Security Operations and Administration (ISC)2 SSCP CBK PDF

Summary

This document is the sixth edition of the (ISC)2 SSCP CBK Reference, covering security operations and administration. It details various security concepts, professional ethics, and operational aspects of cybersecurity. It's written by Michael S. Wills.

Full Transcript

The Official (ISC)2® SSCP® CBK® Reference Sixth Edition The Official (ISC) ® 2 SSCP® CBK® Reference Sixth Edition MICHAEL S. WILLS, SSCP, CISSP, CAMS Copyright © 2022 by (ISC)2 Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada. 97...

The Official (ISC)2® SSCP® CBK® Reference Sixth Edition The Official (ISC) ® 2 SSCP® CBK® Reference Sixth Edition MICHAEL S. WILLS, SSCP, CISSP, CAMS Copyright © 2022 by (ISC)2 Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada. 978-1-119-87486-7 978-1-119-87488-1 (ebk.) 978-1-119-87487-4 (ebk.) No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permission. Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Website is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Website may provide or recommendations it may make. Further, readers should be aware the Internet Websites listed in this work may have changed or disappeared between when this work was written and when it is read. For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002. Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be avail- able in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com. Library of Congress Control Number: 2022930202 Trademarks: WILEY, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permis- sion. (ISC)2, SSCP, and CBK are registered trademarks or certification marks of International Information Systems Certification Consortium, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book. Cover design: Wiley and (ISC)2 Acknowledgments This newly revised sixth edition that you hold in your hands is the culmination of more than a year of effort with the team at (ISC)2 that I had the privilege of working with. This Common Book of Knowledge reflects the consensus across that team of the know-how that SSCPs need, on the job, to be part of maintaining the safety, security, integrity, and availability of the infor- mation systems we all depend upon. Where it achieves that objective, and provides you value in the years to come—is a tes- tament to the generosity of everyone on that combined set of project teams in sharing their insights with me. (And where it fails to work well, or work at all, it’s my own darned fault.) Countless hours on Zoom and Webex with subject-matter experts like Graham Thornbur- row-Dobson, John Warsinksi, Maytal Brooks-Kempler, Laural Hargadon, and Fabio Cerullo sharpened my thinking and focused my writing more toward the operational aspects of cyber- security and less on the theoretical. A special thank-you too goes out to Kaitlyn Langenbacher, the project owner for those updates at (ISC)2, and all of the editors and proofreaders working with her; throughout all of that, the support, questions, and co-creativity they brought made this work a truly joint, collaborative one. I would also like to acknowledge my faculty team- mates here at Embry-Riddle Aeronautical University for sharing their frank and candid views throughout many conversations on making this body of knowledge accessible and engaging in the classroom. The ideas and experiences of Drs. Aaron Glassman and Jason Clark have also profoundly affected my approach to what you see before you here in this book. Since this book needed to speak to troubleshooters, I drew on decades of teaching I’d received from many professionals in the military, in government, and in the private sector about the fine art and brute-force cybernetics of debugging networks, systems, highly secure communications systems, and all of the arcana of controlling space-based systems working many different missions. I’ve also drawn on years of working with small and medium but other- wise rather down-to-earth business IT systems and what it took to get them back into operations. Where that problem-solving focus comes through clearly and helps you shoot the troubles you have to deal with, I owe a great debt of thanks to those who let me learn how in real time. Without the tireless support of the editorial team at Wiley/Sybex—especially Jim Minatel and Pete Gaughan—I think I’d still be struggling with unflowing the lessons and reflowing them into reference and troubleshooting memory-joggers. The technical review by Graham Thornburrow-Dobson, as well as by Tara Zeiler and Fabio Cerullo at (ISC)2, have all helped make what you have in your hands right now deliver the right content in the best way pos- sible. Tracy Brown, Barath Kumar Rajasekaran, Kim Wimpsett, and the rest of the team of v proofreaders and copyeditors made it all look great too! Any remaining mistakes, omissions, or confusing passages that remain are mine and no one else’s; let me know please when you find one! Finally, I wish to thank my wife Nancy. She saved my life and brought me peace. Her strength inspired me to say “yes” one more time when Jim called me, again, about doing this book, and she has kept both of us healthy and happy throughout. We go together, on adven- tures like writing, and on ones for which we do need to pack a pocket handkerchief. vi Acknowledgments About the Author Michael S. Wills, SSCP, CISSP, CAMS, is Assistant Professor of Applied and Innovative Information Technologies at the College of Business, Embry-Riddle Aeronautical University—Worldwide, where he continues his graduate and undergraduate teaching and research in cybersecurity and information assurance. Mike has also been an advisor on science and technology policy to the UK’s Joint Intelligence Committee, Ministry of Justice, and Defense Sci- ence and Technology Laboratories, helping them to evolve an operational and policy consen- sus relating topics from cryptography and virtual worlds, through the burgeoning surveillance society, to the proliferation of weapons of mass disruption (not just “destruction”) and their effects on global, regional, national, and personal security. For a time, this had him sometimes known as the UK’s nonresident expert on outer space law. Mike has been supporting the work of (ISC)2 by writing, editing, and updating books, study guides, and course materials for both their SSCP and CISSP programs. He wrote the SSCP Official Study Guide 2nd Edition in 2019, followed quickly by the SSCP Official Common Book of Knowledge 5th Edition. He was lead author for the 2021 update of (ISC)2’s official CISSP and SSCP training materials. Mike has also contributed to several industry roundtables and white papers on digital identity and cyber fraud detection and prevention and has been a panelist and webinar presenter on these and related topics for ACAMS. Mike earned his BS and MS degrees in computer science, both with minors in electri- cal engineering, from Illinois Institute of Technology, and his MA in Defence Studies from King’s College, London. He is a graduate of the Federal Chief Information Officer program at National Defense University and the Program Manager’s Course at Defense Systems Manage- ment College. Mike and his wife Nancy currently call Wexford, Ireland, their home. Living abroad since the end of the last century, they find new perspectives, shared values, and wonderful people wherever they go. As true digital nomads, it’s getting time to move again. Where to? They’ll find out when they get there. vii About the Technical Editor Graham Thornburrow-Dobson, CISSP, SSCP, is a security consultant and instructor with more than 30 years of experience in IT, with 20 years focused on IT security and related training. Graham is an authorized (ISC)2 instructor who has delivered security training to a wide range of security professionals globally via both classroom-based and online training. Graham has also been supporting the efforts of (ISC)2 in the continued development of their CISSP, SSCP, and ISSAP programs as both a writer and a technical editor. Graham currently resides in Lincolnshire, United Kingdom. Graham would add more, but, hey, security! ix Contents at a Glance Forewordxxiii Introductionxxv CHAPTER 1: SECURITY OPERATIONS AND ADMINISTRATION 1 CHAPTER 2: ACCESS CONTROLS 83 CHAPTER 3: RISK IDENTIFICATION, MONITORING, AND ANALYSIS 147 CHAPTER 4: INCIDENT RESPONSE AND RECOVERY 247 CHAPTER 5: CRYPTOGRAPHY335 CHAPTER 6: NETWORK AND COMMUNICATIONS SECURITY 467 CHAPTER 7: SYSTEMS AND APPLICATION SECURITY 649 APPENDIX:    CROSS-DOMAIN CHALLENGES 731 Index 769 xi Contents Foreword xxiii Introductionxxv CHAPTER 1: SECURITY OPERATIONS AND ADMINISTRATION 1 Comply with Codes of Ethics 2 Understand, Adhere to, and Promote Professional Ethics 3 (ISC)2 Code of Ethics 4 Organizational Code of Ethics 5 Understand Security Concepts 6 Conceptual Models for Information Security 7 Confidentiality 8 Integrity 15 Availability 17 Accountability 18 Privacy 18 Nonrepudiation 26 Authentication 27 Safety 28 Fundamental Security Control Principles 29 Access Control and Need-to-Know 34 Job Rotation and Privilege Creep 35 Document, Implement, and Maintain Functional Security Controls 37 Deterrent Controls 37 Preventative Controls 39 Detective Controls 39 Corrective Controls 40 Compensating Controls 41 The Lifecycle of a Control 42 xiii Participate in Asset Management 43 Asset Inventory 44 Lifecycle (Hardware, Software, and Data) 47 Hardware Inventory 48 Software Inventory and Licensing 49 Data Storage 50 Implement Security Controls and Assess Compliance 56 Technical Controls 57 Physical Controls 58 Administrative Controls 61 Periodic Audit and Review 64 Participate in Change Management 66 Execute Change Management Process 68 Identify Security Impact 70 Testing/Implementing Patches, Fixes, and Updates 70 Participate in Security Awareness and Training 71 Security Awareness Overview 72 Competency as the Criterion 73 Build a Security Culture, One Awareness Step at a Time 73 Participate in Physical Security Operations 74 Physical Access Control 74 The Data Center 78 Service Level Agreements 79 Summary 82 CHAPTER 2: ACCESS CONTROLS 83 Access Control Concepts 85 Subjects and Objects 86 Privileges: What Subjects Can Do with Objects 88 Data Classification, Categorization, and Access Control 89 Access Control via Formal Security Models 91 Implement and Maintain Authentication Methods 94 Single-Factor/Multifactor Authentication 95 Accountability 114 Single Sign-On 116 Device Authentication 117 Federated Access 118 Support Internetwork Trust Architectures 120 Trust Relationships (One-Way, Two-Way, Transitive) 121 Extranet 122 xiv Contents Third-Party Connections 123 Zero Trust Architectures 124 Participate in the Identity Management Lifecycle 125 Authorization 126 Proofing 127 Provisioning/Deprovisioning 128 Identity and Access Maintenance 130 Entitlement 134 Identity and Access Management Systems 137 Implement Access Controls 140 Mandatory vs. Discretionary Access Control 141 Role-Based 142 Attribute-Based 143 Subject-Based 144 Object-Based 144 Summary 145 CHAPTER 3: RISK IDENTIFICATION, MONITORING, AND ANALYSIS 147 Defeating the Kill Chain One Skirmish at a Time 148 Kill Chains: Reviewing the Basics 151 Events vs. Incidents 155 Understand the Risk Management Process 156 Risk Visibility and Reporting 159 Risk Management Concepts 165 Risk Management Frameworks 185 Risk Treatment 195 Perform Security Assessment Activities 203 Security Assessment Workflow Management 204 Participate in Security Testing 206 Interpretation and Reporting of Scanning and Testing Results 215 Remediation Validation 216 Audit Finding Remediation 217 Manage the Architectures: Asset Management and Configuration Control 218 Operate and Maintain Monitoring Systems 220 Events of Interest 222 Logging 229 Source Systems 230 Legal and Regulatory Concerns 236 Analyze Monitoring Results 238 Security Baselines and Anomalies 240 Visualizations, Metrics, and Trends 243 Contents xv Event Data Analysis 244 Document and Communicate Findings 245 Summary 246 CHAPTER 4: INCIDENT RESPONSE AND RECOVERY 247 Support the Incident Lifecycle 249 Think like a Responder 253 Physical, Logical, and Administrative Surfaces 254 Incident Response: Measures of Merit 254 The Lifecycle of a Security Incident 255 Preparation 257 Detection, Analysis, and Escalation 264 Containment 275 Eradication 277 Recovery 279 Lessons Learned; Implementation of New Countermeasures 283 Third-Party Considerations 284 Understand and Support Forensic Investigations 287 Legal and Ethical Principles 289 Logistics Support to Investigations 291 Evidence Handling 292 Evidence Collection 297 Understand and Support Business Continuity Plan and Disaster Recovery Plan Activities 306 Emergency Response Plans and Procedures 307 Interim or Alternate Processing Strategies 310 Restoration Planning 313 Backup and Redundancy Implementation 315 Data Recovery and Restoration 319 Training and Awareness 321 Testing and Drills 322 CIANA+PS at Layer 8 and Above 328 It Is a Dangerous World Out There 329 People Power and Business Continuity 333 Summary 333 CHAPTER 5: CRYPTOGRAPHY 335 Understand Fundamental Concepts of Cryptography 336 Building Blocks of Digital Cryptographic Systems 339 Hashing 347 xvi Contents Salting 351 Symmetric Block and Stream Ciphers 353 Stream Ciphers 365 EU ECRYPT 371 Asymmetric Encryption 371 Elliptical Curve Cryptography 380 Nonrepudiation 383 Digital Certificates 388 Encryption Algorithms 392 Key Strength 393 Cryptographic Attacks, Cryptanalysis, and Countermeasures 395 Cryptologic Hygiene as Countermeasures 396 Common Attack Patterns and Methods 401 Secure Cryptoprocessors, Hardware Security Modules, and Trusted Platform Modules 409 Understand the Reasons and Requirements for Cryptography 414 Confidentiality 414 Integrity and Authenticity 415 Data Sensitivity 417 Availability 418 Nonrepudiation 418 Authentication 420 Privacy 421 Safety 422 Regulatory and Compliance 423 Transparency and Auditability 423 Competitive Edge 424 Understand and Support Secure Protocols 424 Services and Protocols 425 Common Use Cases 437 Deploying Cryptography: Some Challenging Scenarios 442 Limitations and Vulnerabilities 444 Understand Public Key Infrastructure Systems 446 Fundamental Key Management Concepts 447 Hierarchies of Trust 459 Web of Trust 462 Summary 464 Contents xvii CHAPTER 6: NETWORK AND COMMUNICATIONS SECURITY 467 Understand and Apply Fundamental Concepts of Networking 468 Complementary, Not Competing, Frameworks 470 OSI and TCP/IP Models 471 OSI Reference Model 486 TCP/IP Reference Model 501 Converged Protocols 508 Software-Defined Networks 509 IPv4 Addresses, DHCP, and Subnets 510 IPv4 Address Classes 510 Subnetting in IPv4 512 Running Out of Addresses? 513 IPv4 vs. IPv6: Key Differences and Options 514 Network Topographies 516 Network Relationships 521 Transmission Media Types 525 Commonly Used Ports and Protocols 530 Understand Network Attacks and Countermeasures 536 CIANA+PS Layer by Layer 538 Common Network Attack Types 553 SCADA, IoT, and the Implications of Multilayer Protocols 562 Manage Network Access Controls 565 Network Access Control and Monitoring 568 Network Access Control Standards and Protocols 573 Remote Access Operation and Configuration 575 Manage Network Security 583 Logical and Physical Placement of Network Devices 586 Segmentation 587 Secure Device Management 591 Operate and Configure Network-Based Security Devices 593 Network Address Translation 594 Additional Security Device Considerations 596 Firewalls and Proxies 598 Network Intrusion Detection/Prevention Systems 605 Security Information and Event Management Systems 607 Routers and Switches 609 Network Security from Other Hardware Devices 610 Traffic-Shaping Devices 613 xviii Contents Operate and Configure Wireless Technologies 615 Wireless: Common Characteristics 616 Wi-Fi 624 Bluetooth 637 Near-Field Communications 638 Cellular/Mobile Phone Networks 639 Ad Hoc Wireless Networks 640 Transmission Security 642 Wireless Security Devices 645 Summary 646 CHAPTER 7: SYSTEMS AND APPLICATION SECURITY 649 Systems and Software Insecurity 650 Software Vulnerabilities Across the Lifecycle 654 Risks of Poorly Merged Systems 663 Hard to Design It Right, Easy to Fix It? 664 Hardware and Software Supply Chain Security 667 Positive and Negative Models for Software Security 668 Is Blocked Listing Dead? Or Dying? 669 Information Security = Information Quality + Information Integrity 670 Data Modeling 671 Preserving Data Across the Lifecycle 674 Identify and Analyze Malicious Code and Activity 678 Malware 679 Malicious Code Countermeasures 682 Malicious Activity 684 Malicious Activity Countermeasures 688 Implement and Operate Endpoint Device Security 689 HIDS 691 Host-Based Firewalls 692 Allowed Lists: Positive Control for App Execution 693 Endpoint Encryption 694 Trusted Platform Module 695 Mobile Device Management 696 Secure Browsing 697 IoT Endpoint Security 700 Endpoint Security: EDR, MDR, XDR, UEM, and Others 701 Operate and Configure Cloud Security 701 Deployment Models 702 Contents xix Service Models 703 Virtualization 706 Legal and Regulatory Concerns 709 Data Storage and Transmission 716 Third-Party/Outsourcing Requirements 716 Lifecycles in the Cloud 717 Shared Responsibility Model 718 Layered Redundancy as a Survival Strategy 719 Operate and Secure Virtual Environments 720 Software-Defined Networking 723 Hypervisor 725 Virtual Appliances 726 Continuity and Resilience 727 Attacks and Countermeasures 727 Shared Storage 729 Summary 730 APPENDIX: CROSS-DOMAIN CHALLENGES 731 Paradigm Shifts in Information Security? 732 Pivot 1: Turn the Attackers’ Playbooks Against Them 734 ATT&CK: Pivoting Threat Intelligence 734 Analysis: Real-Time and Retrospective 735 The SOC as a Fusion Center 737 All-Source, Proactive Intelligence: Part of the Fusion Center 738 Pivot 2: Cybersecurity Hygiene: Think Small, Act Small 739 CIS IG 1 for the SMB and SME 740 Hardening Individual Cybersecurity 740 Assume the Breach 742 Pivot 3: Flip the “Data-Driven Value Function” 743 Data-Centric Defense and Resiliency 744 Ransomware as a Service 745 Supply Chains, Security, and the SSCP 746 ICS, IoT, and SCADA: More Than SUNBURST 747 Extending Physical Security: More Than Just Badges and Locks 749 The IoRT: Robots Learning via the Net 750 Pivot 4: Operationalize Security Across the Immediate and Longer Term 751 Continuous Assessment and Continuous Compliance 752 SDNs and SDS 753 xx Contents SOAR: Strategies for Focused Security Effort 755 A “DevSecOps” Culture: SOAR for Software Development 756 Pivot 5: Zero-Trust Architectures and Operations 757 FIDO and Passwordless Authentication 760 Threat Hunting, Indicators, and Signature Dependence 761 Other Dangers on the Web and Net 763 Surface, Deep, and Dark Webs 763 Deep and Dark: Risks and Countermeasures 764 DNS and Namespace Exploit Risks 765 Cloud Security: Edgier and Foggier 766 Curiosity as Countermeasure 766 Index 769 Contents xxi Foreword WELCOME TO THE OFFICIAL (ISC)2 SSCP CBK Reference! By picking up this book, you have demonstrated your commitment to continuing your professional education and have made the decision to take the next step in your career. An (ISC)2 Systems Security Certified Practitioner (SSCP) credential shows an understanding of and proficiency with the hands-on technical work that is needed in the information security field. The certification is ideal for IT professionals responsible for the hands-on operational security of their organiza- tions’ critical assets, including those in positions such as network security engineers, systems administrators and engineers, security analysts, consultants and administrators, database admin- istrators, and network analysts. It demonstrates that you closely follow best practices, policies, and procedures in accor- dance with the SSCP Common Body of Knowledge. Whether you are using this guide to supplement your preparation to sit for the exam or you are an existing SSCP member using this as a reference, this book helps to facilitate the practical knowledge you need to assure strong information security for your organization’s daily operations. (ISC)2 promotes the development of information security professionals throughout the world. As an SSCP with all the benefits of (ISC)2 membership, you will become part of a global network of more than 160,000 certified professionals who are working to inspire a safe and secure cyber world. By becoming a member of (ISC)2 you will have also officially committed to ethical conduct that aligns with your position of trust as a cybersecurity professional. Reflecting the most pertinent issues that security practitioners currently face, along with the best practices for mitigating those issues, The Official (ISC)2 SSCP CBK Reference offers step- by-step guidance through the seven different domains included in the exam, which are: Access Controls Security Operations and Administration Risk Identification, Monitoring and Analysis Incident Response and Recovery xxiii Cryptography Networks and Communications Security Systems and Application Security Drawing from a comprehensive, up-to-date global body of knowledge, this book prepares you to join thousands of practitioners worldwide who have obtained the SSCP. For those with proven technical skills and practical security knowledge, the SSCP cer- tification is the ideal credential. The SSCP confirms the breadth and depth of practical security knowledge expected of those in hands-on operational IT roles. The certification provides industry-leading confirmation of a practitioner’s ability to implement, monitor, and administer information security policies and procedures that ensure data confidenti- ality, integrity, and availability (CIA). The goal for SSCP credential holders is to achieve the highest standard for cyberse- curity expertise—managing multiplatform IT systems while keeping sensitive data secure. This becomes especially crucial in the era of digital transformation, where cybersecurity permeates virtually every data stream. Organizations that can demonstrate world-class cybersecurity capabilities and trusted transaction methods enable customer loyalty and fuel success. The opportunity has never been greater for dedicated professionals like yourself to carve out a meaningful career and make a difference in their organizations. The Official (ISC)2 SSCP CBK Reference will be your constant companion in protecting and securing the critical data assets of your organization, and it will serve you for years to come as you progress in your career. I wish you luck on the exam and success in your next step along your career path. Best regards, Clar Rosso, CEO, (ISC)2 xxiv Foreword Introduction CONGRATULATIONS ON CHOOSING TO become a Systems Security Certified Practitioner (SSCP)! In making this choice, you’re signing up to join the professionals who strive to keep our information-based modern world safe, secure, and reliable. SSCPs and other information security professionals help businesses and organizations keep private data private and help to ensure that published and public-facing information stays unchanged and unhacked. Whether you are new to the fields of information security, information assurance, or cybersecurity, or you’ve been working with these concepts, tools, and ideas for some time now, this book is here to help you grow your knowledge, skills, and abilities as a systems security professional. Let’s see how! ABOUT THIS BOOK You’re here because you need a ready reference source of ideas, information, knowledge, and experience about information systems security. Users of earlier editions of the CBK describe it as the place to go when you need to look up something about bringing your systems or networks back up and online—when you can’t exactly Google it. As a first responder in an information security incident, you may need to rely on what you know and what you’ve got at hand as you characterize, isolate, and contain an intruder and their malware or other causal agents. This book cannot answer all of the questions you’ll have in real time, but it may just remind you of important concepts as well as critical details when you need them. As with any reference work, it can help you think your way through to a solution. By taking key definitions and concepts and operationalizing them, showing how they work in practice, this book can enrich the checklists, troubleshooting guides, and task-focused procedures that you may already be using in your work. xxv The SSCP Seven Domains This book directly reflects the SSCP Common Body of Knowledge, which is the com- prehensive framework that (ISC)2 has developed to express what security professionals should have working knowledge of. These domains include theoretical knowledge, industry best practices, and applied skills and techniques. Chapter by chapter, this book takes you through these domains, with major headings within each chapter being your key to finding what you need when you need it. Topics that are covered in more than one domain will be found within sections or subsections in each chapter as appropriate. This Sixth Edition has been updated to reflect (ISC)2’s Domain Content Outline, released in November 2021. This outline update changed the relative order of the first two domains, but largely kept the topics within each domain the same. Revisions, clarifi- cations, and additions have been made throughout, while a new Appendix brings topics from across those Domains together to provide you assistance with today’s thorniest of information security challenges. (ISC)2 is committed to helping members learn, grow, and thrive. The Common Body of Knowledge (CBK) is the comprehensive framework that helps it fulfill this commitment. The CBK includes all the relevant subjects a security profes- sional should be familiar with, including skills, techniques, and best practices. (ISC)2 uses the various domains of the CBK to test a certificate candidate’s levels of expertise in the most critical aspects of information security. You can see this framework in the SSCP Exam Outline at https://www.isc2.org/-/media/ISC2/Certifications/ Exam-Outlines/2021/SSCP-Exam-Outline-English-Nov-2021.ashx?la=en&hash=ABCB9E34548D2E8170ADA04EAAD3003F5577D3F5 Successful candidates are competent in the following seven domains: Domain 1 Security Operations and Administration  Identification of informa- tion assets and documentation of policies, standards, procedures, and guidelines that ensure confidentiality, integrity, and availability, such as: 1.1 Comply with codes of ethics. 1.2 Understand security concepts. 1.3 Identify and implement security controls. 1.4 Document and maintain functional security controls. 1.5 Participate in asset management lifecycle (hardware, software, and data). 1.6 Participate in change management lifecycle. 1.7 Participate in implementing security awareness and training (e.g., social engineering/phishing). 1.8 Collaborate with physical security operations (e.g., data center assessment, badging). xxvi Introduction Domain 2 Access Controls  Policies, standards, and procedures that define users (human and nonhuman) as entities with identities that are approved to use an organi- zation’s systems and information assets, what they can do, which resources and infor- mation they can access, and what operations they can perform on a system, such as: 2.1 Implement and maintain authentication methods. 2.2 Support internetwork trust architectures. 2.3 Participate in the identity management lifecycle. 2.4 Understand and apply access controls. Domain 3 Risk Identification, Monitoring, and Analysis   Risk identification is the review, analysis, and implementation of processes essential to the identification, measurement, and control of loss associated with unplanned adverse events. Monitoring and analysis are determining system implementation and access in accor- dance with defined IT criteria. This involves collecting information for identification of, and response to, security breaches or events, such as: 3.1 Understand the risk management process. 3.2 Understand legal and regulatory concerns (e.g., jurisdiction, limitations, privacy). 3.3 Participate in security assessment and vulnerability management activities. 3.4 Operate and monitor security platforms (e.g., continuous monitoring). 3.5 Analyze monitoring results. Domain 4 Incident Response and Recovery  Prevent. Detect. Respond. Recover. Incident response and recovery focus on the near real-time actions that must take place if the organization is to survive a cyberattack or other information security incident, get back into operation, and continue as a viable entity. In this domain, the SSCP gains an understanding of how to handle incidents using consistent, applied approaches within a framework of business continuity planning (BCP) and disaster recovery planning (DRP). These approaches are utilized to mitigate damages, recover business operations, and avoid critical business interruption: 4.1 Support incident lifecycle (e.g., National Institute of Standards and Technology [NIST], International Organization for Standardization [ISO]). 4.2 Understand and support forensic investigations. 4.3 Understand and support business continuity plan (BCP) and disaster recovery plan (DRP) activities. Domain 5 Cryptography  The protection of information using techniques that ensure its integrity, confidentiality, authenticity, and nonrepudiation, and the recovery of encrypted information in its original form: Introduction xxvii 5.1 Understand reasons and requirements for cryptography. 5.2 Apply cryptography concepts. 5.3 Understand and implement secure protocols. 5.4 Understand and support public key infrastructure (PKI) systems. Domain 6 Network and Communications Security    The network structure, transmission methods and techniques, transport formats, and security measures used to operate both private and public communication networks: 6.1 Understand and apply fundamental concepts of networking. 6.2 Understand network attacks (e.g., distributed denial of service [DDoS], man-in- the-middle [MITM], Domain Name System [DNS] poisoning) and countermeasures (e.g., content delivery networks [CDN]). 6.3 Manage network access controls. 6.4 Manage network security. 6.5 Operate and configure network-based security devices. 6.6 Secure wireless communications. Domain 7 Systems and Application Security  Countermeasures and prevention techniques for dealing with viruses, worms, logic bombs, Trojan horses, and other related forms of intentionally created damaging code: 7.1 Identify and analyze malicious code and activity. 7.2 Implement and operate endpoint device security. 7.3 Administer Mobile Device Management (MDM). 7.4 Understand and configure cloud security. 7.5 Operate and maintain secure virtual environments. Appendix: Cross-Domain Challenges   In 2020 and 2021, the world was rocked by the Covid-19 pandemic and a significant increase in the complexity, scale, and severity of cybercrime and cyber attacks on businesses, government services, and critical infrastructures. In response, information security professionals around the globe worked tirelessly to address incident response and recovery. They also worked to improve systems hardening and intrusion detection techniques. Many of the per- sistent (and pernicious) attack strategies exploit aspects of nearly every topic in every SSCP Domain. Here in the CBK, the appendix offers five sets of strategies that can help security professionals shift the offense-versus-defense struggle more into the defense’s favor. These five shifts or pivots are: Turn the attackers’ playbooks against them. Cybersecurity hygiene: think small, act small. xxviii Introduction Flip the “data-driven value function.” Operationalizing security across the immediate and longer term. Zero-trust architectures and operations. The appendix also helps put the challenges of maintaining information security at the interface between an organization’s IT systems and its operational technology (OT) ones. Since 2019, cyber attacks on process controls, autonomous devices, smart buildings elements, and Internet of Things (IoT) systems have disrupted many organizations. The pressure is on for SSCPs and other information security professionals to better under- stand the security and safety issues related to how their organization’s data actually makes physical actions take place; the appendix provides you some places to start. Using This Book to Defeat the Cybersecurity Kill Chain Your employers or clients have entrusted the safety and security of their information systems to you, as one of their on-site information security professionals. Those systems are under constant attack—not just the threat of attack. Each day, the odds are great that somebody is knocking at your electronic front doors, trying the e-window latches on your organization’s web pages, and learning about your information systems and how you use them. That’s reconnaissance in action, the first step in the cybersecurity kill chain. As an SSCP you’re no doubt aware of the cybersecurity kill chain, as a summary of how advanced persistent threat (APT) actors plan and conduct their attacks against many private and public organizations, their IT infrastructures, and their information assets and systems. Originally developed during the 1990s by applying military planning doctrines of effects-based targeting, this kill chain is similar to the value chain concept used by businesses and public-sector organizations around the world. Both value chains and kill chains start with the objective—the desired end state or result—and work backward, all the way back to choosing the right targets to attack in the first place.1 Lockheed-Martin first published its cybersecurity kill chain in 2011; the MITRE Corporation, a federally funded research and development corporation (FFRDC), expanded on this in 2018 with its threat-based Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework. ATT&CK takes the kill chain concept down into the tactics, techniques, and procedures used by squad-level and individual soldiers in the field. (Note that in military parlance, planning flows from strategic, through operational, to tactical; but common 1 I had the privilege of developing and teaching some of these evolving concepts at the U.S. National Defense University’s School of Information Warfare and Strategy, 1998-2000. At the School, we made extensive use of the “Strategic Information Warfare” series of publications by Roger C. Molander and others at the RAND Corporation, which were exploring this backward chain from desired strategic effect to the “kill effect” required of attacks on information and information systems. Introduction xxix business-speak usage flips the names of the last two steps, looking at business operations as being the point-of-contact steps with customers, and the tactical layer of planning translating strategic objectives into manageable, measurable, value-producing packages of work.) ATT&CK as a framework is shown in Figure I.1, highlighting the two major phases that defenders need to be aware of and engaged with: prestrike planning and the enterprise-level targeted strikes at your systems, your data, and your mission. Recon Deliver Control Maintain Weaponize Exploit Execute Priority Definition Initial Access ∙ Planning, Direction Execution Target Selection Persistence Information Gathering Privilege Escalation ∙ Technical, People, Organizational Defense Evasion Weakness Identification Credential Access ∙ Technical, People, Organizational Discovery Adversary OpSec Lateral Movement Establish & Maintain Infrastructure Collection Persona Development Exfiltration Build Capabilities Command and Control Test Capabilities Stage Capabilities FIGURE I.1 MITRE’s ATT&CK cybersecurity kill chain model © 2018 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE, Lockheed Martin, and others may give slightly different names to the dif- ferent phases of their kill chain models. For example, MITRE’s combines exploitation with installation, while emphasizing the persistent presence of the adversary inside your systems as they maintain their capabilities to quietly wreak havoc and achieve their objectives. The names of the phases aren’t important; their underlying flow of ideas is what matters. To date, there does not seem to be any evidence that any given attacker has used exactly one planning model or another. There is abundant evidence, however, that defenders who do not understand these models pay for their ignorance—or, more pre- cisely, their employers and clients do. Combining these two models gives us eight phases of the life of an APT’s kill chain and suggests which domains of knowledge (and therefore which chapters) may be your first ports of call as you plan to detect, prevent, degrade, or defeat the individual tasks that might make up each step in such a kill chain’s operation. These are shown in Table I.1. xxx Introduction TABLE I.1 Kill Chain Phases Mapped to Chapters KILL CHAIN PHASE ATTACK OPERATIONS DEFENSIVE OPTIONS Reconnaissance All-source intelligence gathering to inform All chapters: enhance over- the attack: OSINT, scanning, early intrusion, all risk/security posture, social engineering awareness, vigilance Weaponization Select and prepare access techniques and Chapters 2, 7 pathways Delivery Email, USBs, URLs, access control gaps, etc. Chapters 1, 2, 5, 6, 7 Exploitation Malware, rootkit exploits, live off the land Chapters 2, 4, 6, 7 Installation Backdoors, false or subverted user IDs Chapters 2, 7 Command & Control Privilege escalation, credential access; lateral Chapters 1, 2, 4, 6 movement; find, fix, select in-system targets Execute the Attack Exfiltrate; corrupt; encrypt for ransom; Chapters 4, 5 springboard to other targets Maintain Hostile Continue to exploit target’s systems and Chapters 2, 4, 6, 7 Presence data; continue hiding one’s tracks You might be wondering why all chapters seem to apply to the Reconnaissance phase. The key to this is to recognize that the attacker will seek to find all possible sources of information about your organization, its business associates and relationships, its commu- nications patterns, and its IT systems. APTs seek understanding of their targets’ business and social networks, the “watering holes” where their people gather to collaborate with others in their trade or market. They’ll try to suck up every unencrypted, unprotected, unsecured bit of anything that might be of use to them, as they determine your value to them as a set of exploitable opportunities. As the defender, this is your first clear opportu- nity to practice what insurance companies call “all-risks coverage” by exerting all possible efforts to identify, prioritize, and control all hazards that your systems and your organiza- tion might be exposed to. The attack execution phase, by contrast, must rely heavily on your organization’s abil- ity to detect and respond in real time, or as close to real time as you can manage. Indus- try-wide, we’re not doing too well on this front. It takes businesses and organizations an average of 190 days to detect an intrusion into their IT systems, according to research for IBM Security done by the Ponemon Institute in 2021.2 On average, worldwide, any given 2 Ponemon Institute LLC, for IBM Security. “2021 Cost of a Data Breach Study: Global Overview.” Other sources, particularly business news media in India and Asia, have claimed as high as 220 days for this average, but there is little hard data to support this larger claim. Either way, this is seriously bad news. Introduction xxxi business may suffer as much as $3.86 million USD in losses due to a data breach attack. A ransom attack, however, can demand $50 million USD or more in payouts. Those firms that have chosen not to pay off their attackers have reportedly suffered even greater losses. The same research conducted by Ponemon, by the way, demonstrates that having an effective security incident response plan in place, with first responders properly trained and equipped, can save at least $340,000 per incident. As an SSCP, you’ve got your work cut out for you. Let this book be one of the many sources of knowledge, experience, and information you can count on, before, during, and after intruders start to target your organization’s information, its systems, and its very existence. WHERE DO YOU GO FROM HERE? The world of information systems security is constantly changing. You need to continu- ally grow your skills and keep up with the latest changes in the ways that businesses and organizations use the Internet and information technologies, as well as how the threat actors continually evolve to find new and different ways to exploit our systems against us. As a digital citizen of the 21st century, staying current—staying on the cutting edge of change, if not sometimes on the bleeding edge of it—is part of how you meet your due care and due diligence responsibilities to your clients, to your employers, and to the larger society around you. As a recognized member of that profession, the world expects you to stay sharp, stay focused, and stay informed. That journey begins with this book, which provides you with a tangible foundation for your learning, exploration, and discovery. As a resource, this book provides the follow- ing strengths: It provides context. The domain-based structure maps concepts, ideas, problems, and solutions into a comfortable, straightforward framework that should make it easier to find what you need when you need it and find it positioned in a proper context. This book grounds you in the fundamental concepts, principles, design standards, and practices that are an invaluable resource. It extends your memory, as all reference works can do, as it shows you best prac- tices in action, focused on the essentials and, again, in context. It provides clarity that can help you quickly orient to an issue or situation, while establishing links in your mind’s eye to other related or important information. xxxii Introduction The SSCP CBK and Your Professional Growth Path As an international, nonprofit membership association with more than 160,000 mem- bers, (ISC)2 has worked since its inception in 1989 to serve the needs for standardization and certification in the cybersecurity workplaces around the world. Since then, (ISC)2’s founders and members have been shaping the information security profession and have developed the following information security certifications: Certified Information Systems Security Professional (CISSP): The CISSP is an experienced professional who holds the most globally recognized standard of achievement in the industry and is the first information security credential to meet the strict conditions of ISO/IEC Standard 17024. The CISSP certification has three concentrations: Certified Information Systems Security Professional: Information Systems Security Architecture Professional (CISSP: ISSAP): The CISSP-ISSAP is a chief security architect, analyst, or other professional who designs, builds, and oversees the implementation of network and computer security for an organization. The CISSP-ISSAP may work as an independent consultant or other professional who provides operational guidance and direction to support business strategies. Certified Information Systems Security Professional: Information Systems Security Engineering Professional (CISSP-ISSEP): The CISSP-ISSEP can effectively incorporate security into all facets of business operations. Certified Information Systems Security Professional: Information Systems Security Management Professional (CISSP-ISSMP): The CISSP-ISSMP is a cybersecurity manager who demonstrates deep management and leadership skills and excels at establishing, presenting, and governing information secu- rity programs. Systems Security Certified Practitioner (SSCP): The SSCP is a high-value practitioner who demonstrates technical skills in implementing, monitoring, and administering IT infrastructure using information security policies and proce- dures. The SSCP’s commitment to continuous learning and practice ensures con- sistent information assurance. Certified Cloud Security Professional (CCSP): The CCSP is a globally recog- nized professional who demonstrates expertise and implements the highest stan- dards in cloud security. Introduction xxxiii Certified Authorization Professional (CAP): The CAP is a leader in information security and aligns information systems with the risk management framework (RMF). The CAP certification covers the RMF at an extensive level, and it’s the only certification under the DoD 8570/DoD 8140 Approved Baseline Certifica- tions that aligns to each of the RMF steps. Certified Secure Software Lifecycle Professional (CSSLP): The CSSLP is an internationally recognized professional with the ability to incorporate security practices—authentication, authorization, and auditing—into each phase of the software development lifecycle (SDLC). HealthCare Information Security and Privacy Practitioner (HCISPP): The HCISSP is a skilled practitioner who combines information security with health- care security and privacy best practices and techniques. Each of these certifications has its own requirements for documented full-time experi- ence in its requisite topic areas. Newcomers to information security who have not yet had supervised work experience in the topic areas can take and pass the SSCP exam and then become recognized as Associates of (ISC)2. Associates then have two years to attain the required experience to become full members of (ISC)2. Maintaining the SSCP Certification SSCP credentials are maintained in good standing by participating in various activities and gaining continuing professional education credits (CPEs). CPEs are obtained through numerous methods such as reading books, attending seminars, writing papers or articles, teaching classes, attending security conventions, and participating in many other qualifying activities. Visit the (ISC)2 website for additional information concerning the definition of CPEs. Join a Local Chapter As an SSCP, you’ve become one of more than 160,000 members worldwide. They, like you, are there to share in the knowledge, experience, and opportunity to help accomplish the goals and objectives of being an information security professional. Nearly 12,500 of your fellow members participate in local area chapters, and (ISC)2 has over 140 local chapters around the world. You can find one in your area by visiting www.isc2.org/Chapters. Being an active part of a local chapter helps you network with your peers as you share knowledge, exchange information about resources, and work on projects together. You can engage in leadership roles and participate in co-sponsored local events with other industry associations. You might write for or speak at (ISC)2 events and help support other xxxiv Introduction (ISC)2 initiatives. You can also be a better part of your local community by participating in local chapter community service outreach projects. Chapter membership earns you CPE credits and can make you eligible for special discounts on (ISC)2 products and programs. LET’S GET STARTED! This book is for you. This is your journey map, your road atlas, and your handbook. Make it work for you. Choose your own course through it, based on what you need on the job today and every day. Go for it. HOW TO CONTACT THE PUBLISHER If you believe you’ve found a mistake in this book, please bring it to our attention. At John Wiley & Sons, we understand how important it is to provide our customers with accurate content, but even with our best efforts an error may occur. In order to submit your possible errata, please email it to our Customer Service Team at [email protected] with the subject line “Possible Book Errata Submission”. Introduction xxxv CHAPTER 1 Security Operations and Administration THIS IS WHERE THE planning hits reality; it’s in the day to day of informa- tion security operations that you see every decision made during the threat assessments and the risk mitigation plans being live-fire tested by your co-workers, customers, legitimate visitors, and threat actors alike. Whether you’re an on-shift watch-stander in a security operations center (SOC) or net- work operations center (NOC) or you work a pattern of normal business hours and days, you’ll be exposed to the details of information security in action. Security operations and administration entail a wide breadth of tasks and functions, and the security professional is expected to have a working famil- iarity with each of them. This can include maintaining a secure environment for business functions and the physical security of a campus and, specifically, the data center. Throughout your career, you will likely have to oversee and participate in incident response activities, which will include conducting investigations, handling material that may be used as evidence in criminal prosecution and/or civil suits, and performing forensic analysis. The Systems Security Certified Practitioner (SSCP) should also be familiar with common 1 tools for mitigating, detecting, and responding to threats and attacks; this includes knowledge of the importance and use of event logging as a means to enhance security efforts. Another facet the security practitioner may have to manage could be how the organization deals with emergencies, including disaster recovery. There is a common thread running through all aspects of this topic: support- ing business functions by incorporating security policy and practices with normal daily activities. This involves maintaining an accurate and detailed asset inventory, tracking the security posture and readiness of information technology (IT) assets through the use of configuration/change management, and ensuring personnel are trained and given adequate support for their own safety and security. This chapter will address all these aspects of security operations. The practi- tioner is advised, however, to not see this as a thorough treatment of all these concepts, each of which could be (and has been) the subject of an entire book (or books) by themselves; for each topic that is unfamiliar, you should look at the following content as an introduction only and pursue a more detailed review of related subject matter. Note  The countries and regions that an organization operates in may have varying, distinct, and at times conflicting legal systems. Beyond considerations of written laws and regulations, the active functioning of court systems and regulatory bodies often has intricate, myriad appli- cations in the real world that extend far beyond how things are codified in written laws. These factors become even more varied and complex when an organization functions in multiple countries and needs to deal with actual scenarios that directly involve international law and the laws of each respective nation. With that in mind, it is always imperative to get the input of a professional legal team to fully understand the legal scope and ramifications of security oper- ations (and basically all operations and responsibilities beyond security as well). COMPLY WITH CODES OF ETHICS Your day-to-day journey along the roadmap of security operations and administration must keep one central ideal clearly in focus. Every day that you serve as an information security professional, you make or influence decisions. Every one of those decision moments is an opportunity or a vulnerability; it is a moment in which you can choose to 2 CHAPTER 1 Security Operations and Administration do the technically and ethically correct thing or the expedient thing. Each of those deci- sion moments is a test for you. 1 Those decisions must be ethically sound; yes, they must be technically correct, cost-effective, and compliant with legal and regulatory requirements, but at their heart Security Operations and Administration they must be ethical. Failure to do so puts your professional and personal integrity at risk, as much as it puts your employer’s or your clients’ reputation and integrity at risk. Being a security professional requires you to work, act, and think in ways that comply with and support the codes of ethics that are fundamental parts of your workplace, your profession, and your society and culture at large. Those codes of ethics should harmonize with if not be the fundamental ethical values and principles you live your life by—if they do not, that internal conflict in values may make it difficult if not impossible to achieve a sense of personal and professional integrity! Professional and personal integrity should be wonderfully, mutually self-reinforcing. Let’s first focus on what ethical decision-making means. This provides a context for how you, as an SSCP, comply with and support the (ISC)2 Code of Ethics in your daily work and life. We’ll see that this is critical to being able to live up to and fulfill the “three dues” of your responsibilities: due care, due diligence, and due process. Understand, Adhere to, and Promote Professional Ethics Let’s start with what it means to be a professional: It means that society has placed great trust and confidence in you, because you have been willing to take on the responsibility to get things done right. Society trusts in you to know your practice, know its practical limits, and work to make sure that the services you perform meet or exceed the best prac- tices of the profession. This is a legal and an ethical responsibility. Everything you do requires you to understand the needs of your employers or clients. You listen, observe, gather data, and ask questions; you think about what you’ve learned, and you come to conclusions. You make recommendations, offer advice, or take action within the scope of your job and responsibilities. Sometimes you take action outside of that scope, going above and beyond the call of those duties. You do this because you are a professional. You would not even think of making those conclusions or taking those actions if they violently conflicted with what known technical standards or recognized best technical practice said was required. You would not knowingly recommend or act to violate the law. Your professional ethics are no different. They are a set of standards that are both constraints and freedoms that you use to inform, shape, and then test your con- clusions and decisions with before you act. As a professional—in any profession—you learned what that profession requires of you through education, training, and on-the-job experience. You learned from teachers, mentors, trainers, and the people working alongside of you. They shared their hard- earned insight and knowledge with you, as their part of promoting the profession you had Comply with Codes of Ethics 3 in common. In doing so they strengthened the practice of the ethics of the profession, as well as the practice of its technical disciplines. (ISC)2 Code of Ethics (ISC)2 provides a Code of Ethics, and to be an SSCP, you agree to abide by it. It is short and simple. It starts with a preamble, which is quoted here in its entirety: The safety and welfare of society and the common good, duty to our princi- pals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior. Therefore, strict adherence to this Code is a condition of certification. Let’s operationalize that preamble—take it apart, step-by-step, and see what it really asks of us. Safety and welfare of society: Allowing information systems to come to harm because of the failure of their security systems or controls can lead to damage to property or injury or death of people who were depending upon those systems operating correctly. The common good: All of us benefit when our critical infrastructures, providing common services that we all depend upon, work correctly and reliably. Duty to our principals: Our duties to those we regard as leaders, rulers, or our supervisors in any capacity. Our duty to each other: To our fellow SSCPs, others in our profession, and to others in our neighborhood and society at large. Adhere and be seen to adhere to: Behave correctly and set the example for others to follow. Be visible in performing your job ethically (in adherence with this code) so that others can have confidence in us as a profession and learn from our example. The code is equally short, containing just four canons or principles to abide by. Protect society, the common good, necessary public trust and confidence, and the infrastructure. Act honorably, honestly, justly, responsibly, and legally. Provide diligent and competent service to principals. Advance and protect the profession. The canons do more than just restate the preamble’s two points. They show you how to adhere to the preamble. You must take action to protect what you value; that action should be done with honor, honesty, and with justice as your guide. Due care and due diligence are what you owe to those you work for (including the customers of the busi- nesses that employ us!). 4 CHAPTER 1 Security Operations and Administration The final canon talks to your continued responsibility to grow as a professional. You are on a never-ending journey of learning and discovery; each day brings an opportunity 1 to make the profession of information security stronger and more effective. You as an SSCP are a member of a worldwide community of practice—the informal grouping of Security Operations and Administration people concerned with the safety, security, and reliability of information systems and the information infrastructures of the modern world. In ancient history, there were only three professions—those of medicine, the military, and the clergy. Each had in its own way the power of life and death of individuals or soci- eties in its hands. Each as a result had a significant burden to be the best at fulfilling the duties of that profession. Individuals felt the calling to fulfill a sense of duty and service, to something larger than themselves, and responded to that calling by becoming a mem- ber of a profession. This, too, is part of being an SSCP. Visit https://www.isc2.org for more information. Organizational Code of Ethics Most businesses and nonprofit or other types of organizations have a code of ethics that they use to shape their policies and guide them in making decisions, setting goals, and taking actions. They also use these codes of ethics to guide the efforts of their employees, team members, and associates; in many cases, these codes can be the basis of decisions to admonish, discipline, or terminate their relationship with an employee. In most cases, organizational codes of ethics are also extended to the partners, customers, or clients that the organization chooses to do business with. Sometimes expressed as values or statements of principles, these codes of ethics may be in written form, established as policy directives upon all who work there; sometimes, they are implicitly or tacitly understood as part of the organizational culture or shaped and driven by key personalities in the organization. But just because they aren’t written down doesn’t mean that an ethical code or framework for that organization doesn’t exist. Fundamentally, these codes of ethics have the capacity to balance the conflicting needs of law and regulation with the bottom-line pressure to survive and flourish as an organization. This is the real purpose of an organizational ethical code. Unfortunately, many organizations let the balance go too far toward the bottom-line set of values and take shortcuts; they compromise their ethics, often end up compromising their legal or regulatory responsibilities, and end up applying their codes of ethics loosely if at all. As a case in point, consider that risk management must include the dilemma that sometimes there are more laws and regulations than any business can possibly afford to comply with and they all conflict with each other in some way, shape, or form. What’s a chief execu- tive or a board of directors to do in such a circumstance? It’s actually quite easy to incorporate professional and personal ethics, along with the organization’s own code of ethics, into every decision process you use. Strengths, Comply with Codes of Ethics 5 weaknesses, opportunities, and threats (SWOT) analyses, for example, focus your atten- tion on the strengths, weaknesses, opportunities, and threats that a situation or a problem presents; being true to one’s ethics should be a strength in such a context, and if it starts to be seen as a weakness or a threat, that’s a danger signal you must address or take to management and leadership. Cost/benefits analyses or decision trees present the same opportunity to include what sometimes is called the New York Times or the Guardian test: How would each possible decision look if it appeared as a headline on such newspapers of record? Closer to home, think about the responses you might get if you asked your par- ents, family, or closest friends for advice about such thorny problems—or their reactions if they heard about it via their social media channels. Make these thoughts a habit; that’s part of the practice aspect of being a professional. As the on-scene information security professional, you’ll be the one who most likely has the first clear opportunity to look at an IT security posture, policy, control, or action, and challenge any aspects of it that you think might conflict with the organization’s code of ethics, the (ISC)2 Code of Ethics, or your own personal and professional ethics. UNDERSTAND SECURITY CONCEPTS What does it mean to “keep information secure?” What is a good or adequate “security posture?” Let’s take questions like these and operationalize them by looking for character- istics or attributes that measure, assess, or reveal the overall security state or condition of our information. Confidentiality: Limits are placed on who is allowed to view the information, including copying it to another form. Integrity: The information stays complete and correct when retrieved, displayed, or acted upon. Availability: The information is presented to the user in a timely manner when required and in a form and format that meets the user’s needs. Authenticity: Only previously approved, known, and trusted users or processes have been able to create, modify, move, or copy the information. Utility: The content of the information, its form and content, and its presentation or delivery to the user meet the user’s needs. Possession or control: The information is legally owned or held by a known, authorized user, such that the user has authority to exert control over its use, access, modification, or movement. 6 CHAPTER 1 Security Operations and Administration Safety: The system and its information, by design, do not cause unauthorized harm or damage to others, their property, or their lives. 1 Privacy: Information that attests to or relates to the identity of a person, or links Security Operations and Administration specific activities to that identity, must be protected from being accessed, viewed, copied, modified, or otherwise used by unauthorized persons or systems. Nonrepudiation: Users who created, used, viewed, or accessed the information, or shared it with others, cannot later deny that they did so. Transparency: The information can be reviewed, audited, and made visible or shared with competent authorities for regulatory, legal, or other processes that serve the public good. Note that these are characteristics of the information itself. Keeping information authentic, for example, levies requirements on all of the business processes and systems that could be used in creating or changing that information or changing anything about the information. All of these attributes boil down to one thing: decision assurance. How much can we trust that the decisions we’re about to make are based on reliable, trustworthy information? How confident can we be that the competitive advantage of our trade secrets or the deci- sions we made in private are still unknown to our competitors or our adversaries? How much can we count on that decision being the right decision, in the legal, moral, or ethi- cal sense of its being correct and in conformance with accepted standards? Another way to look at attributes like these is to ask about the quality of the information. Bad data—data that is incomplete, incorrect, not available, or otherwise untrustworthy— causes monumental losses to businesses around the world; an IBM study reported that in 2017 those losses exceeded $3.1 trillion, which may be more than the total losses to busi- ness and society due to information security failures. Paying better attention to a number of those attributes would dramatically improve the reliability and integrity of information used by any organization; as a result, a growing number of information security practitioners are focusing on data quality as something they can contribute to. Conceptual Models for Information Security There are any number of frameworks, often represented by their acronyms, which are used throughout the world to talk about information security. All are useful, but some are more useful than others. The CIA triad (sometimes written as CIA) combines confidentiality, integrity, and availability and dates from work being done in the 1960s to develop theoretical models for information systems security and then implement those technologies into operating systems, applications programs, and communications and network systems. Understand Security Concepts 7 CIANA combines confidentiality, integrity, availability, nonrepudiation, and authentication. The greater emphasis on nonrepudiation and authentication provides a much stronger foundation for both criminal and civil law to be able to ascertain what actions were taken, by whom, and when, in the context of an incident, dispute, or conflicting claims of ownership or authorship. CIANA+PS expands CIANA to include privacy and safety. Cyberattacks in the Ukraine since 2014 and throughout the world from 2017 to present highlight the need for far more robust operational technology (OT) safety and resiliency. At the same time, regulators and legislators continue to raise the standards for protecting privacy-related data about individuals, with over 140 countries having privacy data protection laws in effect. The Parkerian hexad includes confidentiality, integrity, availability, authenticity, utility, and possession or control. These frameworks, and many more, have their advocates, their user base, and their value. That said, in the interest of consistency, we’ll focus throughout this book on CIANA+PS, as its emphasis on both nonrepudiation and authentication have perhaps the strongest and most obvious connections to the vitally important needs of e-commerce and our e-society to be able to conduct personal activities, private business, and gover- nance activities in ways that are safe, respectful of individual rights, responsible, trust- worthy, reliable, and transparent. It’s important to keep in mind that these attributes of systems performance or effec- tiveness build upon each other to produce the overall degree of trust and confidence we can rightly place on those systems and the information they produce for us. We rely on high-reliability systems because their information is correct and complete (high integrity), it’s where we need it when we need it (availability), and we know it’s been kept safe from unauthorized disclosure (it has authentic confidentiality), while at the same time we have confidence that the only processes or people who’ve created or modified it are trusted ones. Our whole sense of “can we trust the system and what it’s telling us” is a greater conclusion than just the sum of the individual CIANA+PS, Parkerian, or triad attributes. Let’s look further at some of these attributes of information security. Confidentiality Often thought of as “keeping secrets,” confidentiality is actually about sharing secrets. Confidentiality is both a legal and ethical concept about privileged communications or privileged information. Privileged information is information you have, own, or create, and that you share with someone else with the agreement that they cannot share that knowl- edge with anyone else without your consent or without due process in law. You place your trust and confidence in that other person’s adherence to that agreement. Relationships between professionals and their clients, such as the doctor-patient or attorney-client ones, 8 CHAPTER 1 Security Operations and Administration are prime examples of this privilege in action. In rare exceptions, courts cannot compel parties in a privileged relationship to violate that privilege and disclose what was shared in 1 confidence. Confidentiality refers to how much we can trust that the information we’re about to use Security Operations and Administration to make a decision with has not been seen by unauthorized people. The term unauthorized people generally refers to any person or any group of people who could learn something from our confidential information and then use that new knowledge in ways that would thwart our plans to attain our objectives or cause us other harm. Confidentiality needs dictate who can read specific information or files or who can download or copy them; this is significantly different from who can modify, create, or delete those files. One way to think about this is that integrity violations change what we think we know; confidentiality violations tell others what we think is our private knowledge. Business has many categories of information and ideas that it needs to treat as confi- dential, such as the following: Proprietary, or company-owned information, whether or not protected by patent, copyright, or trade secret laws Proprietary or confidential information belonging to others but shared with the company under the terms of a nondisclosure agreement (NDA) Company private data, which can include business plans, budgets, risk assessments, and even organizational directories and alignments of people to responsibilities Data required by law or regulation to be kept private or confidential Privacy-related information pertaining to individual employees, customers, pro- spective customers or employees, or members of the public who contact the firm for any reason Customer transaction and business history data, including the company’s credit ratings and terms for a given customer Customer complaints, service requests, or suggestions for product or service improvements In many respects, such business confidential information either represents the results of investments the organization has already made or provides insight that informs deci- sions they’re about to make; either way, all of this and more represent competitive advantage to the company. Letting this information be disclosed to unauthorized persons, inside or outside of the right circles within the company, threatens to reduce the value of those investments and the future return on those investments. It could, in the extreme, put the company out of business! Let’s look a bit closer at how to defend such information. Understand Security Concepts 9 Intellectual Property Our intellectual property are the ideas that we create and express in tangible, explicit form; in creating them, we create an ownership interest. Legal and ethical frameworks have long recognized that such creativity benefits a society and that such creativity needs to be encouraged and incentivized. Incentives can include financial reward, recogni- tion and acclaim, or a legally protected ownership interest in the expression of that idea and its subsequent use by others. This vested interest was first recognized by Roman law nearly 2,000 years ago. Recognition is a powerful incentive to the creative mind, as the example of the Pythagorean theorem illustrates. It was created long before the concept of patents, rights, or royalties for intellectual property were established, and its creator has certainly been dead for a long time, and yet no ethical person would think to attempt to claim it as their own idea. Having the author’s name on the cover of a book or at the masthead of a blog post or article also helps to recognize creativity. Financial reward for ideas can take many forms, and ideally, such ideas should pay their own way by generating income for the creator of the idea, recouping the expenses they incurred to create it, or both. Sponsorship, grants, or the salary associated with a job can provide this; creators can also be awarded prizes, such as the Nobel Prize, as both recognition and financial rewards. The best incentive for creativity, especially for corporate-sponsored creativity, is in how that ownership interest in the new idea can be turned into profitable new lines of business or into new products and services. The vast majority of intellectual property is created in part by the significant invest- ment of private businesses and universities in both basic research and product-focused developmental research. Legal protections for the intellectual property (or IP) thus cre- ated serve two main purposes. The first is to provide a limited period of time in which the owner of that IP has a monopoly for the commercial use of that idea and thus a sole claim on any income earned by selling products or providing services based on that idea. These monopolies were created by an edict of the government or the ruling monarchy, with the first being issued by the Doge of Venice in the year 1421. Since then, nation after nation has created patent law as the body of legal structure and regulation for estab- lishing, controlling, and limiting the use of patents. The monopoly granted by a patent is limited in time and may even (based on applicable patent law) be limited in geographic scope or the technical or market reach of the idea. An idea protected by a patent issued in Colombia, for example, may not enjoy the same protection in Asian markets as an idea protected by U.S., U.K., European Union, or Canadian patent law. The second purpose is to publish the idea itself to the marketplace so as to stimulate rapid adoption of the idea, leading to widespread adoption, use, and influence upon the marketplace and upon society. Patents may be monetized by selling the rights to the patent or by licensing the use of the patent to another person or business; income from such licensing or sale has 10 CHAPTER 1 Security Operations and Administration long been called the royalties from the patent (in recognition that it used to take an act of a king or a queen to make a patent enforceable). 1 Besides patents and patent law, there exist bodies of law regarding copyrights, trade- marks, and trade secrets. Each of these treats the fruits of one’s intellectually creative labors Security Operations and Administration differently, and like patent law, these legal and ethical constructs are constantly under review by the courts and the cultures they apply to. Patents protect an idea, a process, or a procedure for accomplishing a practical task. Copyrights protect an artistic expression of an idea, such as a poem, a painting, a photograph, or a written work (such as this book). Trademarks identify an organization or company and its products or services, typically with a symbol, an acronym, a logo, or even a caricature or character (not necessarily of a person). Trade secrets are the unpublished ideas, typically about step-by-step details of a process, or the recipe for a sauce, paint, pigment, alloy, or coating, that a company or individual has developed. Each of these represent a competitive advantage worthy of pro- tection. Note the contrast in these forms, as shown in Table 1.1. TABLE 1.1 Forms of Intellectual Property Protection LEGAL CONCEPT PUBLIC DISCLOSURE MONETIZE BY COMPROMISE BY Patent Mandatory, detailed License to use Failure to develop or monetize; failure

Use Quizgecko on...
Browser
Browser