Fr. 79.00
Wesley Phillips, Wills, M Wills, Mike Wills, Mike Phillips Wills
(ISC)² SSCP Systems Security Certified Practitioner Official Study Guide, 2nd Edition
English · Paperback / Softback
Shipping usually within 1 to 3 weeks (not available at short notice)
List of contents
Foreword
Introduction
Self-Assessment
Part I Getting Started as an SSCP
Chapter 1 The Business Case for Decision Assurance and Information Security
* Information: The Lifeblood of Business
* Data, Information, Knowledge, Wisdom...
* Information Is Not Information Technology
* Policy, Procedure, and Process: How Business Gets Business Done
* Who Is the Business?
* "What's Your Business Plan?"
* Purpose, Intent, Goals, Objectives
* Business Logic and Business Processes: Transforming Assets into Opportunity, Wealth, and Success
* The Value Chain
* Being Accountable
* Who Runs the Business?
* Owners and Investors
* Boards of Directors
* Managing or Executive Directors and the "C-Suite"
* Layers of Function, Structure, Management, and Responsibility
* Plans and Budgets, Policies, and Directives
* Summary
Chapter 2 Information Security Fundamentals
* The Common Needs for Privacy, Confidentiality, Integrity, and Availability
* Privacy
* Confidentiality
* Integrity
* Availability
* Privacy vs. Security, or Privacy and Security?
* CIA Needs of Individuals
* Private Business's Need for CIA
* Government's Need for CIA
* The Modern Military's Need for CIA
* Do Societies Need CIA?
* Training and Educating Everybody
* SSCPs and Professional Ethics
* Summary
* Exam Essentials
* Review Questions
Part II Integrated Risk Management and Mitigation
Chapter 3 Integrated Information Risk Management
* It's a Dangerous World
* What Is Risk?
* Risk: When Surprise Becomes Disruption
* Information Security: Delivering Decision Assurance
* "Common Sense" and Risk Management
* The Four Faces of Risk
* Outcomes-Based Risk
* Process-Based Risk
* Asset-Based Risk
* Threat-Based (or Vulnerability-Based) Risk
* Getting Integrated and Proactive with Information Defense
* Trust, but Verify
* Due Care and Due Diligence: Whose Jobs Are These?
* Be Prepared: First, Set Priorities
* Risk Management: Concepts and Frameworks
* The SSCP and Risk Management
* Plan, Do, Check, Act
* Risk Assessment
* Establish Consensus about Information Risk
* Information Risk Impact Assessment
* The Business Impact Analysis
* From Assessments to Information Security Requirements
* Four Choices for Limiting or Containing Damage
* Deter
* Detect
* Prevent
* Avoid
* Summary
* Exam Essentials
* Review Questions
Chapter 4 Operationalizing Risk Mitigation
* From Tactical Planning to Information Security Operations
* Operationally Outthinking Your Adversaries
* Getting Inside the Other Side's OODA Loop
* Defeating the Kill Chain
* Operationalizing Risk Mitigation: Step by Step
* Step 1: Assess the Existing Architectures
* Step 2: Assess Vulnerabilities and Threats
* Step 3: Select Risk Treatment and Controls
* Step 4: Implement Controls
* Step 5: Authorize: Senior Leader Acceptance and Ownership
* The Ongoing Job of Keeping Your Baseline Secure
* Build and Maintain User Engagement with Risk Controls
* Participate in Security Assessments
* Manage the Architectures: Asset Management and Configuration Control
* Ongoing, Continuous Monitoring
* Exploiting What Monitoring and Event Data Is Telling You
* Incident Investigation, Analysis, and Reporting
* Reporting to and Engaging with Management
* Summary
* Exam Essentials
* Review Questions
Part III The Technologies of Information Security
Chapter 5 Communications and Network Security
* Trusting Our Communications in a Converged World
* Introducing CIANA
* Threat Modeling for Communications Systems
* Internet Systems Concepts
* Datagrams and Protocol Data Units
* Handshakes
* Packets and Encapsulation
* Addressing, Routing, and Switching
* Network Segmentation
* URLs and the Web
* Topologies
* "Best Effort" and Trusting Designs
* Two Protocol Stacks, One Internet
* Complementary, Not Competing, Frameworks
* Layer 1: The Physical Layer
* Layer 2: The Data Link Layer
* Layer 3: The Network Layer
* Layer 4: The Transport Layer
* Layer 5: The Session Layer
* Layer 6: The Presentation Layer
* Layer 7: The Application Layer
* Cross-Layer Protocols and Services
* IP and Security
* Layers or Planes?
* Software-Defined Networks
* Virtual Private Networks
* A Few Words about Wireless
* IP Addresses, DHCP, and Subnets
* IPv4 Address Classes
* Subnetting in IPv4
* IPv4 vs. IPv6: Key Differences and Options
* CIANA Layer by Layer
* CIANA at Layer 1: Physical
* CIANA at Layer 2: Data Link
* CIANA at Layer 3: Network
* CIANA at Layer 4: Transport
* CIANA at Layer 5: Session
* CIANA at Layer 6: Presentation
* CIANA at Layer 7: Application
* Securing Networks as Systems
* A SOC Is Not a NOC
* Tools for the SOC and the NOC
* Integrating Network and Security Management
* Summary
* Exam Essentials
* Review Questions
Chapter 6 Identity and Access Control
* Identity and Access: Two Sides of the Same CIANA Coin
* Identity Management Concepts
* Identity Provisioning and Management
* Identity and AAA
* Access Control Concepts
* Subjects and Objects--Everywhere!
* Data Classification and Access Control
* Bell-LaPadula and Biba Models
* Role-Based
* Attribute-Based
* Subject-Based
* Object-Based
* Mandatory vs. Discretionary Access Control
* Network Access Control
* IEEE 802.1X Concepts
* RADIUS Authentication
* TACACS and TACACS+
* Implementing and Scaling IAM
* Choices for Access Control Implementations
* "Built-in" Solutions?
* Multifactor Authentication
* Server-Based IAM
* Integrated IAM systems
* Zero Trust Architectures
* Summary
* Exam Essentials
* Review Questions
Chapter 7 Cryptography
* Cryptography: What and Why
* Codes and Ciphers: Defining Our Terms
* Cryptography, Cryptology, or...?
* Building Blocks of Digital Cryptographic Systems
* Cryptographic Algorithms
* Cryptographic Keys
* Hashing as One-Way Cryptography
* A Race Against Time
* "The Enemy Knows Your System"
* Keys and Key Management
* Key Storage and Protection
* Key Revocation and Zeroization
* Modern Cryptography: Beyond the "Secret Decoder Ring"
* Symmetric Key Cryptography
* Asymmetric Key (or Public Key) Cryptography
* Hybrid Cryptosystems
* Design and Use of Cryptosystems
* Cryptanalysis (White Hat and Black Hat)
* Cryptographic Primitives
* Cryptographic Engineering
* "Why Isn't All of This Stuff Secret?"
* Cryptography and CIANA
* Confidentiality
* Authentication
* Integrity
* Nonrepudiation
* "But I Didn't Get That Email..."
* Availability
* Public Key Infrastructures
* Diffie-Hellman-Merkle Public Key Exchange
* RSA Encryption and Key Exchange
* ElGamal Encryption
* Digital Signatures
* Digital Certificates and Certificate Authorities
* Hierarchies (or Webs) of Trust
* Pretty Good Privacy
* TLS
* HTTPS
* Symmetric Key Algorithms and PKI
* PKI and Trust: A Recap
* Other Protocols: Applying Cryptography to Meet Different Needs
* IPSec
* S/MIME
* DKIM
* Blockchain
* Access Control Protocols
* Measures of Merit for Cryptographic Solutions
* Attacks and Countermeasures
* Brute Force and Dictionary Attacks
* Side Channel Attacks
* Numeric (Algorithm or Key) Attacks
* Traffic Analysis, "Op Intel," and Social Engineering Attacks
* Massively Parallel Systems Attacks
* Supply Chain Vulnerabilities
* The "Sprinkle a Little Crypto Dust on It" Fallacy
* Countermeasures
* On the Near Horizon
* Pervasive and Homomorphic Encryption
* Quantum Cryptography and Post-Quantum Cryptography
* AI, Machine Learning, and Cryptography
* Summary
* Exam Essentials
* Review Questions
Chapter 8 Hardware and Systems Security
* Infrastructure Security Is Baseline Management
* It's About Access Control...
* It's Also About Supply Chain Security
* Do Clouds Have Boundaries?
* Infrastructures 101 and Threat Modeling
* Hardware Vulnerabilities
* Firmware Vulnerabilities
* Operating Systems Vulnerabilities
* Virtual Machines and Vulnerabilities
* Network Operating Systems
* MDM, COPE, and BYOD
* BYOI? BYOC?
* Malware: Exploiting the Infrastructure's Vulnerabilities
* Countering the Malware Threat
* Privacy and Secure Browsing
* "The Sin of Aggregation"
* Updating the Threat Model
* Managing Your Systems' Security
* Summary
* Exam Essentials
* Review Questions
Chapter 9 Applications, Data, and Cloud Security
* It's a Data-Driven World...At the Endpoint
* Software as Appliances
* Applications Lifecycles and Security
* The Software Development Lifecycle (SDLC)
* Why Is (Most) Software So Insecure?
* Hard to Design It Right, Easy to Fix It?
* CIANA and Applications Software Requirements
* Positive and Negative Models for Software Security
* Is Blacklisting Dead? Or Dying?
* Application Vulnerabilities
* Vulnerabilities Across the Lifecycle
* Human Failures and Frailties
* "Shadow IT:" The Dilemma of the User as Builder
* Data and Metadata as Procedural Knowledge
* Information Quality and Information Assurance
* Information Quality Lifecycle
* Preventing (or Limiting) the "Garbage In" Problem
* Protecting Data in Motion, in Use, and at Rest
* Data Exfiltration I: The Traditional Threat
* Detecting Unauthorized Data Acquisition
* Preventing Data Loss
* Into the Clouds: Endpoint App and Data Security Considerations
* Cloud Deployment Models and Information Security
* Cloud Service Models and Information Security
* Clouds, Continuity, and Resiliency
* Clouds and Threat Modeling
* Cloud Security Methods
* SLAs, TORs, and Penetration Testing
* Data Exfiltration II: Hiding in the Clouds
* Legal and Regulatory Issues
* Countermeasures: Keeping Your Apps and Data Safe and Secure
* Summary
* Exam Essentials
* Review Questions
Part IV People Power: What Makes or Breaks Information Security
Chapter 10 Incident Response and Recovery
* Defeating the Kill Chain One Skirmish at a Time
* Kill Chains: Reviewing the Basics
* Events vs. Incidents
* Incident Response Framework
* Incident Response Team: Roles and Structures
* Incident Response Priorities
* Preparation
* Preparation Planning
* Put the Preparation Plan in Motion
* Are You Prepared?
* Detection and Analysis
* Warning Signs
* Initial Detection
* Timeline Analysis
* Notification
* Prioritization
* Containment and Eradication
* Evidence Gathering, Preservation, and Use
* Constant Monitoring
* Recovery: Getting Back to Business
* Data Recovery
* Post-Recovery: Notification and Monitoring
* Post-Incident Activities
* Learning the Lessons
* Support Ongoing Forensics Investigations
* Information and Evidence Retention
* Information Sharing with the Larger IT Security Community
* Summary
* Exam Essentials
* Review Questions
Chapter 11 Business Continuity via Information Security and People Power
* A Spectrum of Disruption
* Surviving to Operate: Plan for It!
* Cloud-Based "Do-Over" Buttons for Continuity, Security, and Resilience
* CIANA at Layer 8 and Above
* It Is a Dangerous World Out There
* People Power for Secure Communications
* POTS and VoIP Security
* Summary
* Exam Essentials
* Review Questions
Chapter 12 Risks, Issues, and Opportunities, Starting Tomorrow
* On Our Way to the Future
* Access Control and Zero Trust
* AI, ML, BI, and Trustworthiness
* Quantum Communications, Computing, and Cryptography
* Paradigm Shifts in Information Security?
* Perception Management and Information Security
* Widespread Lack of Useful Understanding of Core Technologies
* IT Supply Chain Vulnerabilities
* Government Overreactions
* CIA, CIANA, or CIANAPS?
* Enduring Lessons
* You Cannot Legislate Security
* It's About Managing Our Security and Our Systems
* People Put It Together
* Maintain Flexibility of Vision
* Accountability--It's Personal. Make It So.
* Stay Sharp
* Your Next Steps
* At the Close
Appendix Answers to Review Questions
* Self-Assessment
* Chapter 2: Information Security Fundamentals
* Chapter 3: Integrated Information Risk Management
* Chapter 4: Operationalizing Risk Mitigation
* Chapter 5: Communications and Network Security
* Chapter 6: Identity and Access Control
* Chapter 7: Cryptography
* Chapter 8: Hardware and Systems Security
* Chapter 9: Applications, Data, and Cloud Security
* Chapter 10: Incident Response and Recovery
* Chapter 11: Business Continuity via Information Security and People Power
Index
About the author
Mike Wills, SSCP, CISSP, Assistant Professor and Program Chair of Applied Information Technologies in the College of Business at Embry-Riddle Aeronautical University's Worldwide Campus. Mike has been a pioneer in ethical hacking since his days as a phone phreak. His many years of cutting-edge experience in secure systems design, development, and operation have enriched the dozens of courses he's built and taught. He created ERAU's Master of Science in Information Security and Assurance degree program and leads the university's teaching and courseware development for the Microsoft Software & Systems Academy at ERAU's 13 US teaching sites.
Summary
The only SSCP study guide officially approved by (ISC)²
The (ISC)² Systems Security Certified Practitioner (SSCP) certification is a well-known vendor-neutral global IT security certification. The SSCP is designed to show that holders have the technical skills to implement, monitor, and administer IT infrastructure using information security policies and procedures.
This comprehensive Official Study Guide--the only study guide officially approved by (ISC)²--covers all objectives of the seven SSCP domains.
* Access Controls
* Security Operations and Administration
* Risk Identification, Monitoring, and Analysis
* Incident Response and Recovery
* Cryptography
* Network and Communications Security
* Systems and Application Security
If you're an information security professional or student of cybersecurity looking to tackle one or more of the seven domains of the SSCP, this guide gets you prepared to pass the exam and enter the information security workforce with confidence.
Product details
Authors | Wesley Phillips, Wills, M Wills, Mike Wills, Mike Phillips Wills |
Publisher | Wiley, John and Sons Ltd |
Languages | English |
Product format | Paperback / Softback |
Released | 28.02.2019 |
EAN | 9781119542940 |
ISBN | 978-1-119-54294-0 |
No. of pages | 688 |
Subjects |
Natural sciences, medicine, IT, technology
> IT, data processing
> Data communication, networks
Computer science, Certification, Networking / Security |