Foreword xxi
Introduction xxiii
Self-Assessment xlv
Part I Getting Started as an SSCP 1
Chapter 1 The Business Case for Decision Assurance and Information Security 3
Information: The Lifeblood of Business 4
Data, Information, Knowledge, Wisdom... 5
Information Is Not Information Technology 8
Policy, Procedure, and Process: How Business Gets Business Done 10
Who Is the Business? 11
What's Your Business Plan? 12
Purpose, Intent, Goals, Objectives 13
Business Logic and Business Processes: Transforming Assets into Opportunity, Wealth, and Success 14
The Value Chain 15
Being Accountable 17
Who Runs the Business? 19
Owners and Investors 19
Boards of Directors 20
Managing or Executive Directors and the C-Suite 20
Layers of Function, Structure, Management, and Responsibility 21
Plans and Budgets, Policies, and Directives 22
Summary 23
Chapter 2 Information Security Fundamentals 25
The Common Needs for Privacy, Confidentiality, Integrity, and Availability 26
Privacy 26
Confidentiality 29
Integrity 30
Availability 31
Privacy vs. Security, or Privacy and Security? 32
CIA Needs of Individuals 34
Private Business's Need for CIA 35
Government's Need for CIA 36
The Modern Military's Need for CIA 36
Do Societies Need CIA? 36
Training and Educating Everybody 38
SSCPs and Professional Ethics 38
Summary 40
Exam Essentials 40
Review Questions 44
Part II Integrated Risk Management and Mitigation 51
Chapter 3 Integrated Information Risk Management 53
It's a Dangerous World 54
What Is Risk? 55
Risk: When Surprise Becomes Disruption 59
Information Security: Delivering Decision Assurance 60
Common Sense and Risk Management 63
The Four Faces of Risk 65
Outcomes-Based Risk 67
Process-Based Risk 67
Asset-Based Risk 68
Threat-Based (or Vulnerability-Based) Risk 69
Getting Integrated and Proactive with Information Defense 72
Trust, but Verify 76
Due Care and Due Diligence: Whose Jobs Are These? 76
Be Prepared: First, Set Priorities 77
Risk Management: Concepts and Frameworks 78
The SSCP and Risk Management 81
Plan, Do, Check, Act 82
Risk Assessment 84
Establish Consensus about Information Risk 84
Information Risk Impact Assessment 85
The Business Impact Analysis 92
From Assessments to Information Security Requirements 92
Four Choices for Limiting or Containing Damage 94
Deter 96
Detect 96
Prevent 97
Avoid 97
Summary 100
Exam Essentials 101
Review Questions 105
Chapter 4 Operationalizing Risk Mitigation 111
From Tactical Planning to Information Security Operations 112
Operationally Outthinking Your Adversaries 114
Getting Inside the Other Side's OODA Loop 116
Defeating the Kill Chain 117
Operationalizing Risk Mitigation: Step by Step 118
Step 1: Assess the Existing Architectures 119
Step 2: Assess Vulnerabilities and Threats 126
Step 3: Select Risk Treatment and Controls 135
Step 4: Implement Controls 141
Step 5: Authorize: Senior Leader Acceptance and Ownership 146
The Ongoing Job of Keeping Your Baseline Secure 146
Build and Maintain User Engagement with Risk Controls 147
Participate in Security Assessments 148
Manage the Architectures: Asset Management and Configuration Control 151
Ongoing, Continuous Monitoring 152
Exploiting What Monitoring and Event Data Is Telling You 155
Incident Investigation, Analysis, and Reporting 159
Reporting to and Engaging with Management 160
Summary 161
Exam Essentials 161
Review Questions 166
Part III The Technologies of Information Security 173
Chapter 5 Communications and Network Security 175
Trusting Our Communications in a Converged World 176
Introducing CIANA 179
Threat Modeling for Communications Systems 180
Internet Systems Concepts 181
Datagrams and Protocol Data Units 182
Handshakes 184
Packets and Encapsulation 185
Addressing, Routing, and Switching 187
Network Segmentation 188
URLs and the Web 188
Topologies 189
Best Effort and Trusting Designs 193
Two Protocol Stacks, One Internet 194
Complementary, Not Competing, Frameworks 194
Layer 1: The Physical Layer 198
Layer 2: The Data Link Layer 199
Layer 3: The Network Layer 201
Layer 4: The Transport Layer 202
Layer 5: The Session Layer 206
Layer 6: The Presentation Layer 207
Layer 7: The Application Layer 208
Cross-Layer Protocols and Services 209
IP and Security 210
Layers or Planes? 211
Software-Defined Networks 212
Virtual Private Networks 213
A Few Words about Wireless 214
IP Addresses, DHCP, and Subnets 217
IPv4 Address Classes 217
Subnetting in IPv4 219
IPv4 vs. IPv6: Key Differences and Options 221
CIANA Layer by Layer 223
CIANA at Layer 1: Physical 223
CIANA at Layer 2: Data Link 226
CIANA at Layer 3: Network 228
CIANA at Layer 4: Transport 229
CIANA at Layer 5: Session 230
CIANA at Layer 6: Presentation 231
CIANA at Layer 7: Application 232
Securing Networks as Systems 233
A SOC Is Not a NOC 234
Tools for the SOC and the NOC 235
Integrating Network and Security Management 236
Summary 238
Exam Essentials 238
Review Questions 243
Chapter 6 Identity and Access Control 249
Identity and Access: Two Sides of the Same CIANA Coin 250
Identity Management Concepts 251
Identity Provisioning and Management 252
Identity and AAA 254
Access Control Concepts 255
Subjects and Objects-Everywhere! 257
Data Classification and Access Control 258
Bell-LaPadula and Biba Models 260
Role-Based 263
Attribute-Based 263
Subject-Based 264
Object-Based 264
Mandatory vs. Discretionary Access Control 264
Network Access Control 265
IEEE 802.1X Concepts 267
RADIUS Authentication 268
TACACS and TACACS+ 269
Implementing and Scaling IAM 270
Choices for Access Control Implementations 271
Built-in Solutions? 273
Multifactor Authentication 274
Server-Based IAM 276
Integrated IAM systems 277
Zero Trust Architectures 281
Summary 282
Exam Essentials 283
Review Questions 290
Chapter 7 Cryptography 297
Cryptography: What and Why 298
Codes and Ciphers: Defining Our Terms 300
Cryptography, Cryptology, or...? 305
Building Blocks of Digital Cryptographic Systems 306
Cryptographic Algorithms 307
Cryptographic Keys 308
Hashing as One-Way Cryptography 310
A Race Against Time 313
The Enemy Knows Your System 314
Keys and Key Management 314
Key Storage and Protection 315
Key Revocation and Zeroization 315
Modern Cryptography: Beyond the Secret Decoder Ring 317
Symmetric Key Cryptography 317
Asymmetric Key (or Public Key) Cryptography 318
Hybrid Cryptosystems 318
Design and Use of Cryptosystems 319
Cryptanalysis (White Hat and Black Hat) 319
Cryptographic Primitives 320
Cryptographic Engineering 320
Why Isn't All of This Stuff Secret? 320
Cryptography and CIANA 322
Confidentiality 322
Authentication 323
Integrity 323
Nonrepudiation 324
But I Didn't Get That Email... 324
Availability 325
Public Key Infrastructures 327
Diffie-Hellman-Merkle Public Key Exchange 328
RSA Encryption and Key Exchange 331
ElGamal Encryption 331
Digital Signatures 332
Digital Certificates and Certificate Authorities 332
Hierarchies (or Webs) of Trust 333
Pretty Good Privacy 337
TLS 338
HTTPS 340
Symmetric Key Algorithms and PKI 341
PKI and Trust: A Recap 342
Other Protocols: Applying Cryptography to Meet Different Needs 344
IPSec 344
S/MIME 345
DKIM 345
Blockchain 346
Access Control Protocols 348
Measures of Merit for Cryptographic Solutions 348
Attacks and Countermeasures 349
Brute Force and Dictionary Attacks 350
Side Channel Attacks 350
Numeric (Algorithm or Key) Attacks 351
Traffic Analysis, Op Intel, and Social Engineering Attacks 352
Massively Parallel Systems Attacks 353
Supply Chain Vulnerabilities 354
The Sprinkle a Little Crypto Dust on It Fallacy 354
Countermeasures 355
On the Near Horizon 357
Pervasive and Homomorphic Encryption 358
Quantum Cryptography and Post-Quantum Cryptography 358
AI, Machine Learning, and Cryptography 360
Summary 361
Exam Essentials 361
Review Questions 366
Chapter 8 Hardware and Systems Security 371
Infrastructure Security Is Baseline Management 372
It's About Access Control... 373
It's Also About Supply Chain Security 374
Do Clouds Have Boundaries? 375
Infrastructures 101 and Threat Modeling 376
Hardware Vulnerabilities 379
Firmware Vulnerabilities 380
Operating Systems Vulnerabilities 382
Virtual Machines and Vulnerabilities 385
Network Operating Systems 386
MDM, COPE, and BYOD 388
BYOI? BYOC? 389
Malware: Exploiting the Infrastructure's Vulnerabilities 391
Countering the Malware Threat 394
Privacy and Secure Browsing 395
The Sin of Aggregation 397
Updating the Threat Model 398
Managing Your Systems' Security 399
Summary 399
Exam Essentials 400
Review Questions 407
Chapter 9 Applications, Data, and Cloud Security 413
It's a Data-Driven World...At the Endpoint 414
Software as Appliances 417
Applications Lifecycles and Security 420
The Software Development Lifecycle (SDLC) 421
Why Is (Most) Software So Insecure? 424
Hard to Design It Right, Easy to Fix It? 427
CIANA and Applications Software Requirements 428
Positive and Negative Models for Software Security 431
Is Blacklisting Dead? Or Dying? 432
Application Vulnerabilities 434
Vulnerabilities Across the Lifecycle 434
Human Failures and Frailties 436
Shadow IT: The Dilemma of the User as Builder 436
Data and Metadata as Procedural Knowledge 438
Information Quality and Information Assurance 440
Information Quality Lifecycle 441
Preventing (or Limiting) the Garbage In Problem 442
Protecting Data in Motion, in Use, and at Rest 443
Data Exfiltration I: The Traditional Threat 445
Detecting Unauthorized Data Acquisition 446
Preventing Data Loss 447
Into the Clouds: Endpoint App and Data Security Considerations 448
Cloud Deployment Models and Information Security 449
Cloud Service Models and Information Security 450
Clouds, Continuity, and Resiliency 452
Clouds and Threat Modeling 453
Cloud Security Methods 455
SLAs, TORs, and Penetration Testing 456
Data Exfiltration II: Hiding in the Clouds 456
Legal and Regulatory Issues 456
Countermeasures: Keeping Your Apps and Data Safe and Secure 458
Summary 459
Exam Essentials 460
Review Questions 470
Part IV People Power: What Makes or Breaks Information Security 477
Chapter 10 Incident Response and Recovery 479
Defeating the Kill Chain One Skirmish at a Time 480
Kill Chains: Reviewing the Basics 482
Events vs. Incidents 484
Incident Response Framework 485
Incident Response Team: Roles and Structures 487
Incident Response Priorities 490
Preparation 491
Preparation Planning 491
Put the Preparation Plan in Motion 493
Are You Prepared? 494
Detection and Analysis 497
Warning Signs 497
Initial Detection 499
Timeline Analysis 500
Notification 500
Prioritization 501
Containment and Eradication 502
Evidence Gathering, Preservation, and Use 504
Constant Monitoring 505
Recovery: Getting Back to Business 505
Data Recovery 506
Post-Recovery: Notification and Monitoring 508
Post-Incident Activities 508
Learning the Lessons 509
Support Ongoing Forensics Investigations 510
Information and Evidence Retention 511
Information Sharing with the Larger IT Security Community 511
Summary 512
Exam Essentials 512
Review Questions 518
Chapter 11 Business Continuity via Information Security and People Power 525
A Spectrum of Disruption 526
Surviving to Operate: Plan for It! 529
Cloud-Based Do-Over Buttons for Continuity, Security, and Resilience 531
CIANA at Layer 8 and Above 537
It Is a Dangerous World Out There 539
People Power for Secure Communications 541
POTS and VoIP Security 542
Summary 543
Exam Essentials 544
Review Questions 547
Chapter 12 Risks, Issues, and Opportunities, Starting Tomorrow 553
On Our Way to the Future 554
Access Control and Zero Trust 555
AI, ML, BI, and Trustworthiness 556
Quantum Communications, Computing, and Cryptography 557
Paradigm Shifts in Information Security? 558
Perception Management and Information Security 559
Widespread Lack of Useful Understanding of Core Technologies 560
IT Supply Chain Vulnerabilities 561
Government Overreactions 561
CIA, CIANA, or CIANAPS? 562
Enduring Lessons 563
You Cannot Legislate Security 563
It's About Managing Our Security and Our Systems 563
People Put It Together 564
Maintain Flexibility of Vision 565
Accountability-It's Personal. Make It So. 565
Stay Sharp 566
Your Next Steps 567
At the Close 568
Appendix Answers to Review Questions 569
Self-Assessment 570
Chapter 2: Information Security Fundamentals 576
Chapter 3: Integrated Information Risk Management 579
Chapter 4: Operationalizing Risk Mitigation 581
Chapter 5: Communications and Network Security 583
Chapter 6: Identity and Access Control 586
Chapter 7: Cryptography 589
Chapter 8: Hardware and Systems Security 592
Chapter 9: Applications, Data, and Cloud Security 594
Chapter 10: Incident Response and Recovery 597
Chapter 11: Business Continuity via Information Security and People Power 601
Index 605
