3DES (Triple DES encryption), 509, 510
3G standard, 111
4G standard, 111
128-bit level cryptography, 202, 509
802.1x authentication server, 107
802.3 standard, 78
802.11 standards, 103
802.11i standard, 105
A
A record, 88
AAA (authentication, authorization, and accounting), 18–19, 140–142
AAAA record, 88
ABAC (Attribute-based Access Control), 53–54, 147
acceptable use policy (AUP), 209, 281, 341, 436, 439
acceptance, 479
access control entries (ACEs), 51
access control lists (ACLs), 49, 129
access control matrix, 57
access control models, 49–57
access controls, 27–70
Attribute-based Access Control, 53–54
Discretionary Access Control, 50–51
federated access, 42–43
implementing, 46–49
logical, 49
maintenance, 59–60
Mandatory Access Control, 54–57
non-discretionary, 51–57
protecting data via, 404
Role-based Access Control, 51–53
Rule-based Access Control, 53
subjects vs. objects, 46–49
unauthorized access, 281
weak, 260
access points (APs), 103, 104, 203–204
account lockout policies, 59–60
account lockouts, 59–60, 373, 439
accountability. See also audits/auditing
access control and, 370–371
with audit logs. See audit logs
statement of, 437
accounting systems, 372–373
accreditation, 419–426
ACEs (access control entries), 51
ACLs (access control lists), 49, 74, 129–130
Active Directory, 107
ActiveX controls, 187, 188, 228
Address Resolution Protocol (ARP), 86–87, 179
administrative controls, 335, 336
Advanced Encryption Standard (AES), 11, 105–106, 499, 509–510
advanced persistent threats (APTs), 165–166, 169, 172, 260, 310
AES (Advanced Encryption Standard), 11, 105–106, 499, 509–510
aggregate data, 414
AH (authentication header), 93, 527
AI (artificial intelligence), 303–304
ALE (annual loss expectancy), 273, 274, 275
alerts
anomalies, 296
clipping levels, 372–373
Cyber Awareness Alerts, 239
SIEM applications, 308
Amazon Two-Step Verification, 39
Amazon Web Services (AWS), 151, 167
annual loss expectancy (ALE), 273, 274, 275
annual rate of occurrence (ARO), 273, 274, 275
anomaly-based detection, 303–304
Ansible tool, 388
antennas, wireless, 105
antivirus software, 236–240. See also viruses
behavior-based detection, 239–240
content-filtering appliances, 241–243
example of, 236–238
keeping signatures up to date, 240, 260
malware posing as, 224–225
overview, 236
sandboxing and, 244–245
signature-based detection, 238
spam filters, 240–241
using, 339
virus resources, 238
appliances
content-filtering, 241–243
application logs, 375
application reviews, 186
applications. See also software
input validation, 185–186
MDM, 346–347
sandboxing, 188
updates to, 234
APs (access points), 103, 104, 203–204
APTs (advanced persistent threats), 165–166, 169, 172, 260, 310
archiving, 405
armored viruses, 221
ARO (annual rate of occurrence), 273, 274, 275
ARP (Address Resolution Protocol), 86–87, 179
artificial intelligence (AI), 303–304
assets
data storage, 419
hardware inventory, 418–419
identifying, 266
managing throughout lifecycle, 418–419
software inventory/licenses, 419
Associate of (ISC)2 designation, 2
asymmetric encryption, 499, 512–525
asynchronous dynamic passwords, 35, 36
attachments, infected, 235
attack surface, 272
attack vectors, 272
attackers, 163–169
advanced persistent threats, 165–166
based in China, 165–166
based in Iran, 172
based in North Korea, 169, 226, 481
based in Russia, 166, 172, 226, 310, 481
crackers, 164
defined, 164
hackers. See hackers
maintaining a presence, 260
overview, 163–164
retaliating against, 443
terminated employees, 260
threat actors, 257–258
attacks, 163–217. See also malware
backdoor attacks, 228–229
basic countermeasures, 170–171
buffer overflows, 188–189
ciphertext-only attacks, 537
collision attacks, 537–538
considerations, 169–170
covert channels, 201–202
cross-site request forgery, 192–193
cross-site scripting attacks, 191
data interference attacks, 414
DNS poisoning, 184
drive-by downloads, 174–175, 198, 233–234, 517
fingerprinting, 179–180
fraggle attacks, 185
injection attacks, 189–191
known-plaintext attacks, 537
LAND attack, 174
man-in-the-middle attacks, 181–183
methods/activities, 259–260
obtaining sensitive information, 166, 191, 249, 259
OS detection, 180
phishing attacks, 166, 167, 197–200, 226
ping of death, 174
port scanning, 179–180
ransomware attacks, 169, 225–226
reconnaissance attacks, 179–180, 259, 318
replay attacks, 183
session hijacking, 183–184
smishing attacks, 200
smurf attacks, 184–185
sniffing attacks, 176–179
spam, 196–197
SYN flood attacks, 75, 173, 301–302
tools for, 259
trapdoor attacks, 228–229
VM escape attacks, 348
wireless attacks, 202–205
WPA cracking attacks, 205
WPS attacks, 205
zero day exploits, 200–201, 234, 242
Attribute-based Access Control (ABAC), 53–54, 147
attributes, 411
attribute-value pairs (AVPs), 139
audit finding remediation, 315–316
audit logs, 374–380
considerations, 372
holding users accountable with, 370–372
managing, 380
*nix logs, 376–377
nonrepudiation and, 17
operating system logs, 374–376
recording activity, 369
recording details with, 371–372
repudiation and, 371
reviewing, 379–380
storing on remote systems, 376
types of, 374–378
auditing systems, 344
audits/auditing
auditing activity, 369
change management, 388–390
configuration management, 385–388
ISACA, 382–383
log files. See audit logs
overview, 369
passwords, 381–382
PCI DSS, 383–385
performing security audits, 380–385
physical access controls, 385
reviewing audits, 380–381
security policies, 382
AUP (acceptable use policy), 209, 281, 341, 436, 439
authentication, 28–46
centralized vs. decentralized, 44
certificates, 528
CHAP, 139
considerations, 27
described, 28
device, 45–46
Diameter, 141
digital signatures, 518
EAP, 139–140
federated access, 42–43
Kerberos protocol, 40–42
MS-CHAP, 139
multifactor, 38–39
offline, 45
PAP, 138
passwords. See passwords
PEAP, 139
remote access, 138–142
reviewing identification, 40
SAML, 43
smart cards, 34–35
something you know, 29–34
TACACS+, 142
three factors of, 29–39
two-step verification, 39
authentication, authorization, and accounting (AAA), 18–19, 140–142
authentication header (AH), 93, 527
authentication servers, 35
authenticity, 498
authorization, 18, 19, 27, 28, 58–59
Auto-Tuning, 312
AVPs (attribute-value pairs), 139
AWS (Amazon Web Services), 151, 167
B
backdoor attacks, 228–229
backup plans, 438
backups, 356–360
full, 357
full/differential, 359
full/incremental, 357–358
image-based, 359–360
overview, 356–357
BCP (business continuity plan), 445–456
business impact analysis, 447–448
considerations, 446
described, 445
vs. DRP, 451–452
response plans, 341
restoration planning, 452
Bcrypt encryption, 511
behavior-based detection, 239–240
Bell, David Elliot, 55–56
Bell-LaPadula model, 55–56
Berkeley Internet Name Domain (BIND), 88
BIA (business impact analysis), 447–451
cost considerations, 448
described, 445
identifying critical functions, 341, 446
maximum acceptable outage, 448
output, 450–451
overview, 447–448
recovery point objective, 449
recovery time objective, 448–449
BIND (Berkeley Internet Name Domain), 88
biometrics, 36–38
behavioral, 37
errors, 37–38
BitLocker, 349
Bitly, 244
bits, 72
black box testing, 311
black hats, 164
blacklisting applications, 245
blacklisting/blacklists, 128, 348
block ciphers, 509
blog articles, 5
Blowfish encryption, 511
Bluebugging, 110
Bluejacking, 110
Bluesnarfing, 110
Bluetooth technology, 110
Bogachev, Evgeniy Mikhailovich, 226
boot sector viruses, 221
BootP (Bootstrap Protocol), 87
Bootstrap Protocol (BootP), 87
botnet traffic, 517
bring your own device (BYOD), 345, 346
broadcast messages, 89
brute-force attacks, 194
buffer overflow attacks, 188–189
bus topology, 79–80
business continuity, 438
business continuity plan. See BCP
business impact analysis (BIA), 447–448
BYOD (bring your own device), 345, 346
C
CA (certificate authority), 187, 531–534
CACs (Common Access Cards), 40
Cambridge Analytica, 409
canvas fingerprinting, 46, 230
capability table, 57
CAPTCHA code, 226
Carrier Sense Multiple Access/Collision Avoidance (CSMA/CA), 79
Carrier Sense Multiple Access/Collision Detection (CSMA/CD), 79
Cascading Style Sheets (CSS), 191
CBA (cost-benefit analysis), 328–329
CBK (Common Body of Knowledge), 2
CBT (Computer-Based Testing), 3
CC (Common Criteria), 421–422
CCMP (Cipher Block Chaining Message Authentication Code Protocol), 105, 106, 107, 202
centralized authentication, 44
CER (Crossover Error Rate), 37, 38
CERT (Computer Emergency Response Team), 222
CERT Division, 460
certificate authority (CA), 187, 531–534
certificate revocation list (CRL), 533, 534
certificate trust chain, 531–532
certificate trusts, 534–536
certificates, 527–531
cross-certification trust, 535–536
information included with, 531
purposes of, 528–529
revoking, 533
self-signed, 535
validating, 533–534
certification process, 419–426. See also SSCP certification
Common Criteria, 421–422
overview, 419–420
requirements, 420–422
risk management framework, 422–423
system development lifecycle, 423–426
Certified Information Security Manager (CISM) certification, 382
Certified Information Systems Auditor (CISA) certification, 382
Certified Information Systems Security Professional (CISSP) certification, 4–5
Challenge Handshake Authentication Protocol (CHAP), 139
change control, 342
change management, 388–390
channels, 201
CHAP (Challenge Handshake Authentication Protocol), 139
Chef tool, 388
Children’s Online Privacy Protection Act (COPPA), 487
Chinese hackers, 165–166
choose your own device (CYOD), 346
chosen-plaintext attacks, 537
CIA (confidentiality, integrity, and availability), 9–14, 331
CIDR (Classless Inter-Domain Routing) notation, 123
Cipher Block Chaining Message Authentication Code Protocol (CCMP), 105, 106, 107
ciphertext, 498
ciphertext-only attacks, 537
CIRT (computer incident response team), 282–283
CISA (Certified Information Systems Auditor) certification, 382
CISM (Certified Information Security Manager) certification, 382
CISSP (Certified Information Systems Security Professional) certification, 4–5
clarity, 479
Classless Inter-Domain Routing (CIDR) notation, 123
Clear to Send (CTS), 79
client-server network, 84
client-side validation, 186
clipping levels, 372–373
cloud computing, 149–154
cloud operation models, 151
compliance, 153–154
data breaches and, 152–153
data control, 153
data handling and, 407
legal issues, 152, 153–154, 488–489
models, 151
privacy and, 152–153
shared responsibility models, 149–151
storage, 152
CME (continuing medical education) credits, 9
CNAME record, 88
CNSA (Commercial National Security Algorithms), 203
COBIT (Control Objectives for Information and Related Technology), 382–383
code
backdoor, 228–229
HTML, 191
JavaScript, 191
malicious. See malware
mobile code, 228
review of, 186
trapdoor, 228–229
code signing, 187–188, 228, 245, 528
code of ethics
complying with, 442–443
(ISC)2, 7–9
cognitive passwords, 30, 58, 409
collision attacks, 537–538
columns, 411
Commercial National Security Algorithms (CNSA), 203
Common Access Cards (CACs), 40
Common Body of Knowledge (CBK), 2
Common Criteria (CC), 421–422
Common Vulnerabilities and Exposures (CVE) list, 246–247
Common Vulnerability Scoring System (CVSS), 268–269
community cloud, 151
compensating controls, 333–334
compliance monitoring, 296
compromise, 259
computer abuse, 480–481
computer crime
vs. computer abuse, 480–481
forensics. See computer forensics
fraud/embezzlement, 480–484
identity theft, 171–172, 484–485
Ponzi schemes, 482
prevention of, 482–484
Computer Emergency Response Team (CERT), 222
computer forensics, 469–480
first responders, 473–474
fraud and, 479–480
handling evidence, 473–474
incident lifecycle, 469–473
legal/ethical principles, 478–480
overview, 469
phases of investigation, 474–478
computer incident response team (CIRT), 282–283
Computer-Based Testing (CBT), 3
Confidential classification, 400, 401, 500
confidentiality, integrity, and availability (CIA), 9–14, 331
configuration management, 342, 385–388
connectionless communication, 76
connection-oriented communication, 76
content-filtering appliances, 241–243
continuing medical education (CME) credits, 9
continuing professional education (CPE) credits, 9
Control Objectives for Information and Related Technology (COBIT), 382–383
control plane, 147–148
controls. See security controls
COPE (corporate-owned, personally enabled) devices, 346
COPPA (Children’s Online Privacy Protection Act), 487
copyrights, 16
corporate-owned, personally enabled (COPE) devices, 346
corrective controls, 333
cost of control, 273
cost-benefit analysis (CBA), 328–329
countermeasures, 170–171. See also security controls
covert channels, 201–202
CPE (continuing professional education) credits, 9
crackers, 164
credential management systems, 32
credibility, 479
crimes. See computer crime
CRL (certificate revocation list), 533, 534
cross-certification trust, 535–536
Crossover Error Rate (CER), 37, 38
cross-site request forgery (CSRF), 192–193
cross-site scripting (XSS) attacks, 191, 193
cryptanalysis attacks, 536–538
authenticity, 498
chosen-plaintext attacks, 537
ciphertext-only attacks, 537
considerations, 536
countermeasures, 538
hash collision attacks, 537–538
integrity, 497
known-plaintext attacks, 537
cryptanalysis techniques, 536
cryptographic systems, 499
cryptography, 497–546. See also encryption
128-bit level, 509
basic concepts, 497–501
confidentiality, 497
data sensitivity and, 500
described, 499
ECC, 517–518
hashing. See hashes/hashing
public key infrastructure. See PKI
regulatory requirements, 500–501
RSA algorithm, 513–514
terminology, 498–499
CryptoLocker, 225–226, 229, 238
CSMA/CA (Carrier Sense Multiple Access/Collision Avoidance), 79
CSMA/CD (Carrier Sense Multiple Access/Collision Detection), 79
CSRF (cross-site request forgery), 192–193
CSS (Cascading Style Sheets), 191
CTS (Clear to Send), 79
CVE (Common Vulnerabilities and Exposures) list, 246–247
CVSS (Common Vulnerability Scoring System), 268–269
cyberbullying, 481
CyberGhost, 204
Cybersecurity Framework, 457–459
cyberstalking, 481
cyberwarfare, 481
CYOD (choose your own device), 346
D
DAA (Designated Approving Authority), 420
DAC (Discretionary Access Control) model, 50–51
DACLs (discretionary access control lists), 50
DARPA (Defense Advanced Research Projects Agency), 77
data
aggregate, 414
auditing, 153
breaches. See data breaches
destruction of, 153
encrypted. See encryption
handling of. See data handling
machine, 308
persistent, 476
personal/private. See PII
portability, 153
privacy. See privacy
public, 401
resilience, 153
sensitive. See sensitive data
skimming, 207–208
SMB, 135–136
stored in RAM, 476
unclassified, 400
value of, 442
volatile, 476
data at rest, 403–404
data breaches
with cloud providers, 152–153
data theft and, 171–172
defining, 485
personally identifiable information and, 415, 416, 484–485
system patches and, 170
data center assessment, 61–62
data centers, 347
data classifications, 500
data custodian, 402
Data Definition Language (DDL), 413
Data Encryption Standard (DES), 11, 509, 510
data exfiltration, 296
data handling, 399–418
access control methods, 404
archiving/retention, 405
classifying data, 399–402
cloud computing and, 407
considerations, 399
data at rest, 403–404
data diddling, 415
data in motion, 403–404
data in use, 404
data interference, 414
data loss prevention, 408
deduplication, 407–408
importance of, 399
information rights management, 409–410
magnetic-based media, 406
marking/labeling data, 402
need-to-know principle, 400
regulatory requirements, 415–417
removing data remnants, 405–407, 425
roles/responsibilities, 402–403
sanitizing/purging data, 406
social network usage and, 408–409
storage of data, 404–405
training/awareness, 417–418
transmission of data, 405
data in motion, 403–404
data in use, 404
data interference, 486
Data Link layer, 74
data loss prevention (DLP), 408
data management policies, 404–410
Data Manipulation Language (DML), 413
data normalization, 412
data plane, 147–148
data remanence, 406
data transmissions, 105–107
databases, 410–414
basic concepts, 410–411
communicating with, 413
described, 410
key elements of, 411
OLTP vs. OLAP, 413–414
relational, 410–412
views, 412–413
DDL (Data Definition Language), 413
DDoS (distributed DoS) attacks, 174, 175, 281
debugging process, 229
decentralized authentication, 44
decryption process, 498
deduplication, 407–408
Defense Advanced Research Projects Agency (DARPA), 77
defense diversity, 132–133
defense in depth, 16–17, 242, 300
degaussing, 406
demilitarized zone. See DMZ
denial of service (DoS) attacks, 172–174, 281
Department of Homeland Security (DHS), 166
de-provisioning, 60
DES (Data Encryption Standard), 11, 509, 510
Designated Approving Authority (DAA), 420
detection system logs, 305–306
detective controls, 332–333
deterrent controls, 334
devices
Apple, 348
authentication, 45–46
Bluetooth, 110
COPE, 346
CYOD, 346
drives. See drives
endpoint, 344–350
fingerprinting, 45
IoT, 176
mobile. See mobile devices
UTM, 131–132
virtual network, 149
DHCP (Dynamic Host Configuration Protocol), 86, 103
DHCP servers, 86
DHS (Department of Homeland Security), 166
Diameter protocol, 141
dictionary attacks, 194
Diffie-Hellman algorithm, 517
digital files, 402
digital rights management (DRM), 409–410
Digital Signature Algorithm (DSA), 519
digital signatures, 18, 88, 519–521, 522
directive controls, 334
disaster recovery plan (DRP), 445–456
discovery, 318
discretionary access control lists (DACLs), 50
Discretionary Access Control (DAC) model, 50–51
distributed DoS (DDoS) attacks, 174, 175, 281
DKIM (Domain Keys Identified Mail), 241, 524
DLP (data loss prevention), 408
DMARC (Domain-based Message Authentication, Reporting and Conformance), 241, 524
DML (Data Manipulation Language), 413
DMZ (demilitarized zone)
considerations, 306
firewalls and, 129, 130, 132, 133
IP addresses and, 99
overview, 97–98
DNS (Domain Name System), 87–88, 150
DNS attacks, 150
DNS cache, 88
DNS servers, 87–88, 150, 176, 184
DNSSEC (Domain Name System Security Extensions), 88
DocuSign, 518
domain controllers, 84
Domain Keys Identified Mail (DKIM), 241, 524
Domain Name System. See DNS entries
Domain Name System Security Extensions (DNSSEC), 88
domain validation, 529
Domain-based Message Authentication, Reporting and Conformance (DMARC), 241, 524
DoS (denial of service) attacks, 172–174, 281
drills, 453
drive-by downloads, 174–175, 198, 233–234, 517
drives
authenticating with hashes, 477
destruction of, 425
flash, 133, 331, 347, 404, 439, 510
USB, 133, 220, 235, 242, 404, 439
DRM (digital rights management), 409–410
Dropbox, 152–153
DRP (disaster recovery plan), 445–456
alternative locations, 453
vs. BCP, 451–452
emergency response plans, 451
fault tolerance and, 451
high-risk zones, 446–447
mobile sites, 455–456
preparing for disasters, 446–447
response plans, 341
service disruptions, 445
testing/drills, 453
DSA (Digital Signature Algorithm), 519
due care, 20–21
due diligence, 20
dumpster diving, 208
Dynamic Host Configuration Protocol. See DHCP
dynamic ports, 94
dynamic SQL, 189–190
E
EALs (Evaluation Assurance Levels), 421
EAP (Extensible Authentication Protocol), 139–140
EAP-TTLS (EAP-Tunneled TLS), 139–140
EAP-Tunneled TLS (EAP-TTLS), 139–140
Ebbers, Bernard, 482
ECC (elliptic curve cryptography), 517–518
ECDSA (Elliptic Curve Digital Signature Algorithm), 519
e-discovery (electronic discovery), 152, 489
education, 2. See also training programs
EER (Equal Error Rate), 37
EF (exposure factor), 246–247, 273
electromagnetic interference (EMI), 73
electronic discovery (e-discovery), 152, 489
electronic signatures, 518
elliptic curve cryptography (ECC), 517–518
Elliptic Curve Digital Signature Algorithm (ECDSA), 519
e-mail
encrypting, 521–523
filtering spam, 240–241
hoaxes, 230
infected attachments, 235
malicious links in, 243–244
malware on, 234–235
phishing attacks, 166, 167, 197–200, 226
protecting with certificates, 528
protecting with DKIM, 241, 524
protecting with S/MIME, 518
spam, 196–197
SPF records, 241
Trojan horse, 223
e-mail protocols, 93
e-mail servers, 93
embezzlement, 481–484
emergency response plans, 451
EMI (electromagnetic interference), 73
employees. See also users
job rotation, 483–484
mandatory vacations, 482–483
permissions. See permissions
social engineering and. See social engineering
terminated, 260
training. See training programs
Encapsulating Security Protocol (ESP), 94, 527
encapsulation, 72
encryption. See also cryptography
Bcrypt, 511
Blowfish, 511
certificates, 528
considerations, 500
data, 112
data at rest/data in motion, 403–404
deduplication and, 408
described, 498
digital signatures, 519–521, 522
e-mail, 521–523
endpoint, 348–349
GPG, 524–525
IDEA, 511
one-way, 502–503
PGP, 524–525
process, 10–11
RC4, 511
reversible, 31
Rijndael, 509
ROT13, 507–508
S/MIME, 518
SSH, 518
steganography, 525–526
TLS. See TLS entries
encryption algorithm, 499
encryption process, 498
endpoint device security, 344–350
endpoint encryption, 348–349
Enron scandal, 417
Enterprise mode, 106–107
entitlement, 60
environmental metrics, 269
environmental protection, 337
Equal Error Rate (EER), 37
Equifax data breach, 170, 415–416, 441
error handling, 188
error rates, 479
ESP (Encapsulating Security Protocol), 94, 527
Ethernet, 78–79
ethical hackers, 164
ethics statement, 440
EUI (Extended Unique Identifier), 87
EUI-64 addresses, 87
Evaluation Assurance Levels (EALs), 421
event data analysis, 305
Event Viewer, 374–376
events
analysis of, 305
anomalies, 296
compliance monitoring, 296
data exfiltration, 296
intrusions, 296
resulting in service disruptions, 445
unauthorized changes, 296
events log, 375–376
events of interest, 295–296
evidence
acquiring, 475–477
analyzing, 477–478
authenticating, 477
handling, 473–474
evil twins, 204
Exam Objective Map, 4
Exam Outline, 4
examination. See SSCP certification
experience, work, 2
exploitability metrics, 268
exposure factor (EF), 246–247, 273
Extended Unique Identifier (EUI), 87
Extensible Authentication Protocol (EAP), 139–140
external testing, 311
F
face-recognition technologies, 40
failover clusters, 13, 354–355
False Acceptance Rate (FAR), 37, 38
False Rejection Rate (FRR), 37, 38
Fancy Bear, 310
FAR (False Acceptance Rate), 37, 38
fault-tolerant controls, 350–356
FDDI (Fiber Distributed Data Interface), 82
Federal Information Processing Standards (FIPS), 456
federated access, 42–43
fiber connections, 73
Fiber Distributed Data Interface (FDDI), 82
fiber-optic cabling, 73
fields, 411
file integrity checkers, 306
File Transfer Protocol. See FTP
files
authenticating with hashes, 477
checking integrity of, 306
digital, 402
log. See log files
transferring with FTP, 76, 84, 90, 177
fingerprinting
devices, 45
network, 318
TCP/IP stack, 180
fingerprinting attacks, 179–180
FIPS (Federal Information Processing Standards), 456
FireEye, 225
firewall logs, 378
firewalls, 128–133
application, 131
application gateway, 131
basic, 104
defense diversity, 132–133
enabling, 339
next-generation, 131–132
packet-filtering, 128–130
stateful inspection, 130–131
third-generation, 131
UTM devices, 131–132
fixes, 342–344
flash drives, 133, 331, 347, 404, 439, 510
foreign key, 410–412
forensics. See computer forensics
forwarding plane, 147
fraggle attacks, 185
fraud, 480–484
FRR (False Rejection Rate), 37, 38
FTP (File Transfer Protocol), 76, 84, 90, 177
FTP servers, 90
fuzzy hashing, 238
G
GDPR (General Data Protection Regulation), 417, 485–486, 488, 501
General Data Protection Regulation (GDPR), 417, 485–486, 488, 501
Generic Routing Encapsulation (GRE), 136
Get Certified Get Ahead website, 5
Gigabit Ethernet, 78
global positioning system (GPS), 112
Global System for Mobile Communications (GSM), 111
GNU Privacy Guard (GPG), 525, 535
Google, 150
Google 2-Step Verification, 39
Google Cloud platform, 151
Google Drive, 152
GPG (GNU Privacy Guard), 525, 535
GPS (global positioning system), 112
gray box testing, 311
gray hats, 164
GRE (Generic Routing Encapsulation), 136
Group Policy, 387
H
hackers. See also attackers
black hats, 164
Chinese, 165–166
vs. crackers, 164
described, 164
ethical, 164
gray hats, 164
Russian, 166, 172, 226, 310, 481
script kiddies, 168–169
white hats, 164
handwriting analysis, 37
hardening servers, 84
hardening systems, 170, 260, 338–340
hardware
access to, 283
inventory, 418–419
labeling, 402
loss of, 168
usage, 439
hash collision attacks, 537–538
hash message authentication code. See HMAC
hashed passwords, 194
hashes/hashing, 501–506
authenticating files/drives, 477
CHAP and, 139
considerations, 501–502
enforcing integrity with, 501–502
fuzzy, 238
MD5. See MD5 entries
one-way encryption, 502–503
overview, 11–12
salting passwords, 506
verifying integrity with, 504–505
hashing algorithms, 306, 499, 501, 502–504
hashing tools, 505
Health Insurance Portability and Accountability Act (HIPAA), 16, 416, 501
heuristic-based detection, 239–240
HIDS (host-based IDS), 297, 299–300
High Speed Packet Access (HSPA), 111
HIPAA (Health Insurance Portability and Accountability Act), 16, 416, 501
HIPS (host-based IPS), 301
HMAC (hash message authentication code), 36, 503–504
HMAC-based One-Time Password (HOTP) protocol, 36
HMAC-MD5 hash, 503–504
hoaxes, 230
honeynets, 307
honeypots, 307
host-based IDS (HIDS), 297, 299–300
host-based IPS (HIPS), 301
HOTP (HMAC-based One-Time Password) protocol, 36
HSPA (High Speed Packet Access), 111
HTML code, 191
HTML tags, 310
HTTP (Hypertext Transfer Protocol), 91, 92, 95, 298
HTTPS (Hypertext Transfer Protocol Secure), 10, 91, 92, 181, 183
HTTPS sessions, 514–516
hybrid cloud, 151
hybrid detection methods, 304
Hypertext Transfer Protocol (HTTP), 91, 92, 180, 298
Hypertext Transfer Protocol Secure (HTTPS), 10, 91, 92, 181, 183
I
IaaS (Infrastructure-as-a-Service), 149, 151
IAM (identity and access management), 58–60
IANA (Internet Assigned Numbers Authority), 94
iCloud service, 151
ICMP (Internet Control Message Protocol), 88–89
ICMP sweep, 312
IDEA (International Data Encryption Algorithm), 511
identification badges, 36
identity and access management (IAM), 58–60
identity proofing, 58
identity theft, 171–172, 484–485
Identity Theft Resource Center (ITRC), 171–172, 484–485
IdP (SecureAuth Identity Provider), 45
IDPS (IDS/IPS), 171, 182, 183, 304, 308. See also IDSs; IPSs
IDS/IPS (IDPS), 171, 182, 183, 304, 308
IDSs (intrusion detection systems), 171
considerations, 171
defense in depth and, 300
detecting unauthorized changes, 306–307
detection methods, 303–304
network-based IDS, 171, 297, 299, 304
overview, 296–297
IEEE (Institute of Electrical and Electronics Engineers), 78
IEEE 802.3 standards, 78
IGMP (Internet Group Message Protocol), 89
imaging technologies, 386–387
IMAP4 (Internet Message Access Protocol version 4), 93
impact assessments, 261–262
impact metrics, 268
impersonation, 207
incident handling processes, 470
incident lifecycle, 469–473
incident response
access to software/hardware, 283
detection/analysis/escalation, 283–284, 470
documentation, 283
implementing countermeasures, 473
incident response team, 282–283
lifecycle comparison, 281–282
war room, 283
incident response plans, 341
incidents. See also incident response
overview, 280–281
types of, 281
industrial property, 16
information rights management (IRM), 409–410
Information Technology Infrastructure Library (ITIL), 459
Information Technology Laboratory (ITL), 459
infrastructure security, 313–314
Infrastructure-as-a-Service (IaaS), 149, 151
injection attacks, 189–191
input validation, 185–186, 189, 190
Institute of Electrical and Electronics Engineers (IEEE), 78
integrity
digital signatures, 518
goal of, 497
overview, 11–13
system configuration, 11–12
verifying with hashes, 504–505
intellectual property, 16
internal testing, 311
International Data Encryption Algorithm (IDEA), 511
International Information Systems Security Certification Consortium. See (ISC)2 entries
International Organization for Standardization (ISO), 72, 269
Internet Assigned Numbers Authority (IANA), 94
Internet Control Message Protocol. See ICMP
Internet Group Message Protocol (IGMP), 89
Internet Message Access Protocol version 4 (IMAP4), 93
Internet of Things (IoT) devices, 176
Internet Protocol. See IP
Internet Protocol security. See IPsec
Internet Storm Center, 460
intrusion detection systems. See IDSs
intrusion prevention systems. See IPSs
intrusions, 296
IoT (Internet of Things) devices, 176
IP (Internet Protocol), 74
IP addresses
described, 129
filtering by, 129
private, 99–100
public, 99–100
public vs. private, 99–100
IP version 4. See IPv4
IP version 6. See IPv6
IPsec (Internet Protocol security)
components, 93–94
overview, 527
transport mode, 137
tunnel mode, 137
IPSs (intrusion prevention systems)
detecting unauthorized changes, 306–307
detection methods, 303–304
host-based IPS, 301
overview, 300–303
wireless IPS, 203
IPv4 (IP version 4), 84–85, 89, 99–100, 527
IPv4 addresses, 74
IPv4 multicasting, 89
IPv6 (IP version 6), 84–85, 89, 99–100, 527
IPv6 multicasting, 89
Iranian hackers, 172
IRM (information rights management), 409–410
ISACA, 382–383
(ISC)2 Code of Ethics, 7–9
(ISC)2 domains, 2
(ISC)2 SSCP certification. See SSCP certification
ISO (International Organization for Standardization), 72, 269
ISO 31000:2018, 281
ISO website, 269
ITIL (Information Technology Infrastructure Library), 459
ITL (Information Technology Laboratory), 459
ITRC (Identity Theft Resource Center), 171–172, 484–485
J
JavaScript libraries, 128
job rotation, 483–484
K
KDC (Key Distribution Center), 41
Kerberos protocol, 40–42
Kerberos servers, 41
Kernel PatchGuard, 228
key composition, 537
key creation, 537
Key Distribution Center (KDC), 41
key exchange, 537
key revocation, 537
key rotation, 536
key stretching, 511
keyloggers, 226–227
keys
foreign, 411
management concepts, 536–537
primary, 411
private, 499
strength of, 508–509
KnowBe4, 309–310
known-plaintext attacks, 537
L
L2F (Layer 2 Forwarding) protocol, 136
L2TP (Layer 2 Tunneling Protocol), 94, 136–137
LAN-based security, 121–126
LAND (local area network denial) attack, 174
LANs (local area networks), 78, 99, 122
LaPadula, Leonard J., 55–56
Largent, Michael, 482
Layer 2 Forwarding (L2F) protocol, 136
Layer 2 Tunneling Protocol (L2TP), 94, 136–137
least privilege, 14–15, 60, 245
least significant bit, 525–526
legal issues, 469–496
Children’s Online Privacy Protection Act, 487
cloud computing, 152, 153–154, 488–489
computer abuse, 480–481
computer crime, 480–481
data breaches, 485
electronic discovery (e-discovery), 152, 489
forensics. See computer forensics
fraud/embezzlement, 480–484
General Data Protection Regulation, 485–486
jurisdiction, 152, 407, 486, 488–489
long-term data storage, 405
Online Privacy Protection Act, 488
privacy issues, 484–488
regulatory concerns, 488–489
Social Security number confidentiality, 487
ZIP codes as PII, 486
link local addresses, 99–100
load balancing clusters, 355–356
local area network denial (LAND) attack, 174
local area networks (LANs), 78, 99, 122
log files
anomalies in, 284
application logs, 375
audit logs. See audit logs
detection system logs, 305–306
events log, 375–376
firewall logs, 378
Linux logs, 376–377
managing, 380
*nix logs, 376–377
operating system logs, 374–376
proxy server logs, 377–378
reviewing, 379–380
risk logs, 267–268
security logs, 375
setup logs, 375
storing on remote systems, 376
system logs, 305–306, 374–376, 476
UNIX logs, 376–377
logic bombs, 227
logical access controls, 49
logical controls. See technical controls
Logical Link Control, 74
logical segmentation, 123–126
Long-Term Evolution (LTE) standard, 111
LTE (Long-Term Evolution) standard, 111
M
MAC (Media Access Control), 74
MAC addresses
ARP and, 86–87
filtering, 109
NDP and, 87
spoofing, 109
whitelisting and, 304
MAC filtering, 45
MAC model, 54–57
machine data, 308
macro viruses, 221
macros, 228
Madoff, Bernie, 482
magnetic-based media, 406
mail exchange (MX) record, 88
maintenance, 59–60
malicious code. See malware
malicious websites, 191
malvertising, 234
malware, 219–254. See also attacks
analyzing attack stages, 231–233
blocking, 132
code signing and, 187–188
common vulnerabilities, 246–247
countermeasures, 235–246
delivery methods, 233–235, 259
dynamic nature of, 238
hoaxes, 230
jailbreaking, 349
keyloggers, 226–227
logic bombs, 227
malvertising, 234
preinstalled in VM, 148
ransomware, 225–226
remote access Trojan, 223
rootkits, 227–228
scareware, 224–225
security training, 246, 444, 501
spyware, 230
Trojan horse, 222–223
via e-mail, 234–235
viruses, 219–222
worms, 222
Zeus, 229
malware blocking, 132
Mandiant, 225
Mandiant virus, 226
man-in-the-middle (MITM) attacks, 181–183
mantraps, 207
MAO (maximum acceptable outage), 448
masquerading, 207
MAU (media access unit), 82
maximum acceptable outage (MAO), 448
maximum tolerable downtime (MTD), 448
maximum tolerable outage (MTO), 448
MCI WorldCom, 482
MD5 collisions, 538
MD5 hashing, 139, 194, 477, 503–504
Md5sum.exe, 505
MDM (mobile device management), 45, 143–144, 346–348
means, opportunity, and motive (MOM), 481
Media Access Control. See MAC entries
media access unit (MAU), 82
memory buffers, 188–189
mesh topology, 83
Message Digest 5 (MD5), 503
metadata, 127
metamorphic viruses, 221
metrics, 305
Microsoft OneDrive, 152
Microsoft Point-to-Point Encryption (MPPE), 136
mission statement, 437
MITM (man-in-the-middle) attacks, 181–183
MITRE Corporation, 246–247
MLD (Multicast Listener Discovery), 89
mobile code, 228
mobile device management (MDM), 45, 143–144, 346–348
mobile devices
COPE, 346
CYOD, 346
managing, 45, 143–144, 346–348
passwords, 112
mobile sites, 455–456
MOM (means, opportunity, and motive), 481
monitoring systems, 295–309
analyzing monitoring results, 305
communicating findings, 305, 309
continuous monitoring, 308–309
detecting unauthorized changes, 306–307
events. See events
honeypots, 307
intrusion detection systems. See IDSs
intrusion prevention systems. See IPSs
log files, 305–306, 374–376, 476
unauthorized connections, 306–307
Morris worm, 222
MPPE (Microsoft Point-to-Point Encryption), 136
MSAU (multistation access unit), 82
MS-CHAPv1 protocol, 139
MS-CHAPv2 protocol, 139
MTD (maximum tolerable downtime), 448
MTO (maximum tolerable outage), 448
Multicast Listener Discovery (MLD), 89
multicast messages, 89
multifactor authentication, 38–39
multipartite viruses, 221
multistation access unit (MSAU), 82
MX (mail exchange) record, 88
Mydoom worm, 229
N
NAC (network access control), 143–144
NAT (Network Address Translation), 100–101, 104, 127, 137, 377
NAT Traversal (NAT-T), 137
National Institute of Standards and Technology. See NIST
National Security Agency (NSA), 510
National Vulnerability Database (NVD), 268
NAT-T (NAT Traversal), 137
NDP (Network Discovery Protocol), 87
near field communication (NFC) technology, 110
need-to-know principle, 400
Nessus tool, 313
network access, 438
network access control (NAC), 143–144
Network Address Translation. See NAT
Network Discovery Protocol (NDP), 87
Network File System (NFS), 92
network function virtualization (NFV), 148
network interface cards (NICs), 74, 86, 133
Network layer, 74
network protocols, 84–97. See also specific protocols
network relationships, 83–84
network security
local area networks, 121–126
wireless networks, 105–109, 202–205
network topologies, 78–83
network-based IDSs (NIDSs), 171, 297, 299, 304
network-based IPSs (NIPSs), 171, 301
networking, 71–120. See also networks
cloud. See cloud computing
firewalls. See firewalls
network access control, 143–144
OSI Model, 72–77
protocols, 84–97
proxy servers, 127–128
relationships, 83–84
remote access solutions. See remote access
routers. See routers
security. See network security
switches. See switches
TCP/IP Model, 77
topologies. See network topologies
trust architectures, 97–102
use cases, 71
virtualization. See virtual environments
wireless. See wireless technologies
networks. See also networking
DMZ. See DMZ
Ethernet, 78–79
firewalls. See firewalls
PANs, 98
peer-to-peer, 83–84
security. See network security
segmentation, 123–126, 129, 148
social. See social networks
software-defined, 147–148
trust architectures, 97–102
types of, 97–99
virtual. See VPNs
WANs, 99
WPA. See WPA entries
WPA2. See WPA2 entries
NFC (near field communication) technology, 110
NFS (Network File System), 92
NFV (network function virtualization), 148
NICs (network interface cards), 74, 86, 133
NIDS agents, 297
NIDSs (network-based IDSs), 297, 299, 304
NIPSs (network-based IPSs), 171, 301
NIST (National Institute of Standards and Technology), 32, 256, 456–459
NIST bulletins, 459
NIST password recommendations, 33–34
NIST SP 800-37, 269–270
*nix logs, 376–377
Nmap, 312–313
no operation (NOOP) commands, 188
nonce, 139
non-Discretionary Access Control (non-DAC) models, 51–57
nonrepudiation, 17–18, 518–519
NOOP (no operation) commands, 188
North Korean hackers, 169, 226, 481
NSA (National Security Agency), 510
NVD (National Vulnerability Database), 268
O
OAuth, 44
object-based access control, 46, 48–49
objects, 46–49
OCSP (Online Certificate Status Protocol), 534
offline authentication, 45
OLAP (online analytical processing), 414
OLTP (online transaction processing), 413–414
One-time Password In Everything (OPIE), 36
online analytical processing (OLAP), 414
Online Certificate Status Protocol (OCSP), 534
Online Privacy Protection Act (OPPA), 488
online transaction processing (OLTP), 413–414
Open Shortest Path First (OSPF), 92
Open Systems Interconnection (OSI), 72–77
Open Web Application Security Project (OWASP), 191
Openfiler, 146
OpenID Connect, 44
OpenPGP, 535
OpenVPN, 138
operating system (OS). See also systems; specific systems
detection of, 180
keeping up to date, 243
log files, 374–376
patches. See patches
vulnerability scanning and, 312
OPIE (One-time Password In Everything), 36
OPPA (Online Privacy Protection Act), 488
OSI (Open Systems Interconnection), 72–77
OSI Model, 72–77
OSPF (Open Shortest Path First), 92
OWASP (Open Web Application Security Project), 191
P
PaaS (Platform-as-a-Service), 149, 150
packet capture, 295
packet dump, 295
packet filtering, 142
packet sniffers, 181
Padding Oracle On Downgraded Legacy Encryption. See POODLE
palm scanner, 37
PANs (personal area networks), 98, 110
PAP (Password Authentication Protocol), 138
Password Authentication Protocol (PAP), 138
password history, 30
password manager, 31
Password-Based Key Derivation Function 2 (PBKDF2), 511
passwords
age of, 30
auditing, 381–382
authentication, 18–19
blacklisted, 33
changing, 32
classifications, 29–30
cleartext, 33
complexity/strength of, 31, 33–34, 193
considerations, 28, 29, 32, 107
default, 107
expiration, 34
guidelines, 31–34
hashed, 194
mobile devices, 112
policies, 30–33, 59, 381–382, 439
salting, 506
shoulder surfing, 208
social engineering, 194
static, 29
wireless device admin, 107
PAT (Port Address Translation), 101
patches, 342–344
applying, 344
auditing systems, 344
buffer overflow attacks, 189
data breaches, 170
documenting, 344
evaluating, 343
keeping OS up to date, 243
Kernel PatchGuard, 228
malicious scripts, 228
rootkits, 228
zero day exploits, 200–201
Payment Card Industry Data Security Standard (PCI DSS), 154, 383–385, 500–501
Payment Card Industry (PCI) Security Standards Council, 383
PBKDF2 (Password-Based Key Derivation Function 2), 511
PCI DSS (Payment Card Industry Data Security Standard), 154, 383–385, 500–501
PCI (Payment Card Industry) Security Standards Council, 383
PDU (protocol data unit), 76
PEAP (Protected EAP), 139
Pearson VUE account, 3
Pearson VUE test centers, 2–3
peer-to-peer networks, 83–84
penetration testing, 317–319
permission matrix, 14
personal area networks (PANs), 98, 110
personal identification numbers (PINs), 29, 39, 205
Personal Identity Verification (PIV) cards, 40
personally identifiable information. See PII
PGP (Pretty Good Privacy), 524–525, 535
PHI (protected health information), 16, 416, 484, 485, 500, 501
phishing attacks, 166, 167, 197–200, 226
physical access controls, 385
Physical layer, 73–74
physical security, 61–62, 126, 439
physical security controls, 335, 337
physical segmentation, 123–126
piggybacking, 206–207
PII (personally identifiable information)
data breaches, 415, 416, 484–485
data theft and, 171–172
described, 16
overview, 414–415
privacy issues, 484–485
protection of, 16, 313, 415–416, 500
regulations for, 16, 472, 485–488
ZIP codes as, 486
ping command, 88
ping of death, 174
ping requests, 88
PINs (personal identification numbers), 29, 39, 205
PIV (Personal Identity Verification) cards, 40
PKI (public key infrastructure), 527–536
certificate authority, 531–534
certificates, 527–531
cross-certification trust, 535–536
key escrow, 534
overview, 527
revoking certificates, 533
trust chain, 531–532
trusted root CA, 532–533
validating certificates, 533–534
plaintext, 498
Platform-as-a-Service (PaaS), 149, 150
PMF (Protected Management Frames), 202
Point-to-Point Tunneling Protocol (PPTP), 94, 136
policies. See security policies
polymorphic viruses, 221
Ponzi schemes, 482
POP3 (Post Office Protocol 3), 93
pop-ups, 224–225
Port Address Translation (PAT), 101
port numbers, 75, 84, 95–97, 101
ports, 94–97
described, 129
detecting open ports, 180
dynamic, 94
filtering traffic via, 129
mapping to protocols, 94–95, 96
vs. protocol numbers, 95–97
registered, 94
use of, 94–95
Post Office Protocol 3 (POP3), 93
PPTP (Point-to-Point Tunneling Protocol), 94, 136
Presentation layer, 76
preshared key (PSK), 105, 106, 107
pretexting, 206
Pretty Good Privacy (PGP), 524–525, 535
preventive controls, 331–332
primary key, 411–412
privacy
cloud computing and, 152–153
considerations, 21
data breaches. See data breaches
data classifications, 400–401
information rights management, 409–410
intellectual property, 16
laws/regulations, 484–488
personally identifiable information. See PII
protected health information, 16, 484, 485, 500, 501
types of data, 16
Private classification, 401
private cloud, 151
private IP addresses, 99–100
private keys, 499
promiscuous mode, 105
Protected EAP (PEAP), 139
protected health information (PHI), 16, 416, 484, 485, 500, 501
Protected Management Frames (PMF), 202
protocol analyzers, 176–179
protocol data unit (PDU), 76
protocol numbers, 94, 95–97, 129
protocols. See also specific protocols
considerations, 129
e-mail, 93
network, 84–97
removing/disabling, 338–339
routing, 92
provisioning, 58–59
proximity cards, 36
proxy server logs, 377–378
proxy servers, 127–128, 150, 242
PSK (preshared key), 105, 106, 107
PTR record, 88
Public classification, 401
public cloud, 151
public IP addresses, 99–100
Puppet tool, 388
Q
qualitative analysis, 275–276
quantitative analysis, 272–275, 276
R
radio frequency identification (RFID), 111–112, 418–419
radio frequency interference (RFI), 73
RADIUS (Remote Authentication Dial-In User Service), 106, 140–142
RADIUS servers, 140–141
RAID (Redundant Array of Independent Disks), 13, 350–351
RAID-0, 351
RAID-1, 351
RAID-5, 351–353
RAID-6, 353–354
rainbow table attacks, 195–196
RAM (Random Access Memory), 476
Random Access Memory (RAM), 476
ransomware attacks, 169, 225–226
RARP (Reverse Address Resolution Protocol), 87
RAT (remote access Trojan), 223
RBAC (Role-based Access Control) model, 51–53
RC4 (Rivest Cipher), 511
reconnaissance, 179–180, 259, 318
recovery, 285
recovery agents, 534
recovery controls, 334
recovery point objective (RPO), 449
recovery time objective (RTO), 448–449
Redundant Array of Independent Disks. See RAID
redundant connections, 14, 356
redundant disks, 13
redundant servers, 13
redundant sites, 14
references, supplementary, 4
Regin, 231–233
regulatory concerns, 488–489
regulatory requirements, 500
relational databases, 410–412
remediation validation, 315
remote access, 134–142
authentication, 138–142
network access control, 143–144
overview, 134
risks/vulnerabilities, 134–135
traffic shaping, 142
tunneling protocols, 94, 135–138
WAN optimization, 142
Remote Authentication Dial-In User Service. See RADIUS
Remote Procedure Call (RPC), 76
remote wipe, 112
repudiation, 371
Request to Send (RTS), 79
Resource Record Signature (RRSIG), 88
resources, 438
response plans, 341
restoration planning, 452
retention requirements, 405
retina scans, 37
return on investment (ROI), 273
Reverse Address Resolution Protocol (RARP), 87
RFI (radio frequency interference), 73
RFID (radio frequency identification), 111–112, 418–419
Rijndael encryption, 509
RIPv2 (Routing Information Protocol version 2), 92
risk. See also risk assessment
accepting, 265
adverse impact, 257
assets. See assets
avoiding, 264
components of, 255–256
considerations, 255–257
due care, 20–21
due diligence, 20
incidents. See incident response; incidents
managing. See risk management
metrics, 268–269
overview, 255–257
recasting, 265
remote access and, 134–135
reporting, 267
residual, 265–266
responses to, 264–265
sharing/transferring, 264–265
threats. See threats
total risk, 256
vulnerabilities. See vulnerabilities
risk assessment, 271–280
addressing findings of, 280
contents of, 279–280
described, 271
impact assessments, 261–262
procedure for, 277–280
qualitative analysis, 275–276
quantitative analysis, 272–275, 276
threat modeling, 271–272
risk management, 263–271
Common Vulnerability Scoring System, 268–269
considerations, 438
identifying assets, 266
overview, 263–264
residual risk, 265–266
risk register/log, 267–268
risk treatment, 264–265
risk visibility/reporting, 267
Risk Management Framework (RMF), 269–270, 422–423
risk register/log, 267–268
Rivest Cipher (RC4), 511
rlogin utility, 91
RMF (Risk Management Framework), 269–270, 422–423
rogue access points, 203–204
rogueware, 224–225
ROI (return on investment), 273
Role-based Access Control (RBAC) model, 51–53
rootkits, 227–228
ROT13 encryption, 507–508
routers
implicit deny rule, 53, 129–130
vs. switches, 121–123
routing, 104
Routing Information Protocol version 2 (RIPv2), 92
routing protocols, 92
RPC (Remote Procedure Call), 76
RPO (recovery point objective), 449
RRSIG (Resource Record Signature), 88
RSA algorithm, 513–514
RTO (recovery time objective), 448–449
RTS (Request to Send), 79
Ruby language, 388
Rule-based Access Control, 53
Russian hackers, 166, 172, 226, 310, 481
Rustok botnet, 176
S
SaaS (Software-as-a-Service), 149, 150
safeguards. See countermeasures; security controls
salt, 506
salting passwords, 506
SAML (Security Assertion Markup Language), 43
SANS Institute, 460
Sarbanes-Oxley (SOX) Act of 2002, 417, 482
scanners, 243
scareware, 224–225
SCCM (System Center Configuration Manager), 344
SCP (Secure Copy), 90
script kiddies, 168–169
scripts, 228
SDLC (systems development lifecycle), 342, 423–426
SDN (software-defined networking), 147–148
Secret classification, 400, 500
Secure Copy (SCP), 90
Secure FTP (SFTP), 90
Secure Real-time Transport Protocol (SRTP), 126
Secure Shell (SSH), 90–91, 136, 177, 518
Secure Sockets Layer. See SSL
SecureAuth Identity Provider (IdP), 45
Secure/Multipurpose Internet Mail Extensions (S/MIME), 518
security. See also security operations
AAAs of, 18–19
access controls. See access controls
authentication. See authentication
authorization, 18, 19, 27, 28, 58–59
availability, 13–14
basic concepts, 9–14
data sensitivity. See sensitive data
due care, 20–21
due diligence, 20
encryption. See encryption
endpoint devices, 344–350
fundamentals, 14–21
infrastructure security, 313–314
integrity, 11–13
layers of, 16–17
least privilege, 14–15, 60, 245
network. See network security
nonrepudiation, 17–18
passwords. See passwords
personal information. See PII
privacy. See privacy
separation of duties, 15
social media concerns, 408–409
security administration/planning
business continuity planning, 445–456
disaster recovery planning, 445–456
security organizations, 456–460
security policies. See security policies
security analytics/metrics, 305
Security Assertion Markup Language (SAML), 43
security assessments, 309–319
audit finding remediation, 315–316
penetration testing, 317–319
remediation validation, 315
requirements for, 420
results analysis, 316–317
risk management framework, 270
vulnerability assessments, 309–317, 318
security audits, 380–385
security controls, 269–271. See also countermeasures
administrative controls, 335, 336
basic controls, 338–350
compensating controls, 333–334
control families, 335–336
corrective controls, 333
cost-benefit analysis, 328–329
detective controls, 332–333
deterrent controls, 334
directive controls, 334
extensive coverage of, 334–335
fault-tolerant controls, 350–356
goals, 331–335
hardening systems, 338–340
implementation methods, 335–337
lifecycle, 329–330
overview, 327–328
physical access controls, 385
physical security controls, 335, 337
policies, 340–341
preventive controls, 331–332
recovery controls, 334
technical controls, 335, 336–337
security event management (SEM), 307
security identifier (SID), 50
security incidents. See incidents
security information and event management. See SIEM
security information management (SIM), 307
security kernel, 49
security logs, 375
security operations, 399–433. See also security
certification/accreditation, 419–426
Common Criteria, 421–422
data handling. See data handling
development/acquisition phase, 423, 424, 425
implementation/assessment phase, 423, 424, 425
managing assets through lifecycle, 418–419
operations/maintenance phase, 423, 424, 425
risk management framework, 422–423
security assessments, 270, 309, 336, 420
system development lifecycle, 423–426
security organizations, 456–460
CERT Division, 460
NIST. See NIST entries
SANS Institute, 460
US-CERT, 459–460
security policies, 425–445
acceptable use policy, 341
auditing, 382
considerations, 340–341, 442, 443
ethics codes, 442–443
examples of, 340–341
Group Policy, 387
overview, 435–437
password policies, 30–33, 59, 381–382, 439
policy awareness, 443–444
reviewing, 445
sensitive data, 404–408
stages, 436
topics, 437–440
updating, 445
value of, 441
warning banners, 444
security training, 246, 444, 501
segmentation, 123–126, 129, 148, 170
SEM (security event management), 307
Sender Policy Framework (SPF) records, 241, 524
Sensitive classification, 401
sensitive data
attacks on, 166, 191, 249, 259
data at rest/data in motion, 404
destruction of, 153
policies, 404–408
Server Message Block (SMB) protocol, 135–136
servers
authentication, 35
DHCP, 86
e-mail, 93
failover clusters, 354–355
FTP, 90
hardening, 84
Kerberos, 41
NAC, 143
proxy, 127–128, 150, 242, 377–378
RADIUS, 140–141
redundant, 13
remote access. See remote access
virtualization, 347
web, 46
server-side validation, 186
service level agreement (SLA), 153
service scans, 180
service set identifier (SSID), 108–109
services, removing/disabling, 338
session hijacking, 183–184
setup logs, 375
SFTP (Secure FTP), 90
SHA-2 algorithm, 503
SHA-3 algorithm, 503
shielded twisted pair (STP) connections, 73, 81
Short Message Service (SMS), 200
shoulder surfing, 208
SID (security identifier), 50
SIEM (security information and event management), 307–309
SIEM applications, 378
signature-based detection, 303
SIM (security information management), 307
Simple Mail Transport Protocol (SMTP), 93
Simple Network Management Protocol (SNMP), 89
single loss expectancy (SLE), 273, 275
single sign-on (SSO) authentication, 40–44, 43
S/KEY password system, 36
skimming, 207–208
SLA (service level agreement), 153
SLE (single loss expectancy), 273, 275
small offices and home offices (SOHOs), 103
SMB (Server Message Block) protocol, 135–136
S/MIME (Secure/Multipurpose Internet Mail Extensions), 518
smishing, 200
SMS (Short Message Service), 200
SMTP (Simple Mail Transport Protocol), 93
smurf attacks, 184–185
sniffing attacks, 176–179
SNMP (Simple Network Management Protocol), 89
social engineering, 205–209
dumpster diving, 208
impersonation, 207
overview, 205–206
pretexting, 206
shoulder surfing, 208
skimming, 207–208
tailgating, 206–207
user awareness training, 170–171, 208–209
via phone calls, 206
vulnerabilities and, 309–310
social networks
data loss and, 408–409
social engineering and, 327, 409
Social Security numbers (SSNs), 487
software. See also applications
antivirus. See antivirus software
code signing, 187–188, 228, 245
inventory/licenses, 419
malicious. See malware
unsigned, 187
software tokens, 36
Software-as-a-Service (SaaS), 149, 150
software-defined networking (SDN), 147–148
SOHOs (small offices and home offices), 103
source address affinity, 356
source code. See code
SOX (Sarbanes-Oxley) Act of 2002, 417, 482
spam, 196–197
spear phishing, 166, 167, 198–199, 310
SPF (Sender Policy Framework) records, 241, 524
spyware, 230
SQL (Structured Query Language), 189, 413
SQL injection attacks, 189–191
SRTP (Secure Real-time Transport Protocol), 126
SSCP certification. See also certification process
blog, 5
vs. CISSP certification, 4–5
CME credits, 9
Code of Ethics, 7–9
Computer-Based Testing, 3
CPE credits, 9
exam fee, 3
Exam Objective Map, 4
Exam Outline, 4
maintaining, 9
passing exam, 4–7
registering for exam, 2–3
requirements for, 1–9
Supplementary References, 4
testing locations, 2–3
types of questions, 5–7
work/educational experience, 2
SSCP Common Body of Knowledge (CBK), 2
SSCP domains, 2
SSH (Secure Shell), 90–91, 136, 177, 518
SSID (service set identifier), 108–109
SSL (Secure Sockets Layer), 91, 92, 138, 514
SSL decryptors, 182–183, 516–517
SSNs (Social Security numbers), 487
SSO (single sign-on) authentication, 40–44, 43
star topology, 80–81
static passwords, 29
stealth viruses, 221
steganography, 525–526
STIX (Structured Threat Information eXpression), 263
storage media, 404–405
stored procedures, 190
STP (shielded twisted pair) connections, 73, 81
stream ciphers, 509
Structured Query Language. See SQL
Structured Threat Information eXpression (STIX), 263
subject-based access control, 46–48
sublayers, 74
subnet addresses, 129
subnets, 129
switches
considerations, 125–126, 148, 178
vs. hubs, 81
layer 2, 74
layer 3, 74
mirrored ports and, 81
vs. routers, 121–123
security, 126
symmetric encryption, 499, 507–511
symmetric key, 41
SYN flood attacks, 75, 173, 301–302
SYN stealth scan, 179
SYN/ACK packets, 284
synchronous dynamic passwords, 35
system baselines, 386
System Center Configuration Manager (SCCM), 344
system development lifecycle (SDLC), 423–426
system isolation, 170
systems. See also operating system
changing defaults, 338
configuration management, 385–388
inappropriate usage of, 281
keeping up to date, 339
lifecycle, 423–426
monitoring. See monitoring systems
patches. See patches
redundancies for, 261
removing unneeded protocols/services, 338–339
rootkits, 227–228
Windows. See Windows systems
systems development lifecycle (SDLC), 342, 423–426
Systems Security Certified Practitioner. See SSCP
T
tablets, 344–347
TACACS+ (Terminal Access Controller Access-Control System+), 142
tactics, techniques, and procedures (TTPs), 262–263
TAXII (Trusted Automated eXchange of Indicator Information), 263
TCP (Transmission Control Protocol), 75
TCP handshake, 201
TCP ports, 89–91, 93, 94, 137, 142
TCP sessions, 201
TCP/IP Model, 77
TCP/IP stack fingerprinting, 180
technical access controls, 49
technical controls, 31, 335, 336–337
Telnet, 90
Temporal Key Integrity Protocol (TKIP), 105–106
temporal metrics, 268
Terminal Access Controller Access-Control System+ (TACACS+), 142
terminator, 80
testability, 479
text messages, 200
TFTP (Trivial FTP), 76, 90, 177
TGT (ticket-granting ticket), 41, 42
thin clients, 348
threat modeling, 271–272
threats
accidental, 258
considerations, 255–257
defined, 255
environmental, 258
sharing threat intelligence, 262–263
sources of, 257–258
structural, 258
ticket-granting ticket (TGT), 41, 42
Time-based One-Time Password (TOTP) protocol, 36
TKIP (Temporal Key Integrity Protocol), 105–106
TLS (Transport Layer Security), 514–516
EAP-Tunneled TLS, 139–140
HTTP and, 91
MITM attacks and, 181–183
VPNs, 137–138
TLS decryptors, 182–183, 516–517
TLS sessions, 181–183, 515, 516, 517
token ring topology, 82
Top Secret classification, 400, 500
topography, 78
topology, 78
TorrentLocker, 226
TOTP (Time-based One-Time Password) protocol, 36
TPM (Trusted Platform Module), 349, 510
traceroute tools, 88
tracert tool, 88
traffic shaping, 142
training programs
data handling, 417–418
initial training, 209
security training, 246, 444, 501
social engineering, 170–171, 208–209
user awareness, 170–171, 208–209, 350
transitive trust, 102
Transmission Control Protocol. See TCP
Transport Layer Security. See TLS
transport mode, 137
trapdoor attacks, 228–229
tree topology, 81
trends, 305
Triple DES encryption (3DES), 509, 510
Trivial FTP (TFTP), 76, 90, 177
Trojan horse, 222–223
trust architectures, 97–102
trust relationships, 101–102
Trusted Automated eXchange of Indicator Information (TAXII), 263
Trusted Computer System Evaluation Criteria (TCSEC), 421–422
Trusted Platform Module (TPM), 349, 510
trusted root certification authorities, 532–533
TCSEC (Trusted Computer System Evaluation Criteria), 421–422
TTPs (tactics, techniques, and procedures), 262–263
tunnel mode, 137
tunneling protocols, 94, 135–138
twisted pair connections, 73
two-step verification, 39
U
UCE (unsolicited commercial e-mail), 196–197
UDP (User Datagram Protocol), 75–76
UDP connections, 131
UDP packets, 185
UMG Recording, 487
Unclassified classification, 400, 500
unicast messages, 89
unified threat management (UTM) devices, 131–132, 299, 300
Uniform Resource Locator. See URL
United States Cyber Command (USCYBERCOM), 166
universally unique identifier (UUID), 402
unshielded twisted pair (UTP) connections, 73, 81
unsolicited commercial e-mail (UCE), 196–197
updates, 342–344
URL (Uniform Resource Locator), 127, 243–244
U.S. Computer Emergency Readiness Team (US-CERT), 459–460
USB drives, 133, 220, 235, 242, 404, 439
US-CERT (U.S. Computer Emergency Readiness Team), 459–460
USCYBERCOM (United States Cyber Command), 166
use cases, 71
user accounts, 59–60
user awareness training, 170–171, 208–209, 501
User Datagram Protocol. See UDP
users. See also employees
access to data, 403
account lockouts, 59–60, 373, 439
audit logs and, 370–372
authenticated. See authentication
authorized, 10
social engineering and. See social engineering
training. See training programs
unauthorized, 10
wireless, 104
UTM (unified threat management) devices, 131–132, 299, 300
UTP (unshielded twisted pair) connections, 73, 81
UUID (universally unique identifier), 402
V
validation processes, 498
VBScript, 228
VDI (virtual desktop infrastructure), 146, 348
views, database, 412–413
virtual appliances, 145–146, 148
virtual desktop infrastructure (VDI), 146, 348
virtual environments, 144–149
continuity/resilience of, 146–147
guest VMs, 144–149, 188, 245, 348, 359
protecting, 148–149
shared storage, 145
terminology, 145
virtual machines, 144–149, 188, 245, 348, 359
virtual networks. See VPNs
virtual local area networks (VLANs), 123, 125–126, 148
virtual machines (VMs), 144–149, 188, 245, 348, 359
virtual network devices, 149
virtual private networks. See VPNs
virtualization, 144–148, 188, 347–348
virus signatures, 238, 240, 260
viruses, 219–222, 226. See also antivirus software
vishing, 199–200
VLANs (virtual local area networks), 123, 125–126, 148
VMs (virtual machines), 144–149, 188, 245, 348, 359
VMware, 149
Voice over Internet Protocol (VoIP), 126, 199–200
VoIP (Voice over Internet Protocol), 126, 199–200
VPNs (virtual private networks)
commercial, 204
described, 94
IPsec, 137
RADIUS and, 140–141
risks/vulnerabilities, 134–135
SSL, 138
TLS, 137–138
tunneling protocols, 94, 135–138
vulnerabilities
Common Vulnerabilities and Exposures, 246–247
Common Vulnerability Scoring System, 268–269
considerations, 255–257
documenting, 314
examples of, 260–261
exploiting, 318–319
identifying, 318
malware, 246–247
National Vulnerability Database, 268
overview, 260–261
remote access, 134–135
social engineering and, 309–310
vulnerability assessments, 309–317, 318
vulnerability-scanning tools, 243, 312–313
W
WAN optimization, 142
WANs (wide area networks), 99, 142
web browsers
sandboxing and, 350
secure browsing, 350
web servers, 46
web spiders, 197
websites
category lists, 127
cross-site request forgery, 192–193
malicious, 191
malicious links in, 243–244
protecting, 185–188
whitelists/blacklists, 127
WEP (Wired Equivalent Privacy), 105, 107, 202, 509, 537
white box testing, 311
white hats, 164
whitelisting applications, 245
whitelisting/whitelists, 127, 304, 348
wide area networks (WANs), 99
WIDSs (wireless IDSs), 203, 304–305
Wi-Fi Alliance, 202
Wi-Fi networks. See wireless networks
Wi-Fi Protected Access. See WPA
Wi-Fi Protected Access 2. See WPA2 entries
Wi-Fi Protected Access 3 (WPA3), 202, 203
Wi-Fi Protected Setup (WPS), 205
WiMAX (Worldwide Interoperability for Microwave Access), 111
Win32/Zbot, 229
Windows Server Update Services (WSUS), 344
Windows Stability Center, 191
Windows systems
ActiveX controls, 187, 188, 228
Auto-Tuning feature, 312
DNS cache display, 184
Event Viewer, 374–376
NTFS, 232
security identifiers, 50
WIPO (World Intellectual Property Organization), 16
WIPSs (wireless IPSs), 203
Wired Equivalent Privacy (WEP), 105, 107, 202, 509, 537
wireless antennas, 105
wireless attacks, 202–205
wireless IDSs (WIDSs), 203, 304–305
wireless IPSs (WIPSs), 203
wireless networks, 105–109, 202–205
wireless receivers, 105
wireless service set identifier, 108–109
wireless spectrum analyzers, 204
wireless technologies, 103–112
wireless transmissions, 73
wireless users, 104
WireLurker, 349
work/educational experience, 2
World Intellectual Property Organization (WIPO), 16
Worldwide Interoperability for Microwave Access (WiMAX), 111
worms, 222
WPA (Wi-Fi Protected Access), 105–106, 107, 202
WPA cracking attacks, 205
WPA handshake, 205
WPA2 (Wi-Fi Protected Access 2)
as countermeasure, 202, 509–510
MAC address filtering, 109
overview, 105–106
WPA2-Enterprise, 106–107, 109, 142, 205
WPA2-Personal, 106, 107, 109, 205
WPA3 (Wi-Fi Protected Access 3), 202, 203
WPA-Enterprise, 106–107
WPS (Wi-Fi Protected Setup), 205
WPS attacks, 205
WSUS (Windows Server Update Services), 344
X
XSRF (cross-site request forgery), 192–193
XSS (cross-site scripting) attacks, 191, 193
Y
YAML (YAML Ain’t Markup Language), 388
YAML Ain’t Markup Language (YAML), 388
Z
zero day exploits, 200–201, 234, 242
Zeus malware, 229
ZIP code validation, 185–186