The Official (ISC)2 SSCP CBK Reference 5e
John Wiley & Sons Inc (Publisher)
978-1-119-60194-4 (ISBN)
- Title is being published in a new edition
Systems Security Certified Practitioner (SSCP) is an elite, hands-on cybersecurity certification that validates the technical skills to implement, monitor, and administer IT infrastructure using information security policies and procedures. SSCP certification—fully compliant with U.S. Department of Defense Directive 8140 and 8570 requirements—is valued throughout the IT security industry. The Official (ISC)2 SSCP CBK Reference is the only official Common Body of Knowledge (CBK) available for SSCP-level practitioners, exclusively from (ISC)2, the global leader in cybersecurity certification and training.
This authoritative volume contains essential knowledge practitioners require on a regular basis. Accurate, up-to-date chapters provide in-depth coverage of the seven SSCP domains: Access Controls; Security Operations and Administration; Risk Identification, Monitoring and Analysis; Incident Response and Recovery; Cryptography; Network and Communications Security; and Systems and Application Security.
Designed to serve as a reference for information security professionals throughout their careers, this indispensable (ISC)2 guide:
Provides comprehensive coverage of the latest domains and objectives of the SSCP
Helps better secure critical assets in their organizations
Serves as a complement to the SSCP Study Guide for certification candidates
The Official (ISC)2 SSCP CBK Reference is an essential resource for SSCP-level professionals, SSCP candidates and other practitioners involved in cybersecurity.
Mike Wills, SSCP, CISSP, is Assistant Professor and Program Chair of Applied Information Technologies in the College of Business at Embry-Riddle Aeronautical University's Worldwide Campus. Mike has been a pioneer in ethical hacking since his days as a phone phreak. His many years of cutting-edge experience in secure systems design, development, and operation have enriched the dozens of courses he has built and taught. He created ERAU's Master of Science in Information Security and Assurance degree program and leads the university's teaching and courseware development for the Microsoft Software & Systems Academy at ERAU's 13 US teaching sites.
Foreword
Introduction
Chapter 1: Access Controls
Access Control Concepts
Subjects and Objects
Privileges: What Subjects Can Do with Objects
Data Classification and Access Control
Access Control via Formal Security Models
Implement and Maintain Authentication Methods
Single-Factor/Multifactor Authentication
Accountability
Single Sign-On
Device Authentication
Federated Access
Support Internetwork Trust Architectures
Trust Relationships (One-Way, Two-Way, Transitive)
Extranet
Third-Party Connections
Zero Trust Architectures
Participate in the Identity Management Lifecycle
Authorization
Proofing
Provisioning/Deprovisioning
Identity and Access Maintenance
Entitlement
Identity and Access Management Systems
Implement Access Controls
Mandatory, Discretionary, and Nondiscretionary
Role-Based
Attribute-Based
Subject-Based
Object-Based
Summary
Chapter 2: Security Operations and Administration
Comply with Codes of Ethics
Understand, Adhere to, and Promote Professional Ethics
(ISC)2 Code of Ethics
Organizational Code of Ethics
Understand Security Concepts
Conceptual Models for Information Security
Confidentiality
Integrity
Availability
Accountability
Privacy
Nonrepudiation
Authentication
Safety
Key Control Principles
Access Control and Need-to-Know
Job Rotation and Privilege Creep
Document, Implement, and Maintain Functional Security Controls
Deterrent Controls
Preventative Controls
Detective Controls
Corrective Controls
Compensating Controls
The Lifecycle of a Control
Participate in Asset Management
Asset Inventory
Lifecycle (Hardware, Software, and Data)
Hardware Inventory
Software Inventory and Licensing
Data Storage
Implement Security Controls and Assess Compliance
Technical Controls
Physical Controls
Administrative Controls
Periodic Audit and Review
Participate in Change Management
Execute Change Management Process
Identify Security Impact
Testing/Implementing Patches, Fixes, and Updates
Participate in Security Awareness and Training
Security Awareness Overview
Competency as the Criterion
Build a Security Culture, One Awareness Step at a Time
Participate in Physical Security Operations
Physical Access Control
The Data Center
Service Level Agreements
Summary
Chapter 3: Risk Identification, Monitoring, and Analysis
Defeating the Kill Chain One Skirmish at a Time
Kill Chains: Reviewing the Basics
Events vs. Incidents
Understand the Risk Management Process
Risk Visibility and Reporting
Risk Management Concepts
Risk Management Frameworks
Risk Treatment
Perform Security Assessment Activities
Security Assessment Workflow Management
Participate in Security Testing
Interpretation and Reporting of Scanning and Testing Results
Remediation Validation
Audit Finding Remediation
Manage the Architectures: Asset Management and Configuration Control
Operate and Maintain Monitoring Systems
Events of Interest
Logging
Source Systems
Legal and Regulatory Concerns
Analyze Monitoring Results
Security Baselines and Anomalies
Visualizations, Metrics, and Trends
Event Data Analysis
Document and Communicate Findings
Summary
Chapter 4: Incident Response and Recovery
Support the Incident Lifecycle
Think like a Responder
Physical, Logical, and Administrative Surfaces
Incident Response: Measures of Merit
The Lifecycle of a Security Incident
Preparation
Detection, Analysis, and Escalation
Containment
Eradication
Recovery
Lessons Learned; Implementation of New Countermeasures
Third-Party Considerations
Understand and Support Forensic Investigations
Legal and Ethical Principles
Logistics Support to Investigations
Evidence Handling
Evidence Collection
Understand and Support Business Continuity Plan and Disaster Recovery Plan Activities
Emergency Response Plans and Procedures
Interim or Alternate Processing Strategies
Restoration Planning
Backup and Redundancy Implementation
Data Recovery and Restoration
Training and Awareness
Testing and Drills
CIANA at Layer 8 and Above
It is a Dangerous World Out There
People Power and Business Continuity
Summary
Chapter 5: Cryptography
Understand Fundamental Concepts of Cryptography
Building Blocks of Digital Cryptographic Systems
Hashing
Salting
Symmetric Block and Stream Ciphers
Stream Ciphers
EU ECRYPT
Asymmetric Encryption
Elliptical Curve Cryptography
Nonrepudiation
Digital Certificates
Encryption Algorithms
Key Strength
Cryptographic Attacks, Cryptanalysis, and Countermeasures
Cryptologic Hygiene as Countermeasures
Common Attack Patterns and Methods
Secure Cryptoprocessors, Hardware Security Modules, and Trusted Platform Modules
Understand the Reasons and Requirements for Cryptography
Confidentiality
Integrity and Authenticity
Data Sensitivity
Availability
Nonrepudiation
Authentication
Privacy
Safety
Regulatory
Transparency and Auditability
Competitive Edge
Understand and Support Secure Protocols
Services and Protocols
Common Use Cases
Deploying Cryptography: Some Challenging Scenarios
Limitations and Vulnerabilities
Understand Public Key Infrastructure Systems
Fundamental Key Management Concepts
Hierarchies of Trust
Web of Trust
Summary
Chapter 6: Network and Communications Security
Understand and Apply Fundamental Concepts of Networking
Complementary, Not Competing, Frameworks
OSI and TCP/IP Models
OSI Reference Model
TCP/IP Reference Model
Converged Protocols
Software-Defined Networks
IPv4 Addresses, DHCP, and Subnets
IPv4 Address Classes
Subnetting in IPv4
Running Out of Addresses?
IPv4 vs. IPv6: Key Differences and Options
Network Topographies
Network Relationships
Transmission Media Types
Commonly Used Ports and Protocols
Understand Network Attacks and Countermeasures
CIANA+PS Layer by Layer
Common Network Attack Types
SCADA, IoT, and the Implications of Multilayer Protocols
Manage Network Access Controls
Network Access Control and Monitoring
Network Access Control Standards and Protocols
Remote Access Operation and Configuration
Manage Network Security
Logical and Physical Placement of Network Devices
Segmentation
Secure Device Management
Operate and Configure Network-Based Security Devices
Network Address Translation
Additional Security Device Considerations
Firewalls and Proxies
Network Intrusion Detection/Prevention Systems
Security Information and Event Management Systems
Routers and Switches
Network Security from Other Hardware Devices
Traffic-Shaping Devices
Operate and Configure Wireless Technologies
Wireless: Common Characteristics
Wi-Fi
Bluetooth
Near-Field Communications
Cellular/Mobile Phone Networks
Ad Hoc Wireless Networks
Transmission Security
Wireless Security Devices
Summary
Chapter 7: Systems and Application Security
Systems and Software Insecurity
Software Vulnerabilities Across the Lifecycle
Risks of Poorly Merged Systems
Hard to Design It Right, Easy to Fix It?
Hardware and Software Supply Chain Security
Positive and Negative Models for Software Security
Is Blacklisting Dead? Or Dying?
Information Security = Information Quality + Information Integrity
Data Modeling
Preserving Data Across the Lifecycle
Identify and Analyze Malicious Code and Activity
Malware
Malicious Code Countermeasures
Malicious Activity
Malicious Activity Countermeasures
Implement and Operate Endpoint Device Security
HIDS
Host-Based Firewalls
Application White Listing
Endpoint Encryption
Trusted Platform Module
Mobile Device Management
Secure Browsing
IoT Endpoint Security
Operate and Configure Cloud Security
Deployment Models
Service Models
Virtualization
Legal and Regulatory Concerns
Data Storage and Transmission
Third-Party/Outsourcing Requirements
Lifecycles in the Cloud
Shared Responsibility Model
Layered Redundancy as a Survival Strategy
Operate and Secure Virtual Environments
Software-Defined Networking
Hypervisor
Virtual Appliances
Continuity and Resilience
Attacks and Countermeasures
Shared Storage
Summary
Index
Publication date | 3 January 2020 |
---|---|
Place of publication | New York |
Language | English |
Dimensions | 188 x 241 mm |
Weight | 1486 g |
Subject area | Computer Science ► Networks ► Security / Firewall |
ISBN-10 | 1-119-60194-0 / 1119601940 |
ISBN-13 | 978-1-119-60194-4 / 9781119601944 |
Condition | New |