The Official

Foreword xxiii Introduction xxv Chapter 1: Security Operations and Administration 1 Comply with Codes of Ethics 2 Understand, Adhere to, and Promote Professional Ethics 3 (ISC)2 Code of Ethics 4 Organizational Code of Ethics 5 Understand Security Concepts 6 Conceptual Models for Information Security 7 Confidentiality 8 Integrity 15 Availability 17 Accountability 18 Privacy 18 Nonrepudiation 26 Authentication 27 Safety 28 Fundamental Security Control Principles 29 Access Control and Need-to-Know 34 Job Rotation and Privilege Creep 35 Document, Implement, and Maintain Functional Security Controls 37 Deterrent Controls 37 Preventative Controls 39 Detective Controls 39 Corrective Controls 40 Compensating Controls 41 The Lifecycle of a Control 42 Participate in Asset Management 43 Asset Inventory 44 Lifecycle (Hardware, Software, and Data) 47 Hardware Inventory 48 Software Inventory and Licensing 49 Data Storage 50 Implement Security Controls and Assess Compliance 56 Technical Controls 57 Physical Controls 58 Administrative Controls 61 Periodic Audit and Review 64 Participate in Change Management 66 Execute Change Management Process 68 Identify Security Impact 70 Testing/Implementing Patches, Fixes, and Updates 70 Participate in Security Awareness and Training 71 Security Awareness Overview 72 Competency as the Criterion 73 Build a Security Culture, One Awareness Step at a Time 73 Participate in Physical Security Operations 74 Physical Access Control 74 The Data Center 78 Service Level Agreements 79 Summary 82 Chapter 2: Access Controls 83 Access Control Concepts 85 Subjects and Objects 86 Privileges: What Subjects Can Do with Objects 88 Data Classification, Categorization, and Access Control 89 Access Control via Formal Security Models 91 Implement and Maintain Authentication Methods 94 Single-Factor/Multifactor Authentication 95 Accountability 114 Single Sign-On 116 Device Authentication 117 Federated Access 118 Support Internetwork Trust Architectures 120 Trust Relationships (One-Way, Two-Way, Transitive) 121 Extranet 122 Third-Party Connections 123 Zero Trust Architectures 124 Participate in the Identity Management Lifecycle 125 Authorization 126 Proofing 127 Provisioning/Deprovisioning 128 Identity and Access Maintenance 130 Entitlement 134 Identity and Access Management Systems 137 Implement Access Controls 140 Mandatory vs. Discretionary Access Control 141 Role-Based 142 Attribute-Based 143 Subject-Based 144 Object-Based 144 Summary 145 Chapter 3: Risk Identification, Monitoring, And Analysis 147 Defeating the Kill Chain One Skirmish at a Time 148 Kill Chains: Reviewing the Basics 151 Events vs. Incidents 155 Understand the Risk Management Process 156 Risk Visibility and Reporting 159 Risk Management Concepts 165 Risk Management Frameworks 185 Risk Treatment 195 Perform Security Assessment Activities 203 Security Assessment Workflow Management 204 Participate in Security Testing 206 Interpretation and Reporting of Scanning and Testing Results 215 Remediation Validation 216 Audit Finding Remediation 217 Manage the Architectures: Asset Management and Configuration Control 218 Operate and Maintain Monitoring Systems 220 Events of Interest 222 Logging 229 Source Systems 230 Legal and Regulatory Concerns 236 Analyze Monitoring Results 238 Security Baselines and Anomalies 240 Visualizations, Metrics, and Trends 243 Event Data Analysis 244 Document and Communicate Findings 245 Summary 246 Chapter 4: Incident Response and Recovery 247 Support the Incident Lifecycle 249 Think like a Responder 253 Physical, Logical, and Administrative Surfaces 254 Incident Response: Measures of Merit 254 The Lifecycle of a Security Incident 255 Preparation 257 Detection, Analysis, and Escalation 264 Containment 275 Eradication 277 Recovery 279 Lessons Learned; Implementation of New Countermeasures 283 Third-Party Considerations 284 Understand and Support Forensic Investigations 287 Legal and Ethical Principles 289 Logistics Support to Investigations 291 Evidence Handling 292 Evidence Collection 297 Understand and Support Business Continuity Plan and Disaster Recovery Plan Activities 306 Emergency Response Plans and Procedures 307 Interim or Alternate Processing Strategies 310 Restoration Planning 313 Backup and Redundancy Implementation 315 Data Recovery and Restoration 319 Training and Awareness 321 Testing and Drills 322 CIANA+PS at Layer 8 and Above 328 It Is a Dangerous World Out There 329 People Power and Business Continuity 333 Summary 333 Chapter 5: Cryptography 335 Understand Fundamental Concepts of Cryptography 336 Building Blocks of Digital Cryptographic Systems 339 Hashing 347 Salting 351 Symmetric Block and Stream Ciphers 353 Stream Ciphers 365 Eu Ecrypt 371 Asymmetric Encryption 371 Elliptical Curve Cryptography 380 Nonrepudiation 383 Digital Certificates 388 Encryption Algorithms 392 Key Strength 393 Cryptographic Attacks, Cryptanalysis, and Countermeasures 395 Cryptologic Hygiene as Countermeasures 396 Common Attack Patterns and Methods 401 Secure Cryptoprocessors, Hardware Security Modules, and Trusted Platform Modules 409 Understand the Reasons and Requirements for Cryptography 414 Confidentiality 414 Integrity and Authenticity 415 Data Sensitivity 417 Availability 418 Nonrepudiation 418 Authentication 420 Privacy 421 Safety 422 Regulatory and Compliance 423 Transparency and Auditability 423 Competitive Edge 424 Understand and Support Secure Protocols 424 Services and Protocols 425 Common Use Cases 437 Deploying Cryptography: Some Challenging Scenarios 442 Limitations and Vulnerabilities 444 Understand Public Key Infrastructure Systems 446 Fundamental Key Management Concepts 447 Hierarchies of Trust 459 Web of Trust 462 Summary 464 Chapter 6: Network and Communications Security 467 Understand and Apply Fundamental Concepts of Networking 468 Complementary, Not Competing, Frameworks 470 OSI and TCP/IP Models 471 OSI Reference Model 486 TCP/IP Reference Model 501 Converged Protocols 508 Software-Defined Networks 509 IPv4 Addresses, DHCP, and Subnets 510 IPv4 Address Classes 510 Subnetting in IPv4 512 Running Out of Addresses? 513 IPv4 vs. IPv6: Key Differences and Options 514 Network Topographies 516 Network Relationships 521 Transmission Media Types 525 Commonly Used Ports and Protocols 530 Understand Network Attacks and Countermeasures 536 CIANA+PS Layer by Layer 538 Common Network Attack Types 553 SCADA, IoT, and the Implications of Multilayer Protocols 562 Manage Network Access Controls 565 Network Access Control and Monitoring 568 Network Access Control Standards and Protocols 573 Remote Access Operation and Configuration 575 Manage Network Security 583 Logical and Physical Placement of Network Devices 586 Segmentation 587 Secure Device Management 591 Operate and Configure Network-Based Security Devices 593 Network Address Translation 594 Additional Security Device Considerations 596 Firewalls and Proxies 598 Network Intrusion Detection/Prevention Systems 605 Security Information and Event Management Systems 607 Routers and Switches 609 Network Security from Other Hardware Devices 610 Traffic-Shaping Devices 613 Operate and Configure Wireless Technologies 615 Wireless: Common Characteristics 616 Wi-Fi 624 Bluetooth 637 Near-Field Communications 638 Cellular/Mobile Phone Networks 639 Ad Hoc Wireless Networks 640 Transmission Security 642 Wireless Security Devices 645 Summary 646 Chapter 7: Systems and Application Security 649 Systems and Software Insecurity 650 Software Vulnerabilities Across the Lifecycle 654 Risks of Poorly Merged Systems 663 Hard to Design It Right, Easy to Fix It? 664 Hardware and Software Supply Chain Security 667 Positive and Negative Models for Software Security 668 Is Blocked Listing Dead? Or Dying? 669 Information Security = Information Quality + Information Integrity 670 Data Modeling 671 Preserving Data Across the Lifecycle 674 Identify and Analyze Malicious Code and Activity 678 Malware 679 Malicious Code Countermeasures 682 Malicious Activity 684 Malicious Activity Countermeasures 688 Implement and Operate Endpoint Device Security 689 HIDS 691 Host-Based Firewalls 692 Allowed Lists: Positive Control for App Execution 693 Endpoint Encryption 694 Trusted Platform Module 695 Mobile Device Management 696 Secure Browsing 697 IoT Endpoint Security 700 Endpoint Security: EDR, MDR, XDR, UEM, and Others 701 Operate and Configure Cloud Security 701 Deployment Models 702 Service Models 703 Virtualization 706 Legal and Regulatory Concerns 709 Data Storage and Transmission 716 Third-Party/Outsourcing Requirements 716 Lifecycles in the Cloud 717 Shared Responsibility Model 718 Layered Redundancy as a Survival Strategy 719 Operate and Secure Virtual Environments 720 Software-Defined Networking 723 Hypervisor 725 Virtual Appliances 726 Continuity and Resilience 727 Attacks and Countermeasures 727 Shared Storage 729 Summary 730 Appendix: Cross-Domain Challenges 731 Paradigm Shifts in Information Security? 732 Pivot 1: Turn the Attackers’ Playbooks Against Them 734 ATT&CK: Pivoting Threat Intelligence 734 Analysis: Real-Time and Retrospective 735 The SOC as a Fusion Center 737 All-Source, Proactive Intelligence: Part of the Fusion Center 738 Pivot 2: Cybersecurity Hygiene: Think Small, Act Small 739 CIS IG 1 for the SMB and SME 740 Hardening Individual Cybersecurity 740 Assume the Breach 742 Pivot 3: Flip the “Data-Driven Value Function” 743 Data-Centric Defense and Resiliency 744 Ransomware as a Service 745 Supply Chains, Security, and the SSCP 746 ICS, IoT, and SCADA: More Than SUNBURST 747 Extending Physical Security: More Than Just Badges and Locks 749 The IoRT: Robots Learning via the Net 750 Pivot 4: Operationalize Security Across the Immediate and Longer Term 751 Continuous Assessment and Continuous Compliance 752 SDNs and SDS 753 SOAR: Strategies for Focused Security Effort 755 A “DevSecOps” Culture: SOAR for Software Development 756 Pivot 5: Zero-Trust Architectures and Operations 757 FIDO and Passwordless Authentication 760 Threat Hunting, Indicators, and Signature Dependence 761 Other Dangers on the Web and Net 763 Surface, Deep, and Dark Webs 763 Deep and Dark: Risks and Countermeasures 764 DNS and Namespace Exploit Risks 765 Cloud Security: Edgier and Foggier 766 Curiosity as Countermeasure 766 Index 769