Edition: 3
Authors: Mike Wills
Series:
ISBN: 1119854989, 9781119854982
Publisher: Sybex
Year of publication: 2022
Number of pages: 819
Language: English
File format: PDF (converted to PDF, EPUB or AZW3 at the user's request)
File size: 9 MB
If you need the file of the book (ISC)2 SSCP Systems Security Certified Practitioner Official Study Guide converted to PDF, EPUB, AZW3, MOBI or DJVU format, you can notify support so that they convert the file for you.
Please note that the book (ISC)2 SSCP Systems Security Practitioner Certified Official Study Manual is the original-language edition and is not a Persian translation. The International Library website offers original-language books and does not offer any books translated into or written in Persian.
Cover Title Page Copyright Page Contents Introduction About This Book What Is an SSCP? Using This Book Major Changes in This Edition Objective Map Earning Your Certification Congratulations! You’re Now an SSCP. Now What? Let’s Get Started! Assessment Test Answers to Assessment Test
Part I Getting Started as an SSCP
Chapter 1 The Business Case for Decision Assurance and Information Security Information: The Lifeblood of Business Data, Information, Knowledge, Wisdom… Information Is Not Information Technology Policy, Procedure, and Process: How Business Gets Business Done Who Is the Business? “What’s the Business Case for That?” Purpose, Intent, Goals, Objectives Business Logic and Business Processes: Transforming Assets into Opportunity, Wealth, and Success The Value Chain Being Accountable Who Runs the Business? Owners and Investors Boards of Directors Managing or Executive Directors and the “C-Suite” Layers of Function, Structure, Management, and Responsibility Plans and Budgets, Policies, and Directives Summary Exam Essentials Review Questions
Chapter 2 Information Security Fundamentals The Common Needs for Privacy, Confidentiality, Integrity, and Availability Privacy Confidentiality Integrity Availability Privacy vs. Security, or Privacy and Security? CIANA+PS Needs of Individuals Private Business’s Need for CIANA+PS Government’s Need for CIANA+PS The Modern Military’s Need for CIA Do Societies Need CIANA+PS? Training and Educating Everybody SSCPs and Professional Ethics Summary Exam Essentials Review Questions
Part II Integrated Risk Management and Mitigation
Chapter 3 Integrated Information Risk Management It’s a Dangerous World What Is Risk? Risk: When Surprise Becomes Disruption Information Security: Delivering Decision Assurance “Common Sense” and Risk Management The Four Faces of Risk Outcomes-Based Risk Process-Based Risk Asset-Based Risk Threat-Based (or Vulnerability-Based) Risk Getting Integrated and Proactive with Information Defense Lateral Movement: Mitigate with Integrated C3 Trust, but Verify Due Care and Due Diligence: Whose Jobs Are These? Be Prepared: First, Set Priorities Risk Management: Concepts and Frameworks The SSCP and Risk Management Plan, Do, Check, Act Risk Assessment Establish Consensus about Information Risk Information Risk Impact Assessment Information Classification and Categorization Risk Analysis The Business Impact Analysis From Assessments to Information Security Requirements Four Choices for Limiting or Containing Damage Deter Detect Prevent Avoid Summary Exam Essentials Review Questions
Chapter 4 Operationalizing Risk Mitigation From Tactical Planning to Information Security Operations Operationally Outthinking Your Adversaries Getting Inside the Other Side’s OODA Loop Defeating the Kill Chain Operationalizing Risk Mitigation: Step by Step Step 1: Assess the Existing Architectures Step 2: Assess Vulnerabilities and Threats Step 3: Select Risk Treatment and Controls Step 4: Implement Controls Step 5: Authorize: Senior Leader Acceptance and Ownership The Ongoing Job of Keeping Your Baseline Secure Build and Maintain User Engagement with Risk Controls Participate in Security Assessments Manage the Architectures: Asset Management and Change Control Ongoing, Continuous Monitoring Exploiting What Monitoring and Event Data Is Telling You Incident Investigation, Analysis, and Reporting Reporting to and Engaging with Management Summary Exam Essentials Review Questions
Part III The Technologies of Information Security
Chapter 5 Communications and Network Security Trusting Our Communications in a Converged World CIANA+PS: Applying Security Needs to Networks Threat Modeling for Communications Systems Internet Systems Concepts Datagrams and Protocol Data Units Handshakes Packets and Encapsulation Addressing, Routing, and Switching Network Segmentation URLs and the Web Topologies “Best Effort” and Trusting Designs Two Protocol Stacks, One Internet Complementary, Not Competing, Frameworks Layer 1: The Physical Layer Layer 2: The Data Link Layer Layer 3: The Network Layer Layer 4: The Transport Layer Layer 5: The Session Layer Layer 6: The Presentation Layer Layer 7: The Application Layer Cross-Layer Protocols and Services IP and Security Layers or Planes? Network Architectures DMZs and Botnets Software-Defined Networks Virtual Private Networks Wireless Network Technologies Wi-Fi Bluetooth Near-Field Communication IP Addresses, DHCP, and Subnets DHCP Leases: IPv4 and IPv6 IPv4 Address Classes Subnetting in IPv4 IPv4 vs. IPv6: Important Differences and Options CIANA Layer by Layer CIANA at Layer 1: Physical CIANA at Layer 2: Data Link CIANA at Layer 3: Network CIANA at Layer 4: Transport CIANA at Layer 5: Session CIANA at Layer 6: Presentation CIANA at Layer 7: Application Securing Networks as Systems Network Security Devices and Services Wireless Network Access and Security CIANA+PS and Wireless Monitoring and Analysis for Network Security A SOC Is Not a NOC Tools for the SOC and the NOC Integrating Network and Security Management Summary Exam Essentials Review Questions
Chapter 6 Identity and Access Control Identity and Access: Two Sides of the Same CIANA+PS Coin Identity Management Concepts Identity Provisioning and Management Identity and AAA Access Control Concepts Subjects and Objects—Everywhere! Data Classification and Access Control Bell-LaPadula and Biba Models Role-Based Attribute-Based Subject-Based Object-Based Rule-Based Access Control Risk-Based Access Control Mandatory vs. Discretionary Access Control Network Access Control IEEE 802.1X Concepts RADIUS Authentication TACACS and TACACS+ Implementing and Scaling IAM Choices for Access Control Implementations “Built-in” Solutions? Other Protocols for IAM Multifactor Authentication Server-Based IAM Integrated IAM systems Single Sign-On OpenID Connect Identity as a Service (IDaaS) Federated IAM Session Management Kerberos Credential Management Trust Frameworks and Architectures User and Entity Behavior Analytics (UEBA) Zero Trust Architectures Summary Exam Essentials Review Questions
Chapter 7 Cryptography Cryptography: What and Why Codes and Ciphers: Defining Our Terms Cryptography, Cryptology, or…? Building Blocks of Digital Cryptographic Systems Cryptographic Algorithms Cryptographic Keys Hashing as One-Way Cryptography A Race Against Time “The Enemy Knows Your System” Keys and Key Management Key Storage and Protection Key Revocation and Disposal Modern Cryptography: Beyond the “Secret Decoder Ring” Symmetric Key Cryptography Asymmetric Key Cryptography Hybrid Cryptosystems Design and Use of Cryptosystems Cryptanalysis, Ethical and Unethical Cryptographic Primitives Cryptographic Engineering “Why Isn’t All of This Stuff Secret?” Cryptography and CIANA+PS Confidentiality Authentication Integrity Nonrepudiation “But I Didn’t Get That Email…” Availability Privacy Safety Public Key Infrastructures Diffie-Hellman-Merkle Public Key Exchange RSA Encryption and Key Exchange ElGamal Encryption Elliptical Curve Cryptography (ECC) Digital Signatures Digital Certificates and Certificate Authorities Hierarchies (or Webs) of Trust Pretty Good Privacy TLS HTTPS Symmetric Key Algorithms and PKI Encapsulation for Security: IPSec, ISAKMP, and Others Applying Cryptography to Meet Different Needs Message Integrity Controls S/MIME DKIM Blockchain Data Storage, Content Distribution, and Archiving Steganography Access Control Protocols Managing Cryptographic Assets and Systems Measures of Merit for Cryptographic Solutions Attacks and Countermeasures Social Engineering for Key Discovery Implementation Attacks Brute Force and Dictionary Attacks Side Channel Attacks Numeric (Algorithm or Key) Attacks Traffic Analysis, “Op Intel,” and Social Engineering Attacks Massively Parallel Systems Attacks Supply Chain Vulnerabilities The “Sprinkle a Little Crypto Dust on It” Fallacy Countermeasures PKI and Trust: A Recap On the Near Horizon Pervasive and Homomorphic Encryption Quantum Cryptography and Post–Quantum Cryptography AI, Machine Learning, and Cryptography Summary Exam Essentials Review Questions
Chapter 8 Hardware and Systems Security Infrastructure Security Is Baseline Management It’s About Access Control… It’s Also About Supply Chain Security Do Clouds Have Boundaries? Securing the Physical Context Facilities Security Services Security OT-Intensive (or Reliant) Contexts Infrastructures 101 and Threat Modeling Protecting the Trusted Computing Base Hardware Vulnerabilities Firmware Vulnerabilities Operating Systems Vulnerabilities Virtual Machines and Vulnerabilities Network Operating Systems Endpoint Security MDM, COPE, and BYOD BYOI? BYOC? Malware: Exploiting the Infrastructure’s Vulnerabilities Countering the Malware Threat Privacy and Secure Browsing “The Sin of Aggregation” Updating the Threat Model Managing Your Systems’ Security Summary Exam Essentials Review Questions
Chapter 9 Applications, Data, and Cloud Security It’s a Data-Driven World…At the Endpoint Software as Appliances Applications Lifecycles and Security The Software Development Lifecycle (SDLC) Why Is (Most) Software So Insecure? Hard to Design It Right, Easy to Fix It? CIANA+PS and Applications Software Requirements Positive and Negative Models for Software Security Is Negative Control Dead? Or Dying? Application Vulnerabilities Vulnerabilities Across the Lifecycle Human Failures and Frailties “Shadow IT:” The Dilemma of the User as Builder Data and Metadata as Procedural Knowledge Information Quality and Information Assurance Information Quality Lifecycle Preventing (or Limiting) the “Garbage In” Problem Protecting Data in Motion, in Use, and at Rest Data Exfiltration I: The Traditional Threat Detecting Unauthorized Data Acquisition Preventing Data Loss Detecting and Preventing Malformed Data Attacks Into the Clouds: Endpoint App and Data Security Considerations Cloud Deployment Models and Information Security Cloud Service Models and Information Security Edge and Fog Security: Virtual Becoming Reality Clouds, Continuity, and Resiliency Clouds and Threat Modeling Cloud Security Methods Integrate and Correlate SLAs, TORs, and Penetration Testing Data Exfiltration II: Hiding in the Clouds Legal and Regulatory Issues Countermeasures: Keeping Your Apps and Data Safe and Secure Summary Exam Essentials Review Questions
Part IV People Power: What Makes or Breaks Information Security
Chapter 10 Incident Response and Recovery Defeating the Kill Chain One Skirmish at a Time Kill Chains: Reviewing the Basics Events vs. Incidents Harsh Realities of Real Incidents MITRE’s ATT&CK Framework Learning from Others’ Painful Experiences Incident Response Framework Incident Response Team: Roles and Structures Incident Response Priorities Preparation Preparation Planning Put the Preparation Plan in Motion Are You Prepared? Detection and Analysis Warning Signs Initial Detection Timeline Analysis Notification Prioritization Containment and Eradication Evidence Gathering, Preservation, and Use Constant Monitoring Recovery: Getting Back to Business Data Recovery Post-Recovery: Notification and Monitoring Post-Incident Activities Learning the Lessons Orchestrate and Automate Support Ongoing Forensics Investigations Information and Evidence Retention Information Sharing with the Larger IT Security Community Summary Exam Essentials Review Questions
Chapter 11 Business Continuity via Information Security and People Power What Is a Disaster? Surviving to Operate: Plan for It! Business Continuity IS Disaster Recovery Plans Plans, More Plans, and Triage Timelines for BC/DR Planning and Action Options for Recovery Backups, Archives, and Image Copies Cryptographic Assets and Recovery “Golden Images” and Validation Scan Before Loading: Blocking Historical Zero-Day Attacks Restart from a Clean Baseline Cloud-Based “Do-Over” Buttons for Continuity, Security, and Resilience Restoring a Virtual Organization People Power for BC/DR Threat Vectors: It Is a Dangerous World Out There “Blue Team’s” C3I Learning from Experience Security Assessment: For BC/DR and Compliance Converged Communications: Keeping Them Secure During BC/DR Actions POTS and VoIP Security People Power for Secure Communications Summary Exam Essentials Review Questions
Chapter 12 Cross-Domain Challenges Operationalizing Security Across the Immediate and Longer Term Continuous Assessment and Continuous Compliance SDNs and SDS SOAR: Strategies for Focused Security Effort A “DevSecOps” Culture: SOAR for Software Development Just-in-Time Education, Training, and Awareness Supply Chains, Security, and the SSCP ICS, IoT, and SCADA: More Than SUNBURST Extending Physical Security: More Than Just Badges and Locks All-Source, Proactive Intelligence: The SOC as a Fusion Center Other Dangers on the Web and Net Surface, Deep, and Dark Webs Deep and Dark: Risks and Countermeasures DNS and Namespace Exploit Risks On Our Way to the Future Cloud Security: Edgier and Foggier AI, ML, and Analytics: Explicability and Trustworthiness Quantum Communications, Computing, and Cryptography Paradigm Shifts in Information Security? Perception Management and Information Security Widespread Lack of Useful Understanding of Core Technologies Enduring Lessons You Cannot Legislate Security (But You Can Punish Noncompliance) It’s About Managing Our Security and Our Systems People Put It Together Maintain Flexibility of Vision Accountability—It’s Personal. Make It So Stay Sharp Your Next Steps At the Close Exam Essentials Review Questions
Appendix Answers to Review Questions Chapter 1: The Business Case for Decision Assurance and Information Security Chapter 2: Information Security Fundamentals Chapter 3: Integrated Information Risk Management Chapter 4: Operationalizing Risk Mitigation Chapter 5: Communications and Network Security Chapter 6: Identity and Access Control Chapter 7: Cryptography Chapter 8: Hardware and Systems Security Chapter 9: Applications, Data, and Cloud Security Chapter 10: Incident Response and Recovery Chapter 11: Business Continuity via Information Security and People Power Chapter 12: Cross-Domain Challenges
Index EULA