 Code of Ethics 52
    • Computer Ethics Institute 53
    • Internet Architecture Board 54
    • Organizational Code of Ethics 54
  • Security Documentation 54
    • Policies 55
    • Processes 57
    • Procedures 57
    • Standards 57
    • Guidelines 58
    • Baselines 58
  • Business Continuity 58
    • Business Continuity and Disaster Recovery Concepts 58
    • Scope and Plan 61
    • BIA Development 65
  • Personnel Security Policies and Procedures 68
    • Candidate Screening and Hiring 69
    • Employment Agreements and Policies 70
    • Employee Onboarding and Offboarding Policies 71
    • Vendor, Consultant, and Contractor Agreements and Controls 72
    • Compliance Policy Requirements 72
    • Privacy Policy Requirements 72
    • Job Rotation 73
    • Separation of Duties 73
  • Risk Management Concepts 73
    • Asset and Asset Valuation 73
    • Vulnerability 74
    • Threat 74
    • Threat Agent 74
    • Exploit 75
    • Risk 75
    • Exposure 75
    • Countermeasure 75
    • Risk Appetite 76
    • Attack 76
    • Breach 76
    • Risk Management Policy 77
    • Risk Management Team 77
    • Risk Analysis Team 77
    • Risk Assessment 78
    • Implementation 82
    • Control Categories 83
    • Control Types 84
    • Controls Assessment, Monitoring, and Measurement 89
    • Reporting and Continuous Improvement 89
    • Risk Frameworks 90
  • Geographical Threats 108
    • Internal Versus External Threats 108
    • Natural Threats 109
    • System Threats 110
    • Human-Caused Threats 111
    • Politically Motivated Threats 114
  • Threat Modeling 115
    • Threat Modeling Concepts 116
    • Threat Modeling Methodologies 116
    • Identifying Threats 119
    • Potential Attacks 120
    • Remediation Technologies and Processes 121
  • Security Risks in the Supply Chain 121
    • Risks Associated with Hardware, Software, and Services 121
    • Third-party Assessment and Monitoring 122
    • Minimum Service-Level and Security Requirements 123
    • Service-Level Requirements 123
  • Security Education, Training, and Awareness 124
    • Levels Required 124
    • Methods and Techniques 125
    • Periodic Content Reviews 126
  • Exam Preparation Tasks 126

Chapter 2 Asset Security 140
  • Asset Security Concepts 141
    • Data Policy 141
    • Roles and Responsibilities 143
    • Data Quality 144
    • Data Documentation and Organization 145
  • Identify and Classify Information and Assets 146
    • Data and Asset Classification 146
    • Sensitivity and Criticality 146
    • Private Sector Classifications 151
    • Military and Government Classifications 152
    • Information Life Cycle 153
    • Databases 155
    • Data Audit 160
  • Information and Asset Ownership 160
  • Protect Privacy 161
    • Owners 161
    • Data Processors 162
    • Data Remanence 162
    • Collection Limitation 163
  • Asset Retention 164
  • Data Security Controls 166
    • Data Security 166
    • Data States 166
    • Data Access and Sharing 167
    • Data Storage and Archiving 168
    • Baselines 169
    • Scoping and Tailoring 170
    • Standards Selection 170
    • Data Protection Methods 171
  • Information and Asset Handling Requirements 172
    • Marking, Labeling, and Storing 172
    • Destruction 173
  • Exam Preparation Tasks 173

Chapter 3 Security Architecture and Engineering 178
  • Engineering Processes Using Secure Design Principles 180
    • Objects and Subjects 181
    • Closed Versus Open Systems 182
  • Security Model Concepts 182
    • Confidentiality, Integrity, and Availability 182
    • Confinement 183
    • Bounds 183
    • Isolation 183
    • Security Modes 183
    • Defense in Depth 185
    • Security Model Types 185
    • Security Models 188
    • System Architecture Steps 192
    • ISO/IEC 42010:2011 193
    • Computing Platforms 193
    • Security Services 196
    • System Components 196
  • System Security Evaluation Models 205
    • TCSEC 206
    • ITSEC 209
    • Common Criteria 211
    • Security Implementation Standards 213
    • Controls and Countermeasures 217
  • Certification and Accreditation 217
  • Control Selection Based upon Systems Security Requirements 218
  • Security Capabilities of Information Systems 219
    • Memory Protection 219
    • Virtualization 220
    • Trusted Platform Module 220
    • Interfaces 221
    • Fault Tolerance 221
    • Policy Mechanisms 222
    • Encryption/Decryption 223
  • Security Architecture Maintenance 223
  • Vulnerabilities of Security Architectures, Designs, and Solution Elements 224
    • Client-Based Systems 224
    • Server-Based Systems 225
    • Database Systems 226
    • Cryptographic Systems 227
    • Industrial Control Systems 227
    • Cloud-Based Systems 230
    • Large-Scale Parallel Data Systems 236
    • Distributed Systems 237
    • Grid Computing 237
    • Peer-to-Peer Computing 237
    • Internet of Things 238
  • Vulnerabilities in Web-Based Systems 242
    • Maintenance Hooks 242
    • Time-of-Check/Time-of-Use Attacks 243
    • Web-Based Attacks 243
    • XML 244
    • SAML 244
    • OWASP 244
  • Vulnerabilities in Mobile Systems 244
    • Device Security 245
    • Application Security 246
    • Mobile Device Concerns 246
    • NIST SP 800-164 248
  • Vulnerabilities in Embedded Devices 250
  • Cryptography 250
    • Cryptography Concepts 250
    • Cryptography History 253
    • Cryptosystem Features 256
    • NIST SP 800-175A and B 257
    • Cryptographic Mathematics 258
    • Cryptographic Life Cycle 261
  • Cryptographic Types 262
    • Running Key and Concealment Ciphers 263
    • Substitution Ciphers 263
    • Transposition Ciphers 265
    • Symmetric Algorithms 266
    • Asymmetric Algorithms 268
    • Hybrid Ciphers 269
  • Symmetric Algorithms 269
    • DES and 3DES 270
    • AES 274
    • IDEA 274
    • Skipjack 274
    • Blowfish 275
    • Twofish 275
    • RC4/RC5/RC6/RC7 275
    • CAST 275
  • Asymmetric Algorithms 276
    • Diffie-Hellman 277
    • RSA 277
    • El Gamal 278
    • ECC 278
    • Knapsack 279
    • Zero-knowledge Proof 279
  • Public Key Infrastructure 279
    • Certification Authority and Registration Authority 279
    • Certificates 280
    • Certificate Life Cycle 281
    • Certificate Revocation List 283
    • OCSP 284
    • PKI Steps 284
    • Cross-Certification 285
  • Key Management Practices 285
  • Message Integrity 293
    • Hashing 294
    • Message Authentication Code 297
    • Salting 299
  • Digital Signatures 299
    • DSS 300
  • Applied Cryptography 300
    • Link Encryption Versus End-to-End Encryption 300
    • Email Security 300
    • Internet Security 300
  • Cryptanalytic Attacks 301
    • Ciphertext-Only Attack 302
    • Known Plaintext Attack 302
    • Chosen Plaintext Attack 302
    • Chosen Ciphertext Attack 302
    • Social Engineering 302
    • Brute Force 302
    • Differential Cryptanalysis 303
    • Linear Cryptanalysis 303
    • Algebraic Attack 303
    • Frequency Analysis 303
    • Birthday Attack 303
    • Dictionary Attack 303
    • Replay Attack 304
    • Analytic Attack 304
    • Statistical Attack 304
    • Factoring Attack 304
    • Reverse Engineering 304
    • Meet-in-the-Middle Attack 304
    • Ransomware Attack 304
    • Side-Channel Attack 305
  • Digital Rights Management 305
    • Document DRM 306
    • Music DRM 306
    • Movie DRM 306
    • Video Game DRM 306
    • E-book DRM 307
  • Site and Facility Design 307
    • Layered Defense Model 307
    • CPTED 307
    • Physical Security Plan 308
    • Facility Selection Issues 309
  • Site and Facility Security Controls 312
    • Doors 312
    • Locks 313
    • Biometrics 315
    • Glass Entries 315
    • Visitor Control 315
    • Wiring Closets/Intermediate Distribution Facilities 316
    • Work Areas 316
    • Environmental Security 317
    • Equipment Security 321
  • Exam Preparation Tasks 323

Chapter 4 Communication and Network Security 334
  • Secure Network Design Principles 335
    • OSI Model 335
    • TCP/IP Model 340
  • IP Networking 345
    • Common TCP/UDP Ports 346
    • Logical and Physical Addressing 347
    • IPv4 348
    • Network Transmission 353
    • IPv6 357
    • Network Types 370
  • Protocols and Services 372
    • ARP/RARP 372
    • DHCP/BOOTP 373
    • DNS 374
    • FTP, FTPS, SFTP, TFTP 374
    • HTTP, HTTPS, S-HTTP 375
    • ICMP 375
    • IGMP 376
    • IMAP 376
    • LDAP 376
    • LDP 376
    • NAT 376
    • NetBIOS 376
    • NFS 377
    • PAT 377
    • POP 377
    • CIFS/SMB 377
    • SMTP 377
    • SNMP 377
    • SSL/TLS 378
    • Multilayer Protocols 378
  • Converged Protocols 379
    • FCoE 379
    • MPLS 380
    • VoIP 381
    • iSCSI 381
  • Wireless Networks 381
    • FHSS, DSSS, OFDM, VOFDM, FDMA, TDMA, CDMA, OFDMA, and GSM 382
    • WLAN Structure 384
    • WLAN Standards 384
    • WLAN Security 387
  • Communications Cryptography 392
    • Link Encryption 392
    • End-to-End Encryption 393
    • Email Security 393
    • Internet Security 394
  • Secure Network Components 396
    • Hardware 397
    • Transmission Media 415
    • Network Access Control Devices 435
    • Endpoint Security 437
    • Content-Distribution Networks 438
  • Secure Communication Channels 438
    • Voice 439
    • Multimedia Collaboration 439
    • Remote Access 440
    • Data Communications 450
    • Virtualized Networks 450
  • Network Attacks 451
    • Cabling 451
    • Network Component Attacks 453
    • ICMP Attacks 454
    • DNS Attacks 456
    • Email Attacks 458
    • Wireless Attacks 459
    • Remote Attacks 460
    • Other Attacks 460
  • Exam Preparation Tasks 462

Chapter 5 Identity and Access Management (IAM) 474
  • Access Control Process 475
    • Identify Resources 475
    • Identify Users 476
    • Identify the Relationships Between Resources and Users 476
  • Physical and Logical Access to Assets 477
    • Access Control Administration 477
    • Information 478
    • Systems 478
    • Devices 479
    • Facilities 479
  • Identification and Authentication Concepts 480
    • NIST SP 800-63 480
    • Five Factors for Authentication 484
    • Single-Factor Versus Multi-Factor Authentication 495
    • Device Authentication 495
  • Identification and Authentication Implementation 496
    • Separation of Duties 496
    • Least Privilege/Need-to-Know 497
    • Default to No Access 497
    • Directory Services 498
    • Single Sign-on 498
    • Session Management 503
    • Registration and Proof of Identity 503
    • Credential Management Systems 504
    • Accountability 505
  • Identity as a Service (IDaaS) Implementation 507
  • Third-Party Identity Services Integration 507
  • Authorization Mechanisms 508
    • Permissions, Rights, and Privileges 508
    • Access Control Models 508
    • Access Control Policies 514
  • Provisioning Life Cycle 514
    • Provisioning 515
    • User and System Account Access Review 516
    • Account Revocation 516
  • Access Control Threats 516
    • Password Threats 517
    • Social Engineering Threats 518
    • DoS/DDoS 520
    • Buffer Overflow 520
    • Mobile Code 520
    • Malicious Software 521
    • Spoofing 521
    • Sniffing and Eavesdropping 521
    • Emanating 522
    • Backdoor/Trapdoor 522
    • Access Aggregation 522
    • Advanced Persistent Threat 523
  • Prevent or Mitigate Access Control Threats 523
  • Exam Preparation Tasks 524

Chapter 6 Security Assessment and Testing 532
  • Design and Validate Assessment and Testing Strategies 533
    • Security Testing 534
    • Security Assessments 534
    • Security Auditing 535
    • Internal, External, and Third-party Security Assessment, Testing, and Auditing 535
  • Conduct Security Control Testing 535
    • Vulnerability Assessment 535
    • Penetration Testing 539
    • Log Reviews 541
    • Synthetic Transactions 546
    • Code Review and Testing 546
    • Misuse Case Testing 549
    • Test Coverage Analysis 549
    • Interface Testing 549
  • Collect Security Process Data 550
    • NIST SP 800-137 550
    • Account Management 551
    • Management Review and Approval 551
    • Key Performance and Risk Indicators 552
    • Backup Verification Data 553
    • Training and Awareness 553
    • Disaster Recovery and Business Continuity 553
  • Analyze and Report Test Outputs 553
  • Conduct or Facilitate Security Audits 554
  • Exam Preparation Tasks 555

Chapter 7 Security Operations 564
  • Investigations 566
    • Forensic and Digital Investigations 566
    • Evidence Collection and Handling 574
    • Digital Forensic Tools, Tactics, and Procedures 579
  • Investigation Types 581
    • Operations/Administrative 581
    • Criminal 582
    • Civil 582
    • Regulatory 582
    • Industry Standards 582
    • eDiscovery 585
  • Logging and Monitoring Activities 585
    • Audit and Review 585
    • Intrusion Detection and Prevention 587
    • Security Information and Event Management (SIEM) 588
    • Continuous Monitoring 588
    • Egress Monitoring 588
  • Resource Provisioning 589
    • Asset Inventory and Management 590
    • Configuration Management 592
  • Security Operations Concepts 593
    • Need to Know/Least Privilege 593
    • Managing Accounts, Groups, and Roles 594
    • Separation of Duties and Responsibilities 594
    • Privilege Account Management 595
    • Job Rotation and Mandatory Vacation 595
    • Two-Person Control 596
    • Sensitive Information Procedures 596
    • Record Retention 596
    • Information Life Cycle 596
    • Service-Level Agreements 597
  • Resource Protection 597
    • Protecting Tangible and Intangible Assets 597
    • Asset Management 599
  • Incident Management 608
    • Event Versus Incident 608
    • Incident Response Team and Incident Investigations 609
    • Rules of Engagement, Authorization, and Scope 609
    • Incident Response Procedures 610
    • Incident Response Management 610
    • Detect 610
    • Respond 611
    • Mitigate 611
    • Report 611
    • Recover 612
    • Remediate 612
    • Lessons Learned and Review 612
  • Detective and Preventive Measures 612
    • IDS/IPS 612
    • Firewalls 613
    • Whitelisting/Blacklisting 613
    • Third-Party Security Services 613
    • Sandboxing 614
    • Honeypots/Honeynets 614
    • Anti-malware/Antivirus 614
    • Clipping Levels 614
    • Deviations from Standards 615
    • Unusual or Unexplained Events 615
    • Unscheduled Reboots 615
    • Unauthorized Disclosure 615
    • Trusted Recovery 615
    • Trusted Paths 616
    • Input/Output Controls 616
    • System Hardening 616
    • Vulnerability Management Systems 616
  • Patch and Vulnerability Management 617
  • Change Management Processes 618
  • Recovery Strategies 618
    • Create Recovery Strategies 619
    • Backup Storage Strategies 626
    • Recovery and Multiple Site Strategies 628
    • Redundant Systems, Facilities, and Power 630
    • Fault-Tolerance Technologies 631
    • Insurance 631
    • Data Backup 632
    • Fire Detection and Suppression 632
    • High Availability 632
    • Quality of Service 633
    • System Resilience 633
  • Disaster Recovery 633
    • Response 634
    • Personnel 634
    • Communications 636
    • Assessment 636
    • Restoration 637
    • Training and Awareness 637
  • Testing Disaster Recovery Plans 637
    • Read-Through Test 638
    • Checklist Test 638
    • Table-Top Exercise 638
    • Structured Walk-Through Test 638
    • Simulation Test 639
    • Parallel Test 639
    • Full-Interruption Test 639
    • Functional Drill 639
    • Evacuation Drill 639
  • Business Continuity Planning and Exercises 639
  • Physical Security 640
    • Perimeter Security Controls 640
    • Building and Internal Security Controls 645
  • Personnel Safety and Security 645
    • Duress 646
    • Travel 646
    • Monitoring 646
    • Emergency Management 646
    • Security Training and Awareness 647
  • Exam Preparation Tasks 647

Chapter 8 Software Development Security 658
  • Software Development Concepts 659
    • Machine Languages 659
    • Assembly Languages and Assemblers 660
    • High-Level Languages, Compilers, and Interpreters 660
    • Object-Oriented Programming 660
    • Distributed Object-Oriented Systems 663
    • Mobile Code 664
  • Security in the System and Software Development Life Cycles 668
    • System Development Life Cycle 668
    • Software Development Life Cycle 670
    • Software Development Methods and Maturity Models 674
    • Operation and Maintenance 684
    • Integrated Product Team 685
  • Security Controls in Development 686
    • Software Development Security Best Practices 686
    • Software Environment Security 687
    • Source Code Analysis Tools 688
    • Code Repository Security 688
    • Software Threats 688
    • Software Protection Mechanisms 694
  • Assess Software Security Effectiveness 695
    • Auditing and Logging 695
    • Risk Analysis and Mitigation 695
    • Regression and Acceptance Testing 696
  • Security Impact of Acquired Software 696
  • Secure Coding Guidelines and Standards 697
    • Security Weaknesses and Vulnerabilities at the Source Code Level 697
    • Security of Application Programming Interfaces 700
    • Secure Coding Practices 701
  • Exam Preparation Tasks 702

Chapter 9 Final Preparation 712
  • Tools for Final Preparation 713
    • Pearson Test Prep Practice Test Engine and Questions on the Website 713
    • Customizing Your Exams 715
    • Updating Your Exams 716
    • Memory Tables 717
    • Chapter-Ending Review Tools 717
  • Suggested Plan for Final Review/Study 717
  • Summary 718

Glossary 721

Online Elements
  • Appendix A Memory Tables
  • Appendix B Memory Tables Answer Key
  • Glossary

TOC for ISBN 9780789759696, dated 6/27/2018


Product Details
  • ISBN-13: 9780789759696
  • Publisher: Pearson Education (US)
  • Publisher Imprint: Pearson IT Certification
  • Edition: 3 ed
  • Language: English
  • Returnable: N
  • Spine Width: 40 mm
  • Width: 200 mm
  • ISBN-10: 0789759691
  • Publisher Date: 07 Nov 2018
  • Binding: SA
  • Height: 240 mm
  • No of Pages: 896
  • Series Title: Certification Guide
  • Weight: 1626 gr

