Foreword xxiii
Introduction xxv
Chapter 1: Security Operations and Administration 1
Comply with Codes of Ethics 2
Understand, Adhere to, and Promote Professional Ethics 3
(ISC)2 Code of Ethics 4
Organizational Code of Ethics 5
Understand Security Concepts 6
Conceptual Models for Information Security 7
Confidentiality 8
Integrity 15
Availability 17
Accountability 18
Privacy 18
Nonrepudiation 26
Authentication 27
Safety 28
Fundamental Security Control Principles 29
Access Control and Need-to-Know 34
Job Rotation and Privilege Creep 35
Document, Implement, and Maintain Functional Security Controls 37
Deterrent Controls 37
Preventative Controls 39
Detective Controls 39
Corrective Controls 40
Compensating Controls 41
The Lifecycle of a Control 42
Participate in Asset Management 43
Asset Inventory 44
Lifecycle (Hardware, Software, and Data) 47
Hardware Inventory 48
Software Inventory and Licensing 49
Data Storage 50
Implement Security Controls and Assess Compliance 56
Technical Controls 57
Physical Controls 58
Administrative Controls 61
Periodic Audit and Review 64
Participate in Change Management 66
Execute Change Management Process 68
Identify Security Impact 70
Testing/Implementing Patches, Fixes, and Updates 70
Participate in Security Awareness and Training 71
Security Awareness Overview 72
Competency as the Criterion 73
Build a Security Culture, One Awareness Step at a Time 73
Participate in Physical Security Operations 74
Physical Access Control 74
The Data Center 78
Service Level Agreements 79
Summary 82
Chapter 2: Access Controls 83
Access Control Concepts 85
Subjects and Objects 86
Privileges: What Subjects Can Do with Objects 88
Data Classification, Categorization, and Access Control 89
Access Control via Formal Security Models 91
Implement and Maintain Authentication Methods 94
Single-Factor/Multifactor Authentication 95
Accountability 114
Single Sign-On 116
Device Authentication 117
Federated Access 118
Support Internetwork Trust Architectures 120
Trust Relationships (One-Way, Two-Way, Transitive) 121
Extranet 122
Third-Party Connections 123
Zero Trust Architectures 124
Participate in the Identity Management Lifecycle 125
Authorization 126
Proofing 127
Provisioning/Deprovisioning 128
Identity and Access Maintenance 130
Entitlement 134
Identity and Access Management Systems 137
Implement Access Controls 140
Mandatory vs. Discretionary Access Control 141
Role-Based 142
Attribute-Based 143
Subject-Based 144
Object-Based 144
Summary 145
Chapter 3: Risk Identification, Monitoring, and Analysis 147
Defeating the Kill Chain One Skirmish at a Time 148
Kill Chains: Reviewing the Basics 151
Events vs. Incidents 155
Understand the Risk Management Process 156
Risk Visibility and Reporting 159
Risk Management Concepts 165
Risk Management Frameworks 185
Risk Treatment 195
Perform Security Assessment Activities 203
Security Assessment Workflow Management 204
Participate in Security Testing 206
Interpretation and Reporting of Scanning and Testing Results 215
Remediation Validation 216
Audit Finding Remediation 217
Manage the Architectures: Asset Management and Configuration Control 218
Operate and Maintain Monitoring Systems 220
Events of Interest 222
Logging 229
Source Systems 230
Legal and Regulatory Concerns 236
Analyze Monitoring Results 238
Security Baselines and Anomalies 240
Visualizations, Metrics, and Trends 243
Event Data Analysis 244
Document and Communicate Findings 245
Summary 246
Chapter 4: Incident Response and Recovery 247
Support the Incident Lifecycle 249
Think Like a Responder 253
Physical, Logical, and Administrative Surfaces 254
Incident Response: Measures of Merit 254
The Lifecycle of a Security Incident 255
Preparation 257
Detection, Analysis, and Escalation 264
Containment 275
Eradication 277
Recovery 279
Lessons Learned; Implementation of New Countermeasures 283
Third-Party Considerations 284
Understand and Support Forensic Investigations 287
Legal and Ethical Principles 289
Logistics Support to Investigations 291
Evidence Handling 292
Evidence Collection 297
Understand and Support Business Continuity Plan and Disaster Recovery Plan Activities 306
Emergency Response Plans and Procedures 307
Interim or Alternate Processing Strategies 310
Restoration Planning 313
Backup and Redundancy Implementation 315
Data Recovery and Restoration 319
Training and Awareness 321
Testing and Drills 322
CIANA+PS at Layer 8 and Above 328
It Is a Dangerous World Out There 329
People Power and Business Continuity 333
Summary 333
Chapter 5: Cryptography 335
Understand Fundamental Concepts of Cryptography 336
Building Blocks of Digital Cryptographic Systems 339
Hashing 347
Salting 351
Symmetric Block and Stream Ciphers 353
Stream Ciphers 365
EU ECRYPT 371
Asymmetric Encryption 371
Elliptic Curve Cryptography 380
Nonrepudiation 383
Digital Certificates 388
Encryption Algorithms 392
Key Strength 393
Cryptographic Attacks, Cryptanalysis, and Countermeasures 395
Cryptologic Hygiene as Countermeasures 396
Common Attack Patterns and Methods 401
Secure Cryptoprocessors, Hardware Security Modules, and Trusted Platform Modules 409
Understand the Reasons and Requirements for Cryptography 414
Confidentiality 414
Integrity and Authenticity 415
Data Sensitivity 417
Availability 418
Nonrepudiation 418
Authentication 420
Privacy 421
Safety 422
Regulatory and Compliance 423
Transparency and Auditability 423
Competitive Edge 424
Understand and Support Secure Protocols 424
Services and Protocols 425
Common Use Cases 437
Deploying Cryptography: Some Challenging Scenarios 442
Limitations and Vulnerabilities 444
Understand Public Key Infrastructure Systems 446
Fundamental Key Management Concepts 447
Hierarchies of Trust 459
Web of Trust 462
Summary 464
Chapter 6: Network and Communications Security 467
Understand and Apply Fundamental Concepts of Networking 468
Complementary, Not Competing, Frameworks 470
OSI and TCP/IP Models 471
OSI Reference Model 486
TCP/IP Reference Model 501
Converged Protocols 508
Software-Defined Networks 509
IPv4 Addresses, DHCP, and Subnets 510
IPv4 Address Classes 510
Subnetting in IPv4 512
Running Out of Addresses? 513
IPv4 vs. IPv6: Key Differences and Options 514
Network Topologies 516
Network Relationships 521
Transmission Media Types 525
Commonly Used Ports and Protocols 530
Understand Network Attacks and Countermeasures 536
CIANA+PS Layer by Layer 538
Common Network Attack Types 553
SCADA, IoT, and the Implications of Multilayer Protocols 562
Manage Network Access Controls 565
Network Access Control and Monitoring 568
Network Access Control Standards and Protocols 573
Remote Access Operation and Configuration 575
Manage Network Security 583
Logical and Physical Placement of Network Devices 586
Segmentation 587
Secure Device Management 591
Operate and Configure Network-Based Security Devices 593
Network Address Translation 594
Additional Security Device Considerations 596
Firewalls and Proxies 598
Network Intrusion Detection/Prevention Systems 605
Security Information and Event Management Systems 607
Routers and Switches 609
Network Security from Other Hardware Devices 610
Traffic-Shaping Devices 613
Operate and Configure Wireless Technologies 615
Wireless: Common Characteristics 616
Wi-Fi 624
Bluetooth 637
Near-Field Communications 638
Cellular/Mobile Phone Networks 639
Ad Hoc Wireless Networks 640
Transmission Security 642
Wireless Security Devices 645
Summary 646
Chapter 7: Systems and Application Security 649
Systems and Software Insecurity 650
Software Vulnerabilities Across the Lifecycle 654
Risks of Poorly Merged Systems 663
Hard to Design It Right, Easy to Fix It? 664
Hardware and Software Supply Chain Security 667
Positive and Negative Models for Software Security 668
Is Blocked Listing Dead? Or Dying? 669
Information Security = Information Quality + Information Integrity 670
Data Modeling 671
Preserving Data Across the Lifecycle 674
Identify and Analyze Malicious Code and Activity 678
Malware 679
Malicious Code Countermeasures 682
Malicious Activity 684
Malicious Activity Countermeasures 688
Implement and Operate Endpoint Device Security 689
HIDS 691
Host-Based Firewalls 692
Allowed Lists: Positive Control for App Execution 693
Endpoint Encryption 694
Trusted Platform Module 695
Mobile Device Management 696
Secure Browsing 697
IoT Endpoint Security 700
Endpoint Security: EDR, MDR, XDR, UEM, and Others 701
Operate and Configure Cloud Security 701
Deployment Models 702
Service Models 703
Virtualization 706
Legal and Regulatory Concerns 709
Data Storage and Transmission 716
Third-Party/Outsourcing Requirements 716
Lifecycles in the Cloud 717
Shared Responsibility Model 718
Layered Redundancy as a Survival Strategy 719
Operate and Secure Virtual Environments 720
Software-Defined Networking 723
Hypervisor 725
Virtual Appliances 726
Continuity and Resilience 727
Attacks and Countermeasures 727
Shared Storage 729
Summary 730
Appendix: Cross-Domain Challenges 731
Paradigm Shifts in Information Security? 732
Pivot 1: Turn the Attackers' Playbooks Against Them 734
ATT&CK: Pivoting Threat Intelligence 734
Analysis: Real-Time and Retrospective 735
The SOC as a Fusion Center 737
All-Source, Proactive Intelligence: Part of the Fusion Center 738
Pivot 2: Cybersecurity Hygiene: Think Small, Act Small 739
CIS IG 1 for the SMB and SME 740
Hardening Individual Cybersecurity 740
Assume the Breach 742
Pivot 3: Flip the Data-Driven Value Function 743
Data-Centric Defense and Resiliency 744
Ransomware as a Service 745
Supply Chains, Security, and the SSCP 746
ICS, IoT, and SCADA: More Than SUNBURST 747
Extending Physical Security: More Than Just Badges and Locks 749
The IoRT: Robots Learning via the Net 750
Pivot 4: Operationalize Security Across the Immediate and Longer Term 751
Continuous Assessment and Continuous Compliance 752
SDNs and SDS 753
SOAR: Strategies for Focused Security Effort 755
A DevSecOps Culture: SOAR for Software Development 756
Pivot 5: Zero-Trust Architectures and Operations 757
FIDO and Passwordless Authentication 760
Threat Hunting, Indicators, and Signature Dependence 761
Other Dangers on the Web and Net 763
Surface, Deep, and Dark Webs 763
Deep and Dark: Risks and Countermeasures 764
DNS and Namespace Exploit Risks 765
Cloud Security: Edgier and Foggier 766
Curiosity as Countermeasure 766
Index 769