𝔖 Scriptorium
✦   LIBER   ✦


(ISC)2 SSCP Systems Security Certified Practitioner Official Study Guide

✍ Scribed by Mike Wills


Publisher: Sybex
Year: 2022
Tongue: English
Leaves: 819
Edition: 3
Category: Library


✦ Synopsis


The only SSCP study guide officially approved by (ISC)2

The (ISC)2 Systems Security Certified Practitioner (SSCP) certification is a well-known vendor-neutral global IT security certification. The SSCP is designed to show that holders have the technical skills to implement, monitor, and administer IT infrastructure using information security policies and procedures.

This comprehensive Official Study Guide—the only study guide officially approved by (ISC)2—covers all objectives of the seven SSCP domains.

  • Security Operations and Administration
  • Access Controls
  • Risk Identification, Monitoring, and Analysis
  • Incident Response and Recovery
  • Cryptography
  • Network and Communications Security
  • Systems and Application Security

This updated Third Edition covers the SSCP exam objectives effective as of November 2021. Much of the new and more advanced knowledge expected of an SSCP is now covered in a new chapter "Cross-Domain Challenges." If you're an information security professional or student of cybersecurity looking to tackle one or more of the seven domains of the SSCP, this guide gets you prepared to pass the exam and enter the information security workforce with confidence.

✦ Table of Contents


Cover
Title Page
Copyright Page
Contents
Introduction
About This Book
What Is an SSCP?
Using This Book
Major Changes in This Edition
Objective Map
Earning Your Certification
Congratulations! You’re Now an SSCP. Now What?
Let’s Get Started!
Assessment Test
Answers to Assessment Test
Part I Getting Started as an SSCP
Chapter 1 The Business Case for Decision Assurance and Information Security
Information: The Lifeblood of Business
Data, Information, Knowledge, Wisdom…
Information Is Not Information Technology
Policy, Procedure, and Process: How Business Gets Business Done
Who Is the Business?
“What’s the Business Case for That?”
Purpose, Intent, Goals, Objectives
Business Logic and Business Processes: Transforming Assets into Opportunity, Wealth, and Success
The Value Chain
Being Accountable
Who Runs the Business?
Owners and Investors
Boards of Directors
Managing or Executive Directors and the “C-Suite”
Layers of Function, Structure, Management, and Responsibility
Plans and Budgets, Policies, and Directives
Summary
Exam Essentials
Review Questions
Chapter 2 Information Security Fundamentals
The Common Needs for Privacy, Confidentiality, Integrity, and Availability
Privacy
Confidentiality
Integrity
Availability
Privacy vs. Security, or Privacy and Security?
CIANA+PS Needs of Individuals
Private Business’s Need for CIANA+PS
Government’s Need for CIANA+PS
The Modern Military’s Need for CIA
Do Societies Need CIANA+PS?
Training and Educating Everybody
SSCPs and Professional Ethics
Summary
Exam Essentials
Review Questions
Part II Integrated Risk Management and Mitigation
Chapter 3 Integrated Information Risk Management
It’s a Dangerous World
What Is Risk?
Risk: When Surprise Becomes Disruption
Information Security: Delivering Decision Assurance
“Common Sense” and Risk Management
The Four Faces of Risk
Outcomes-Based Risk
Process-Based Risk
Asset-Based Risk
Threat-Based (or Vulnerability-Based) Risk
Getting Integrated and Proactive with Information Defense
Lateral Movement: Mitigate with Integrated C3
Trust, but Verify
Due Care and Due Diligence: Whose Jobs Are These?
Be Prepared: First, Set Priorities
Risk Management: Concepts and Frameworks
The SSCP and Risk Management
Plan, Do, Check, Act
Risk Assessment
Establish Consensus about Information Risk
Information Risk Impact Assessment
Information Classification and Categorization
Risk Analysis
The Business Impact Analysis
From Assessments to Information Security Requirements
Four Choices for Limiting or Containing Damage
Deter
Detect
Prevent
Avoid
Summary
Exam Essentials
Review Questions
Chapter 4 Operationalizing Risk Mitigation
From Tactical Planning to Information Security Operations
Operationally Outthinking Your Adversaries
Getting Inside the Other Side’s OODA Loop
Defeating the Kill Chain
Operationalizing Risk Mitigation: Step by Step
Step 1: Assess the Existing Architectures
Step 2: Assess Vulnerabilities and Threats
Step 3: Select Risk Treatment and Controls
Step 4: Implement Controls
Step 5: Authorize: Senior Leader Acceptance and Ownership
The Ongoing Job of Keeping Your Baseline Secure
Build and Maintain User Engagement with Risk Controls
Participate in Security Assessments
Manage the Architectures: Asset Management and Change Control
Ongoing, Continuous Monitoring
Exploiting What Monitoring and Event Data Is Telling You
Incident Investigation, Analysis, and Reporting
Reporting to and Engaging with Management
Summary
Exam Essentials
Review Questions
Part III The Technologies of Information Security
Chapter 5 Communications and Network Security
Trusting Our Communications in a Converged World
CIANA+PS: Applying Security Needs to Networks
Threat Modeling for Communications Systems
Internet Systems Concepts
Datagrams and Protocol Data Units
Handshakes
Packets and Encapsulation
Addressing, Routing, and Switching
Network Segmentation
URLs and the Web
Topologies
“Best Effort” and Trusting Designs
Two Protocol Stacks, One Internet
Complementary, Not Competing, Frameworks
Layer 1: The Physical Layer
Layer 2: The Data Link Layer
Layer 3: The Network Layer
Layer 4: The Transport Layer
Layer 5: The Session Layer
Layer 6: The Presentation Layer
Layer 7: The Application Layer
Cross-Layer Protocols and Services
IP and Security
Layers or Planes?
Network Architectures
DMZs and Botnets
Software-Defined Networks
Virtual Private Networks
Wireless Network Technologies
Wi-Fi
Bluetooth
Near-Field Communication
IP Addresses, DHCP, and Subnets
DHCP Leases: IPv4 and IPv6
IPv4 Address Classes
Subnetting in IPv4
IPv4 vs. IPv6: Important Differences and Options
CIANA Layer by Layer
CIANA at Layer 1: Physical
CIANA at Layer 2: Data Link
CIANA at Layer 3: Network
CIANA at Layer 4: Transport
CIANA at Layer 5: Session
CIANA at Layer 6: Presentation
CIANA at Layer 7: Application
Securing Networks as Systems
Network Security Devices and Services
Wireless Network Access and Security
CIANA+PS and Wireless
Monitoring and Analysis for Network Security
A SOC Is Not a NOC
Tools for the SOC and the NOC
Integrating Network and Security Management
Summary
Exam Essentials
Review Questions
Chapter 6 Identity and Access Control
Identity and Access: Two Sides of the Same CIANA+PS Coin
Identity Management Concepts
Identity Provisioning and Management
Identity and AAA
Access Control Concepts
Subjects and Objects—Everywhere!
Data Classification and Access Control
Bell-LaPadula and Biba Models
Role-Based
Attribute-Based
Subject-Based
Object-Based
Rule-Based Access Control
Risk-Based Access Control
Mandatory vs. Discretionary Access Control
Network Access Control
IEEE 802.1X Concepts
RADIUS Authentication
TACACS and TACACS+
Implementing and Scaling IAM
Choices for Access Control Implementations
“Built-in” Solutions?
Other Protocols for IAM
Multifactor Authentication
Server-Based IAM
Integrated IAM systems
Single Sign-On
OpenID Connect
Identity as a Service (IDaaS)
Federated IAM
Session Management
Kerberos
Credential Management
Trust Frameworks and Architectures
User and Entity Behavior Analytics (UEBA)
Zero Trust Architectures
Summary
Exam Essentials
Review Questions
Chapter 7 Cryptography
Cryptography: What and Why
Codes and Ciphers: Defining Our Terms
Cryptography, Cryptology, or…?
Building Blocks of Digital Cryptographic Systems
Cryptographic Algorithms
Cryptographic Keys
Hashing as One-Way Cryptography
A Race Against Time
“The Enemy Knows Your System”
Keys and Key Management
Key Storage and Protection
Key Revocation and Disposal
Modern Cryptography: Beyond the “Secret Decoder Ring”
Symmetric Key Cryptography
Asymmetric Key Cryptography
Hybrid Cryptosystems
Design and Use of Cryptosystems
Cryptanalysis, Ethical and Unethical
Cryptographic Primitives
Cryptographic Engineering
“Why Isn’t All of This Stuff Secret?”
Cryptography and CIANA+PS
Confidentiality
Authentication
Integrity
Nonrepudiation
“But I Didn’t Get That Email…”
Availability
Privacy
Safety
Public Key Infrastructures
Diffie-Hellman-Merkle Public Key Exchange
RSA Encryption and Key Exchange
ElGamal Encryption
Elliptical Curve Cryptography (ECC)
Digital Signatures
Digital Certificates and Certificate Authorities
Hierarchies (or Webs) of Trust
Pretty Good Privacy
TLS
HTTPS
Symmetric Key Algorithms and PKI
Encapsulation for Security: IPSec, ISAKMP, and Others
Applying Cryptography to Meet Different Needs
Message Integrity Controls
S/MIME
DKIM
Blockchain
Data Storage, Content Distribution, and Archiving
Steganography
Access Control Protocols
Managing Cryptographic Assets and Systems
Measures of Merit for Cryptographic Solutions
Attacks and Countermeasures
Social Engineering for Key Discovery
Implementation Attacks
Brute Force and Dictionary Attacks
Side Channel Attacks
Numeric (Algorithm or Key) Attacks
Traffic Analysis, “Op Intel,” and Social Engineering Attacks
Massively Parallel Systems Attacks
Supply Chain Vulnerabilities
The “Sprinkle a Little Crypto Dust on It” Fallacy
Countermeasures
PKI and Trust: A Recap
On the Near Horizon
Pervasive and Homomorphic Encryption
Quantum Cryptography and Post–Quantum Cryptography
AI, Machine Learning, and Cryptography
Summary
Exam Essentials
Review Questions
Chapter 8 Hardware and Systems Security
Infrastructure Security Is Baseline Management
It’s About Access Control…
It’s Also About Supply Chain Security
Do Clouds Have Boundaries?
Securing the Physical Context
Facilities Security
Services Security
OT-Intensive (or Reliant) Contexts
Infrastructures 101 and Threat Modeling
Protecting the Trusted Computing Base
Hardware Vulnerabilities
Firmware Vulnerabilities
Operating Systems Vulnerabilities
Virtual Machines and Vulnerabilities
Network Operating Systems
Endpoint Security
MDM, COPE, and BYOD
BYOI? BYOC?
Malware: Exploiting the Infrastructure’s Vulnerabilities
Countering the Malware Threat
Privacy and Secure Browsing
“The Sin of Aggregation”
Updating the Threat Model
Managing Your Systems’ Security
Summary
Exam Essentials
Review Questions
Chapter 9 Applications, Data, and Cloud Security
It’s a Data-Driven World…At the Endpoint
Software as Appliances
Applications Lifecycles and Security
The Software Development Lifecycle (SDLC)
Why Is (Most) Software So Insecure?
Hard to Design It Right, Easy to Fix It?
CIANA+PS and Applications Software Requirements
Positive and Negative Models for Software Security
Is Negative Control Dead? Or Dying?
Application Vulnerabilities
Vulnerabilities Across the Lifecycle
Human Failures and Frailties
“Shadow IT:” The Dilemma of the User as Builder
Data and Metadata as Procedural Knowledge
Information Quality and Information Assurance
Information Quality Lifecycle
Preventing (or Limiting) the “Garbage In” Problem
Protecting Data in Motion, in Use, and at Rest
Data Exfiltration I: The Traditional Threat
Detecting Unauthorized Data Acquisition
Preventing Data Loss
Detecting and Preventing Malformed Data Attacks
Into the Clouds: Endpoint App and Data Security Considerations
Cloud Deployment Models and Information Security
Cloud Service Models and Information Security
Edge and Fog Security: Virtual Becoming Reality
Clouds, Continuity, and Resiliency
Clouds and Threat Modeling
Cloud Security Methods
Integrate and Correlate
SLAs, TORs, and Penetration Testing
Data Exfiltration II: Hiding in the Clouds
Legal and Regulatory Issues
Countermeasures: Keeping Your Apps and Data Safe and Secure
Summary
Exam Essentials
Review Questions
Part IV People Power: What Makes or Breaks Information Security
Chapter 10 Incident Response and Recovery
Defeating the Kill Chain One Skirmish at a Time
Kill Chains: Reviewing the Basics
Events vs. Incidents
Harsh Realities of Real Incidents
MITRE’s ATT&CK Framework
Learning from Others’ Painful Experiences
Incident Response Framework
Incident Response Team: Roles and Structures
Incident Response Priorities
Preparation
Preparation Planning
Put the Preparation Plan in Motion
Are You Prepared?
Detection and Analysis
Warning Signs
Initial Detection
Timeline Analysis
Notification
Prioritization
Containment and Eradication
Evidence Gathering, Preservation, and Use
Constant Monitoring
Recovery: Getting Back to Business
Data Recovery
Post-Recovery: Notification and Monitoring
Post-Incident Activities
Learning the Lessons
Orchestrate and Automate
Support Ongoing Forensics Investigations
Information and Evidence Retention
Information Sharing with the Larger IT Security Community
Summary
Exam Essentials
Review Questions
Chapter 11 Business Continuity via Information Security and People Power
What Is a Disaster?
Surviving to Operate: Plan for It!
Business Continuity
IS Disaster Recovery Plans
Plans, More Plans, and Triage
Timelines for BC/DR Planning and Action
Options for Recovery
Backups, Archives, and Image Copies
Cryptographic Assets and Recovery
“Golden Images” and Validation
Scan Before Loading: Blocking Historical Zero-Day Attacks
Restart from a Clean Baseline
Cloud-Based “Do-Over” Buttons for Continuity, Security, and Resilience
Restoring a Virtual Organization
People Power for BC/DR
Threat Vectors: It Is a Dangerous World Out There
“Blue Team’s” C3I
Learning from Experience
Security Assessment: For BC/DR and Compliance
Converged Communications: Keeping Them Secure During BC/DR Actions
POTS and VoIP Security
People Power for Secure Communications
Summary
Exam Essentials
Review Questions
Chapter 12 Cross-Domain Challenges
Operationalizing Security Across the Immediate and Longer Term
Continuous Assessment and Continuous Compliance
SDNs and SDS
SOAR: Strategies for Focused Security Effort
A “DevSecOps” Culture: SOAR for Software Development
Just-in-Time Education, Training, and Awareness
Supply Chains, Security, and the SSCP
ICS, IoT, and SCADA: More Than SUNBURST
Extending Physical Security: More Than Just Badges and Locks
All-Source, Proactive Intelligence: The SOC as a Fusion Center
Other Dangers on the Web and Net
Surface, Deep, and Dark Webs
Deep and Dark: Risks and Countermeasures
DNS and Namespace Exploit Risks
On Our Way to the Future
Cloud Security: Edgier and Foggier
AI, ML, and Analytics: Explicability and Trustworthiness
Quantum Communications, Computing, and Cryptography
Paradigm Shifts in Information Security?
Perception Management and Information Security
Widespread Lack of Useful Understanding of Core Technologies
Enduring Lessons
You Cannot Legislate Security (But You Can Punish Noncompliance)
It’s About Managing Our Security and Our Systems
People Put It Together
Maintain Flexibility of Vision
Accountability—It’s Personal. Make It So
Stay Sharp
Your Next Steps
At the Close
Exam Essentials
Review Questions
Appendix Answers to Review Questions
Chapter 1: The Business Case for Decision Assurance and Information Security
Chapter 2: Information Security Fundamentals
Chapter 3: Integrated Information Risk Management
Chapter 4: Operationalizing Risk Mitigation
Chapter 5: Communications and Network Security
Chapter 6: Identity and Access Control
Chapter 7: Cryptography
Chapter 8: Hardware and Systems Security
Chapter 9: Applications, Data, and Cloud Security
Chapter 10: Incident Response and Recovery
Chapter 11: Business Continuity via Information Security and People Power
Chapter 12: Cross-Domain Challenges
Index
EULA


📜 SIMILAR VOLUMES


(ISC)2 SSCP Systems Security Certified P
✍ Michael S. Wills 📂 Library 📅 2022 🏛 Sybex 🌐 English

The only SSCP study guide officially approved by (ISC)2 The (ISC)2 Systems Security Certified Practitioner (SSCP) certification is a well-known vendor-neutral global IT security certification. The SSCP is designed to show that holders have the technical skills to implement, monitor, and administe

SSCP (ISC)2 Systems Security Certified P
✍ Murphy, George B 📂 Library 📅 2015 🏛 John Wiley & Sons 🌐 English

Information security : the systems security certified practitioner certification -- Security basics : a foundation -- Domain 1: access controls -- Domain 2: security operations and administration -- Domain 3: risk identification, monitoring, and analysis -- Domain 4: incident response and recovery -

SSCP (ISC)2 Systems Security Certified P
✍ Murphy, George 📂 Library 📅 2015 🏛 Sybex; Wiley 🌐 English

Fully updated Study Guide for the SSCP. This guide prepares you for the SSCP, Systems Security Certified Practitioner certification examination by focusing on the Common Body of Knowledge (CBK) as determined by ISC2 in seven high level topics. This Sybex Study Guide covers 100% of all exam obje

SSCP (ISC)2 Systems Security Certified P
✍ George Murphy 📂 Library 📅 2015 🏛 Sybex 🌐 English

Fully updated Study Guide for the SSCP. This guide prepares you for the SSCP, Systems Security Certified Practitioner certification examination by focusing on the Common Body of Knowledge (CBK) as determined by ISC² in seven high level topics. This Sybex Study Guide covers 100% o

(ISC)² SSCP systems security certified p
✍ Mike Wills 📂 Library 📅 2019 🏛 Sybex/Wiley 🌐 English

The only SSCP study guide officially approved by (ISC)2. The (ISC)2 Systems Security Certified Practitioner (SSCP) certification is a well-known vendor-neutral global IT security certification. The SSCP is designed to show that holders have the technical skills to implement, mon

(ISC)² SSCP Systems Security Certified
✍ Mike Wills 📂 Library 📅 2019 🏛 Sybex 🌐 English

The only SSCP study guide officially approved by (ISC)2 The (ISC)2 Systems Security Certified Practitioner (SSCP) certification is a well-known vendor-neutral global IT security certification. The SSCP is designed to show that holders have the technical skills to implement, monitor, and administe