| Section | Page | Length (pages) |
| --- | --- | --- |
| Foreword | xxi | |
| Introduction | xxiii | |
| Self-Assessment | xlv | |
| Part I Getting Started as an SSCP | 1 | 50 |
| Chapter 1 The Business Case for Decision Assurance and Information Security | 3 | 22 |
| Information: The Lifeblood of Business | 4 | 6 |
| Data, Information, Knowledge, Wisdom | 5 | 3 |
| Information Is Not Information Technology | 8 | 2 |
| Policy, Procedure, and Process: How Business Gets Business Done | 10 | 9 |
| | 11 | 1 |
| "What's Your Business Plan?" | 12 | 1 |
| Purpose, Intent, Goals, Objectives | 13 | 1 |
| Business Logic and Business Processes: Transforming Assets into Opportunity, Wealth, and Success | 14 | 1 |
| | 15 | 2 |
| | 17 | 2 |
| | 19 | 4 |
| | 19 | 1 |
| | 20 | 1 |
| Managing or Executive Directors and the "C-Suite" | 20 | 1 |
| Layers of Function, Structure, Management, and Responsibility | 21 | 1 |
| Plans and Budgets, Policies, and Directives | 22 | 1 |
| | 23 | 2 |
| Chapter 2 Information Security Fundamentals | 25 | 26 |
| The Common Needs for Privacy, Confidentiality, Integrity, and Availability | 26 | 12 |
| | 26 | 3 |
| | 29 | 1 |
| | 30 | 1 |
| | 31 | 1 |
| Privacy vs. Security, or Privacy and Security? | 32 | 2 |
| | 34 | 1 |
| Private Business's Need for CIA | 35 | 1 |
| Government's Need for CIA | 36 | 1 |
| The Modern Military's Need for CIA | 36 | 1 |
| | 36 | 2 |
| Training and Educating Everybody | 38 | 1 |
| SSCPs and Professional Ethics | 38 | 2 |
| | 40 | 1 |
| | 40 | 4 |
| | 44 | 7 |
| Part II Integrated Risk Management and Mitigation | 51 | 122 |
| Chapter 3 Integrated Information Risk Management | 53 | 58 |
| | 54 | 11 |
| | 55 | 4 |
| Risk: When Surprise Becomes Disruption | 59 | 1 |
| Information Security: Delivering Decision Assurance | 60 | 3 |
| "Common Sense" and Risk Management | 63 | 2 |
| | 65 | 7 |
| | 67 | 1 |
| | 67 | 1 |
| | 68 | 1 |
| Threat-Based (or Vulnerability-Based) Risk | 69 | 3 |
| Getting Integrated and Proactive with Information Defense | 72 | 6 |
| | 76 | 1 |
| Due Care and Due Diligence: Whose Jobs Are These? | 76 | 1 |
| Be Prepared: First, Set Priorities | 77 | 1 |
| Risk Management: Concepts and Frameworks | 78 | 6 |
| The SSCP and Risk Management | 81 | 1 |
| | 82 | 2 |
| | 84 | 10 |
| Establish Consensus about Information Risk | 84 | 1 |
| Information Risk Impact Assessment | 85 | 7 |
| The Business Impact Analysis | 92 | 1 |
| From Assessments to Information Security Requirements | 92 | 2 |
| Four Choices for Limiting or Containing Damage | 94 | 6 |
| | 96 | 1 |
| | 96 | 1 |
| | 97 | 1 |
| | 97 | 3 |
| | 100 | 1 |
| | 101 | 4 |
| | 105 | 6 |
| Chapter 4 Operationalizing Risk Mitigation | 111 | 62 |
| From Tactical Planning to Information Security Operations | 112 | 6 |
| Operationally Outthinking Your Adversaries | 114 | 2 |
| Getting Inside the Other Side's OODA Loop | 116 | 1 |
| | 117 | 1 |
| Operationalizing Risk Mitigation: Step by Step | 118 | 28 |
| Step 1: Assess the Existing Architectures | 119 | 7 |
| Step 2: Assess Vulnerabilities and Threats | 126 | 9 |
| Step 3: Select Risk Treatment and Controls | 135 | 6 |
| Step 4: Implement Controls | 141 | 5 |
| Step 5: Authorize: Senior Leader Acceptance and Ownership | 146 | 1 |
| The Ongoing Job of Keeping Your Baseline Secure | 146 | 6 |
| Build and Maintain User Engagement with Risk Controls | 147 | 1 |
| Participate in Security Assessments | 148 | 3 |
| Manage the Architectures: Asset Management and Configuration Control | 151 | 1 |
| Ongoing, Continuous Monitoring | 152 | 8 |
| Exploiting What Monitoring and Event Data Is Telling You | 155 | 4 |
| Incident Investigation, Analysis, and Reporting | 159 | 1 |
| Reporting to and Engaging with Management | 160 | 1 |
| | 161 | 1 |
| | 161 | 5 |
| | 166 | 7 |
| Part III The Technologies of Information Security | 173 | 304 |
| Chapter 5 Communications and Network Security | 175 | 74 |
| Trusting Our Communications in a Converged World | 176 | 5 |
| | 179 | 1 |
| Threat Modeling for Communications Systems | 180 | 1 |
| Internet Systems Concepts | 181 | 13 |
| Datagrams and Protocol Data Units | 182 | 2 |
| | 184 | 1 |
| Packets and Encapsulation | 185 | 2 |
| Addressing, Routing, and Switching | 187 | 1 |
| | 188 | 1 |
| | 188 | 1 |
| | 189 | 4 |
| "Best Effort" and Trusting Designs | 193 | 1 |
| Two Protocol Stacks, One Internet | 194 | 23 |
| Complementary, Not Competing, Frameworks | 194 | 4 |
| Layer 1: The Physical Layer | 198 | 1 |
| Layer 2: The Data Link Layer | 199 | 2 |
| Layer 3: The Network Layer | 201 | 1 |
| Layer 4: The Transport Layer | 202 | 4 |
| Layer 5: The Session Layer | 206 | 1 |
| Layer 6: The Presentation Layer | 207 | 1 |
| Layer 7: The Application Layer | 208 | 1 |
| Cross-Layer Protocols and Services | 209 | 1 |
| | 210 | 1 |
| | 211 | 1 |
| Software-Defined Networks | 212 | 1 |
| | 213 | 1 |
| A Few Words about Wireless | 214 | 3 |
| IP Addresses, DHCP, and Subnets | 217 | 4 |
| | 217 | 2 |
| | 219 | 2 |
| IPv4 vs. IPv6: Key Differences and Options | 221 | 2 |
| | 223 | 10 |
| CIANA at Layer 1: Physical | 223 | 3 |
| CIANA at Layer 2: Data Link | 226 | 2 |
| CIANA at Layer 3: Network | 228 | 1 |
| CIANA at Layer 4: Transport | 229 | 1 |
| CIANA at Layer 5: Session | 230 | 1 |
| CIANA at Layer 6: Presentation | 231 | 1 |
| CIANA at Layer 7: Application | 232 | 1 |
| Securing Networks as Systems | 233 | 5 |
| | 234 | 1 |
| Tools for the SOC and the NOC | 235 | 1 |
| Integrating Network and Security Management | 236 | 2 |
| | 238 | 1 |
| | 238 | 5 |
| | 243 | 6 |
| Chapter 6 Identity and Access Control | 249 | 48 |
| Identity and Access: Two Sides of the Same CIANA Coin | 250 | 1 |
| Identity Management Concepts | 251 | 4 |
| Identity Provisioning and Management | 252 | 2 |
| | 254 | 1 |
| | 255 | 10 |
| Subjects and Objects-Everywhere! | 257 | 1 |
| Data Classification and Access Control | 258 | 2 |
| Bell-LaPadula and Biba Models | 260 | 3 |
| | 263 | 1 |
| | 263 | 1 |
| | 264 | 1 |
| | 264 | 1 |
| Mandatory vs. Discretionary Access Control | 264 | 1 |
| | 265 | 5 |
| | 267 | 1 |
| | 268 | 1 |
| | 269 | 1 |
| Implementing and Scaling IAM | 270 | 11 |
| Choices for Access Control Implementations | 271 | 2 |
| | 273 | 1 |
| Multifactor Authentication | 274 | 2 |
| | 276 | 1 |
| | 277 | 4 |
| | 281 | 1 |
| | 282 | 1 |
| | 283 | 7 |
| | 290 | 7 |
| | 297 | 74 |
| Cryptography: What and Why | 298 | 8 |
| Codes and Ciphers: Defining Our Terms | 300 | 5 |
| Cryptography, Cryptology, or...? | 305 | 1 |
| Building Blocks of Digital Cryptographic Systems | 306 | 8 |
| | 307 | 1 |
| | 308 | 2 |
| Hashing as One-Way Cryptography | 310 | 3 |
| | 313 | 1 |
| "The Enemy Knows Your System" | 314 | 1 |
| | 314 | 3 |
| Key Storage and Protection | 315 | 1 |
| Key Revocation and Zeroization | 315 | 2 |
| Modern Cryptography: Beyond the "Secret Decoder Ring" | 317 | 3 |
| Symmetric Key Cryptography | 317 | 1 |
| Asymmetric Key (or Public Key) Cryptography | 318 | 1 |
| | 318 | 1 |
| Design and Use of Cryptosystems | 319 | 1 |
| Cryptanalysis (White Hat and Black Hat) | 319 | 1 |
| | 320 | 1 |
| Cryptographic Engineering | 320 | 1 |
| "Why Isn't All of This Stuff Secret?" | 320 | 2 |
| | 322 | 5 |
| | 322 | 1 |
| | 323 | 1 |
| | 323 | 1 |
| | 324 | 1 |
| "But I Didn't Get That Email..." | 324 | 1 |
| | 325 | 2 |
| Public Key Infrastructures | 327 | 17 |
| Diffie-Hellman-Merkle Public Key Exchange | 328 | 3 |
| RSA Encryption and Key Exchange | 331 | 1 |
| | 331 | 1 |
| | 332 | 1 |
| Digital Certificates and Certificate Authorities | 332 | 1 |
| Hierarchies (or Webs) of Trust | 333 | 4 |
| | 337 | 1 |
| | 338 | 2 |
| | 340 | 1 |
| Symmetric Key Algorithms and PKI | 341 | 1 |
| | 342 | 2 |
| Other Protocols: Applying Cryptography to Meet Different Needs | 344 | 4 |
| | 344 | 1 |
| | 345 | 1 |
| | 345 | 1 |
| | 346 | 2 |
| | 348 | 1 |
| Measures of Merit for Cryptographic Solutions | 348 | 1 |
| Attacks and Countermeasures | 349 | 8 |
| Brute Force and Dictionary Attacks | 350 | 1 |
| | 350 | 1 |
| Numeric (Algorithm or Key) Attacks | 351 | 1 |
| Traffic Analysis, "Op Intel," and Social Engineering Attacks | 352 | 1 |
| Massively Parallel Systems Attacks | 353 | 1 |
| Supply Chain Vulnerabilities | 354 | 1 |
| The "Sprinkle a Little Crypto Dust on It" Fallacy | 354 | 1 |
| | 355 | 2 |
| | 357 | 4 |
| Pervasive and Homomorphic Encryption | 358 | 1 |
| Quantum Cryptography and Post-Quantum Cryptography | 358 | 2 |
| AI, Machine Learning, and Cryptography | 360 | 1 |
| | 361 | 1 |
| | 361 | 5 |
| | 366 | 5 |
| Chapter 8 Hardware and Systems Security | 371 | 42 |
| Infrastructure Security Is Baseline Management | 372 | 4 |
| It's About Access Control | 373 | 1 |
| It's Also About Supply Chain Security | 374 | 1 |
| Do Clouds Have Boundaries? | 375 | 1 |
| Infrastructures 101 and Threat Modeling | 376 | 15 |
| | 379 | 1 |
| | 380 | 2 |
| Operating Systems Vulnerabilities | 382 | 3 |
| Virtual Machines and Vulnerabilities | 385 | 1 |
| Network Operating Systems | 386 | 2 |
| | 388 | 1 |
| | 389 | 2 |
| Malware: Exploiting the Infrastructure's Vulnerabilities | 391 | 4 |
| Countering the Malware Threat | 394 | 1 |
| Privacy and Secure Browsing | 395 | 2 |
| | 397 | 1 |
| Updating the Threat Model | 398 | 1 |
| Managing Your Systems' Security | 399 | 1 |
| | 399 | 1 |
| | 400 | 7 |
| | 407 | 6 |
| Chapter 9 Applications, Data, and Cloud Security | 413 | 64 |
| It's a Data-Driven World...At the Endpoint | 414 | 3 |
| | 417 | 3 |
| Applications Lifecycles and Security | 420 | 8 |
| The Software Development Lifecycle (SDLC) | 421 | 3 |
| Why Is (Most) Software So Insecure? | 424 | 3 |
| Hard to Design It Right, Easy to Fix It? | 427 | 1 |
| CIANA and Applications Software Requirements | 428 | 6 |
| Positive and Negative Models for Software Security | 431 | 1 |
| Is Blacklisting Dead? Or Dying? | 432 | 2 |
| Application Vulnerabilities | 434 | 2 |
| Vulnerabilities Across the Lifecycle | 434 | 2 |
| Human Failures and Frailties | 436 | 1 |
| "Shadow IT:" The Dilemma of the User as Builder | 436 | 4 |
| Data and Metadata as Procedural Knowledge | 438 | 2 |
| Information Quality and Information Assurance | 440 | 3 |
| Information Quality Lifecycle | 441 | 1 |
| Preventing (or Limiting) the "Garbage In" Problem | 442 | 1 |
| Protecting Data in Motion, in Use, and at Rest | 443 | 5 |
| Data Exfiltration I: The Traditional Threat | 445 | 1 |
| Detecting Unauthorized Data Acquisition | 446 | 1 |
| | 447 | 1 |
| Into the Clouds: Endpoint App and Data Security Considerations | 448 | 8 |
| Cloud Deployment Models and Information Security | 449 | 1 |
| Cloud Service Models and Information Security | 450 | 2 |
| Clouds, Continuity, and Resiliency | 452 | 1 |
| Clouds and Threat Modeling | 453 | 2 |
| | 455 | 1 |
| SLAs, TORs, and Penetration Testing | 456 | 1 |
| Data Exfiltration II: Hiding in the Clouds | 456 | 1 |
| Legal and Regulatory Issues | 456 | 2 |
| Countermeasures: Keeping Your Apps and Data Safe and Secure | 458 | 1 |
| | 459 | 1 |
| | 460 | 10 |
| | 470 | 7 |
| Part IV People Power: What Makes or Breaks Information Security | 477 | 92 |
| Chapter 10 Incident Response and Recovery | 479 | 46 |
| Defeating the Kill Chain One Skirmish at a Time | 480 | 5 |
| Kill Chains: Reviewing the Basics | 482 | 2 |
| | 484 | 1 |
| Incident Response Framework | 485 | 6 |
| Incident Response Team: Roles and Structures | 487 | 3 |
| Incident Response Priorities | 490 | 1 |
| | 491 | 6 |
| | 491 | 2 |
| Put the Preparation Plan in Motion | 493 | 1 |
| | 494 | 3 |
| | 497 | 5 |
| | 497 | 2 |
| | 499 | 1 |
| | 500 | 1 |
| | 500 | 1 |
| | 501 | 1 |
| Containment and Eradication | 502 | 3 |
| Evidence Gathering, Preservation, and Use | 504 | 1 |
| | 505 | 1 |
| Recovery: Getting Back to Business | 505 | 3 |
| | 506 | 2 |
| Post-Recovery: Notification and Monitoring | 508 | 1 |
| | 508 | 4 |
| | 509 | 1 |
| Support Ongoing Forensics Investigations | 510 | 1 |
| Information and Evidence Retention | 511 | 1 |
| Information Sharing with the Larger IT Security Community | 511 | 1 |
| | 512 | 1 |
| | 512 | 6 |
| | 518 | 7 |
| Chapter 11 Business Continuity via Information Security and People Power | 525 | 28 |
| | 526 | 3 |
| Surviving to Operate: Plan for It! | 529 | 2 |
| Cloud-Based "Do-Over" Buttons for Continuity, Security, and Resilience | 531 | 6 |
| CIANA at Layer 8 and Above | 537 | 6 |
| It Is a Dangerous World Out There | 539 | 2 |
| People Power for Secure Communications | 541 | 1 |
| | 542 | 1 |
| | 543 | 1 |
| | 544 | 3 |
| | 547 | 6 |
| Chapter 12 Risks, Issues, and Opportunities, Starting Tomorrow | 553 | 16 |
| | 554 | 8 |
| Access Control and Zero Trust | 555 | 1 |
| AI, ML, BI, and Trustworthiness | 556 | 1 |
| Quantum Communications, Computing, and Cryptography | 557 | 1 |
| Paradigm Shifts in Information Security? | 558 | 1 |
| Perception Management and Information Security | 559 | 1 |
| Widespread Lack of Useful Understanding of Core Technologies | 560 | 1 |
| IT Supply Chain Vulnerabilities | 561 | 1 |
| | 561 | 1 |
| | 562 | 1 |
| | 563 | 4 |
| You Cannot Legislate Security | 563 | 1 |
| It's About Managing Our Security and Our Systems | 563 | 1 |
| | 564 | 1 |
| Maintain Flexibility of Vision | 565 | 1 |
| Accountability-It's Personal. Make It So. | 565 | 1 |
| | 566 | 1 |
| | 567 | 1 |
| | 568 | 1 |
| Appendix Answers to Review Questions | 569 | 36 |
| | 570 | 6 |
| Chapter 2 Information Security Fundamentals | 576 | 3 |
| Chapter 3 Integrated Information Risk Management | 579 | 2 |
| Chapter 4 Operationalizing Risk Mitigation | 581 | 2 |
| Chapter 5 Communications and Network Security | 583 | 3 |
| Chapter 6 Identity and Access Control | 586 | 3 |
| | 589 | 3 |
| Chapter 8 Hardware and Systems Security | 592 | 2 |
| Chapter 9 Applications, Data, and Cloud Security | 594 | 3 |
| Chapter 10 Incident Response and Recovery | 597 | 4 |
| Chapter 11 Business Continuity via Information Security and People Power | 601 | 4 |
| Index | 605 | |