Introduction xxv
Assessment Test xlviii
Part I Getting Started as an SSCP 1
Chapter 1 The Business Case for Decision Assurance
and Information Security 3
Information: The Lifeblood of Business 4
Data, Information, Knowledge, Wisdom… 5
Information Is Not Information Technology 8
Policy, Procedure, and Process: How Business Gets
Business Done 10
Who Is the Business? 11
“What’s the Business Case for That?” 12
Purpose, Intent, Goals, Objectives 13
Business Logic and Business Processes: Transforming
Assets into Opportunity, Wealth, and Success 14
The Value Chain 15
Being Accountable 17
Who Runs the Business? 20
Owners and Investors 20
Boards of Directors 20
Managing or Executive Directors and the “C-Suite” 21
Layers of Function, Structure, Management, and
Responsibility 21
Plans and Budgets, Policies, and Directives 23
Summary 24
Exam Essentials 24
Review Questions 26
Chapter 2 Information Security Fundamentals 33
The Common Needs for Privacy, Confidentiality, Integrity,
and Availability 34
Privacy 34
Confidentiality 38
Integrity 39
Availability 40
Privacy vs. Security, or Privacy and Security? 41
CIANA+PS Needs of Individuals 43
Private Business’s Need for CIANA+PS 44
COPYRIGHTED MATERIAL
xiv Contents
Government’s Need for CIANA+PS 45
The Modern Military’s Need for CIA 45
Do Societies Need CIANA+PS? 46
Training and Educating Everybody 47
SSCPs and Professional Ethics 47
Summary 49
Exam Essentials 50
Review Questions 54
Part II Integrated Risk Management and Mitigation 61
Chapter 3 Integrated Information Risk Management 63
It’s a Dangerous World 64
What Is Risk? 66
Risk: When Surprise Becomes Disruption 69
Information Security: Delivering Decision Assurance 71
“Common Sense” and Risk Management 74
The Four Faces of Risk 75
Outcomes-Based Risk 77
Process-Based Risk 78
Asset-Based Risk 79
Threat-Based (or Vulnerability-Based) Risk 79
Getting Integrated and Proactive with Information Defense 83
Lateral Movement: Mitigate with Integrated C3 86
Trust, but Verify 87
Due Care and Due Diligence: Whose Jobs Are These? 87
Be Prepared: First, Set Priorities 88
Risk Management: Concepts and Frameworks 89
The SSCP and Risk Management 92
Plan, Do, Check, Act 93
Risk Assessment 95
Establish Consensus about Information Risk 95
Information Risk Impact Assessment 96
Information Classification and Categorization 97
Risk Analysis 99
The Business Impact Analysis 105
From Assessments to Information Security Requirements 106
Four Choices for Limiting or Containing Damage 107
Deter 109
Detect 110
Prevent 110
Avoid 111
Summary 114
Exam Essentials 114
Review Questions 120
Chapter 4 Operationalizing Risk Mitigation 127
From Tactical Planning to Information Security Operations 128
Operationally Outthinking Your Adversaries 130
Getting Inside the Other Side’s OODA Loop 132
Defeating the Kill Chain 133
Operationalizing Risk Mitigation: Step by Step 134
Step 1: Assess the Existing Architectures 135
Step 2: Assess Vulnerabilities and Threats 142
Step 3: Select Risk Treatment and Controls 152
Step 4: Implement Controls 159
Step 5: Authorize: Senior Leader Acceptance and
Ownership 163
The Ongoing Job of Keeping Your Baseline Secure 164
Build and Maintain User Engagement with Risk
Controls 165
Participate in Security Assessments 166
Manage the Architectures: Asset Management and
Change Control 169
Ongoing, Continuous Monitoring 174
Exploiting What Monitoring and Event Data Is
Telling You 177
Incident Investigation, Analysis, and Reporting 181
Reporting to and Engaging with Management 182
Summary 183
Exam Essentials 183
Review Questions 189
Part III The Technologies of Information Security 197
Chapter 5 Communications and Network Security 199
Trusting Our Communications
in a Converged World 200
CIANA+PS: Applying Security Needs to Networks 203
Threat Modeling for Communications Systems 205
Internet Systems Concepts 206
Datagrams and Protocol Data Units 207
Handshakes 208
Packets and Encapsulation 209
Addressing, Routing, and Switching 211
Network Segmentation 212
URLs and the Web 212
Topologies 213
“Best Effort” and Trusting Designs 217
Two Protocol Stacks, One Internet 218
Complementary, Not Competing, Frameworks 218
Layer 1: The Physical Layer 222
Layer 2: The Data Link Layer 223
Layer 3: The Network Layer 225
Layer 4: The Transport Layer 226
Layer 5: The Session Layer 230
Layer 6: The Presentation Layer 231
Layer 7: The Application Layer 232
Cross-Layer Protocols and Services 233
IP and Security 234
Layers or Planes? 235
Network Architectures 236
DMZs and Botnets 237
Software-Defined Networks 238
Virtual Private Networks 239
Wireless Network Technologies 240
Wi-Fi 241
Bluetooth 242
Near-Field Communication 242
IP Addresses, DHCP, and Subnets 243
DHCP Leases: IPv4 and IPv6 243
IPv4 Address Classes 245
Subnetting in IPv4 247
IPv4 vs. IPv6: Important Differences
and Options 248
CIANA Layer by Layer 251
CIANA at Layer 1: Physical 251
CIANA at Layer 2: Data Link 254
CIANA at Layer 3: Network 256
CIANA at Layer 4: Transport 257
CIANA at Layer 5: Session 258
CIANA at Layer 6: Presentation 260
CIANA at Layer 7: Application 260
Securing Networks as Systems 262
Network Security Devices and Services 263
Wireless Network Access and Security 264
CIANA+PS and Wireless 265
Monitoring and Analysis for Network Security 267
A SOC Is Not a NOC 269
Tools for the SOC and the NOC 270
Integrating Network and Security Management 271
Summary 273
Exam Essentials 273
Review Questions 280
Chapter 6 Identity and Access Control 285
Identity and Access: Two Sides of the Same CIANA+PS Coin 286
Identity Management Concepts 288
Identity Provisioning and Management 289
Identity and AAA 293
Access Control Concepts 295
Subjects and Objects—Everywhere! 296
Data Classification and Access Control 297
Bell-LaPadula and Biba Models 299
Role-Based 302
Attribute-Based 303
Subject-Based 303
Object-Based 304
Rule-Based Access Control 304
Risk-Based Access Control 304
Mandatory vs. Discretionary Access Control 305
Network Access Control 305
IEEE 802.1X Concepts 307
RADIUS Authentication 308
TACACS and TACACS+ 309
Implementing and Scaling IAM 310
Choices for Access Control Implementations 311
“Built-in” Solutions? 313
Other Protocols for IAM 314
Multifactor Authentication 315
Server-Based IAM 319
Integrated IAM systems 320
Single Sign-On 321
OpenID Connect 322
Identity as a Service (IDaaS) 322
Federated IAM 322
Session Management 323
Kerberos 325
Credential Management 326
Trust Frameworks and Architectures 328
User and Entity Behavior Analytics (UEBA) 329
Zero Trust Architectures 332
Summary 333
Exam Essentials 334
Review Questions 343
Chapter 7 Cryptography 349
Cryptography: What and Why 350
Codes and Ciphers: Defining Our Terms 352
Cryptography, Cryptology, or…? 357
Building Blocks of Digital Cryptographic Systems 358
Cryptographic Algorithms 359
Cryptographic Keys 360
Hashing as One-Way Cryptography 362
A Race Against Time 365
“The Enemy Knows Your System” 366
Keys and Key Management 367
Key Storage and Protection 367
Key Revocation and Disposal 368
Modern Cryptography: Beyond the “Secret Decoder Ring” 370
Symmetric Key Cryptography 370
Asymmetric Key Cryptography 370
Hybrid Cryptosystems 371
Design and Use of Cryptosystems 371
Cryptanalysis, Ethical and Unethical 372
Cryptographic Primitives 373
Cryptographic Engineering 373
“Why Isn’t All of This Stuff Secret?” 373
Cryptography and CIANA+PS 375
Confidentiality 376
Authentication 376
Integrity 376
Nonrepudiation 377
“But I Didn’t Get That Email…” 378
Availability 379
Privacy 380
Safety 381
Public Key Infrastructures 381
Diffie-Hellman-Merkle Public Key Exchange 382
RSA Encryption and Key Exchange 385
ElGamal Encryption 385
Elliptical Curve Cryptography (ECC) 386
Digital Signatures 387
Digital Certificates and Certificate Authorities 387
Hierarchies (or Webs) of Trust 388
Pretty Good Privacy 392
TLS 393
HTTPS 394
Symmetric Key Algorithms and PKI 395
Encapsulation for Security: IPSec, ISAKMP, and Others 396
Applying Cryptography to Meet Different Needs 399
Message Integrity Controls 399
S/MIME 400
DKIM 400
Blockchain 401
Data Storage, Content Distribution, and Archiving 403
Steganography 404
Access Control Protocols 404
Managing Cryptographic Assets and Systems 405
Measures of Merit for Cryptographic Solutions 407
Attacks and Countermeasures 408
Social Engineering for Key Discovery 409
Implementation Attacks 410
Brute Force and Dictionary Attacks 410
Side Channel Attacks 411
Numeric (Algorithm or Key) Attacks 412
Traffic Analysis, “Op Intel,” and Social Engineering Attacks 413
Massively Parallel Systems Attacks 414
Supply Chain Vulnerabilities 414
The “Sprinkle a Little Crypto Dust on It” Fallacy 415
Countermeasures 416
PKI and Trust: A Recap 418
On the Near Horizon 420
Pervasive and Homomorphic Encryption 420
Quantum Cryptography and Post–Quantum Cryptography 421
AI, Machine Learning, and Cryptography 422
Summary 423
Exam Essentials 424
Review Questions 429
Chapter 8 Hardware and Systems Security 435
Infrastructure Security Is Baseline Management 437
It’s About Access Control… 437
It’s Also About Supply Chain Security 439
Do Clouds Have Boundaries? 439
Securing the Physical Context 442
Facilities Security 442
Services Security 443
OT-Intensive (or Reliant) Contexts 444
Infrastructures 101 and Threat Modeling 444
Protecting the Trusted Computing Base 447
Hardware Vulnerabilities 447
Firmware Vulnerabilities 449
Operating Systems Vulnerabilities 451
Virtual Machines and Vulnerabilities 454
Network Operating Systems 455
Endpoint Security 457
MDM, COPE, and BYOD 459
BYOI? BYOC? 460
Malware: Exploiting the Infrastructure’s Vulnerabilities 462
Countering the Malware Threat 465
Privacy and Secure Browsing 466
“The Sin of Aggregation” 469
Updating the Threat Model 469
Managing Your Systems’ Security 470
Summary 471
Exam Essentials 472
Review Questions 478
Chapter 9 Applications, Data, and Cloud Security 483
It’s a Data-Driven World…At the Endpoint 484
Software as Appliances 487
Applications Lifecycles and Security 490
The Software Development Lifecycle (SDLC) 491
Why Is (Most) Software So Insecure? 494
Hard to Design It Right, Easy to Fix It? 497
CIANA+PS and Applications Software Requirements 498
Positive and Negative Models for Software Security 502
Is Negative Control Dead? Or Dying? 503
Application Vulnerabilities 504
Vulnerabilities Across the Lifecycle 505
Human Failures and Frailties 506
“Shadow IT:” The Dilemma of the User as Builder 507
Data and Metadata as Procedural Knowledge 509
Information Quality and Information Assurance 511
Information Quality Lifecycle 512
Preventing (or Limiting) the “Garbage In” Problem 513
Protecting Data in Motion, in Use,
and at Rest 514
Data Exfiltration I: The Traditional Threat 516
Detecting Unauthorized Data Acquisition 518
Preventing Data Loss 519
Detecting and Preventing Malformed Data Attacks 521
Into the Clouds: Endpoint App and Data Security
Considerations 522
Cloud Deployment Models and Information Security 524
Cloud Service Models and Information Security 525
Edge and Fog Security: Virtual Becoming Reality 527
Clouds, Continuity, and Resiliency 528
Clouds and Threat Modeling 529
Cloud Security Methods 531
Integrate and Correlate 532
SLAs, TORs, and Penetration Testing 532
Data Exfiltration II: Hiding in the Clouds 533
Legal and Regulatory Issues 533
Countermeasures: Keeping Your Apps and Data
Safe and Secure 535
Summary 536
Exam Essentials 537
Review Questions 548
Part IV People Power: What Makes or Breaks Information Security 555
Chapter 10 Incident Response and Recovery 557
Defeating the Kill Chain One Skirmish at a Time 558
Kill Chains: Reviewing the Basics 560
Events vs. Incidents 562
Harsh Realities of Real Incidents 564
MITRE’s ATT&CK Framework 564
Learning from Others’ Painful Experiences 566
Incident Response Framework 566
Incident Response Team: Roles and Structures 568
Incident Response Priorities 570
Preparation 571
Preparation Planning 572
Put the Preparation Plan in Motion 574
Are You Prepared? 575
Detection and Analysis 578
Warning Signs 578
Initial Detection 580
Timeline Analysis 581
Notification 582
Prioritization 583
Containment and Eradication 584
Evidence Gathering, Preservation, and Use 585
Constant Monitoring 586
Recovery: Getting Back to Business 587
Data Recovery 588
Post-Recovery: Notification and Monitoring 589
Post-Incident Activities 590
Learning the Lessons 591
Orchestrate and Automate 592
Support Ongoing Forensics Investigations 592
Information and Evidence Retention 593
Information Sharing with the Larger IT
Security Community 594
Summary 594
Exam Essentials 595
Review Questions 601
Chapter 11 Business Continuity via Information Security
and People Power 607
What Is a Disaster? 608
Surviving to Operate: Plan for It! 609
Business Continuity 610
IS Disaster Recovery Plans 610
Plans, More Plans, and Triage 611
Timelines for BC/DR Planning and Action 615
Options for Recovery 617
Backups, Archives, and Image Copies 618
Cryptographic Assets and Recovery 620
“Golden Images” and Validation 621
Scan Before Loading: Blocking Historical
Zero-Day Attacks 622
Restart from a Clean Baseline 622
Cloud-Based “Do-Over” Buttons for Continuity, Security,
and Resilience 623
Restoring a Virtual Organization 625
People Power for BC/DR 626
Threat Vectors: It Is a Dangerous World Out There 628
“Blue Team’s” C3I 631
Learning from Experience 632
Security Assessment: For BC/DR
and Compliance 633
Converged Communications: Keeping Them Secure
During BC/DR Actions 634
POTS and VoIP Security 635
People Power for Secure Communications 636
Summary 637
Exam Essentials 637
Review Questions 641
Chapter 12 Cross-Domain Challenges 647
Operationalizing Security Across the Immediate and
Longer Term 648
Continuous Assessment and Continuous Compliance 650
SDNs and SDS 651
SOAR: Strategies for Focused Security Effort 653
A “DevSecOps” Culture: SOAR for Software Development 655
Just-in-Time Education, Training, and Awareness 656
Supply Chains, Security, and the SSCP 657
ICS, IoT, and SCADA: More Than SUNBURST 658
Extending Physical Security: More Than Just Badges
and Locks 660
All-Source, Proactive Intelligence: The SOC as a Fusion
Center 661
Other Dangers on the Web and Net 662
Surface, Deep, and Dark Webs 662
Deep and Dark: Risks and Countermeasures 664
DNS and Namespace Exploit Risks 665
On Our Way to the Future 666
Cloud Security: Edgier and Foggier 667
AI, ML, and Analytics: Explicability and Trustworthiness 667
Quantum Communications, Computing, and Cryptography 669
Paradigm Shifts in Information Security? 669
Perception Management and Information Security 671
Widespread Lack of Useful Understanding of Core
Technologies 672
Enduring Lessons 672
You Cannot Legislate Security (But You Can
Punish Noncompliance) 673
It’s About Managing Our Security and Our Systems 673
People Put It Together 674
Maintain Flexibility of Vision 675
Accountability—It’s Personal. Make It So 675
Stay Sharp 676
Your Next Steps 677
At the Close 678
Exam Essentials 678
Review Questions 683
Appendix Answers to Review Questions 689
Chapter 1: The Business Case for Decision Assurance and Information Security 690
Chapter 2: Information Security Fundamentals 693
Chapter 3: Integrated Information Risk Management 695
Chapter 4: Operationalizing Risk Mitigation 698
Chapter 5: Communications and Network Security 701
Chapter 6: Identity and Access Control 704
Chapter 7: Cryptography 707
Chapter 8: Hardware and Systems Security 709
Chapter 9: Applications, Data, and Cloud Security 712
Chapter 10: Incident Response and Recovery 715
Chapter 11: Business Continuity via Information Security and People Power 718
Chapter 12: Cross-Domain Challenges 722
Index 727
