(ISC)2 SSCP Study Guide PDF
(ISC)2
Michael S. Wills
Summary
This official study guide provides comprehensive information about the (ISC)2 SSCP Systems Security Certified Practitioner exam. It covers various aspects of information security, risk management, and technology.
(ISC)2® SSCP® Systems Security Certified Practitioner Official Study Guide Third Edition (ISC)2® SSCP® Systems Security Certified Practitioner Official Study Guide Third Edition Michael S. Wills, SSCP, CISSP, CAMS Copyright © 2022 by John Wiley & Sons, Inc. All rights reserved. Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada. 978-1-119-85498-2 978-1-119-85500-2 (ebk.) 978-1-119-85499-9 (ebk.) No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permission. Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. 
Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Website is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Website may provide or recommendations it may make. Further, readers should be aware the Internet Websites listed in this work may have changed or disappeared between when this work was written and when it is read. For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002. Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com. Library of Congress Control Number: 2021948848 Trademarks: WILEY, the Wiley logo, Sybex and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. (ISC)2 and SSCP are trademarks or registered trademarks of International Information Systems Security Certification Consortium, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book. Cover image: © Jeremy Woodhouse/Getty Images Cover design: Wiley

Acknowledgments

This book owes a great deal to the many teachers, co-workers, teammates, and friends who’ve worked so hard for so long to teach me what I know about information security and insecurity and about risk management and mismanagement.
Where this book works well in conveying that body of knowledge, skills, and attitudes to you is a testament to their generosity in sharing their insights with me. (And where it fails to work well, or doesn’t work at all, it’s my own darned fault.) In particular I’d like to thank the team at (ISC)2 with whom I worked these past 18 months on updates to and then complete revisions of their SSCP and CISSP courses to meet 2021’s newly updated exam outlines and content expectations. Countless hours on Zoom and Webex with Graham Thornburrow-Dobson, John Warsinske, Maytal Brooks-Kempler, Laural Hargadon, and Fabio Cerullo sharpened my thinking and focused my writing more toward the operational aspects of cybersecurity and less on the theoretical. A special thank-you too goes out to Kaitlyn Langenbacher, the project owner for these updates at (ISC)2, and to all of the editors and proofreaders working with her. Throughout all of that, the support, questions, and co-creativity they brought made that work a truly joint, collaborative one; their work and care color and shape this revision of this Study Guide as well. I would also like to acknowledge my faculty teammates here at Embry-Riddle Aeronautical University for sharing their frank and candid views throughout many conversations on making this body of knowledge accessible and engaging in the classroom. The ideas and experiences of Drs. Aaron Glassman and Jason Clark have profoundly affected my approach to what you see before you here in this book. The combined team at Wiley/Sybex and at (ISC)2 worked tirelessly to focus, strengthen, and clarify what I wanted to say here in this book and how I said it, all while keeping my voice and my teaching ideas authentic and on point.
My thanks go out to the editorial team at Wiley/Sybex: Jim Minatel, Tracy Brown, Pete Gaughan, Nancy Carrasco, Barath Kumar Rajasekaran, Kim Wimpsett, and their technical reviewer Graham Thornburrow-Dobson, as well as to Tara Zeiler and Fabio Cerullo, our reviewers at (ISC)2. Johnna VanHoose Dinse, Wiley’s indexer, has also made the art of finding what you want in this book when you need it more of a science (and I’ve always had a soft spot for a great index!). Where this book works well for you, it works because of the efforts of all of those people to make this book the best it can be. What errors, omissions, misspeaks, and confusions that remain are mine, not theirs. Finally, I wish to thank my wife Nancy. She saved my life and brought me peace. Her strength inspired me to say “yes” the first time when Jim called me about doing this book the first time, and her patience has kept both of us healthy and happy throughout everything. Even these updates.

About the Author

Michael S. Wills, CAMS, CISSP, SSCP, is Assistant Professor of Applied and Innovative Information Technologies at the College of Business, Embry-Riddle Aeronautical University – Worldwide, where he continues his graduate and undergraduate teaching and research in cybersecurity and information assurance. Mike has also been an advisor on science and technology policy to the UK’s Joint Intelligence Committee, Ministry of Justice, and Defense Science and Technology Laboratories, helping them to evolve an operational and policy consensus relating topics from cryptography and virtual worlds, through the burgeoning surveillance society, to the proliferation of weapons of mass disruption (not just “destruction”) and their effects on global, regional, national, and personal security. For a time, this had him sometimes known as the UK’s nonresident expert on outer space law.
Mike has been supporting the work of (ISC)2 by writing, editing, and updating books, study guides, and course materials for both its SSCP and CISSP programs. He wrote SSCP Official Study Guide 2nd Edition in 2019, followed quickly by SSCP Official CBK Reference 5th Edition. He was lead author for the 2021 update of (ISC)2’s official CISSP and SSCP training materials, and the 2021 revisions for the SSCP Official Study Guide and to its companion Official CBK 6th Edition reference book. Mike has also contributed to several industry roundtables and white papers on digital identity and cyber fraud detection and prevention and has been a panelist and webinar presenter on these and related topics for ACAMS. Mike earned his BS and MS degrees in computer science, both with minors in electrical engineering, from Illinois Institute of Technology, and his MA in Defence Studies from King’s College, London. He is a graduate of the Federal Chief Information Officer program at National Defense University and the Program Manager’s Course at Defense Systems Management College. Mike and his wife Nancy currently call Wexford, Ireland, their home. Living abroad since the end of the last century, they find new perspectives, shared values, and wonderful people wherever they go. As true digital nomads, it’s getting time to move again. Where to? They’ll find out when they get there. If you’ve got comments, questions, errata, or ideas about this book that you’d like to share, find Mike on LinkedIn and send him a comment. Or, send those to Wiley’s Customer Service team at [email protected] with the subject line “Possible Book Errata Submission.”

About the Technical Editor

Graham Thornburrow-Dobson, CISSP, SSCP, is a security consultant and instructor with more than 30 years of experience in IT, with 20 years focused on IT security and related training.
Graham is an authorized (ISC)2 instructor who has delivered security training to a wide range of security professionals globally via both classroom-based and online training. Graham has also been supporting the efforts of (ISC)2 in the continued development of their CISSP, SSCP, and ISSAP programs as both a writer and a technical editor. Graham currently resides in Lincolnshire, United Kingdom. Graham would add more, but this would conflict with security policies.

Contents at a Glance

Introduction  xxv
Assessment Test  xlviii
Part I Getting Started as an SSCP  1
  Chapter 1 The Business Case for Decision Assurance and Information Security  3
  Chapter 2 Information Security Fundamentals  33
Part II Integrated Risk Management and Mitigation  61
  Chapter 3 Integrated Information Risk Management  63
  Chapter 4 Operationalizing Risk Mitigation  127
Part III The Technologies of Information Security  197
  Chapter 5 Communications and Network Security  199
  Chapter 6 Identity and Access Control  285
  Chapter 7 Cryptography  349
  Chapter 8 Hardware and Systems Security  435
  Chapter 9 Applications, Data, and Cloud Security  483
Part IV People Power: What Makes or Breaks Information Security  555
  Chapter 10 Incident Response and Recovery  557
  Chapter 11 Business Continuity via Information Security and People Power  607
  Chapter 12 Cross-Domain Challenges  647
Appendix Answers to Review Questions  689
Index  727

Contents

Introduction  xxv
Assessment Test  xlviii

Part I Getting Started as an SSCP  1

  Chapter 1 The Business Case for Decision Assurance and Information Security  3
    Information: The Lifeblood of Business  4
    Data, Information, Knowledge, Wisdom…  5
    Information Is Not Information Technology  8
    Policy, Procedure, and Process: How Business Gets Business Done  10
    Who Is the Business?  11
    “What’s the Business Case for That?”  12
    Purpose, Intent, Goals, Objectives  13
    Business Logic and Business Processes: Transforming Assets into Opportunity, Wealth, and Success  14
    The Value Chain  15
    Being Accountable  17
    Who Runs the Business?  20
    Owners and Investors  20
    Boards of Directors  20
    Managing or Executive Directors and the “C-Suite”  21
    Layers of Function, Structure, Management, and Responsibility  21
    Plans and Budgets, Policies, and Directives  23
    Summary  24
    Exam Essentials  24
    Review Questions  26

  Chapter 2 Information Security Fundamentals  33
    The Common Needs for Privacy, Confidentiality, Integrity, and Availability  34
    Privacy  34
    Confidentiality  38
    Integrity  39
    Availability  40
    Privacy vs. Security, or Privacy and Security?  41
    CIANA+PS Needs of Individuals  43
    Private Business’s Need for CIANA+PS  44
    Government’s Need for CIANA+PS  45
    The Modern Military’s Need for CIA  45
    Do Societies Need CIANA+PS?  46
    Training and Educating Everybody  47
    SSCPs and Professional Ethics  47
    Summary  49
    Exam Essentials  50
    Review Questions  54

Part II Integrated Risk Management and Mitigation  61

  Chapter 3 Integrated Information Risk Management  63
    It’s a Dangerous World  64
    What Is Risk?  66
    Risk: When Surprise Becomes Disruption  69
    Information Security: Delivering Decision Assurance  71
    “Common Sense” and Risk Management  74
    The Four Faces of Risk  75
    Outcomes-Based Risk  77
    Process-Based Risk  78
    Asset-Based Risk  79
    Threat-Based (or Vulnerability-Based) Risk  79
    Getting Integrated and Proactive with Information Defense  83
    Lateral Movement: Mitigate with Integrated C3  86
    Trust, but Verify  87
    Due Care and Due Diligence: Whose Jobs Are These?  87
    Be Prepared: First, Set Priorities  88
    Risk Management: Concepts and Frameworks  89
    The SSCP and Risk Management  92
    Plan, Do, Check, Act  93
    Risk Assessment  95
    Establish Consensus about Information Risk  95
    Information Risk Impact Assessment  96
    Information Classification and Categorization  97
    Risk Analysis  99
    The Business Impact Analysis  105
    From Assessments to Information Security Requirements  106
    Four Choices for Limiting or Containing Damage  107
    Deter  109
    Detect  110
    Prevent  110
    Avoid  111
    Summary  114
    Exam Essentials  114
    Review Questions  120

  Chapter 4 Operationalizing Risk Mitigation  127
    From Tactical Planning to Information Security Operations  128
    Operationally Outthinking Your Adversaries  130
    Getting Inside the Other Side’s OODA Loop  132
    Defeating the Kill Chain  133
    Operationalizing Risk Mitigation: Step by Step  134
    Step 1: Assess the Existing Architectures  135
    Step 2: Assess Vulnerabilities and Threats  142
    Step 3: Select Risk Treatment and Controls  152
    Step 4: Implement Controls  159
    Step 5: Authorize: Senior Leader Acceptance and Ownership  163
    The Ongoing Job of Keeping Your Baseline Secure  164
    Build and Maintain User Engagement with Risk Controls  165
    Participate in Security Assessments  166
    Manage the Architectures: Asset Management and Change Control  169
    Ongoing, Continuous Monitoring  174
    Exploiting What Monitoring and Event Data Is Telling You  177
    Incident Investigation, Analysis, and Reporting  181
    Reporting to and Engaging with Management  182
    Summary  183
    Exam Essentials  183
    Review Questions  189

Part III The Technologies of Information Security  197

  Chapter 5 Communications and Network Security  199
    Trusting Our Communications in a Converged World  200
    CIANA+PS: Applying Security Needs to Networks  203
    Threat Modeling for Communications Systems  205
    Internet Systems Concepts  206
    Datagrams and Protocol Data Units  207
    Handshakes  208
    Packets and Encapsulation  209
    Addressing, Routing, and Switching  211
    Network Segmentation  212
    URLs and the Web  212
    Topologies  213
    “Best Effort” and Trusting Designs  217
    Two Protocol Stacks, One Internet  218
    Complementary, Not Competing, Frameworks  218
    Layer 1: The Physical Layer  222
    Layer 2: The Data Link Layer  223
    Layer 3: The Network Layer  225
    Layer 4: The Transport Layer  226
    Layer 5: The Session Layer  230
    Layer 6: The Presentation Layer  231
    Layer 7: The Application Layer  232
    Cross-Layer Protocols and Services  233
    IP and Security  234
    Layers or Planes?  235
    Network Architectures  236
    DMZs and Botnets  237
    Software-Defined Networks  238
    Virtual Private Networks  239
    Wireless Network Technologies  240
    Wi-Fi  241
    Bluetooth  242
    Near-Field Communication  242
    IP Addresses, DHCP, and Subnets  243
    DHCP Leases: IPv4 and IPv6  243
    IPv4 Address Classes  245
    Subnetting in IPv4  247
    IPv4 vs. IPv6: Important Differences and Options  248
    CIANA Layer by Layer  251
    CIANA at Layer 1: Physical  251
    CIANA at Layer 2: Data Link  254
    CIANA at Layer 3: Network  256
    CIANA at Layer 4: Transport  257
    CIANA at Layer 5: Session  258
    CIANA at Layer 6: Presentation  260
    CIANA at Layer 7: Application  260
    Securing Networks as Systems  262
    Network Security Devices and Services  263
    Wireless Network Access and Security  264
    CIANA+PS and Wireless  265
    Monitoring and Analysis for Network Security  267
    A SOC Is Not a NOC  269
    Tools for the SOC and the NOC  270
    Integrating Network and Security Management  271
    Summary  273
    Exam Essentials  273
    Review Questions  280

  Chapter 6 Identity and Access Control  285
    Identity and Access: Two Sides of the Same CIANA+PS Coin  286
    Identity Management Concepts  288
    Identity Provisioning and Management  289
    Identity and AAA  293
    Access Control Concepts  295
    Subjects and Objects—Everywhere!  296
    Data Classification and Access Control  297
    Bell-LaPadula and Biba Models  299
    Role-Based  302
    Attribute-Based  303
    Subject-Based  303
    Object-Based  304
    Rule-Based Access Control  304
    Risk-Based Access Control  304
    Mandatory vs. Discretionary Access Control  305
    Network Access Control  305
    IEEE 802.1X Concepts  307
    RADIUS Authentication  308
    TACACS and TACACS+  309
    Implementing and Scaling IAM  310
    Choices for Access Control Implementations  311
    “Built-in” Solutions?  313
    Other Protocols for IAM  314
    Multifactor Authentication  315
    Server-Based IAM  319
    Integrated IAM systems  320
    Single Sign-On  321
    OpenID Connect  322
    Identity as a Service (IDaaS)  322
    Federated IAM  322
    Session Management  323
    Kerberos  325
    Credential Management  326
    Trust Frameworks and Architectures  328
    User and Entity Behavior Analytics (UEBA)  329
    Zero Trust Architectures  332
    Summary  333
    Exam Essentials  334
    Review Questions  343

  Chapter 7 Cryptography  349
    Cryptography: What and Why  350
    Codes and Ciphers: Defining Our Terms  352
    Cryptography, Cryptology, or…?  357
    Building Blocks of Digital Cryptographic Systems  358
    Cryptographic Algorithms  359
    Cryptographic Keys  360
    Hashing as One-Way Cryptography  362
    A Race Against Time  365
    “The Enemy Knows Your System”  366
    Keys and Key Management  367
    Key Storage and Protection  367
    Key Revocation and Disposal  368
    Modern Cryptography: Beyond the “Secret Decoder Ring”  370
    Symmetric Key Cryptography  370
    Asymmetric Key Cryptography  370
    Hybrid Cryptosystems  371
    Design and Use of Cryptosystems  371
    Cryptanalysis, Ethical and Unethical  372
    Cryptographic Primitives  373
    Cryptographic Engineering  373
    “Why Isn’t All of This Stuff Secret?”  373
    Cryptography and CIANA+PS  375
    Confidentiality  376
    Authentication  376
    Integrity  376
    Nonrepudiation  377
    “But I Didn’t Get That Email…”  378
    Availability  379
    Privacy  380
    Safety  381
    Public Key Infrastructures  381
    Diffie-Hellman-Merkle Public Key Exchange  382
    RSA Encryption and Key Exchange  385
    ElGamal Encryption  385
    Elliptical Curve Cryptography (ECC)  386
    Digital Signatures  387
    Digital Certificates and Certificate Authorities  387
    Hierarchies (or Webs) of Trust  388
    Pretty Good Privacy  392
    TLS  393
    HTTPS  394
    Symmetric Key Algorithms and PKI  395
    Encapsulation for Security: IPSec, ISAKMP, and Others  396
    Applying Cryptography to Meet Different Needs  399
    Message Integrity Controls  399
    S/MIME  400
    DKIM  400
    Blockchain  401
    Data Storage, Content Distribution, and Archiving  403
    Steganography  404
    Access Control Protocols  404
    Managing Cryptographic Assets and Systems  405
    Measures of Merit for Cryptographic Solutions  407
    Attacks and Countermeasures  408
    Social Engineering for Key Discovery  409
    Implementation Attacks  410
    Brute Force and Dictionary Attacks  410
    Side Channel Attacks  411
    Numeric (Algorithm or Key) Attacks  412
    Traffic Analysis, “Op Intel,” and Social Engineering Attacks  413
    Massively Parallel Systems Attacks  414
    Supply Chain Vulnerabilities  414
    The “Sprinkle a Little Crypto Dust on It” Fallacy  415
    Countermeasures  416
    PKI and Trust: A Recap  418
    On the Near Horizon  420
    Pervasive and Homomorphic Encryption  420
    Quantum Cryptography and Post–Quantum Cryptography  421
    AI, Machine Learning, and Cryptography  422
    Summary  423
    Exam Essentials  424
    Review Questions  429

  Chapter 8 Hardware and Systems Security  435
    Infrastructure Security Is Baseline Management  437
    It’s About Access Control…  437
    It’s Also About Supply Chain Security  439
    Do Clouds Have Boundaries?  439
    Securing the Physical Context  442
    Facilities Security  442
    Services Security  443
    OT-Intensive (or Reliant) Contexts  444
    Infrastructures 101 and Threat Modeling  444
    Protecting the Trusted Computing Base  447
    Hardware Vulnerabilities  447
    Firmware Vulnerabilities  449
    Operating Systems Vulnerabilities  451
    Virtual Machines and Vulnerabilities  454
    Network Operating Systems  455
    Endpoint Security  457
    MDM, COPE, and BYOD  459
    BYOI? BYOC?  460
    Malware: Exploiting the Infrastructure’s Vulnerabilities  462
    Countering the Malware Threat  465
    Privacy and Secure Browsing  466
    “The Sin of Aggregation”  469
    Updating the Threat Model  469
    Managing Your Systems’ Security  470
    Summary  471
    Exam Essentials  472
    Review Questions  478

  Chapter 9 Applications, Data, and Cloud Security  483
    It’s a Data-Driven World…At the Endpoint  484
    Software as Appliances  487
    Applications Lifecycles and Security  490
    The Software Development Lifecycle (SDLC)  491
    Why Is (Most) Software So Insecure?  494
    Hard to Design It Right, Easy to Fix It?  497
    CIANA+PS and Applications Software Requirements  498
    Positive and Negative Models for Software Security  502
    Is Negative Control Dead? Or Dying?  503
    Application Vulnerabilities  504
    Vulnerabilities Across the Lifecycle  505
    Human Failures and Frailties  506
    “Shadow IT:” The Dilemma of the User as Builder  507
    Data and Metadata as Procedural Knowledge  509
    Information Quality and Information Assurance  511
    Information Quality Lifecycle  512
    Preventing (or Limiting) the “Garbage In” Problem  513
    Protecting Data in Motion, in Use, and at Rest  514
    Data Exfiltration I: The Traditional Threat  516
    Detecting Unauthorized Data Acquisition  518
    Preventing Data Loss  519
    Detecting and Preventing Malformed Data Attacks  521
    Into the Clouds: Endpoint App and Data Security Considerations  522
    Cloud Deployment Models and Information Security  524
    Cloud Service Models and Information Security  525
    Edge and Fog Security: Virtual Becoming Reality  527
    Clouds, Continuity, and Resiliency  528
    Clouds and Threat Modeling  529
    Cloud Security Methods  531
    Integrate and Correlate  532
    SLAs, TORs, and Penetration Testing  532
    Data Exfiltration II: Hiding in the Clouds  533
    Legal and Regulatory Issues  533
    Countermeasures: Keeping Your Apps and Data Safe and Secure  535
    Summary  536
    Exam Essentials  537
    Review Questions  548

Part IV People Power: What Makes or Breaks Information Security  555

  Chapter 10 Incident Response and Recovery  557
    Defeating the Kill Chain One Skirmish at a Time  558
    Kill Chains: Reviewing the Basics  560
    Events vs. Incidents  562
    Harsh Realities of Real Incidents  564
    MITRE’s ATT&CK Framework  564
    Learning from Others’ Painful Experiences  566
    Incident Response Framework  566
    Incident Response Team: Roles and Structures  568
    Incident Response Priorities  570
    Preparation  571
    Preparation Planning  572
    Put the Preparation Plan in Motion  574
    Are You Prepared?  575
    Detection and Analysis  578
    Warning Signs  578
    Initial Detection  580
    Timeline Analysis  581
    Notification  582
    Prioritization  583
    Containment and Eradication  584
    Evidence Gathering, Preservation, and Use  585
    Constant Monitoring  586
    Recovery: Getting Back to Business  587
    Data Recovery  588
    Post-Recovery: Notification and Monitoring  589
    Post-Incident Activities  590
    Learning the Lessons  591
    Orchestrate and Automate  592
    Support Ongoing Forensics Investigations  592
    Information and Evidence Retention  593
    Information Sharing with the Larger IT Security Community  594
    Summary  594
    Exam Essentials  595
    Review Questions  601

  Chapter 11 Business Continuity via Information Security and People Power  607
    What Is a Disaster?  608
    Surviving to Operate: Plan for It!  609
    Business Continuity  610
    IS Disaster Recovery Plans  610
    Plans, More Plans, and Triage  611
    Timelines for BC/DR Planning and Action  615
    Options for Recovery  617
    Backups, Archives, and Image Copies  618
    Cryptographic Assets and Recovery  620
    “Golden Images” and Validation  621
    Scan Before Loading: Blocking Historical Zero-Day Attacks  622
    Restart from a Clean Baseline  622
    Cloud-Based “Do-Over” Buttons for Continuity, Security, and Resilience  623
    Restoring a Virtual Organization  625
    People Power for BC/DR  626
    Threat Vectors: It Is a Dangerous World Out There  628
    “Blue Team’s” C3I  631
    Learning from Experience  632
    Security Assessment: For BC/DR and Compliance  633
    Converged Communications: Keeping Them Secure During BC/DR Actions  634
    POTS and VoIP Security  635
    People Power for Secure Communications  636
    Summary  637
    Exam Essentials  637
    Review Questions  641

  Chapter 12 Cross-Domain Challenges  647
    Operationalizing Security Across the Immediate and Longer Term  648
    Continuous Assessment and Continuous Compliance  650
    SDNs and SDS  651
    SOAR: Strategies for Focused Security Effort  653
    A “DevSecOps” Culture: SOAR for Software Development  655
    Just-in-Time Education, Training, and Awareness  656
    Supply Chains, Security, and the SSCP  657
    ICS, IoT, and SCADA: More Than SUNBURST  658
    Extending Physical Security: More Than Just Badges and Locks  660
    All-Source, Proactive Intelligence: The SOC as a Fusion Center  661
    Other Dangers on the Web and Net  662
    Surface, Deep, and Dark Webs  662
    Deep and Dark: Risks and Countermeasures  664
    DNS and Namespace Exploit Risks  665
    On Our Way to the Future  666
    Cloud Security: Edgier and Foggier  667
    AI, ML, and Analytics: Explicability and Trustworthiness  667
    Quantum Communications, Computing, and Cryptography  669
    Paradigm Shifts in Information Security?  669
    Perception Management and Information Security  671
    Widespread Lack of Useful Understanding of Core Technologies  672
    Enduring Lessons  672
    You Cannot Legislate Security (But You Can Punish Noncompliance)  673
    It’s About Managing Our Security and Our Systems  673
    People Put It Together  674
    Maintain Flexibility of Vision  675
    Accountability—It’s Personal. Make It So  675
    Stay Sharp  676
    Your Next Steps  677
    At the Close  678
    Exam Essentials  678
    Review Questions  683

Appendix Answers to Review Questions  689
  Chapter 1: The Business Case for Decision Assurance and Information Security  690
  Chapter 2: Information Security Fundamentals  693
  Chapter 3: Integrated Information Risk Management  695
  Chapter 4: Operationalizing Risk Mitigation  698
  Chapter 5: Communications and Network Security  701
  Chapter 6: Identity and Access Control  704
  Chapter 7: Cryptography  707
  Chapter 8: Hardware and Systems Security  709
  Chapter 9: Applications, Data, and Cloud Security  712
  Chapter 10: Incident Response and Recovery  715
  Chapter 11: Business Continuity via Information Security and People Power  718
  Chapter 12: Cross-Domain Challenges  722

Index  727

Introduction

Congratulations on choosing to become a Systems Security Certified Practitioner (SSCP)! In making this choice, you’re signing up to join the professionals who strive to keep our information-based modern world safe, secure, and reliable. SSCPs and other information security professionals help businesses and organizations keep private data private and help to ensure that published and public-facing information stays unchanged and unhacked. They help ensure the safe, secure, reliable, and trustworthy operation of our financial, energy, communications, transportation, and many other critical infrastructure systems we all rely upon.
Whether you are new to the fields of information security, information assurance, or cybersecurity, or you’ve been working with these concepts, tools, and ideas for some time now, this book is here to help you grow your knowledge, skills, and abilities as a systems security professional. Let’s see how!

About This Book

You’re here because you want to learn what it takes to be an SSCP. You know this will demand that you build a solid understanding of many different concepts, not only as theories but also as practical tasks you can do to help make information systems more secure. You know you’ll need to master a number of key definitions and be able to apply those definitions to real-world situations—you’ll need to operationalize those definitions and concepts by turning them into the step-by-step operations that make security become real. This book is your study guide. It guides you along your personal journey as you learn and master these ideas and technologies. It takes you on that journey concept by concept, starting with simple, fundamental ideas and growing them to the level of power and complexity you will need, on the job, as an SSCP. That is this book’s focus, its purpose, and design. (ISC)2 periodically updates the technical scope—the breadth and depth—of their various certifications to keep them more closely aligned with the needs of the security profession and to better focus them on the current tactics, techniques, and strategies that those professionals are using, day after day. This new edition of the Study Guide has also been updated to reflect and support readers like you as you work to strengthen your own knowledge of information systems security, and the proficiency of your skills with those concepts. That means this book is also a valuable reference to have with you on the job, or as you continue to learn more about information security, information risk management, or any of a number of other related subject areas.
You’ll find it more than covers the topic domains that (ISC)2 requires you to demonstrate competency in, should you want to earn your Systems Security Certified Practitioner credential. Go to https://www.wiley.com/go/sybextestprep to register and gain access to the Sybex interactive online learning environment and test bank with study tools.

What Makes This the “Official” Study Guide for the SSCP?

Good question! This book exists because (ISC)2 wanted a book that would teach as well as guide and explain as well as capture the common knowledge about information assurance—keeping information systems safe and secure by protecting their information assets that all SSCPs should have at their mental fingertips. As creators of the SSCP program, (ISC)2 defines that common body of knowledge, in continuous consultation with system security experts and practitioners from business, industry, government, and academia from around the world.

What Is an SSCP?

The SSCP is actually three things in one: a standard of excellence, a credential that attests to demonstrated excellence, and a person who has earned that credential. Perhaps instead of asking “what” is an SSCP, we should also ask why, who, and how:

SSCP as standard of excellence. The International Information System Security Certification Consortium, or (ISC)2, created this standard to reflect the continually evolving needs for people who can help all sorts of organizations around the world keep their information systems safe, secure, confidential, private, reliable, and trustworthy. Working with businesses, nonprofits, academic researchers, and the thought leaders of the cybersecurity and information assurance communities of practice, they developed the list of subject areas, or domains, that are the SSCP as a standard. That standard is set as the starting point for your professional journey as an information security specialist.
Its focus is on hands-on technical knowledge combined with procedural and administrative awareness. The knowledge, skills, and abilities that make up the SSCP domains become the foundation for other, more advanced certifications (and hence standards).

SSCP as a credential. Earning an SSCP certification attests to the fact that you have solid working knowledge of the topic domains that are the SSCP. As a published standard of excellence, this certification or credential is portable—people in the information system business, or who know the needs of their own organizations for information security, recognize and respect this credential. People can easily consult (ISC)2’s published standards for the SSCP and understand what it means. It is a portable, stackable credential, meaning that it can clearly pave the way for you to take on job responsibilities that need the knowledge and skills it attests to, and demonstrates you have the foundational knowledge to earn other credentials that can build on it.

SSCP as a goal or objective. The SSCP as a standard answers the needs of hiring managers when they seek the right kind of people to help protect their organization’s information, their information systems and processes, their IT infrastructure, and their ability to make informed decisions in reliable, timely ways. Training managers or functional department leaders in various organizations can design their own internal training and skills development programs around the SSCP, knowing that it is a reliable standard for information system security knowledge and experience. They can look at job descriptions or task designs and use the SSCP as a standard to identify whether the job and the SSCP are a good fit with each other or if other significant knowledge and skills will be needed by people filling that position.

SSCP as a person.
By choosing to earn an SSCP credential, you’re declaring to yourself and to others that you’re willing to hold yourself to a respected and recognized standard of excellence. You’re willing to master what that standard asks of you, not only on the technical, physical, and administrative aspects of information security and assurance, but also on its legal and ethical requirements. The Systems Security Certified Practitioner is thus a person who does the job of systems security to a level of competency that meets or exceeds that standard and who has earned a credential as testament to their knowledge and skills. It is a foundational certification, based on the knowledge and skills that people should already have when they first start out as an information security professional. Let’s operationalize that set of words by showing them in action: Systems—Generally, a system is a collection or set of elements that interconnect and interact with each other to fulfill or achieve a larger purpose or objective. In this con- text, we mean information systems. Information systems are the collected sets of hardware, software, databases, and data sets; the communications, networking, and other technologies that connect all of those elements together into a cohesive, working whole; and the people who use them and depend on them to achieve their goals and objectives. Security—Again, generally speaking, security is the set of plans, procedures, and actions that keep something safe from harm, damage, or loss, through accident, acts of nature, or deliberate actions taken by people. 
Applying that to information systems, we see that information systems security is everything we need to do during design, implementation, operational use, and maintenance to keep all aspects of an information system protected against accidental or deliberate damage; it includes keeping its information free from unauthorized changes or viewing; and it keeps those systems up and running so that the information is there when people need it to get their jobs done. Certified—The person holding this credential (or certification) has earned the right to do so by means of having demonstrated their mastery of the knowledge, skills, and attitudes that are defined to be the subject area or domain of the certification. Spe- cifically, an SSCP has passed the certification exam and demonstrated the required xxviii Introduction work experience in the field of information security, as specified by the SSCP subject area domains. Practitioner—A person whose professional or workplace duties, responsibilities, and tasks has them using the knowledge, skills, and abilities required by the standard to have earned the certification. There’s a degree of practice in the definition of practitioner, of course; as a practitioner, you are continually doing the stuff of your profession, and in doing so you continue to learn it better as well as refine, polish, and enrich the ways in which you do those tasks and fulfill those responsibilities. Practitioners get better with practice! (After all, if you’ve been “practicing medicine” for 20 years, we expect you are a much better medical doctor now than you were when you started.) What Can We Expect of Our SSCPs? 
The world of commerce, industry, and governance expects you, as an SSCP, to be a hands-on practitioner of information systems security, someone who continuously monitors information systems to safeguard against security threats, vulnerabilities, and risks while having the knowledge to apply security concepts, tools, and procedures to react to security incidents. As an SSCP, you demonstrate certain knowledge and skills, in areas such as:

Information technology and cybersecurity theory and hands-on/technical practice
Cybersecurity policy, procedures, standards, and guidelines
Using simple coding or programming language techniques, in languages such as command-line interface, PowerShell, Java, HTML, CSS, Python, and C#

You’ll also need more than just technical skills and knowledge. As an SSCP, you’ll be working with people constantly as you assist them in securing their organization’s information security needs. This takes adaptability on your part, plus strong interpersonal skills. You’ll need to be a critical thinker and to make sound judgments; you’ll have to communicate in person and in writing as you build and manage professional relationships within your organization and the larger information security community of practice. You’ll build this social capital both through your problem-solving skills and by applying your emotional intelligence.

Soft Skills: Very Strong Tickets to Success

Employers, clients, and others you’ll work with value your technical knowledge and skills, but they desperately need to be able to work with and communicate with you as you bring that knowledge and skills to bear on their problems. The irony of calling these skills “soft” is that for some of us, it can be very hard work to improve on them. Investing in improving these skills will more than pay off for you in terms of salary and opportunities.

It’s also natural to expect that as an SSCP, you will be continually learning about your craft. You’ll keep current about the ways that threats evolve and stay informed about known vulnerabilities as they might be exploited against the systems under your care. You’ll know how to apply analytical and research skills to dig deeper into what you’re seeing in the way those systems are behaving, with an eye to identifying problems, recognizing that an information security incident might be under way, and responding to such incidents. This also means that you will periodically reflect on what you’ve been doing, how you’ve been doing it, and what you’ve been learning, and consider where improvement and growth are required to ensure continued effectiveness.

Who Should Take the SSCP Certification Exam?

The SSCP designation is designed for individuals who desire to learn hands-on, technical, cybersecurity fundamentals. While any individual who desires to practice cybersecurity can learn the material, there are certain requirements before sitting for the exam. SSCP candidates must have at least one year of cumulative work experience in one or more of the seven domains of the (ISC)2 SSCP Common Body of Knowledge (CBK). A one-year prerequisite pathway will be granted for candidates who received an accredited university degree (bachelor’s or master’s) in a cybersecurity program. Candidates without the required experience can take and pass the SSCP exam to earn an Associate of (ISC)2 designation and will have up to two years to gain the work experience needed for the SSCP.

Certificate vs. Certification vs. “Being Certified”

If you’re new to formal certifications, these terms may seem interchangeable—but they are not! A certificate is an official document or proof that displays or attests to your completion of a formal program, school, or training course. Earning a certificate may require passing a formal exam, hands-on practice, or just remaining in the course until the end. Certificate courses are designed to teach a skill and/or influence knowledge and understanding of a topic.

A certification goes several steps further than a certificate. Typically, certifications require a minimum period of professional experience, which may include supervision by someone who also holds those same certifications. Certifications are established by professional organizations that serve a particular industry, and thus earning that certification means you’ve demonstrated what that industry needs. Certificates are defined and issued by the schools or training programs that teach them. Typically, certifications have requirements for ongoing learning, experience, and skills development; certificates usually do not.

Finally, consider who awards you that credential. If it’s the school or the training organization, it’s a certificate. If it’s that standards-setting body, it’s a certification. As a result, you are entitled—you have earned the right—to put the official, accepted designation of that certification after your name, when used as a part of your professional correspondence, marketing, or other communications. John Doe, SSCP, or Jayne Smith, MD, are ways that these individuals rightfully declare their earned certifications.

Academic programs increasingly offer sets of accredited university courses bundled as certificate programs; instead of completing 120 semester hours for a bachelor’s degree, for example, a certificate program might require only 15 to 30 semester hours of study.

Thus, we see that “being certified” means that you’ve met the standards required by the professional organization that defines and controls that certification as a process and as a standard; you’ve earned the right to declare yourself “certified” in the domain of that standard.

The Global Need

Cyberattacks have become tremendously big business worldwide. Attackers have proven that exploiting the security weaknesses of critical infrastructures, businesses across every industry, and government agency systems around the globe can bring the attackers tremendous profit. Critical infrastructure attacks have crippled hospital and public health systems, energy distribution, and water supply treatment systems. Misdirection, distortion, and malformed data attacks on news and information media as well as databases that support clinical trials of new medicines, or control the operation of manufacturing systems, provide further profit opportunities for those who carry out these attacks. The cybercrime business model does not just begin and end with the attacker, however; it includes those who perform targeting intelligence-gathering operations, resell stolen data and intellectual property, and a hundred other logistics and support tasks that sophisticated cyber attackers benefit from.

Governments cannot protect all of the information systems that our modern digital age depends upon—nearly all of them are owned and operated by private businesses. Each of these owner-operators has the responsibility and the opportunity to do a far, far better job of securing their systems to protect the safety, reliability, and trustworthiness of their data, their organizations, and their people.

National and international standards do exist to help guide the information security profession in accomplishing this task. From a global perspective, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have jointly issued their own family of standards designed to help private and public organizations worldwide attain minimum acceptable standards in achieving information security, information assurance, and cybersecurity. The ISO/IEC 27000 family of standards provides best-practice recommendations on information security management and the management of information risks through information security controls, within the context of an overall information security management system (ISMS). ISO/IEC 27001 is the best-known standard in the family providing requirements for an ISMS. The European Union has issued a series of regulations and policy documents that help refine and implement these ISO/IEC standards.

In the United States, the National Institute of Standards and Technology (NIST) has the lead in defining standards-based frameworks and approaches for identifying, managing, and controlling risks to information systems and infrastructures. As a part of this effort, NIST established the National Initiative for Cybersecurity Education (NICE). This partnership between government, academia, and the private sector works to continually define the standards and best practices that cybersecurity professional educators and trainers need to fulfill to produce a qualified cybersecurity workforce. The US Department of Defense (DoD) has continued its efforts to professionalize its workforce (both the uniformed and civilian members) and, in a series of regulations and directives, has defined its baseline set of approved certifications in various fields. One of these, DoD Directive 8140, defines the minimum acceptable certifications someone must demonstrate to hold jobs in the information assurance technical, managerial, and systems architecture job series. DoD 8140 also defines the certifications necessary to hold jobs as a cybersecurity service provider at various levels.

(ISC)2 plays a part in helping all of these standards bodies and regulatory agencies assess the current needs of the information security community of practitioners and works to update its set of certifications to support these national, international, and global needs. As a result, the SSCP certification is recognized around the world.

The SSCP and Your Professional Growth Path

Possibly one of the best ways to see your SSCP in the context of your professional growth and development can be seen at the CyberSeek website. CyberSeek is a partnership sponsored by NIST that brings together the current state of the job market in cybersecurity, information security, and information risk management. It combines data on job market demand for such skills, current average salaries, and even insight on the numbers of professionals holding various certifications. The real gem, however, for the new cybersecurity or information security pro is its Career Mapping tool. See this at www.cyberseek.org and use it to help navigate the options to consider and the opportunities that an earned “SSCP” after your name might open up. It’s true that CyberSeek focuses on the US job market and job descriptions as it maps those against different certifications; but a few minutes’ perusal of its data, when compared with the job market in any other country, will show very similar job titles and functions. Let’s face it: a cybersecurity intelligence analyst, or a network security administrator, has much the same job functions to perform no matter where in the world their employer happens to be located.

As an international, nonprofit membership association with more than 160,000 members, (ISC)2 has worked since its inception in 1989 to serve the needs for standardization and certification in cybersecurity workplaces around the world.
Since then, (ISC)2’s founders and members have been shaping the information security profession and have developed the following information security certifications:

Certified Information Systems Security Professional (CISSP): The CISSP is an experienced professional who holds the most globally recognized standard of achievement in the industry; it was the first information security credential to meet the strict conditions of ISO/IEC Standard 17024. The CISSP certification has three concentrations:

Certified Information Systems Security Professional: Information Systems Security Architecture Professional (CISSP-ISSAP): The CISSP-ISSAP is a chief security architect, analyst, or other professional who designs, builds, and oversees the implementation of network and computer security for an organization. The CISSP-ISSAP may work as an independent consultant or other professional who provides operational guidance and direction to support business strategies.

Certified Information Systems Security Professional: Information Systems Security Engineering Professional (CISSP-ISSEP): The CISSP-ISSEP can effectively incorporate security into all facets of business operations.

Certified Information Systems Security Professional: Information Systems Security Management Professional (CISSP-ISSMP): The CISSP-ISSMP is a cybersecurity manager who demonstrates deep management and leadership skills and excels at establishing, presenting, and governing information security programs.

Systems Security Certified Practitioner (SSCP): The SSCP is a high-value practitioner who demonstrates technical skills in implementing, monitoring, and administering IT infrastructure using information security policies and procedures. The SSCP’s commitment to continuous learning and practice ensures consistent information assurance.

Certified Cloud Security Professional (CCSP): The CCSP is a globally recognized professional who demonstrates expertise and implements the highest standards in cloud security. The certification was co-created by (ISC)2 and Cloud Security Alliance—the leading stewards for information security and cloud computing security.

Certified Authorization Professional (CAP): The CAP is a leader in information security and aligns information systems with the risk management framework (RMF). The CAP certification covers the RMF at an extensive level, and it’s the only certification under the DoD 8570/DoD 8140 Approved Baseline Certifications that aligns to each of the RMF steps.

Certified Secure Software Lifecycle Professional (CSSLP): The CSSLP is an internationally recognized professional with the ability to incorporate security practices—authentication, authorization, and auditing—into each phase of the software development lifecycle (SDLC).

HealthCare Information Security and Privacy Practitioner (HCISPP): The HCISPP is a skilled practitioner who combines information security with healthcare security and privacy best practices and techniques.

Each of these certifications has its own requirements for documented full-time experience in its requisite topic areas. Newcomers to information security who have not yet had supervised work experience in the topic areas can take and pass the SSCP exam and then become recognized as Associates of (ISC)2. Associates then have two years to attain the required experience to become full members of (ISC)2.

The SSCP Seven Domains

(ISC)2 is committed to helping members learn, grow, and thrive. The Common Body of Knowledge (CBK) is the comprehensive framework that helps it fulfill this commitment. The CBK includes all the relevant subjects a security professional should be familiar with, including skills, techniques, and best practices. (ISC)2 uses the various domains of the CBK to test a certification candidate’s levels of expertise in the most critical aspects of information security. You can see this framework in the SSCP Exam Outline here:

https://www.isc2.org/-/media/ISC2/Certifications/Exam-Outlines/2021/SSCP-Exam-Outline-English-Nov-2021.ashx?la=en&hash=ABCB9E34548D2E8170ADA04EAAD3003F5577D3F5

Successful candidates are competent in the following seven domains:

Domain 1 Security Operations and Administration
Identification of information assets and documentation of policies, standards, procedures, and guidelines that ensure confidentiality, integrity, and availability, such as:
1.1 Comply with codes of ethics
1.2 Understand security concepts
1.3 Identify and implement security controls
1.4 Document and maintain functional security controls
1.5 Participate in asset management lifecycle (hardware, software, and data)
1.6 Participate in change management lifecycle
1.7 Participate in implementing security awareness and training (e.g., social engineering/phishing)
1.8 Collaborate with physical security operations (e.g., data center assessment, badging)

Domain 2 Access Controls
Policies, standards, and procedures that define users (human and nonhuman) as entities with identities that are approved to use an organization’s systems and information assets, what they can do, which resources and information they can access, and what operations they can perform on a system, such as:
2.1 Implement and maintain authentication methods
2.2 Support internetwork trust architectures
2.3 Participate in the identity management lifecycle
2.4 Understand and apply access controls

Domain 3 Risk Identification, Monitoring, and Analysis
Risk identification is the review, analysis, and implementation of processes essential to the identification, measurement, and control of loss associated with unplanned adverse events. Monitoring and analysis are determining system implementation and access in accordance with defined IT criteria. This involves collecting information for identification of, and response to, security breaches or events, such as:
3.1 Understand the risk management process
3.2 Understand legal and regulatory concerns (e.g., jurisdiction, limitations, privacy)
3.3 Participate in security assessment and vulnerability management activities
3.4 Operate and monitor security platforms (e.g., continuous monitoring)
3.5 Analyze monitoring results

Domain 4 Incident Response and Recovery
Prevent. Detect. Respond. Recover. Incident response and recovery focus on the near real time actions that must take place if the organization is to survive a cyberattack or other information security incident, get back into operation, and continue as a viable entity. In this domain, the SSCP gains an understanding of how to handle incidents using consistent, applied approaches within a framework of business continuity planning (BCP) and disaster recovery planning (DRP). These approaches are utilized to mitigate damages, recover business operations, and avoid critical business interruption:
4.1 Support incident lifecycle (e.g., National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO))
4.2 Understand and support forensic investigations
4.3 Understand and support business continuity plan (BCP) and disaster recovery plan (DRP) activities

Domain 5 Cryptography
The protection of information using techniques that ensure its integrity, confidentiality, authenticity, and nonrepudiation, and the recovery of encrypted information in its original form:
5.1 Understand reasons and requirements for cryptography
5.2 Apply cryptography concepts
5.3 Understand and implement secure protocols
5.4 Understand and support public key infrastructure (PKI) systems

Domain 6 Network and Communications Security
The network structure, transmission methods and techniques, transport formats, and security measures used to operate both private and public communication networks:
6.1 Understand and apply fundamental concepts of networking
6.2 Understand network attacks (e.g., distributed denial of service (DDoS), man-in-the-middle (MITM), Domain Name System (DNS) poisoning) and countermeasures (e.g., content delivery networks (CDN))
6.3 Manage network access controls
6.4 Manage network security
6.5 Operate and configure network-based security devices
6.6 Secure wireless communications

Domain 7 Systems and Application Security
Countermeasures and prevention techniques for dealing with viruses, worms, logic bombs, Trojan horses, and other related forms of intentionally created damaging code:
7.1 Identify and analyze malicious code and activity
7.2 Implement and operate endpoint device security
7.3 Administer Mobile Device Management (MDM)
7.4 Understand and configure cloud security
7.5 Operate and maintain secure virtual environments

Using This Book

This book is structured to take you on your learning journey through all seven subject area domains that the SSCP requires. It does this one building block at a time, starting with the fundamentals involved in a particular topic or subject and building on those to guide you toward the degree of knowledge you’ll need as an SSCP. This journey does not assume you already have broad or deep knowledge or experience in any one domain—or, for that matter, in information security at all. Instead, it starts with broad concepts that are then broken down into successively finer-grain details, which are then placed into an operational context. This journey is structured in four major parts:

Part 1 provides a solid foundation of how organizations use information to drive decision making, and the role of information systems and information technologies in making that information available, reliable, and useful. It then looks to the fundamental concepts of information security and assurance, using operational definitions and examples to help you apply these concepts to real-world situations you may find around you today:

Business and the private sector speak their own language, and organize, direct, manage, and lead their people in different ways than do governments or military services. If you haven’t had experience in the private sector or have no business background, start with Chapter 1.

Using the Language of Business

Chapter 1 has been extensively revised in this edition to place security fundamental concepts into the context of business logic and organizational management processes. Even if you’ve had private sector work experience, you’ll find Chapter 1 will strengthen your understanding of why business finds information security and assurance so important. With that as foundation, you can go on and learn how to make that security happen.

Chapter 2 provides a deep look at the fundamentals of information security and assurance. It also establishes the ethical and operational framework that forms the foundation of the rest of the book.

Part 2 takes you deep into the practice of information risk management as part of building and maintaining a proactive information systems defensive posture:

Chapter 3 defines the basic concepts of risk management and risk mitigation and familiarizes you with the processes all organizations can use to understand risks, characterize their impact on organizational objectives, and prioritize how to deal with information risks specifically.

Chapter 4 dives into risk mitigation. Here’s where we make decisions about specific risks (or, rather, about the vulnerabilities we’ve discovered that could lead to such a risk becoming reality). We’ll look at choices you can make, or advise your company’s management to make, and how you can estimate the value of your mitigation choices as compared to the possible impacts if nothing is done.

Part 3 gets down into the technologies of information security; we’ll start each major subject area in Part 3 first by reviewing the fundamentals of various information systems technologies and how they are used, and then look to their vulnerabilities and what choices we might have to help mitigate their associated risks. One important point that is emphasized throughout Part 3 is the need to own and manage the baseline architectures of our information systems—for without effective management of our systems, we have little hope of being able to keep them secure, much less operating correctly!

Chapter 5 is all about communications as a people-to-people and systems-to-systems set of processes and protocols. Two protocol stacks—the Open Systems Interconnection (OSI) 7-layer reference model and the Transmission Control Protocol over Internet Protocol (TCP/IP)—will become your highway to understanding and appreciating the different perspectives you’ll need as you seek to secure networks and systems.
Chapter 6 considers identity management and access control, which are two sides of the same process: how do we know that users or processes asking to use our systems and our information are who they claim they are, and how do we control, limit, or deny their access to or use of any of our information, our systems, our knowledge, or our people?

Chapter 7 demystifies cryptography and cryptographic systems, with special emphasis on the use of symmetric and asymmetric encryption algorithms as part of our digital certificates, signatures, and public infrastructure for security. It also explores the management of cryptologic systems and assets.

Chapter 8 considers the security aspects of computing and communications hardware, and the systems software, utilities, firmware, and connections that bring that all together.

Chapter 9 continues on the foundation laid in Chapter 8 by investigating how we secure applications software, data, and endpoint devices. It also looks at the specific issues involved when organizations migrate their information systems to the cloud (or have developed them in the cloud from the beginning).

Part 4 shifts the emphasis back onto the real driving, integrative force that we need to apply to our information security problems: the people power inherent in our workforce, their managers and leaders, and even our customers, clients, and those we partner with or share federated systems with:

Chapter 10 takes us through the information security incident response process, from planning and preparation through the real-time challenges of detection, identification, and response. It then takes us through the post-response tasks and shows how attention to these can increase our organization’s chances of never having to cope with making the same mistakes twice by learning from the experiences of an incident response while they’re still fresh in our response team members’ minds.

Chapter 11 addresses business continuity and disaster recovery, which are both the overriding purpose of information security and assurance and the worst-case scenario for why we need to plan and prepare if we want our organization to survive a major incident and carry on with business as usual.

Chapter 12 takes a look back across all chapters and then goes further into some of the more challenging concepts and ideas, applying them to different settings. It then highlights important issues and trends that you as an SSCP may have to deal with in the very near future. It also offers some last-minute practical advice on getting ready to take your SSCP exam and ideas for what you can do after that.

As you look at the chapters and the domains, you should quickly see that some domains fit neatly into a chapter all by themselves; other domains share the limelight with each other in the particular chapters that address their subject areas. You’ll also see that some chapters focus on building foundational knowledge and skills; others build applied problem-solving skills and approaches; and some provide a holistic, integrated treatment spanning CBK domains. This is intentional—the design of this book takes you on a journey of learning and mastery of those seven CBK domains.

Risk identification, monitoring, and analysis as a domain is a fundamental element of two chapters (Chapters 3 and 4) almost by itself. This important topic deserves this level of attention; you might even say that the very reason we do information security at all is because we’re trying to manage and mitigate risks to our information! Similarly, we see that Chapter 11, which focuses on the people power aspects of achieving business continuity in the face of information security incidents and disasters, must make significant use of the domains of access control, security operations and administration, and risk identification, monitoring, and analysis.
Finally, the growing emphasis in the marketplace on data security, cloud security, endpoint security, and software lifecycle security dictates that we first build a strong foundation on hardware and systems security (Chapter 8), on which we build our knowledge and skills for applications, data, cloud, and mobile endpoint security. Major Changes in This Edition In putting together both the 2021 SSCP Exam Outline and its official SSCP training mate- rials, (ISC)2 has introduced new topics and put greater emphasis on some previously existing ones. These changes are reflected in this edition of the Study Guide as well. Major changes include the following: CIANA+PS: Expanding the “CIA Triad” (of confidentiality, integrity, and availability) to CIANA+PS. Adding nonrepudiation, authenticity, privacy, and safety to this mne- monic throughout the course and this study guide reflects the elevated sense of risk that many businesses, governments, consumers, and citizens alike are feeling, as cyberattacks against energy systems, medical care, food processing, and financial systems continue to escalate. Operational technology (OT): Digital control of our physical environment is every- where! From the Internet of Things to manufacturing and industrial process control, and from implanted medical devices to self-driving vehicles and drones, the bridge bet- ween the IT systems that plan these operations and the OT systems that make physical things happen affects our workplaces, our homes, and our lives. The data and control flows between IT and OT systems, and the threats that can cross those thresholds, have become lucrative targets to cyberattackers. Entities and identities, for human and nonhuman users alike: Whether it’s smartphones or OT systems elements, many organizations have already expanded their user base to include real and virtual entities alike. 
Just-in-time identity, third-party identity services (such as using your Google or Facebook credentials to sign on to another website), and connection management also get a deeper look.

Compliance: a pathway to greater security, whether required or not: ISO, NIST, and other information security–related standards and compliance frameworks represent a valuable knowledge bank—one that even an organization with no compliance obligation can learn from.

Individuals and smaller organizations: Many of the basic security hygiene measures, as well as cutting-edge security technologies and approaches, can and must be applied to the individual, small or home office (SOHO), and small to medium business (SMB).

Information classification and categorization: Clarifying these two important steps in the information risk management and mitigation process is shown to be straightforward and necessary—even beyond those involved with government and military systems.

Analytics for security—more than log management: The business model for doing security—for managing risk by preventing, detecting, and responding to security incidents—has pivoted in recent years. Simply put, the data deluge from all of those devices and sensors and agents is good news—if we use state-of-the-practice tools and services to take a big-picture view of it. And since these tools are often available free or at very low cost for individual, SOHO, or SMB use, it's time we start applying them.

Cryptographic asset management: Digital certificates have become the mainstay of many online operations today; these, too, are valuable and important information assets that must be protected.

Vulnerability management: Expanded coverage of this important part of the SSCP's responsibilities now includes MITRE's ATT&CK Framework, as part of dealing with the risks posed by advanced persistent threats.
Objective Map

Table I.1 contains an objective map to show you at a glance where you can find each objective covered. Note that all chapters except Chapters 1 and 12 cover objectives from the SSCP exam.

TABLE I.1 Objective Map

Objective                                                                          Chapter

Domain 1: Security Operations and Administration
1.1 Comply with codes of ethics                                                    1, 2, 11
1.2 Understand security concepts                                                   1, 2, 4, 11
1.3 Identify and implement security controls                                       4, 11, 12
1.4 Document and maintain functional security controls                             4, 11
1.5 Participate in asset management lifecycle                                      1, 3, 4, 11, 12
1.6 Participate in change management lifecycle                                     4, 11
1.7 Participate in implementing security awareness and training                    4, 11
1.8 Collaborate with physical security operations                                  4, 11, 12

Domain 2: Access Controls
2.1 Implement and maintain authentication methods                                  6
2.2 Support internetwork trust architectures                                       6
2.3 Participate in the identity management lifecycle                               6, 11
2.4 Understand and apply access controls                                           6

Domain 3: Risk Identification, Monitoring, and Analysis
3.1 Understand the risk management process                                         3, 11, 12
3.2 Understand legal and regulatory concerns                                       3, 4
3.3 Participate in security assessment and vulnerability management activities     11, 12
3.4 Operate and monitor security platforms                                         4, 10
3.5 Analyze monitoring results                                                     4, 10

Domain 4: Incident Response and Recovery
4.1 Support incident lifecycle                                                     10
4.2 Understand and support forensic investigations                                 10
4.3 Understand and support business continuity plan (BCP) and disaster recovery plan (DRP) activities   10, 11

Domain 5: Cryptography
5.1 Understand cryptography                                                        7
5.2 Apply cryptography concepts                                                    7
5.3 Understand and implement secure protocols                                      7
5.4 Understand and support public key infrastructure (PKI) systems                 7

Domain 6: Network and Communications Security
6.1 Understand and apply fundamental concepts of networking                        5, 12
6.2 Understand network attacks                                                     5, 12
6.3 Manage network access controls                                                 5
6.4 Manage network security                                                        5, 12
6.5 Operate and configure network-based security devices                           5
6.6 Secure wireless communications                                                 5, 12

Domain 7: Systems and Application Security
7.1 Identify and analyze malicious code and activity                               8
7.2 Implement and operate endpoint device security                                 8, 9, 12
7.3 Administer Mobile Device Management (MDM)                                      8, 12
7.4 Understand and configure cloud security                                        9, 12
7.5 Operate and maintain secure virtual environments                               8, 9

Earning Your Certification

Earning your SSCP requires that you take and pass the SSCP exam, of course; it also requires that you have at least one year of full-time work experience in at least one of the seven SSCP domains of knowledge. A one-year prerequisite waiver will be granted by (ISC)2 if you have earned a bachelor's or master's degree in a cybersecurity program. The website https://www.isc2.org/Certifications/SSCP/Prerequisite-Pathway explains this and should be your guide. Note the requirements to be able to document your work experience.

No matter where you are on that pathway right now, put this book to work! Use it as a ready reference, as a roadmap, and as a learning tool. Let it help you broaden and deepen your knowledge base, while you sharpen your skills on the job or in your classes—or both!

Before the Exam: Grow Your Knowledge, Skills, and Experience

The key to this or any personal and professional development you want to achieve is to first set your goals. SMART goals can help you plan and achieve most anything you