Foreword xvii Introduction xix DOMAIN 1: ACCESS CONTROLS 1 Objectives 3 Access Control Concepts 3 Applying Logical Access Control in Terms of Subjects 4 Applying Logical Access Control in Terms of Objects or Object Groups 9 Implementing Access Controls 11 Discretionary Access Control 11 Role-Based Access Controls 14 Nondiscretionary Access Control 21 Mandatory Access Control 21 Attribute-Based Access Control 22 Security Architecture and Models 23 Bell LaPadula Confidentiality Model 23 Biba and Clark Wilson Integrity Models 24 Additional Models 26 Implementing Authentication Mechanisms Identification, Authentication, Authorization, and Accountability 27 Identification (Who Is the Subject?) 27 Authentication (Proof of Identity) 29 Authorization 51 Authentication Using Kerberos 55 User/Device Authentication Policies 58 Comparing Internetwork Trust Architectures 59 Internet 59 Intranet 60 Extranet 60 Demilitarized Zone (DMZ) 60 Trust Direction 61 One-Way Trust 62 Two-Way Trust 62 Trust Transitivity 62 Administering the Identity Management Lifecycle 62 Authorization 62 Proofing 63 Provisioning 63 Maintenance 63 Entitlement 63 Summary 63 Sample Questions 64 Notes 67 DOMAIN 2: SECURITY OPERATIONS 71 Objectives 73 Code of Ethics 74 Code of Ethics Preamble 74 Code of Ethics Canons 75 Applying a Code of Ethics to Security Practitioners 76 Security Program Objectives: The C-I-A Triad and Beyond 77 Confidentiality 77 Integrity 78 Availability 79 Non-Repudiation 80 Privacy 80 Security Best Practices 82 Designing a Security Architecture 82 Secure Development and Acquisition Lifecycles 95 System Vulnerabilities, Secure Development, and Acquisition Practices 101 Hardware/Software 104 Data 106 Disclosure Controls: Data Leakage Prevention 118 Technical Controls 119 Operational Controls 121 Managerial Controls 121 Implementation and Release Management 130 Systems Assurance and Controls Validation 132 Change Control and Management 132 Configuration Management 135 Security Impact Assessment 139 System Architecture/Interoperability of Systems 139 Patch Management 140 Monitoring System Integrity 142 Security Awareness and Training 142 Interior Intrusion Detection Systems 146 Building and Inside Security 152 Securing Communications and Server Rooms 166 Restricted and Work Area Security 169 Data Center Security 170 Summary 177 Sample Questions 178 Notes 181 DOMAIN 3: RISK IDENTIFICATION, MONITORING, AND ANALYSIS 185 Objectives 187 Introduction to Risk Management 187 Risk Management Concepts 187 Security Auditing Overview 203 Responding to an Audit 208 Exit Interview 208 Presentation of Audit Findings 208 Management Response 208 Security Assessment Activities 209 Vulnerability Scanning and Analysis 209 Penetration Testing 224 Operating and Maintaining Monitoring Systems 239 Security Monitoring Concepts 239 Attackers 245 Intrusions 246 Events 247 Types of Monitoring 247 Log Files 249 Source Systems 257 Security Analytics, Metrics, and Trends 258 Visualization 260 Event Data Analysis 261 Communication of Findings 266 Going Hands-on Risk Identification Exercise 266 Virtual Testing Environment 267 Creating the Environment 268 Summary 279 Sample Questions 280 Notes 283 DOMAIN 4: INCIDENT RESPONSE AND RECOVERY 285 Objectives 287 Incident Handling 287 Preparation 289 Detection and Analysis 296 Containment, Eradication, and Recovery 306 Post-Incident Activity 308 Recovery and Business Continuity 319 Business Continuity Planning 319 Disaster Recovery Planning 326 Plan Testing 330 Plan Review and Maintenance 333 Summary 340 Sample Questions 341 Notes 344 DOMAIN 5: CRYPTOGRAPHY 345 Objectives 346 Encryption Concepts 347 Key Concepts and Definitions 347 Foundational Concepts 350 Evaluation of Algorithms 355 Hashing 356 Encryption and Decryption 361 Symmetric Cryptography 361 Asymmetric Cryptography 376 Hybrid Cryptography 381 Message Digests 382 Message Authentication Code 382 HMAC 383 Digital Signatures 383 Non-Repudiation 384 Methods of Cryptanalytic Attack 385 Data Sensitivity and Regulatory Requirements 390 Legislative and Regulatory Compliance 390 End-User Training 394 Public Key Infrastructure (PKI) 395 Fundamental Key Management Concepts 397 Management and Distribution of Keys 404 Secure Protocols 413 Going Hands-on with Cryptography Cryptography Exercise 417 Requirements 417 Setup 418 Key Exchange and Sending Secure E-mail 431 Conclusion 439 Summary 439 Sample Questions 440 End Notes 443 DOMAIN 6: NETWORKS AND COMMUNICATIONS SECURITY 447 Objectives 449 Security Issues Related to Networks 449 OSI and TCP/IP Models 450 IP Networking 460 Network Topographies and Relationships 467 Commonly Used Ports and Protocols 477 Telecommunications Technologies 496 Converged Communications 496 VoIP 499 POTS and PBX 500 Cellular 501 Attacks and Countermeasures 501 Control Network Access 503 Hardware 507 Wired Transmission Media 509 Endpoint Security 513 Voice Technologies 513 Multimedia Collaboration 515 Open Protocols, Applications, and Services 516 Remote Access 517 Data Communication 522 LAN-Based Security 522 Separation of Data Plane and Control Plane 522 Segmentation 523 Media Access Control Security (IEEE 802.1AE) 526 Secure Device Management 527 Network-Based Security Devices 530 Network Security Objectives and Attack Modes 531 Firewalls and Proxies 534 Network Intrusion Detection/Prevention Systems 537 IP Fragmentation Attacks and Crafted Packets 544 DoS/DDoS 547 Spoofing 551 Wireless Technologies 555 Wireless Technologies, Networks, and Methodologies 555 Transmission Security and Common Vulnerabilities and Countermeasures 558 Summary 563 Sample Questions 564 End Notes 568 DOMAIN 7: SYSTEMS AND APPLICATION SECURITY 577 Objectives 580 Identifying and Analyzing Malicious Code and Activity 580 CIA Triad: Applicability to Malcode 581 Malcode Naming Conventions and Types 582 Malicious Code Countermeasures 598 Vectors of Infection 611 Malicious Activity 614 How to Do It for Yourself: Using the Social Engineer Toolkit (SET) 615 Long File Extensions 619 Double File Extensions 619 Fake Related Extension 622 Fake Icons 623 Password-Protected ZIP Files/RAR 624 Hostile Codecs 624 E-mail 624 Insider Human Threats 626 Insider Hardware and Software Threats 628 Spoofing, Phishing, Spam, and Botnets 630 Spoofing 630 Phishing 631 Spam 633 Botnets 635 Malicious Web Activity 638 Cross-Site Scripting (XSS) Attacks 639 Zero-Day Exploits and Advanced Persistent Threats (APTs) 639 Brute-Force Attacks 641 Instant Messaging 643 Peer-to-Peer Networks 643 Internet Relay Chat 644 Rogue Products and Search Engines 645 Infected Factory Builds and Media 645 Web Exploitation Frameworks 645 Payloads 646 Backdoor Trojans 646 Man-in-the-Middle Malcode 647 Identifying Infections 649 Malicious Activity Countermeasures 652 Third-Party Certifi cations 655 The Wildlist 656 Questionable Behavior on a Computer 656 Inspection of Processes 658 Inspection of the Windows Registry 659 How to Do It for Yourself: Installing Strawberry Perl in Windows 7 or Windows 8 659 Inspection of Common File Locations 661 Behavioral Analysis of Malcode 666 Static File Analysis 669 Testing Remote Websites Found in Network Log Files 677 Testing of Samples in Virtualized Environments 683 Free Online Sandbox Solutions 686 Interactive Behavioral Testing 687 Malcode Mitigation 687 Strategic 687 Tactical 689 Implementing and Operating End-Point Device Security 691 Host-Based Intrusion Detection System 691 Host-Based Firewalls 692 Application Whitelisting 692 Endpoint Encryption 693 Trusted Platform Module 693 Mobile Device Management 694 Secure Browsing 695 Operating and Confi guring Cloud Security 696 The Five Essential Characteristics of Clouds 696 Deployment Models 697 Service Models 699 Virtualization 702 Legal and Privacy Concerns 704 Classifi cation of Discovered Sensitive Data 709 Mapping and Defi nition of Controls 710 Application of Defined Controls for Personally Identifiable Information (PII) 711 Data Storage and Transmission 712 Threats to Storage Types 716 Technologies Available to Address Threats 716 DLP 716 Encryption 719 Sample Use Cases for Encryption 720 Cloud Encryption Challenges 720 Encryption Architecture 722 Data Encryption in IaaS 722 Key Management 724 Encryption Alternatives and Other Data Protection Technologies 726 Data Masking/Data Obfuscation 726 Data Anonymization 727 Tokenization 728 Third-Party/Outsourcing Implications 729 Data Retention Policies 729 Data Deletion Procedures and Mechanisms 730 Data Archiving Procedures and Mechanisms 731 Event Sources 732 Data Event Logging and Event Attributes 735 Storage and Analysis of Data Events 736 Securing Big Data Systems 738 Operating and Securing Virtual Environments 740 Software-Defined Network (SDN) 741 Virtual Appliances 741 Continuity and Resilience 742 Attacks and Countermeasures 743 Security Virtualization Best Practices 744 Summary 750 Sample Questions 750 End Notes 757 APPENDIX A: ANSWERS TO SAMPLE QUESTIONS 769 Domain 1: Access Controls 770 Domain 2: Security Operations 777 Domain 3: Risk, Identification, Monitoring, and Analysis 785 Domain 4: Incident Response and Recovery 793 Domain 5: Cryptography 798 Domain 6: Networks and Communications Security 805 Domain 7: Systems and Application Security 814 APPENDIX B: DNSSEC WALKTHROUGH 831 Hardware and Software Requirements 832 Configuring the Test Lab 832 Configuring DC1 832 Creating a Domain Administrator Account 834 Configuring the sec.isc2.com DNS Zone 834 Enabling Remote Desktop on DC1 835 Configuring DNS1 835 Installing the OS and Configuring TCP/IP on DC1 836 Installing and Configuring DNS on DNS1 836 Signing a Zone on DC1 and Distributing Trust Anchors 837 Distributing a Trust Anchor to DNS1 838 Verifying Trust Anchors 838 Querying a Signed Zone with DNSSEC Validation Required 838 Unsigning the Zone 839 Resigning the Zone with Custom Parameters 840 APPENDIX C: GLOSSARY OF TERMS RELATED TO THE SSCP 841 Index 873
