- A
- access, determining, 165
- access reviews, 69
- alert fatigue, 100
- API keys, 79
- application programming interfaces (APIs), 109–110, 115, 162
- applications
  - application logs, 50, 54
  - cloud, 103–116
  - deploying, 113
  - legacy, 65
  - scalability of, 113
  - security of, 83
- B
- badges, 39
- BAS (breach and attack simulation), 155
- best of breed, 26
- best practices, 46
- blind spots, 95, 105, 114–115
- blue team, 134
- Box, 114
- breach and attack simulation (BAS), 155
- buffer overflows, 144
- bug bounty programs, 85
- Business Continuity Plan (BCP), 28, 46
- Business Impact Assessment (BIA), 28
- business outcomes, 165
- C
- cameras, 161
- Capability Maturity Model, 154, 163, 167
- card reader, 30, 31, 33, 34, 36, 38, 39–41, 161
- CASB (Cloud Access Security Broker), 95, 107, 114, 162
- CCPA, 71
- Centola, David, 130
- challenge questions, 65
- Chang, Donna, 5
- CAIQ (Consensus Assessments Initiative Questionnaire), 106
- CI/CD (continuous integration and continuous delivery), 76–77, 79
- Cloud Access Security Broker (CASB), 95, 107, 114, 162
- cloud apps, 103–116
- cloud logging, 95
- cloud security, 120
- Cloud Security Alliance, 106, 115, 120
- cloud services, 162
- CMDB tools, 100
- code review, 82
- collaboration tools, 122, 123
- compliance, 26
- compliance-management mechanisms, 50, 54
- Consensus Assessments Initiative Questionnaire (CAIQ), 106
- Consumer Identity and Access Management, 161
- container checks, 111
- containment, 32, 163
- Containment, Eradication, and Recovery stage, of NIST Cybersecurity Framework, 99–100
- containment, measuring, 96, 101
- continuous integration and continuous delivery (CI/CD), 76–77, 79
- contracts, 106
- Covey, Stephen
- credentialed scan, 145, 148–149
- cross-site scripting (XSS), 84–85, 114–115
- culture of security. See sustainable culture
- Cunningham, Chase, 7
- Curphey, Mark, 78
- cyber insurance carrier, 142–143
- D
- data, applications, assets, and services (DAAS) elements, 165, 167
- data-driven decisions, 44
- deception technologies, 155
- defense in depth, 26
- Defined stage
  - of Capability Maturity Model, 163
  - of Zero Trust Maturity Model, 168–170
- deploying applications/services, 113
- DevOps, 73–85, 161
- disaster recovery tools, 100
- Docker, 84
- E
- emulation tools, 155
- Equifax, 115–116
- ERP change control, 49, 54
- ERP systems, 50, 52, 53, 54, 161
- error pages, 108
- Experian, 115–116
- F
- Facebook, 115
- false positives, 135
- feedback loop, 101
- firewalls, 32, 80
- fog of war, 149
- Forrester, 54
- G
- Gartner, 54
- General Data Protection Regulation (GDPR), 59–60, 71
- Google, 54
- Groves, Dennis, 78
- H
- HIPAA, 71
- honeypots, 96, 157
- honeytokens, 96
- hotwash, 143
- human behavior, 130
- I
- IaaS (infrastructure as code), 81
- identity
  - about, 50
  - as a cornerstone, 57–72
  - importance of, 161
- Identity Defined Security Alliance (IDSA), 69, 72
- incident management, 41
- incident response (IR) process, 97, 99, 100, 101–102
- Information Security Advisory Council (ISAC), 123
- infrastructure as code (IaaS), 81
- Initial stage
  - of Capability Maturity Model, 163
  - of Zero Trust Maturity Model, 168–170
- inside-out design, 109
- intellectual property, 76
- internal network, 32
- inventory, 160
- IoT devices, 144, 148
- IP addresses, 88–89, 123–124
- IR (incident response) process, 97, 99, 100, 101–102
- ISAC (Information Security Advisory Council), 123
- ISO 27001, 98
- K
- Kindervag, John, 7, 51, 71, 92, 154, 159
- Kubernetes, 79–80, 84, 110–111
- L
- legacy applications, 65
- live-fire drill, 135, 148
- Lockheed Martin Cyber Kill Chain, 59
- M
- Managed Security Service Provider (MSSP), 91, 93, 101, 161–162
- Managed stage
  - of Capability Maturity Model, 163
  - of Zero Trust Maturity Model, 168–170
- Master Scenario Events List (MSEL), 135, 147, 171–177
- maturity model, 163
- memory-safe IoT programming language, 144
- MFA (multifactor authentication), 64–65, 68, 107–108, 113, 123
- microsegmentation, 40–41
- MITRE ATT&CK framework, 94, 96, 156
- MITRE Engage framework, 156–157
- monitoring, 68–69, 95, 166, 170
- MSEL (Master Scenario Events List), 135, 147, 171–177
- MSSP (Managed Security Service Provider), 91, 93, 101, 161–162
- multifactor authentication (MFA), 64–65, 68, 107–108, 113, 123
- N
- National Institute of Standards and Technology (NIST)
  - definition of Zero Trust (ZT), 55
  - NIST Cybersecurity Framework, 98, 99, 102
  - SP 800-53, 98
  - SP 800-61, 99, 102
  - SP 800-84 Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities, 135, 147, 171
  - SP 800-171, 98
  - SP 800-207, 51, 54–55, 108, 109, 114, 161
  - Zero Trust network view, 52
- Network Detection and Response (NDR) tools, 95
- network segmentation, 80
- network-based detection, 95
- networked devices, 40
- O
- OneDrive, 107, 114
- Open Supervised Device Protocol (OSDP), 34
- Open Web Application Security Project (OWASP), 77–78, 79, 84, 109, 114–115
- Optimized stage
  - of Capability Maturity Model, 163
  - of Zero Trust Maturity Model, 168–170
- OSDP (Open Supervised Device Protocol), 34
- OWASP (Open Web Application Security Project), 77–78, 79, 84, 109, 114–115
- P
- PAM (privileged access management), 64
- Park, Chun, 117
- Parler, 115
- password vault, 124
- passwords
- patches, 47, 76–77, 101–102
- Peloton, 115
- people, as the weakest link, 131, 162
- perimeter security, 31–33
- The Phoenix Project, 76
- physical security, 31–33, 39, 160–161
- policy enforcement point, 108–109
- policy engine, 114
- port scan, 148
- privileged access management (PAM), 64
- problem management, 41
- protect surfaces, 93, 97, 98, 100, 104, 105, 113, 120, 128, 154, 163, 165, 166, 168
- provisioning accounts, 60–63
- proximity badges, 40
- proximity card system, 33
- PSExec, 89, 90
- purchase orders, 106
- purple team, 134
- Pygmalion effect, 127, 131
- R
- RBAC (role-based access control), 80
- reauthentication, 66
- red herrings, 149
- red team, 134
- Repeatable stage
  - of Capability Maturity Model, 163
  - of Zero Trust Maturity Model, 168–170
- RFID cloner, 39
- rightsizing exercise, 154
- risk register, 160, 163
- role cleanup, 68
- role-based access control (RBAC), 80
- Rosenthal, Robert, 131
- Rust, 144
- S
- SaaS (software-as-a-service), 106–107, 115
- SalesForce, 114
- scalability, of applications/services, 113
- SDP (software-defined perimeter), 108–109, 114
- secondary attack surface, 32
- Secure Access Services Edge (SASE), 109, 110, 114
- Secure Service Edge (SSE), 109
- security
- security awareness training, 125, 130
- security dongle, 139
- security guards, 41
- security information and event management (SIEM) system, 53, 69
- security minute, 124–125
- Security Operations Center (SOC), 87–102, 161–162
- security orchestration system, 93, 94
- segmentation, 145
- shadow IT, 113–114
- Shared Assessments, 115
- SharePoint, 107, 114, 130
- Shift Left philosophy, 94
- SIEM (security information and event management) system, 53, 69
- SIM-jacking, 60
- Single Sign On (SSO), 83, 122–123
- Slack, 130
- SOC (Security Operations Center), 87–102, 161–162
- software-as-a-service (SaaS), 106–107, 115
- software-defined perimeter (SDP), 108–109, 114
- SolarWinds breach, 65–66
- specialized programming languages, 49, 54
- Speed of Light (Covey), 131
- SQL injection, 78, 84–85, 114–115
- SSE (Secure Service Edge), 109
- SSO (Single Sign On), 83, 122–123
- standards, 110–111, 147
- strategy, Zero Trust as a, 13–28
- sustainable culture, 117–131
- T
- tabletop exercise, 133–149, 162
- tactics, techniques, and procedures (TTPs), 100–101, 156
- teams, implementing, 160
- technology silos, 159
- telemetry, 166
- traditional vulnerability management tools, 49, 54
- traffic
  - inspecting and logging, 165
  - unknown, 160
- transaction flow matrix chart, 154–155
- transaction flows, 36–37, 39, 47–49, 166, 169
- trust
  - compared with Zero Trust, 10–11
  - as a vulnerability, 29–41
- TTPs (tactics, techniques, and procedures), 100–101, 156
- U
- UEBA, 52, 69
- uncredentialed scan, 145
- unknown traffic, 160
- V
- Vega, Victor, 73
- vendors, 106
- Verizon Data Breach report (2021), 163
- virtual local area network (VLAN), 40
- vulnerability, trust as a, 29–41
- vulnerability scanning server, 144–145, 148–149
- W
- web application firewalls (WAFs), 80–81, 84–85, 107–108, 109, 114–115, 162
- wellness program, 125–126
- X
- XSS (cross-site scripting), 84–85, 114–115
- Z
- Zero Trust (ZT)
  - architecture for, 166, 169
  - case for, 1–11
  - challenges of, 56
  - compared with trust, 10–11
  - defined, 55
  - design principles, 16, 18, 27, 30–31, 51, 92, 159, 165
  - DevOps, 73–85
  - implementation curve, 27–28
  - methodology, 18, 27, 159, 166
  - policy for, 166, 170
  - SOC, 87–102
  - as a strategy, 13–28
  - sustainable culture, 117–131
  - tabletop exercise, 133–149
  - tenets of, 55
  - trap to, 131
- Zero Trust Enterprise (ZTE), 55
- Zero Trust Maturity Model, 153–154, 167–170