File: !MAIN COURSE BOOK! Chapple M. (ISC)2 CISSP Certified IS...Study Guide 9ed 2021.pdf
Downloads: 1
Added: 20.06.2025
Size: 15.75 MB

Index

A

AAA protocols, 695
AAA services, risks of, 8–11
Abagnale, Frank (author)
    Scam Me If You Can: Simple Strategies to Outsmart Today’s Ripoff Artists, 98
abstraction, 12
abuse case testing, 751–752
acceptable use policy (AUP), 24, 47, 48, 424
accepting risk. See risk acceptance
access abuses, 462
access control list (ACL), 327–328, 679–680
access control matrix, 327–328, 679
access control triplet, 333
access control vestibules, 477–479
access controls
    about, 640–641, 678, 714–715
    attacks on, 699–714
    in CIA Triad, 321
    comparing models, 678–690
    exam essentials, 715–717
    implementing authentication systems, 690–699
    models, 681–682
    review question answers, 1080–1082
    review questions, 718–721
    written lab, 717
    written lab answers, 1111
accessibility, availability and, 7
account access review, 667–668
account lockout controls, 714
account maintenance, 667
account management, 754
account revocation, 666
accountability
    about, 644–645
    integrity and, 6
    monitoring and, 838–839
    as a provision of the GDPR, 167
    in security process, 10–11
accounting, in security process, 8
accuracy, 6, 166
ACID model, 978
acquisitions, mergers and, 19–20
acting, in IDEAL model, 962
active monitoring, 752
active response, to intrusion detection systems (IDSs), 824
active-active system, 596
active-passive system, 596
ActiveX controls, 373
activity, monitoring, 839
acts of terrorism, 870
ad hoc level, of Risk Maturity Model (RMM), 78
ad hoc mode, 528
Address Resolution Protocol (ARP), 510, 519–520
Adleman, Leonard, 265, 273
administrative controls, 73
administrative investigations, 910–911
administrative law, 146–147
administrative physical security controls, 452
administrators, 207–208
admissible evidence, 913
Adobe Flash, 374
Advanced Encryption Standard with 256-bit keys (AES 256), 187

[p. 1118] advanced persistent threats (APTs) – applied cryptography

advanced persistent threats (APTs), 770, 925, 995
advanced threat protection, 1008–1009
adversarial approach, to threat modeling, 26
adware, 1004
Affected Users, in DREAD system, 31
agent-based system, 550
agentless system, 550
aggregation, in databases, 980
aggregators, 548
Agile Software Development, 958–959
air gap, 318
algorithm, 223. See also specific algorithms
allowable interruption window (AIW), 453
alternate keys, 976
alternate processing sites, 883–888
alternate sites, 130
alternative systems, 131
always-on VPN, 606–607
Amazon Web Service (AWS) Simple Storage Service (S3), 192
American Civil Liberties Union (ACLU), 160
amplifiers, 547
analog communications, 566
analysis, in Electronic Discovery Reference Model (EDRM), 912
analytic attack, 297
AND operation, 225
Andersen, Arthur, 730
Android devices, 407–408
annual cost of the safeguard (ACS), 69–70
annualized loss expectancy (ALE)
    about, 127
    quantitative risk analysis and, 65–66
annualized rate of occurrence (ARO), 65, 125–126
anonymization, 202–204
antenna management, 534–535
antimalware, 829–830, 1007–1008
antispam software, 89
anything as a service (XaaS), 402
applets, 372
application allow listing (whitelisting), 414
application attacks
    about, 1009
    backdoors, 1011
    buffer overflows, 1009–1010
    privilege escalation, 1011
    rootkits, 1011
    time of check to time of use (TOCTTOU), 1010–1011
application cells/containers, 405
application control/management, 414
Application layer (layer 7), 501, 506–507
application logs, 836
Application Programming Interfaces (APIs), 312, 751, 967–968, 1020
application resilience, 1031
application roles, 685
application security controls
    about, 1025
    code security, 1029–1031
    controlling access to, 640
    database security, 1028–1029
    input validation, 1025–1027
    web application firewalls (WAFs), 1027–1028
application-level firewall, 552
applied cryptography
    about, 285
    blockchain, 295–296
    circuit encryption, 294
    dark web, 291–292
    email, 286–287
    emerging applications, 295–297
    homomorphic encryption, 297
    IP security (IPsec) protocol, 294–295
    lightweight cryptography, 296
    networking, 294–295
    portable devices, 285–286
    Pretty Good Privacy (PGP), 287–289
    Secure Sockets Layer (SSL), 290


    Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol, 289
    steganography, 292–293
    Tor, 291–292
    Transport Layer Security (TLS), 290–291
    watermarking, 292–293
    web applications, 290–292
approving patches, 790
architecture
    common flaws and issues, 428–432
    of database management system (DBMS), 973–977
    of mobile devices, 424
Arduino, 387
Argon2, 707
arithmetic-logical unit (ALU), 364
ARP cache poisoning, 520
ARP spoofing, 520
“Arrangement on the Recognition of Common Criteria Certificates in the Field of IT Security,” 337
artifacts, 850–851, 913, 916–919
artificial intelligence (AI), 846–847
Asia-Pacific Economic Cooperation (APEC), 167
ASREPRoast, 711
assertions, 692
Assess phase, in Risk Management Framework (RMF), 79–81
assessment, in disaster recovery planning (DRP), 892
assessment test, lix–lxxiv
asset owner role, 21, 56, 205
asset security
    about, 180, 211
    data protection methods, 199–204
    data roles, 204–208
    data states, 185–186
    defining asset classifications, 185
    defining data classifications, 182–185
    determining compliance requirements, 186
    determining data security controls, 186–188
    establishing handling requirements, 188–198
    exam essentials, 211–213
    identifying and classifying information and assets, 180–188
    review question answers, 1053–1056
    review questions, 214–218
    security baselines, 208–210
    written lab, 213
    written lab answers, 1102–1103
asset value (AV), 123
assets
    classifying, 185
    controlling access to, 639–641
    focused on, 27
    managing, 774–776
    ownership of, 774
    tracking, 416
    valuation of, 56, 58–59
assigning risk. See risk assignment
assurance
    about, 948
    in CIA Triad, 321–322
asymmetric cryptography
    about, 264
    Diffie-Hellman algorithm, 269–270
    ElGamal algorithm, 267–268
    elliptic curve cryptography (ECC), 268
    private keys, 264–265
    public keys, 264–265
    quantum cryptography, 270–271
    RSA algorithm, 265–266
asymmetric cryptosystems, 221
asymmetric key algorithms, 241–244
asymmetric key management, 284
asymmetric multiprocessing (AMP), 376
asynchronous communications, 567
asynchronous dynamic password tokens, 651
atomicity, in ACID model, 978
attack phase, in penetration testing, 743


attack vector. See threat vector
attackers
    about, 699
    defined, 924
    focused on, 27
attacks. See also specific types
    access control, 699–714
    based on design/coding flaws, 430
    determining potential, 28
attenuation, 562
Attribute-Based Access Control (ABAC), 526, 682, 686–687
audit logging. See logging
audit trails, 838
auditing, 8, 10, 731
auditor role, 22
authenticated relay, 597
authentication
    as a goal of cryptography, 222
    implementing systems of, 690–699
    on internal networks, 694–697
    on Internet, 691–694
    protocols for, 582–585
    Remote Authentication Dial-in User Service (RADIUS), 697–698
    in security process, 8, 9
    session management and, 949
    Terminal Access Controller Access Control System Plus (TACACS+), 698–699
Authentication Header (AH), 295, 609
authentication protection, 592
authentication service, Kerberos, 696
authenticity, risks of, 8
authoritative passwords, 648–650
authority, as a social engineering principle, 83
authorization
    about, 644–645
    exploiting vulnerabilities, 1017–1020
    mechanisms for, 679–681
    in security process, 8, 10
Authorization to Operate (ATO), 16, 340–341
Authorize phase, in Risk Management Framework (RMF), 79–81
Authorizing Official (AO), 340
automated indicator sharing (AIS), 355
automated recovery, 879
automatic expiration, DRM and, 199
Automatic Private IP Addressing (APIPA), 617–618
automation
    in configuration management (CM), 784–785
    of incident response, 845–851
auxiliary alarm system, 460
availability
    in CIA Triad, 7, 641
    high, 875–880
AV-Test, 995–996
awareness
    about, 96–99
    in disaster recovery planning (DRP), 898–899
    in security management process, 755
AWS buckets, 192

B

backbone distribution system, 454
backdoor attacks, 1011
backdoor vulnerability, 1033–1034
background checks, 46
backups, in disaster recovery planning (DRP), 892–896
badges, 456–457
baiting, 92
bandwidth, 880
barricades, 479
baseband cables, 560
baseband radio, 544
baseband technology, 567


baselines
    about, 24–25
    in configuration management (CM), 783–784
base+offset addressing, 365
basic input/output systems (BIOS), 371
basic service set identifier (BSSID), 529
bastion host, 551
bcrypt, 707
beacon frame, 529
behavior, 947
behavior modification, 96
behavior-based detection, 821–823
Behr, Kevin
    The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win, 967
Bell-LaPadula model, 328–332
benign DoS, 383
Biba model, 330–332
biometrics, 409, 651, 653–655
birthday attacks, 300, 706–707
birthday paradox, 706
bit flipping, 749
Bitcoin, 296, 380–381
bits, 500
Black-Box Penetration Test, 744, 969
blacklisting, 831–832
blind content-based SQL injection, 1013–1015
blind timing-based SQL injection, 1015–1016
block cipher, 237
blockchain, 295–296, 380–381
Blowfish, 249
Blue Screen of Death (BSOD), 950–951
Bluebugging, 537
Bluejacking, 537
Bluesmacking, 537
Bluesnarfing, 537
Bluesniffing, 537
Bluetooth (802.15), 537–538
Boehm, Barry, 957
Boeing, 198
Boldon James, 188
bombings, 870
book cipher, 236
Boolean mathematics, 224
boot attestation, 371
boot sector, 996–997
Border Gateway Protocol (BGP), 503
botnets (bots), 812–813, 1001
bottom-up approach, 17
bounds, in CIA Triad, 320–321
branch coverage, 752
breach, 57
breach and attack simulation (BAS), 745
Brewer and Nash model, 334–335
bridge mode, 529
bridges, 548
bring your own device (BYOD), 420
broadband cables, 560
broadband technology, 567
broadcast domains, 547
broadcast storm, 611
broadcast technology, 567
browser wrap license agreements, 158
brute-force attack, 297, 704–705
buffer overflow errors, 817
buffer overflows, 1009–1010
buildings, BCP and, 130
bumping, 481
burglar alarms, 458
bus topology, 564
business associate agreement (BAA), 162
business attacks, 925
business continuity planning (BCP)
    about, 114–115, 136–137
    benefits of, 119–120
    business impact analysis (BIA), 121–128
    continuity planning, 128–131
    documentation for, 132–136
    exam essentials, 137–138


    plan approval and implementation, 131–136
    project scope, 115–121
    review question answers, 1049–1051
    review questions, 139–142
    in security management process, 754–755
    selecting your team, 117–118
    written lab, 138
    written lab answers, 1101
business email compromise (BEC), 87
business impact analysis (BIA)
    about, 121–122
    Cloud and, 124–125
    identifying priorities, 122–123
    impact analysis, 126–128
    likelihood assessment, 125–126
    resource prioritization, 128
    risk identification, 123–124
business strategy, aligning security function with, 17–19
business unit, 881–882
business/mission owners, 206

C

cable lock, 453
cable plant management policy, 454
cabling, 559–563
cache RAM, 363
Caesar cipher, 232–234, 235
California Consumer Privacy Act (CCPA, 2018), 168–169
California SB 1386, 162
Caller ID, 525
cameras, 460–461
camouflage, 1028–1029
campus area network (CAN), 606
Canadian privacy laws, 167–168
candidate keys, 975
candidate screening, 46–47
capabilities
    about, 310, 322–323, 343–344
    access control matrix, 327–328
    Bell-LaPadula model, 328–330
    Biba model, 330–332
    Brewer and Nash model, 334–335
    capabilities of information systems, 341–343
    Clark-Wilson model, 333–334
    design principles, 310–320
    ensuring CIA Triad, 320–322
    exam essentials, 344–347
    fundamental concepts of, 322–336
    Goguen-Meseguer model, 335
    Graham-Denning model, 335–336
    Harrison-Ruzzo-Ullman (HRU) model, 336
    information flow model, 325
    noninterference model, 326
    review question answers, 1060–1062
    review questions, 348–352
    state machine model, 325
    Sutherland model, 335
    systems requirements, 337–341
    take-grant model, 326–327
    trusted computing base (TCB) design principle, 323–325
    written lab, 347
    written lab answers, 1104–1105
Capability Maturity Model (CMM), 78, 955, 960–961
Capability Maturity Model Integration (CMMI), 961
capability table, 679–680
capacitance motion detector, 459
captive portals, 535
capture filters, 506
cardinality, 974–975
carrier network connections, 623
carrier unlocking, 418
Carrier-Sense Multiple Access (CSMA), 567


Carrier-Sense Multiple Access with Collision Avoidance (CSMA/CA), 568
Carrier-Sense Multiple Access with Collision Detection (CSMA/CD), 568
cascading, 326
CAST algorithm, 250–251
Categorize phase, in Risk Management Framework (RMF), 79–81
Cavoukian, Ann
    “Privacy by Design - The 7 Foundational Principles: Implementation and Mapping of Fair Information Practices,” 319
cell suppression, 981
cellular networks, 544
Center for Internet Security (CIS), 22
central processing unit (CPU), 356
central station system, 460
centralized access control, 659, 660
CEO fraud, 87
CEO spoofing, 87
certificate authority (CA), 278, 279–280
certificate chaining, 280
Certificate Practice Statement (CPS), 282
certificate revocation list (CRL), 280–281, 282
certificate signing request (CSR), 280
certificate stapling, 282–283
certificates
    digital, 278
    formats of, 283
    lifecycle of, 280–283
    pinning, 281
certification process, xliii
chain of custody, 914–915
chain of evidence, 914–915
Challenge Handshake Authentication Protocol (CHAP), 583
change control, 965
change logs, 836
change management
    about, 785–786
    configuration documentation, 788
    maintenance and, 955
    process of, 787–788
    software development lifecycle (SDLC) and, 964–966
    versioning, 788
chat, 594–595
checklists, 891–892
chief information officer (CIO), 17, 18
chief information security officer (CISO), 17
chief security officer (CSO), 17
chief technical officer (CTO), 18
Children’s Online Privacy Protection Act (COPPA, 1998), 163
choose your own device (CYOD), 421
chosen ciphertext attacks, 300
chosen plaintext attacks, 300
CIA Triad
    about, 4–7, 320, 640–641
    access controls and, 321
    assurance and, 321–322
    bounds and, 320–321
    confinement and, 320
    isolation and, 321
    trust and, 321–322
Cipher Block Chaining (CBC) mode, 244
Cipher Feedback (CFB) mode, 244
ciphers, 230–238
ciphertext-only attack, 298–299
circuit encryption, 294
circuit proxies, 553
circuit switching, 620
circuit-level gateway firewalls, 553, 833
circular logging, 844
CISSP exam
    about, xxxix–xl
    advice for, xli–xlii
    question types, xl–xli
    study and preparation tips for, xlii
civil investigations, 911
civil law, 146


Clark-Wilson model, 333–334, 680
classification levels, 329, 947
Classless Inter-Domain Routing (CIDR), 518
clean-desk policy, 464
clearing media, 196
clickjacking, 94, 515
click-through license agreements, 158
client-based systems
    about, 372
    local caches, 375
    mobile code, 372–374
client/server model, 556
clipping levels, 842
closed head system, 474
Closed port, 733
closed relay, 597
closed source, 313
closed systems, 312–313
closed-circuit television (CCTV), 460–461
cloud access security broker (CASB), 200
cloud computing
    about, 397
    business impact analysis (BIA) and, 124–125
    integration with, 403
    managed services in the, 779–782
    protecting, 878
    recovery strategy and, 887
cloud services license agreements, 158
cloud-based federation, 661
coaxial cable, 559–560
code
    about, 954
    ciphers compared with, 231
    flaws in, 430
    practices of coding, 1031–1034
    reuse of, 1029–1030
    review of, 746–747
    review walk-through of, 954
    security of, 1029–1031
    signing, 1029
code injection attacks, 1016
Code of Fair Information Practices, 932–933
Code Red worm, 1001–1002
code repositories, 970–971, 1030
cognitive password, 643
cohesion, 947
cold aisle, 468
cold sites, 883–884
collection
    in Electronic Discovery Reference Model (EDRM), 912
    of evidence, 916–919
collector, 548
collision attack. See birthday attacks
collision domains, 547
collisions, 244
collusion, 49
columnar transposition, 231
combination locks, 481–482
command injection attacks, 1016–1017
Commerce Control List (CCL), 159
commercial off-the-shelf (COTS) software, 972
Committee of Sponsoring Organizations (COSO) of the Treadway Commission, 81
Common Configuration Enumeration (CCE), 732
Common Criteria (CC), 337–340
Common Gateway Interface (CGI), 1010
common mode noise, 467
Common Platform Enumeration (CPE), 732
Common Vulnerabilities and Exposures (CVE), 731, 792–793
Common Vulnerability Scoring System (CVSS), 731
communications and network attacks
    about, 582, 626–628
    communication protection, 410–411


    communication protocols, 521, 543–544
    email security, 596–602
    exam essentials, 628–630
    fiber-optic links, 624
    load balancing, 595–596
    multimedia collaboration, 593–595
    network address translation (NAT), 614–618
    preventing/mitigating, 625–626
    protocol security mechanisms, 582–585
    remote access security management, 590–593
    review question answers, 1075–1077
    review questions, 631–635
    security control characteristics, 624–625
    switching, 610–614
    switching technologies, 620–622
    third-party connectivity, 618–619
    virtual LANs, 610–614
    virtual private network (VPN), 602–609
    voice communications, 586–590
    wide area network (WAN) technologies, 622–623
    wireless communication, 536–539
    written lab, 630
    written lab answers, 1109–1110
Communications Assistance for Law Enforcement Act (CALEA, 1994), 161
community cloud deployment model, 782–783
compartmentalized environment, 689
compensation control, 75
compiler, 944
completeness, integrity and, 6
compliance
    determining requirements for, 186
    testing, 68
compliance checks, 745–746
compliance policy requirements, 53
compliant mobile devices, 690
composition theories, 326
comprehensiveness, integrity and, 6
computer architecture, 354
computer crime
    categories of, 923–929
    laws for, 147–152
Computer Ethics Institute, 932
Computer Fraud and Abuse Act (CFAA, 1984), 148–149, 164, 1003
computer incident response team (CIRT) role, 21
computer security incident, 803
computing minimalism, 317
concealment, confidentiality and, 5
concentrators, 547
conceptual definition, 952–953
concurrency, in databases, 979–980
condition coverage, 752
conductors, 561–562
confidential label, 182, 184
confidentiality
    in CIA Triad, 5, 640
    as a goal of cryptography, 220–221
configuration documentation, in change management, 788
configuration management (CM)
    automation, 784–785
    baselining, 783
    provisioning, 783
    software development lifecycle (SDLC) and, 964–966
    using images for baselining, 783–784
confinement, in CIA Triad, 320
confusion, 237–238
connection methods, 417
connection oriented, 508
connectionless “best effort” communication protocol, 509
consensus, as a social engineering principle, 83
consistency, in ACID model, 978
constrained data item (CDI), 333
constrained interface model, 343, 680


consultant agreements, 52–53
contactless payment methods, for mobile devices, 425–426
containerization, 400, 405–406
content delivery network, 545
content distribution network (CDN), 545
content filtering, 554, 555–556
content inspection, 555–556
content management system (CMS), 414
content-dependent access control, 680
content/URL filter, 555–556
context-aware authentication, 646
context-dependent access control, 680
continuity of operations plan (COOP), 129
continuous audit trail, DRM and, 199
continuous improvement, 77–78
continuous integration/continuous delivery (CI/CD), 966–967
contracting, 171
contractor agreements, 52–53
contractual license agreements, 158
Control Objectives for Information and Related Technology (COBIT), 15, 22–23, 206, 731
control specifications development, 953–954
control zone, 369
controls gap, 68–69
converged protocols, 523–524
Copyright law, 152–154
core protection methods, 713–714
corporate espionage, 925
corporate policies, for mobile devices, 423
corporate-owned, personally enabled (COPE), 420–421
corporate-owned business-only (COBO) strategy, 421
corporate-owned mobile strategy (COMS), 421
corrective control, 75
cost, of security controls vs. benefit of security controls, 69–72
cost/benefit calculation/analysis, 70
Counter (CTR) mode, 245
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) (Counter-Mode/CBC-MAC Protocol), 532
Counter with Cipher Block Chaining Message Authentication Code Mode (CCM), 245
countermeasures
    about, 354, 432–433
    architecture flaws and issues, 428–432
    assessing, 355–372
    client-based systems, 372–375
    containerization, 405–406
    cyber-physical systems, 386–393
    distributed systems, 380–382
    edge computing, 385–386
    embedded devices, 386–393
    essential security protection mechanisms, 426–428
    exam essentials, 433–439
    fog computing, 385–386
    high-performance computing (HPC) systems, 382–383
    industrial control systems, 378–380
    infrastructure as code (IaC), 395–396
    Internet of Things (IoT), 383–385
    managing, 791
    microservices, 394–395
    mitigating, 355–372
    mobile devices, 406–426
    review question answers, 1062–1067
    review questions, 441–445
    selecting and implementing, 72–74
    server-based systems, 375–378
    serverless architecture, 406
    shared responsibility, 354–355
    specialized devices, 393–394
    virtualized systems, 397–405
    written lab, 440
    written lab answers, 1105–1106


countries of concern, 159
coupling, 947
covert channels, 428–429
covert storage channel, 429
covert timing channel, 429
crackers, 699
Creating Defensible Space (Newman), 452
credential hijacking, 93
credential management systems, 419, 662–663
credential manager apps, 663
credential stuffing attack, 706
Crime Prevention Through Environmental Design (CPTED), 450–451
criminal investigations, 911
criminal law, 144–146
crisis management, 882
critical path analysis, 448–449
criticality, confidentiality and, 5
cross-border information sharing, 167
crossover error rate (CER), 654
cross-site request forgery (CSRF/XSRF), 1024
cross-site scripting (XSS), 1016, 1021–1023
cryptanalysis, 224
cryptocurrency, 296
cryptographic algorithms, 156
cryptographic applications. See PKI and cryptographic applications
cryptographic attacks, 297–301
cryptographic erasure, 197
cryptographic keys, 238–239
cryptographic mathematics, 224–230
cryptographic modes of operation, 244–246
cryptographic salt, 298
cryptography and symmetric key algorithms
    about, 220, 239–241, 255–256
    ciphers, 230–238
    concepts of cryptography, 223–224
    cryptographic lifecycle, 255
    cryptographic mathematics, 224–230
    exam essentials, 256–257
    goals of cryptography, 220–222
    modern cryptography, 238–244
    review question answers, 1056–1057
    review questions, 258–261
    symmetric cryptography, 244–254
    written lab, 257
    written lab answers, 1103–1104
cryptology, 224
cryptomalware, 1001
cryptosystems, 224
cryptovariables, 224
custodian role, 21
cybercrime for hire, 926
cyber-physical systems, 389
Cybersecurity Enhancement Act, 151
“Cyberwarfare: Origins, Motivations and What You Can Do in Response,” 95

D

DAD Triad, 7–8
Damage Potential, in DREAD system, 31
dark web, 291–292
DARPA model. See TCP/IP model
data at rest, 221
data breach notification laws, 162–163
data centers, 455–458
data classifications, 182–185
data collection limitation, 192–193
data controllers, 206–207
data custodians, 207
data destruction, 194–197
data diddling, 431–432
Data Encryption Standard (DES)
    about, 239, 247
    advanced encryption standard, 250
    Blowfish, 249
    CAST algorithm, 250–251


    comparing symmetric encryption algorithms, 251–252
    International Data Encryption Algorithm (IDEA), 248–249
    Rivest ciphers, 249–250
    Skipjack algorithm, 249
    symmetric key management, 252–254
    Triple DES (3DES), 247–248
data exposure, 1028
data extraction, 842
data flow control, 375
data hiding, 12–13
data in motion, 221
data in transit, 185
data in use, 185, 221
data integrity, 922–923
Data Link layer (layer 2), 503–504
data location, 193
data loss prevention (DLP), 188, 189–190
data maintenance, 189
data minimization, 166, 1028
data owners, 204–205
data ownership, for mobile devices, 422
data processors, 206–207
Data Protection Directive (DPD), 165–166
data protection methods
    about, 199
    anonymization, 202–204
    cloud access security broker (CASB), 200
    digital rights management (DRM), 199–200
    pseudonymization, 200–201, 202
    tokenization, 201–202
data remanence, 194–195, 367
data remnants, 462
data retention, 197–198, 922–923
data roles
    about, 204
    administrators, 207–208
    asset owners, 205
    business/mission owners, 206
    data controllers, 206–207
    data custodians, 207
    data owners, 204–205
    data processors, 206–207
    subjects, 208
    users, 208
data security controls, determining, 186–188
data sovereignty, 382
data states, 185
data storage devices, 366–367
data warehousing, establishing, 973–983
database contamination, 978
database management system (DBMS)
    architecture, 973–977
    Open Database Connectivity (ODBC), 982–983
    security for multilevel databases, 978–982
    transactions, 977–978
database normalization, 976
database recovery, 888–889
database vulnerability scanning, 741–742
databases
    establishing, 973–983
    security of, 1028–1029
dataflow paths, in decomposition process, 29
datagram, 500
dead code, 1030
deauthentication packet, 541
debugging, 949
decentralized access control, 659
declassification of media, 197
decompiler, 944
decomposing. See reduction analysis
decryption, 223, 343
dedicated line, 622
deencapsulation, 498–500
deep packet inspection (DPI), 554
defense in depth, 11
defensive approach, to threat modeling, 26


defined level, of Risk Maturity Model (RMM), 78
degaussing media, 196
degrees, 974
delegating
    about, 947
    incident response, 809
Delphi technique, 63
Delpy, Benjamin, 708
Delta rule, 986
deluge system, 475
demarcation point, 454
demilitarized zone (DMZ), 545
demonstrative evidence, 916
Denial of service (DoS), in STRIDE threat model, 27
denial-of-service (DoS) attacks, 376, 813–817
deny by default, 414
Department of Commerce Bureau of Industry and Security (BIS), 159
deploying patches, 790
deployment policies, for mobile devices, 420–426
deprovisioning, 666–667
design
    about, 310, 322–323, 343–344
    access control matrix, 327–328
    Bell-LaPadula model, 328–330
    Biba model, 330–332
    Brewer and Nash model, 334–335
    capabilities of information systems, 341–343
    Clark-Wilson model, 333–334
    design principles, 310–320
    ensuring CIA Triad, 320–322
    exam essentials, 344–347
    flaws in, 430
    fundamental concepts of, 322–336
    Goguen-Meseguer model, 335
    Graham-Denning model, 335–336
    Harrison-Ruzzo-Ullman (HRU) model, 336
    information flow model, 325
    noninterference model, 326
    review of, 954
    review question answers, 1060–1062
    review questions, 348–352
    in Software Assurance Maturity Model (SAMM), 961
    state machine model, 325
    Sutherland model, 335
    systems requirements, 337–341
    take-grant model, 326–327
    trusted computing base (TCB) design principle, 323–325
    written lab, 347
    written lab answers, 1104–1105
design patents, 156
design principles
    about, 310
    closed systems, 312–313
    KISS principle, 316–317
    objects, 311–312
    open systems, 312–313
    Privacy by Design (PbD), 319
    secure defaults, 314
    subjects, 311–312
    system failures, 314–316
    trust, but verify, 319–320
    zero trust, 317–319
destination network address translation (DNAT). See NAT traversal (NAT-T)
destruction
    about, 197
    of symmetric keys, 253–254
detection
    of incidents, 805–806
    in vulnerability scanning, 742
detective control, 75, 810
deterrent alarms, 459
deterrent control, 74, 452–453
development toolsets, 945–946


device authentication, 409–410, 657–658
device lockout, 411
devices, controlling access to, 639. See also mobile devices
DevOps approach, 966–967
diagnosing, in IDEAL model, 962
dictionary attack, 704
differential backups, 893
Diffie-Hellman algorithm, 156, 253, 269–270, 291
diffusion, 237–238
digital certificates, 278, 283
digital communications, 566
Digital Millennium Copyright Act (DMCA, 1998), 153–154
digital motion detector, 459
digital rights management (DRM), 199–200
Digital Signature Algorithm (DSA), 277
Digital Signature Standard (DSS), 277
digital signatures
    about, 222, 275–276
    Digital Signature Standard (DSS), 277
    hashed message authentication code (HMAC) algorithm, 276–277
digital watermarking, 845
direct addressing, 365
direct evidence, 915
direct inward system access (DISA), 590
Direct Sequence Spread Spectrum (DSSS), 537
directed graph, 326–327
directional antenna, 534
directive control, 76
directory traversal attacks, 1018–1019
dirty reads, 979
disassociation, 541
Disaster, Reproducibility, Exploitability, Affected Users, and Discoverability (DREAD) system, 30–31
disaster recovery planning (DRP)
    about, 114–115, 863, 902
    acts of terrorism, 870
    assessment, 892
    backups, 892–896
    bombings, 870
    earthquakes, 864–865
    emergency response, 891
    exam essentials, 902–903
    explosions, 870
    fault tolerance, 875–880
    fires, 868, 869–870
    floods, 865–867
    hardware/software failures, 872
    high availability, 875–880
    human-made disasters, 869–874
    infrastructure failures, 871–872
    logistics, 897
    natural disasters, 864–869
    nature of disaster, 863–874
    network failures, 871–872
    offsite storage, 892–896
    pandemics, 869
    personnel and communications, 891–892
    picketing, 873
    power outages, 871
    recovery plan development, 890–898
    recovery strategy, 880–889
    recovery vs. restoration, 897–898
    review question answers, 1089–1091
    review questions, 904–907
    in security management process, 754–755
    software escrow agreements, 896–897
    storms, 867–868
    strikes, 873
    supplies, 897
    system resilience, 875–880
    testing and maintenance, 899–902
    theft, 873–874
    training, awareness, and documentation, 898–899
    utilities, 897


    utility failures, 871–872
    vandalism, 873–874
    written lab, 903
    written lab answers, 1113–1114
disasters, nature of, 863–874
Discoverability, in DREAD system, 31
discretion, confidentiality and, 5
Discretionary Access Control (DAC), 681, 682–683
Discretionary Security Property, 329
disk-to-disk backup, 895
display filters, 506
distance vector routing protocols, 503
Distinguished Encoding Rules (DER) format, 283
distributed architecture, 556
distributed computing environment (DCE). See distributed system
distributed control systems (DCSs), 378–380
distributed databases, 973–974
distributed denial-of-service (DDoS) attacks, 814
distributed ledger, 381
Distributed Network Protocol 3 (DNP3), 523
distributed reflective denial-of-service (DRDoS) attack, 814
distributed system, 380–382, 556
distributed virtual switches, 611
DLL injection attack, 1016
DNS cache poisoning, 512
DNS over HTTPS (DoH), 511
DNS pharming, 512
DNS poisoning, 511–514
DNS query spoofing, 513
DNS sinkhole, 514
documentary evidence, 914
documenting investigations, 923
documents
    business continuity planning (BCP), 132–136
    disaster recovery planning (DRP), 898–899
    exchanging and reviewing, for evaluation of third parties, 20
    reviewing, 15–16
    storing, 983
DOD model. See TCP/IP model
domain hijacking, 514–515
Domain Message Authentication Reporting and Conformance (DMARC), 600
domain name, 509
domain name system (DNS)
    about, 509–511
    DNS pharming, 512
    DNS poisoning, 511–514
    DNS query spoofing, 513
    Domain Name System Security Extensions (DNSSEC), 511
domain theft, 514–515
Domain Validation (DV) certificates, 280
DomainKeys Identified Mail (DKIM), 600
domains, xxxviii, 974
“Don’t Repeat Yourself” (DRY), 317
double conversion UPS, 465
Double DES (2DES), 300
doxing, 95
Dragonfly Key Exchange, 532–533
drive-by download, 86
DRM license, 199
dry pipe system, 474
dual stack, 517
due care, 23
due diligence, 23
dumb card, 456
dumpster diving, 92–93
durability, in ACID model, 978
duress, 771–772
dynamic application security testing (DAST), 748
Dynamic Host Configuration Protocol (DHCP), 507


dynamic packet filtering firewall, 553
dynamic ports, 508

dynamic RAM, 363–364

E

E911 location tracking, 413
EAP Transport Layer Security (EAP-TLS), 584
EAP Tunneled Transport Layer Security (EAP-TTLS), 584
EAP-MD5, 584
earthquakes, 864–865
east-west traffic, 546
eavesdropping, 626
Economic Espionage Act (1996), 157, 161
edge computing, 385–386
education, 98, 132
effectiveness evaluation, 99–100
egress monitoring, 844–845
802.11x, 528, 533, 584
elasticity, 398–399, 783
electromagnetic interference (EMI), 467
electronic access control (EAC) lock, 481–482
Electronic Code Book (ECB) mode, 244
Electronic Communications Privacy Act (1986), 161
electronic discovery (eDiscovery), 912
Electronic Discovery Reference Model (EDRM), 912
electronic vaulting, 888–889
electronically erasable programmable read-only memory (EEPROM), 362
electrostatic discharge (ESD), 469
Elevation of privilege, in STRIDE threat model, 27
Elgamal, Taher, 267
ElGamal algorithm, 267–268
eliciting information, 85
elliptic curve cryptography (ECC), 268, 291
Elliptic Curve DSA (ECDSA), 277
email security
  about, 286–287, 596–597
  email data, 187
  goals for, 597–598
  issues with, 599
  solutions for, 599–602
email spoofing, 713
emanation security, 367–369
embedded systems
  about, 386–387, 813
  elements related to, 389–390
  security concerns of, 390–393
emergency communications, 882–883
emergency management, 773
emergency response
  in disaster recovery planning (DRP), 891
  guidelines in BCP documentation, 135
employee oversight, 48–49
employment agreements, 47–48
Encapsulating Security Payload (ESP), 295, 609
encapsulation, 498–500
encrypted traffic, monitoring, 826
encrypted viruses, 999
encryption
  about, 13, 343
  defined, 223
  of sensitive data, 194
encryption export controls, 159
end user role, 22
end-of-life (EOL), 78, 198, 397
end-of-service life (EOSL), 78, 198, 397
end-of-support (EOS), 78, 198, 397
endpoint detection and response (EDR), 558, 1008–1009
endpoint security, 556–559
endpoint-based DLP, 190
end-to-end encrypted VPN, 605


end-to-end encryption, 294
Enhanced Interior Gateway Routing Protocol (EIGRP), 503
Enigma codes, 299
enrollment, digital certificate and, 280
Enron Corporation, 730
enterprise (ENT), 532
enterprise extended mode, 528
enterprise risk management (ERM) program, 78
entity behavior analytics (UEBA) functions, 822
entrance facility, 454
entrapment, 829
environment safety, 482
environmental monitoring, 470
ephemeral key, 240
ephemeral ports, 508
equal error rate (ERR), 654
equipment failure, 453–454
equipment room, 454
erasable programmable read-only memory (EPROM), 362
erasing media, 195
error handling, 949, 1032–1033
escaping input, 948
escrowed encryption standard, 254
Ethernet, 565–566
Ethernet address, 503
ethical disclosure, 749
ethics
  about, 929, 933
  exam essentials, 934–935
  Internet and, 931–933
  (ISC)2 Code of Ethics, 930–931
  organizational code of, 929–930
  review question answers, 1091–1093
  review questions, 936–939
  written lab, 935
  written lab answers, 1114
European Union
  Data Protection Directive (DPD), 165–166
  General Data Protection Regulation (GDPR), 166–167
evaluation assurance levels (EALs), 338
evidence
  about, 913
  admissible, 913
  artifacts, 916–919
  collection of, 916–919
  forensic procedures, 916–919
  gathering, 919–920
  storage of, 463–464
  types, 913–916
evil twin attacks, 540–541
exam essentials
  access control, 715–717
  asset security, 211–213
  business continuity planning (BCP), 137–138
  communications and network attacks, 628–630
  cryptography and symmetric key algorithm, 256–257
  disaster recovery planning (DRP), 902–903
  ethics, 934–935
  identity and authentication, 669–670
  incident response, 852–855
  investigations, 934–935
  laws, regulations, and compliance, 172–173
  malicious code and application attacks, 1035–1036
  network architecture, 570–573
  personnel security and risk management, 101–106
  physical security, 484–488
  PKI and cryptographic applications, 302–303
  security and assessment testing program, 756–757


  security governance, 33–36
  security models, 344–347
  security operations, 794–796
  software development security, 987–988
  vulnerabilities, threats, and countermeasures, 433–439
exception handling, 314–315
excessive privilege, 668
exclusive OR operation, 227
exercises, in BCP documentation, 136
exigent circumstances, 920
exit interview, 19, 50
expert systems, 984–985
exploit Wednesday, 791
Exploitability, in DREAD system, 31
explosions, 870
Export Administration Regulations (EAR), 159
exposure, 56
exposure factor (EF)
  about, 127
  quantitative risk analysis and, 64
extended service set identifier (ESSID), 529
Extended Validation (EV) certificates, 280
Extensible Authentication Protocol (EAP), 533, 583–584
Extensible Configuration Checklist Description Format (XCCDF), 732
Extensible Markup Language (XML), 691
external audits, 729

F

face scans, 652
Facebook, 658
facilities
  BCP and, 130
  controlling access to, 639
Factor Analysis of Information Risk (FAIR), 81
fail-closed, 316
fail-open state/system, 316, 879, 950–951
failover, 877
fail-safe, 315–316
fail-secure failure state, 950–951
fail-secure system, 879
fail-soft, 315
fair cryptosystems, 254
fairness, as a provision of the GDPR, 166
false acceptance rate (FAR), 653
false alarms, 823
false positive, 822–823
false rejection rate (FRR), 653
familiarity, as a social engineering principle, 84
Family Educational Rights and Privacy Act (FERPA), 54, 164
Faraday cage, 368
Fast Identity Online (FIDO) Alliance, 657
fat access point, 529
fault injection attack, 297
fault tolerance, 343, 623, 875–880
fax security, 602
Federal Cybersecurity Laws (2014), 151–152
Federal Emergency Management Agency (FEMA), 126, 866
Federal Information Processing Standard (FIPS)
  140-2, “Security Requirements for Cryptographic Modules,” 224
  185, the Escrowed Encryption Standard (EES), 249
Federal Information Security Management Act (FISMA, 2002), 150–151
Federal Information Systems Modernization Act (FISMA, 2014), 151
Federal Sentencing Guidelines, 150
federated identities, 660–662
feedback, 326
feedback loop characteristics, 956–957
fences, 477–479


fiber-optic cables, 562–563
fiber-optic links, 624
Fibre Channel over Ethernet (FCoE), 523–524
Fibre Channel over IP (FCIP), 524
field-powered proximity device, 458
field-programmable gate array (FPGA), 387
fields, in databases, 974
file inclusion attacks, 1020
file infector viruses, 997
File Transfer Protocol (FTP), 294, 506
Filtered port, 733
filters, 682
financial attacks, 926
fingerprints, 652
finite state machine (FSM), 325
fire detection systems, 473–474
fire extinguishers, 472–473
fire prevention, detection, and suppression, 470–476
fire triangle, 470–471
fires, 868, 869–870
firewall logs, 836
firewalls
  about, 550–554
  basic guidelines for, 832–833
  as Rule-Based Access Controls, 686
firmware
  about, 370–372
  custom, 418
firmware over-the-air (OTA) updates, 418–419
First Street Foundation’s Flood Factor, 126
5-4-3 rule, 562
500-year floodplain, 866
fixed-temperature detection systems, 473
Flame Stage, of fire, 471–472
flame-actuated systems, 473
flash memory, 362, 374
Flexible Authentication via Secure Tunneling (EAP-FAST), 584
floods, 865–867
fog computing, 385–386
for official use only (FOUO), 182
foreign keys, 976
forensics
  for mobile devices, 423
  procedures for, 916–919
forward proxy, 555
Fourth Amendment, 160, 921
fraggle attacks, 816–817
frame, 500
Freedom of Information Act (FOIA), 182
frequency analysis, 233, 298–299
Frequency Hopping Spread Spectrum (FHSS), 537
full backups, 893
full tunnel VPN, 607
full-device encryption (FDE), 410
full-disk encryption (FDE), 286
Full-duplex mode, 501
full-interruption test, 900
fully qualified domain names (FQDN), 510
function as a service (FaaS), 406
function coverage, 752
function recovery, 879
functional priorities, 881–882
functional requirements determination, 953
FutureWave, 374
fuzz testing, 26, 749–751

G

gait analysis, 461
Galbraith’s Star Model, 336
Galois/Counter Mode (GCM), 245
gamification, 98–99
Gantt charts, 964
gas discharge systems, 475–476
gates, 477–479
General Data Protection Regulation (GDPR), 54, 166–167, 207


generational (intelligent) fuzzing, 749
Generic Routing Encapsulation (GRE), 608
geofencing, 413
geolocation data, 412
geostationary orbit (GEO), 543
geotagging, 412–413
Global Positioning System (GPS), 412–413
Global Privacy Standard (GPS), 319
goals
  aligning security function with, 17–19
  of business continuity planning (BCP), 133
  for email security, 597–598
Goguen-Meseguer model, 335
Golden Ticket, 710–711
Good Practice Guidelines (GPG), 890
Google, 591, 658, 663
Google Authenticator, 655
Google v. Oracle, 156
governance, in Software Assurance Maturity Model (SAMM), 961
Graham-Denning model, 335–336
Gramm-Leach-Bliley Act (GLBA, 1999), 54, 163
Grandfather-Son (GFS) strategy, 896
graph databases, 983
gratuitous ARP, 520
Gray-Box Penetration Test, 744, 969–970
greatest lower bound (GLB), 329
grid computing, 377–378
grudge attacks, 927–928
guard dogs, 480–481
guidelines, 24–25

H

hackers, 699
hacktivists, 928–929
Half-duplex mode, 501
halon, 475–476
hard drives, protecting, 875–877
hard-coded credentials, 1033–1034
hardening provisions, 130
hardware
  about, 356
  asset inventories for, 774–775
  data storage devices, 366–367
  emanation security, 367–369
  failures of, 872
  input/output devices, 369–370
  memory, 362–366
  processor, 356–361
  replacement options for, 886–887
  secure operation of, 546–547
hardware address, 503
hardware security modules (HSMs), 284
hardware segmentation, 427
hardware/embedded device analysis, 918–919
Harrison-Ruzzo-Ullman (HRU) model, 336
hash functions
  about, 271–272
  comparing value lengths, 274
  MD5 algorithm, 273
  RIPE Message Digest (RIPEMD), 273–274
  Secure Hash Algorithm (SHA), 272–273
Hash-based Message Authentication Code (HMAC), 276–277, 609
hashing, 1029
hashing algorithms, 244
Health Information Technology for Economic and Clinical Health Act (HITECH, 2009), 162
Health Insurance Portability and Accountability Act (HIPAA, 1996), 54, 161, 181, 838
hearsay rule, 915–916
heartbeat sensor, 458
heat map, 531
Heat Stage, of fire, 471–472
heat-based motion detector, 459
Hertz (Hz), 536


hierarchical databases, 973–974
hierarchical environment, 689
hierarchical storage management (HSM), 896
high-impact baseline, 209
high-performance computing (HPC) systems, 382–383
HMAC-based One-Time Password (HOTP), 656
hoax messages, 90–91
hoaxes, 999
homograph attack, 515
homomorphic encryption, 297
honeynets, 828–829
honeypots, 828–829
hookup, 326
hop limit field, 517
horizontal distribution system, 454
host-based firewall, 554
host-based intrusion detection systems (HIDSs), 825–827
hostname, 510
host-to-host VPN, 605
hot aisle, 468
hot sites, 884–885
hotspots, for mobile devices, 425
hubs, 547
human-made disasters, 869–874
humidity considerations, 467–470
hurricanes, 867–868
hybrid assessment/analysis, 62
hybrid attack, 704
hybrid cloud deployment model, 783
hybrid cryptography, 243, 269, 285
hybrid environment, 689
hybrid federation, 661–662
hybrid warfare, 95
“Hybrid Warfare” report, 95
Hypertext Transfer Protocol (HTTP), 507
Hypertext Transfer Protocol Secure (HTTPS), 290, 507
hypervisor, 397, 403–405

I

iBeacon, 413
IDEAL model, 962–963
identification
  in Electronic Discovery Reference Model (EDRM), 912
  in security process, 8, 9
identification cards, 456–457
identity and access management (IAM), 47, 318
identity and authentication
  about, 639, 668–669
  accountability, 644–645
  authorization, 644–645
  comparing subjects and objects, 642–643
  controlling access to assets, 639–641
  defining new roles, 667–668
  deprovisioning, 666–667
  device authentication, 657–658
  establishment of, 643–644
  exam essentials, 669–670
  implementing identity management (IdM), 659–664
  managing, 641–659
  multifactor authentication (MFA), 655
  mutual authentication, 659
  offboarding, 666–667
  onboarding, 665–666
  passwordless authentication, 656–657
  proofing, 643–644
  provisioning lifecycle, 664–668, 664–680
  registration, 643–644
  review question answers, 1078–1080
  review questions, 672–675
  service authentication, 658
  something you are factor of authentication, 645, 651–655
  something you have factor of authentication, 645, 650–651


  something you know factor of authentication, 645, 647–650
  two-factor authentication with Authenticator apps, 655–656
  written lab, 671
  written lab answers, 1110–1111
identity as a service (IDaaS), 662–663
identity fraud, 93–94
identity management (IdM)
  about, 659
  credential management systems, 662–663
  credential manager apps, 663
  federated identities, 660–662
  scripted access, 663
  session management, 663–664
  single sign-on (SSO), 659–662
identity theft, 93–94
Identity Theft and Assumption Deterrence Act (1998), 164
Identity Theft Resource Center (ITRC), 186
immediate addressing, 364
immutable architecture, 396
impact analysis, 126–128
impersonation. See spoofing
Implement phase, in Risk Management Framework (RMF), 79–81
implementation attack
  about, 297
  in Software Assurance Maturity Model (SAMM), 961
implementing countermeasures, 72–74
implicit deny, 414, 551, 679
Implicit SMTPS, 601
importance, statement of, 133
import/export laws, 158–159
incident prevention and response
  about, 803, 851–852
  automating, 845–851
  conducting incident management, 803–809
  exam essentials, 852–855
  implementing detective and preventive measures, 809–834
  logging and monitoring, 834–845
  review question answers, 1086–1089
  review questions, 856–859
  written lab, 855
  written lab answers, 1113
incipient smoke detection systems, 474
Incipient Stage, of fire, 471–472
incremental attacks, 431–432
incremental backups, 893
independent service set identifier (ISSID), 529
indirect addressing, 365
industrial camouflage, 450
industrial control system (ICS), 378–380
industrial espionage, 925
Industrial Internet of Things (IIoT), 385
industry standards, 912
inference, in databases, 980–981
influence campaigns, 94–96
information
  controlling access to, 639
  eliciting, 85
  ownership of, 774
Information disclosure, in STRIDE threat model, 27
information flow model, 325
information gathering and discovery phase, in penetration testing, 743
information governance, in Electronic Discovery Reference Model (EDRM), 912
information security officer (ISO), 17
information security (InfoSec) officer role, 21
information security (InfoSec) team, 17
information systems (IS), 3
information technology (IT), 3
Information Technology Infrastructure Library (ITIL), 23
Information Technology Security Evaluation Criteria (ITSEC), 337


InfraGard program, 923
infrastructure
  BCP and, 130–131
  failures of, 871–872
  for mobile devices, 424
infrastructure as a service (IaaS), 782
infrastructure as code (IaC), 395–396
infrastructure mode, 528
inherent risk, 68
inheritance, 947
initialization vector (IV), 542
initiating, in IDEAL model, 962
injection vulnerabilities
  about, 1012
  code injection attacks, 1016
  command injection attacks, 1016–1017
  SQL injection attacks, 1012–1016
in-memory analysis, 917
input blacklisting, 1025
input points, in decomposition process, 29
input validation, 948–949, 1021, 1025–1027
input whitelisting, 1025
input/output devices, 369–370
insecure direct object reference, 1018
insider threat, 927–928
instance, 947
instant messaging (IM), 594–595
Institute of Electrical and Electronics Engineers (IEEE), 503
intangible inventories, 775–776
integrated development environment (IDE), 945–946
integrated level, of Risk Maturity Model (RMM), 78
Integrated Product Teams (IPTs), 959
Integrated Services Digital Network (ISDN), 623
integration platform as a service (iPaaS), 403
integrity
  in CIA Triad, 6, 641
  as a goal of cryptography, 221–222
  measurement of, 1030–1031
  monitoring, 1008
integrity verification procedure (IVP), 333
intellectual property (IP) laws, 152–157
interactive application security testing (IAST), 748
interactive online learning environment, xliv
interconnection security agreement (ISA), 619
Interface Definition Language (IDL), 381
interfaces
  about, 343
  testing, 751
interference, 880
Interior Gateway Routing Protocol (IGRP), 503
intermediate distribution facilities, 454
intermediate distribution frame (IDF), 454
Intermediate System to Intermediate System (IS-IS), 503
internal audits, 728
internal networks, implementing authentication on, 696–697
internal security controls
  about, 481
  combination locks, 481–482
  environment safety, 482
  keys, 481–482
  life safety, 482
  regulatory requirements, 482
internal segmentation firewalls (ISFWs), 318, 554
International Data Encryption Algorithm (IDEA), 248–249
International Electrotechnical Commission (IEC), 23, 380
International Organization for Standardization (ISO), 23, 340, 731
International Traffic in Arms Regulations (ITAR), 159


Internet
  ethics and, 931–933
  files cache, 375
  implementing authentication on, 691–694
Internet Architecture Board (IAB), 932
Internet Assigned Numbers Authority (IANA), 833
Internet Control Message Protocol (ICMP), 519
Internet Group Management Protocol (IGMP), 519
Internet Key Exchange (IKE), 609
Internet Message Access Protocol (IMAP), 506, 597
Internet of Things (IoT), 383–385, 813
Internet Protocol (IP) networking
  about, 516
  Internet Control Message Protocol (ICMP), 519
  Internet Group Management Protocol (IGMP), 519
  IP classes, 517–519
  IPv4 vs. IPv6, 516–517
Internet Protocol Security (IPsec), 521, 609
Internet Security Association and Key Management Protocol (ISAKMP), 609
internet service providers (ISPs), 164
Internet Small Computer System Interface (iSCSI), 524
interrogations, during investigations, 922
interviews, during investigations, 922
intimidation, as a social engineering principle, 83
intrusion alarms, 459–460
intrusion detection systems (IDSs)
  about, 458–459, 820–821
  behavior-based detection, 821–823
  host-based, 825–827
  intrusion alarms, 459–460
  knowledge-based detection, 821–823
  motion detector/motion sensor, 459
  network-based, 825–827
  response to, 824
  secondary verification mechanisms, 460
intrusion prevention systems (IPSs), 820–821, 827–828
inventory control, 416
investigations
  about, 910, 933
  computer crime categories, 923–929
  evidence, 913–919
  exam essentials, 934–935
  monitoring and, 839
  process for, 919–923
  review question answers, 1091–1093
  review questions, 936–939
  types, 910–913
  written lab, 935
  written lab answers, 1114
invoice scams, 90
iOS devices, 408
IP address, 509
IP configuration, 513
IP Payload Compression (IPComp), 609
IP security (IPsec) protocol, 294–295
iris scans, 652
ISACA
  Risk IT Framework, 81
  website, 22
(ISC)2
  about, xxxvii–xxxviii
  Code of Ethics, 930–931
(ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests, 3rd Edition, xlii
ISO/IEC 15408, 337
ISO/IEC 27005 “Information technology - Security techniques - Information security risk management,” 80
ISO/IEC 31000 document “Risk management - Guidelines,” 80
ISO/IEC 31004 “Risk management - Guidance for the implementation of ISO 31000,” 80
isolation
  in ACID model, 978
  in CIA Triad, 321
  confidentiality and, 5
IT as a service (ITaaS), 402
IT closets, 455–458
ITIL Core, 786

J

jailbreaking, 417–418, 832
jamming, 542
Japanese Purple Machine, 299
Java, 373
JavaScript, 373–374
JavaScript Object Notation (JSON) Web Token (JWT), 693
jitter, 880
job descriptions/responsibilities, 45–46
job rotation, 768, 769
jump server, 548
jumpbox, 548
just-in-time (JIT) provisioning, 662

K

KeePass, 663
Kerberoasting, 711
Kerberos, 521, 695–697, 710–711
Kerberos Brute-Force, 711
Kerberos Principal, 696
Kerberos Realm, 696
Kerckhoffs’s Principle, 223
kernel mode, 359
kernels, 324, 358
key distribution, symmetric key algorithms and, 240
Key Distribution Center (KDC), 695
key escrow, 230, 254
key performance indicators (KPIs)
  of physical security, 483


  in security management process, 755–756
key space, 223
keyboards, as input/output devices, 370
keys
  about, 481–482
  length of, 266–267
  management of, 419
  recovery of, 254
keystroke monitoring, 843
key/value stores, 983
kill chain model, 847–848
Kim, Gene
  The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win, 967
KISS principle, 316–317
knowledge-based detection, 821–823
knowledge-based systems
  about, 984
  expert systems, 984–985
  machine learning (ML), 985–986
  neural networks, 986
known plaintext attacks, 299

L

L3 switch, 610
labels, 322
LAN extenders, 548
land attack, 817
large-scale parallel data systems, 376–377
last login notification, 714
latency, 880
lattice-based access control, 329
law enforcement, calling in, 920
lawfulness, as a provision of the GDPR, 166
laws, regulations, and compliance
  about, 144, 171–172
  Canadian privacy laws, 167–168


  categories of laws, 144–147
  compliance, 169–170
  computer crime, 147–152
  contracting, 171
  European Union privacy law, 165–167
  exam essentials, 172–173
  import/export, 158–159
  intellectual property (IP), 152–157
  licensing, 158
  privacy, 160–168
  procurement, 171
  review question answers, 1051–1053
  review questions, 174–178
  state privacy laws, 168–169
  written lab, 173
  written lab answers, 1102
Layer 2 Tunneling Protocol (L2TP), 608
layering. See defense in depth
LDAP injection attack, 1016
learning, in IDEAL model, 962
learning rule, 986
leased line, 622
least significant bit (LSB), 292
least upper bound (LUB), 329
legacy attacks, 817
legal concerns, for mobile devices, 424
legal requirements, for BCP, 120–121
Let’s Encrypt!, 279
libraries, 945
licensing laws, 158
life safety, 482
light fidelity (LiFi), 543
lighting, 479–480
lightweight cryptography, 296
Lightweight Directory Access Protocol (LDAP), 660
Lightweight Extensible Authentication Protocol (LEAP), 531, 533, 583
likelihood assessment, 125–126
limit check, 948
Line Printer Daemon (LPD), 507
line-interactive UPS, 466
link encryption, 294
link encryption VPN, 605
link state routing protocols, 503
load balancing, 376, 595–596
load persistence, 596
local alarm system, 460
local area network (LAN), 559, 567–569
local file inclusion attacks, 1020
location services, 412–413
lock picking, 481
Lockheed Martin, 848
lockout, for mobile devices, 411
locks, 481–482
log analysis, 840
log cycling, 844
log management, 844
log reviews, 753–754
logging
  about, 834, 950
  common types, 835–836
  data protection, 836–837
  techniques for, 834–835
logic bombs, 999–1000
logical access, controlling, 640
logical controls, 73
logical operations, 225–227
logical topology, 563
logistics, in disaster recovery planning (DRP), 897
loop coverage, 752
loopback address, 518, 618
lost updates, 979
low Earth orbit (LEO), 543
low-impact baseline, 208

M

MAC address, 509

MAC cloning, 613–614

MAC filtering, 534, 613

MAC flooding attack, 613

MAC limiting, 613

MAC spoofing, 509, 613


machine language, 944
machine learning (ML), 846–847, 850–851, 985–986
macro viruses, 997–998
magnetic stripe cards, 457
mail storm, 599
main distribution frame (MDF), 454
maintenance
  in BCP documentation, 136
  change management and, 955
  for disaster recovery planning (DRP), 899–902
malicious code and application attacks
  about, 994, 1035
  application attacks, 1009–1011
  application security controls, 1025–1031
  authorization vulnerabilities, 1017–1020
  exam essentials, 1035–1036
  injection vulnerabilities, 1012–1017
  malware, 994–1006
  malware prevention, 1006–1009
  review question answers, 1095–1097
  review questions, 1037–1040
  secure coding practices, 1031–1034
  web application vulnerabilities, 1020–1025
  written lab, 1036
  written lab answers, 1115
malicious scripts, 1005–1006
malicious software, 831
malware
  about, 772, 994
  adware, 1004
  logic bombs, 999–1000
  malicious scripts, 1005–1006
  preventing, 1006–1009
  ransomware, 1004–1005
  sources of malicious code, 995
  spyware, 1004
  Trojan horses, 1000–1001
  viruses, 995–999
  worms, 1001–1004
  zero-day attacks, 1006
malware inspection, 555
managed detection and response (MDR) services, 1009
managed services
  accounts for, 701
  in the cloud, 779–782
management controls. See administrative controls
managerial controls. See administrative controls
Mandatory Access Control (MAC), 682, 687–689
mandatory vacations, 48, 768
Manifesto for Agile Software Development, 958–959
man-in-the-middle (MiTM) attack, 300, 513, 819–820
manual recovery, 879
marking sensitive data, 190–192
masquerading. See spoofing
massive parallel processing (MPP), 376–377
master boot record (MBR), 996–997
maximum tolerable downtime (MTD), 123, 453
maximum tolerable outage (MTO), 123, 453
MD5 algorithm, 273
mean time between failures (MTBF), 453–454
mean time to failure (MTTF), 453–454, 778–779
mean time to repair (MTTR), 453
measured boot, 371
media
  analysis of, 916–917
  management of, 776
  managing lifecycle of, 778–779
  protection techniques for, 776–777
  storage facilities for, 462–463
Media Access Control (MAC) address, 503
mediated-access model, 359


medium Earth orbit (MEO), 543
meet in the middle attacks, 300
Meltdown memory error, 341–342
memorandum of agreement (MOA), 619
memorandum of understanding (MOU), 619
memory
  random access, 363
  read-only, 362
  secondary, 365–366
memory addressing, 364–365
memory dump file, 917
memory leaks, 1034
memory management, 1034
memory pointers, 1034
memory protection, 341–342
memory security issues, 366–367
mergers and acquisitions, 19–20
Merkle-Hellman Knapsack algorithm, 266
mesh topology, 565
message, 947
message digest, 271
metacharacters, 1026
Metasploit Framework, 743–744
method, 947
metropolitan area network (MAN), 606
mice, as input/output devices, 370
microcode. See firmware
microcontrollers, 386
microprocessor, 356
MicroSD, 410
microsegmentation, 318, 526–527
microservices, 394–395
Microsoft Security Development Lifecycle (SDL), 26
military and intelligence attacks, 924–925
Mimikatz, 708–709
Mirai malware, 813
mirroring, 876
mission, aligning security function with, 17–19
misuse case testing, 751–752
mitigation, of incidents, 806–807
MITRE ATT&CK Matrix, 848–849
mnemonics, 500
mobile application management (MAM), 414
mobile code, 372–374
mobile content management (MCM) system, 414
mobile device management (MDM), 409
mobile devices
  about, 406–407
  Android, 407–408
  application control/management, 414
  asset tracking, 416
  bring your own device (BYOD), 420
  carrier unlocking, 418
  choose your own device (CYOD), 421
  communication protection, 410–411
  connection methods, 417
  content management system (CMS), 414
  corporate-owned, personally enabled (COPE), 420–421
  corporate-owned business-only (COBO) strategy, 421
  corporate-owned mobile strategy (COMS), 421
  credential management, 419
  custom firmware, 418
  deployment policies, 420–426
  device authentication, 409–410
  device lockout, 411
  disabling unused features, 417
  firmware over-the-air (OTA) updates, 418–419
  full-device encryption (FDE), 410
  Global Positioning System (GPS), 412–413
  inventory control, 416
  iOS, 408
  jailbreaking, 417–418
  key management, 419
  location services, 412–413


  mobile device management (MDM), 409
  protecting, 778
  push notifications, 415
  remote wiping, 411
  removable storage, 416
  rooting, 417–418
  screen locks, 411–412
  security features for, 408–420
  sideloading, 418
  storage segmentation, 415–416
  text messaging, 419–420
  third-party application stores, 415
  with Wi-Fi capabilities, 539
mobile sites, 886
modems, 370, 547–548
moderate-impact baseline, 209
modification attacks, 626
modulo function, 227–228
Monitor phase, in Risk Management Framework (RMF), 79–81
monitoring
  accountability and, 838–839
  activity, 839
  audit trails, 838
  devices for, 772
  encrypted traffic, 826
  investigation and, 839
  measurement and, 76–77
  problem identification and, 840
  role of, 837
  security information and event management (SIEM), 841
  techniques for, 840–843
monitors, as an input/output device, 369
Morana, Marco M. (author)
  Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis, 27–28
Morris, Robert Tappan, 1002–1003
motion detector/motion sensor, 459
multicast technology, 567
multicasting, 519
multicore, 357
multifactor authentication (MFA), 318, 409–410, 646, 655, 690, 713–714
multifunction devices (MFDs), 390, 554
multifunction printers (MFPs), 369
multilayer protocols
  about, 522–523
  converged protocols, 523–524
  implications of, 522–526
  software-defined networking (SDN), 525–526
  Voice over Internet Protocol (VoIP), 524–525
multilayer switch, 610
multimedia collaboration, 593–595
multipartite viruses, 998
multiparty risk, 52
multiprocessing, 357
multiprogramming, 357
Multiprotocol Label Switching (MPLS), 524
multitasking, 356–357
multithreading, 357
mutation (dumb) fuzzing, 749
mutual assistance agreements (MAAs), 887–888
mutual authentication, 659

N

narrow-band wireless, 543
NAT traversal (NAT-T), 555, 616
National Cybersecurity Protection Act, 152
National Information Infrastructure Protection Act (1996), 149–150
National Institute of Standards and Technology (NIST)
  Cybersecurity Framework (CSF), 23, 79, 151
  Federal Information Processing Standards (FIPS), 837


  FISMA implementation guidelines, 150–151
  Risk Management Framework (RMF), 23, 79–81
  SMS for 2FA, 656
  SP 800-18, 205
  SP 800-30r1 Appendix D, “Threat sources,” 60
  SP 800-30r1 Appendix E, “Threat events,” 60
  SP 800-34, Contingency Planning Guide for Federal Information Systems, 890
  SP 800-53, 14–15
  SP 800-53 Rev. 5, “Security and Privacy Controls for Information Systems and Organizations,” 22, 76, 151, 208
  SP 800-53A: Assessing Security and Privacy Controls in federal Information Systems Organizations: Building Effective Assessment Plans, 727
  SP 800-53B, 209–210
  SP 800-61, Computer Security Incident Handling Guide, 803–804, 805, 901
  SP 800-63B, “Digital Identity Guidelines: Authentication and Lifecycle Management,” 644, 648–649
  SP 800-86, Guide to Integrating Forensic Techniques into Incident Response, 913
  SP 800-88 Rev. 1, “Guidelines for Media Sanitization,” 194
  SP 800-94, Guide to Intrusion Detection and Prevention Systems, 821, 824
  SP 800-100, 14–15
  SP 800-115, FedRAMP Penetration Test Guidance, 745
  SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), 180, 181
  SP 800-145, The NIST Definition of Cloud Computing, 782
  SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, 151
  SP 800-207, “Zero Trust Architecture,” 318–319
  website, 732
National Software Reference Library (NSRL), 918
natural access control, 451
natural disasters, 864–869
natural surveillance, 451
natural territorial reinforcement, 451–452
“Navigating Digital Information” YouTube series, 96
near-field communication (NFC), 539
need-to-know principle, 680, 765–766
network access control (NAC), 549–550
network address and port translation (NAPT). See port address translation (PAT)
network address translation (NAT)
  about, 614–616
  Automatic Private IP Addressing (APIPA), 617–618
  private IP addresses, 616–617
  stateful NAT, 617
Network Address Translation-Protocol Translation (NAT-PT), 517
network analyzer. See protocol analyzer
network and port address translation (NPAT). See port address translation (PAT)
network architecture
  about, 497, 569–570

network architecture and components  –  NOT operation

1147

Address Resolution Protocol (ARP), 519–520

analyzing network traffic, 505–506 Application layer protocols, 506–507 cellular networks, 544 communication protocols,

521, 543–544

content distribution network (CDN), 545

domain name system (DNS), 509–515 exam essentials, 570–573 implications of multilayer

protocols, 522–526 Internet Protocol (IP)

networking, 516–519 microsegmentation, 526–527 network components, 545–569 Open Systems Interconnection (OSI)

Reference Model, 497–504 review questions, 575–579 TCP/IP model, 504–505

Transport layer protocols, 508–509 wireless networks, 527–542 written lab, 574

network architecture and components review question answers, 1071–1074 written lab answers, 1108

network components about, 545–546 cabling, 559–563

common equipment, 547–549 content/URL filter, 555–556 endpoint security, 556–559 Ethernet, 565–566

firewalls, 550–554

hardware operation, 546–547

network access control (NAC), 549–550 proxy, 554–555

sub-technologies, 566–569 topology, 559, 563–566 transmission media technology, 559

network discovery scanning, 732–737 network evaluator. See protocol analyzer network failures, 871–872

Network File System (NFS), 507 network flow (NetFlow), 754 Network layer (layer 3), 502 network segmentation, 527

Network Time Protocol (NTP), 753, 839 network traffic, analyzing, 505–506 network vulnerability scanning, 737–739 network-­based DLP, 190

network-­based intrusion detection systems (NIDSs), 825–827

network-­enabled devices, 388 neural networks, 986 Newman, Oscar (author)

Creating Defensible Space, 452 next-­generation firewall (NGFW),

374, 554, 833

next-­generation secure web gateway (SWG), 553

NIC address, 503 nnn-nn-nnnn pattern, 189 noise considerations, 467 nonce, 228, 651 nondedicated line, 623

nondisclosure agreement (NDA), 48, 157 Nondiscretionary Access Control, 683–685 noninterference model, 326

non-­IP protocols, 502 nonlinear warfare, 95 nonrepudiation

as a goal of cryptography, 222 risks of, 8

symmetric key algorithms and, 240 nontransparent proxy, 555 nonvolatility, of storage devices, 366 north-­south traffic, 546

NoScript, 374

NoSQL databases, 982–983 NOT operation, 226

1148notification alarms  –  optimized level

notification alarms, 459 nuisance alarm rate (NAR), 477 NULL pointer, 1034

O

OAuth, 692, 694
obfuscation, 1028–1029
object evidence, 913–914
objectives, aligning security function with, 17–19
object-oriented programming (OOP), 946–948, 974
objects
  compared with subjects, 642–643
  defined, 678
  in secure design, 311–312
Oblivious DoH (ODoH), 511
occupant emergency plans (OEPs), 482
offboarding, 49–52, 423, 666–667
offline distribution, 252–253
offsite storage, in disaster recovery planning (DRP), 892–896
off-the-shelf solutions, 354
omnidirectional antenna, 534
onboard camera/video, for mobile devices, 424–425
onboarding, 47–48, 423, 665–666
100-year floodplain, 866
one-time pads, 234–236
onetime passwords, 651
one-way functions, 228
Online Certificate Status Protocol (OCSP), 280–281, 282
on-path attack. See man-in-the-middle (MiTM) attack
on-premises federated identity management system, 661
on-site assessment, for evaluation of third parties, 20
Open Database Connectivity (ODBC), 982–983
open port, 733
open relay, 597
Open Shortest Path First (OSPF), 503
open source, 313
open source software (OSS), 972
open system authentication (OSA), 531
open systems, 312–313
Open Systems Interconnection (OSI) Reference Model
  deencapsulation, 498–500
  encapsulation, 498–500
  functionality of, 498
  history of, 497
  layers, 500–504
Open Vulnerability and Assessment Language (OVAL), 732
Open Web Application Security Project (OWASP), 664, 739, 950, 961, 1017
OpenID, 693
OpenID Connect (OIDC), 693–694
OpenPGP, 601
OpenSSL library, 945
OpenVPN, 608
operating modes, for processors, 361
operating states, 359–361
operational plan, 19
operational technology (OT), 378–380
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), 81
operations, in Software Assurance Maturity Model (SAMM), 961
operator role, 22
Optical Carrier (OC), 624
optimized level, of Risk Maturity Model (RMM), 78
OR operations, 225–226
Organization for the Advancement of Structured Information Standards (OASIS), 691
organizational code of ethics, 929–930
organizational processes, 19–20
organizational responsibility, statement of, 133–134
organizational review, 116
organizational roles and responsibilities, 21–22
organizationally unique identifier (OUI), 503
Orthogonal Frequency-Division Multiplexing (OFDM), 537
OS-virtualization. See containerization
out-of-band pathway, 527
output encoding, 1022
Output Feedback (OFB) mode, 245
outsourcing, 53
overloaded NAT. See port address translation (PAT)
Overpass the Hash, 710
overprotection, 8
overwriting media, 196

P

P7B certificates, 283
packet loss, 880
packet switching, 620–621
packet-capturing utility. See protocol analyzer
Padding Oracle On Downgraded Legacy Encryption (POODLE), 290–291
pagefile, 365–366
paging, 365–366
palm scans, 652
pan, tilt, and zoom (PTZ), 461
pandemics, 869
parallel computing, 376–377
parallel data systems, 376–377
parallel test, 900
parameter pollution, 1026–1027
parameterized queries, 1028
Pass the Ticket, 710
passive audio detector, 459
passive infrared (PIR) motion detector, 459
passive monitoring, 752
passive proximity device, 457
passive response, to intrusion detection systems (IDSs), 824
pass-the-hash (PtH) attack, 709–710
password attacks
  about, 703–704
  birthday attack, 706–707
  brute-force attack, 704–705
  credential stuffing attack, 706
  dictionary attack, 704
  Kerberos exploitation attack, 710–711
  Mimikatz, 708–709
  pass-the-hash (PtH) attack, 709–710
  rainbow table attack, 707–708
  sniffer attack, 711–712
  spraying attack, 706
Password Authentication Protocol (PAP), 583
password masking, 713
password policy, 647–648
password vault, 419
Password-Based Key Derivation Function 2 (PBKDF2), 707
passwordless authentication, 656–657
patch management
  about, 789–791
  for mobile devices, 422
Patch Tuesday, 791
patches, 789
patents, 155–156
path vector routing protocol, 503
pattern-matching detection, 821–823
Payment Card Industry Data Security Standard (PCI DSS), 53, 169–170, 210, 648, 650, 834, 912
peer layer communication, 499
peer-to-peer (P2P) technologies, 378
penetration testing, 742–745
people, BCP and, 129–130
pepper, 708
perfect forward secrecy, 291–292
perimeter intrusion detection and assessment system (PIDAS), 477
perimeter security controls
  about, 477
  access control vestibules, 477–479
  fences, 477–479
  gates, 477–479
  guard dogs, 480–481
  lighting, 479–480
  security guards, 480–481
  turnstiles, 477–479
period analysis, 234
permanent address, 509
permanent virtual circuits (PVCs), 621–622
permissions, 678
persistence, 596
persistent online authentication, DRM and, 199
personal (PER), 532
Personal Information Exchange (PFX) format, 283
Personal Information Protection and Electronic Documents Act (PIPEDA), 167–168
personally identifiable information (PII), 180
personnel and communications, in disaster recovery planning (DRP), 891–892
personnel safety and security
  about, 771
  duress, 771–772
  emergency management, 773
  security training and awareness, 773
  travel, 772–773
personnel security and risk management
  about, 45, 100–101
  applying risk management concepts, 55–81
  exam essentials, 101–106
  personnel security policies and procedures, 45–54
  review question answers, 1045–1049
  review questions, 107–111
  security awareness, education, and training program, 96–100
  social engineering, 81–96
  written lab, 106
  written lab answers, 1100–1101
personnel security policies and procedures
  about, 45
  candidate screening and hiring, 46–47
  compliance policy requirement, 53
  consultant agreements, 52–53
  contractor agreements, 52–53
  employee oversight, 48–49
  employment agreements, 47–48
  job descriptions and responsibilities, 45–46
  offboarding, 49–52
  onboarding, 47–48
  privacy policy requirements, 54
  termination, 49–52
  transfers, 49–52
  vendor agreements, 52–53
phishing, 85–86
phishing simulation, 86, 755
The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win (Kim, Behr, and Spafford), 967
phone number spoofing, 713
photoelectric motion detector, 459
phreaking, 588–589
physical access, controlling, 640
physical address, 503
physical controls, 74
physical controls for physical security, 452
physical interface, 751
Physical layer (layer 1), 504
physical security
  about, 448, 484
  exam essentials, 484–488
  implementing and managing, 476–483
  review question answers, 1067–1070
  review questions, 489–493
  site and facility design, 448–452
  site and facility security controls, 452–476
  written lab, 488
  written lab answers, 1106–1107
physical topology, 563
physically hardening systems, 131
picketing, 873
piggybacking, 91–92
ping flood attacks, 817
ping-of-death attack, 817
PKI and cryptographic applications
  about, 264, 301–302
  applied cryptography, 285–297
  asymmetric cryptography, 264–271
  asymmetric key management, 284
  cryptographic attacks, 297–301
  digital signatures, 275–277
  exam essentials, 302–303
  hash functions, 271–274
  hybrid cryptography, 285
  public key infrastructure, 277–283
  review question answers, 1058–1059
  review questions, 304–307
  written lab, 303
  written lab answers, 1104
plain view doctrine, 920
plaintext message, 223
planning phase, in penetration testing, 743
platform as a service (PaaS), 782
playbook, 846
plenum, 469
pointer, 365
pointer dereferencing, 1034
point-to-point link, 622
Point-to-Point Protocol (PPP), 582–583
Point-to-Point Tunneling Protocol (PPTP), 607
policy review, for evaluation of third parties, 20
policy violation, 99–100
polling, 568–569
polyinstantiation, 981
polymorphic viruses, 999
polymorphism, 947
port address translation (PAT), 615
port forwarding. See NAT traversal (NAT-T)
port isolation, 611
port tap, 612
portable devices, 285–286
Portable Document Format (PDF), 199
ports
  defined, 584
  security of, 585
position descriptions, 45–46
positive air pressure, 469
Post Office Protocol (POP3), 506, 597
postwhitening, 251
power conditioner, 465
power considerations, 465–467
power outages, 871
power sources, protecting, 878
power-line conditioner, 465
power-on self-test (POST), 362
PowerShell, privilege escalation with, 702
preaction system, 474
preliminary level, of Risk Maturity Model (RMM), 78
premises wire distribution room, 454
Prepare phase, in Risk Management Framework (RMF), 79–81
prepending, 85
preponderance of the evidence, 911
prequalifications, xxviii–xxxix
presentation, in Electronic Discovery Reference Model (EDRM), 912
Presentation layer (layer 6), 501
preservation, in Electronic Discovery Reference Model (EDRM), 912
preset locks, 481
preshared key (PSK), 532
Pretty Good Privacy (PGP), 287–289, 600, 601
preventative control. See preventive control
preventive control
  about, 74, 810
  basic measures, 810–811
prewhitening, 251
primary authoritative name server, 510
primary keys, 975
primary memory/storage, 366
principle of least privilege, 47, 680, 766–767
printers, as an input/output device, 369
priorities
  identifying, 122–123
  response and, 30–31
  statement of, 133
privacy
  confidentiality and, 5
  defined, 54
  for mobile devices, 423
  in the workplace, 164–165
Privacy Act (1974), 160–161
Privacy by Design (PbD), 319
“Privacy by Design - The 7 Foundational Principles: Implementation and Mapping of Fair Information Practices” (Cavoukian), 319
privacy control baseline, 209
Privacy Enhanced Mail (PEM) format, 283
privacy laws, 160–168
privacy policy requirements, 54
Privacy Shield, 167
private branch exchange (PBX), 589–590
private cloud deployment model, 782
private IP addresses, 616–617
private key cryptography. See cryptography and symmetric key algorithms
private keys, 240, 264–265
private label, 184
private port, 611
privilege creep, 668, 684
privilege escalation attacks, 700–702, 1011
privileged account management (PAM), 769–770
privileged mode, 359, 361
privileged operations, in decomposition process, 29
privileges, 679
proactive approach, to threat modeling, 26
problem identification, monitoring and, 840
problem state, 359–361
procedural controls. See administrative controls
procedures, 25
Process for Attack Simulation and Threat Analysis (PASTA) threat model, 27–28
process isolation, 426–427
process states, 359–361
processes
  for BCP, 129–131
  reviewing for evaluation of third parties, 20
processing, in Electronic Discovery Reference Model (EDRM), 912
processor, 356–361
procurement, 171
production, in Electronic Discovery Reference Model (EDRM), 912
Professional Practices library (website), 890
Program Evaluation Review Technique (PERT), 964
programmable logic controllers (PLCs), 378–380
programmable read-only memory (PROM), 362
programming languages, 943–945
project scope
  about, 115–116
  BCP team selection, 117–118
  legal requirements, 120–121
  organizational review, 116
  regulatory requirements, 120–121
  resource requirements, 119
promiscuous mode, 505
proprietary data, 181
proprietary label, 184
proprietary system, 460
protected cable distribution, 454
Protected Extensible Authentication Protocol (PEAP), 533, 583
protected health information (PHI), 162, 181
protection mechanisms
  about, 11
  abstraction, 12
  data hiding, 12–13
  defense in depth, 11
  encryption, 13
protection profiles (PPs), 338
protection rings, 358–359
protective distribution systems (PDSs), 454
protocol analyzer, 505, 626, 917–918
protocol data unit (PDU), 499–500
protocol security mechanisms
  about, 582
  authentication protocols, 582–585
  port security, 585
  quality of service (QoS), 585
provisioning
  for BCP, 129–131
  in configuration management (CM), 783
proximity devices, 457–458
proxy, 554–555
proxy auto-config (PAC) file, 555
proxy falsification, 513
proxy logs, 836
prudent person rule, 150
pseudo-flaws, 829
pseudonymization, 200–201, 202
PsExec, 710
PsTools, 710
public cloud deployment model, 782
public data, 184
public key encryption, 253
public key infrastructure (PKI)
  about, 277, 660
  certificate authorities (CAs), 279–280
  certificate lifecycle, 280–283
  certificates, 278
public keys, 264–265
public ledger, 381
public switched telephone network (PSTN), 369, 524–525, 586
purging media, 196
purpose limitation, as a provision of the GDPR, 166
push notifications, 415

Q

qualitative impact assessment, 121–122
qualitative risk analysis, 61–63
quality of service (QoS), 585, 880
quantitative impact assessment, 121–122
quantitative risk analysis, 61, 63–66
quantum computing, 270
quantum cryptography, 270–271
quantum key distribution (QKD), 270
quantum supremacy, 270
query, 512
Quick Response (QR) codes, 425–426

R

Radio Frequency Identification (RFID), 538
radio-frequency interference (RFI), 467
RadSec, 698
RAID, 876
rainbow table attack, 707–708
rainbow tables, 298
random access memory (RAM), 363
random access storage devices, 366
random ports, 508
ransomware, 1004–1005
Raspberry Pi, 387
rate-of-rise detection systems, 473
reactive approach, to threat modeling, 26
read-only memory (ROM), 362
read-through test, 899–900
ready state, 360
real evidence, 913–914
real memory, 363
real user monitoring (RUM), 752
Real-Time Transport Protocol (RTP), 525
real-time operating system (RTOS), 383
reasonable expectation of privacy, 920
reciprocal agreements, 887–888
record retention, 197–198
recording microphone, for mobile devices, 425
recovery agents (RAs), 230, 254
recovery controls, 75
recovery phase, of incident response, 808
recovery point objective (RPO), 123
recovery strategy
  about, 880–881
  alternate processing sites, 883–888
  business unit, 881–882
  cloud computing, 887
  crisis management, 882
  database recovery, 888–889
  electronic vaulting, 888–889
  emergency communications, 882–883
  functional priorities, 881–882
  mutual assistance agreements (MAAs), 887–888
  remote mirroring, 889
  workgroup recovery, 883
recovery time objective (RTO), 123
reducing risk. See risk mitigation
reduction analysis, performing, 28–30
reference monitors, 324–325
reference profile, 654
reference template, 654
reflected XSS, 1021–1022
regeneration, symmetric key algorithms and, 241
register addressing, 364
registered domain name, 510
registered software ports, 508
registers, 364
registration authorities (RAs), 279
regulatory investigations, 911–912
regulatory requirements, 120–121, 482
rejecting risk. See risk rejection
relational databases, 974–977
release control, 965
relying party, 693
remediation phase
  in incident response, 808–809
  in vulnerability scanning, 742
remote access security management
  about, 590
  planning, 592–593
  remote connection security, 591–592
  telecommuting techniques, 591
remote access Trojan (RAT), 1000–1001
remote access VPN, 605
Remote Authentication Dial-in User Service (RADIUS), 697–698
remote connection security, 591–592
remote connectivity technique, 592
remote file inclusion attacks, 1020
remote meeting, 593–594
remote mirroring, 889
remote mode operation, 591
remote sanitization, 411
remote user assistance, 592–593
remote wiping, 411
remote-control remote access, 591
remotely triggered black hole (RTBH), 551
removable storage, 416
repeaters, concentrators, and amplifiers (RCAs), 547
repellent alarms, 459
replay attacks, 301, 542
reporting phase
  of incidents, 807–808
  investigations, 923
  in penetration testing, 743
Reproducibility, in DREAD system, 31
repudiation
  about, 222
  in STRIDE threat model, 27
reputation filtering, 602
request control, 965
request for comments (RFC), 932
request forgery attacks, 1023–1024
residual risk, 68
resource records, 510
resources
  exhausting, 1034
  prioritizing, in business impact analysis (BIA), 128
  protecting, 776–779
  requirements for BCP, 119
response, prioritization and, 30–31
responsibilities
  integrity and, 6
  organizational, 21–22
restoration, recovery vs., 897–898
restricted area security, 464–465
restricted interface model, 333, 343
restrictions, 682
retina scans, 652
Reverse Address Resolution Protocol (RARP), 827
reverse hash matching. See birthday attacks
reverse proxy. See NAT traversal (NAT-T)
review, in Electronic Discovery Reference Model (EDRM), 912
review question answers
  access control, 1080–1082
  asset security, 1053–1056
  business continuity planning (BCP), 1049–1051
  cryptography and symmetric key algorithms, 1056–1057
  disaster recovery planning (DRP), 1089–1091
  identity and authentication, 1078–1080
  incident prevention and response, 1086–1089
  investigations and ethics, 1091–1093
  laws, regulations, and compliance, 1051–1053
  malicious code and application attacks, 1095–1097
  personnel security and risk management, 1045–1049
  physical security requirements, 1067–1070
  PKI and cryptographic applications, 1058–1059
  secure communications and network attacks, 1075–1077
  secure network architecture and components, 1071–1074
  security assessment and testing, 1082–1084
  security governance, 1042–1045
  security models, design, and capabilities, 1060–1062
  security operations, 1084–1086
  software development security, 1093–1095
  vulnerabilities, threats, and countermeasures, 1062–1067
review questions
  access control, 718–721
  asset security, 214–218
  business continuity planning (BCP), 139–142
  cryptography and symmetric key algorithm, 258–261
  disaster recovery planning (DRP), 904–907
  ethics, 936–939
  identity and authentication, 672–675
  incident response, 856–859
  investigations, 936–939
  laws, regulations, and compliance, 174–178
  malicious code and application attacks, 1037–1040
  network architecture, 575–579
  personnel security and risk management, 107–111
  physical security, 489–493
  PKI and cryptographic applications, 304–307
  security and assessment testing program, 759–762
  security governance, 37–42
  security models, 348–352
  security operations, 797–800
  software development security, 989–992
  vulnerabilities, threats, and countermeasures, 441–445
revocation, digital certificate and, 281–283
rights, 679
Rijndael block cipher, 250
ring topology, 563
RIPE Message Digest (RIPEMD), 273–274
risk acceptance, 67, 134
risk analysis. See risk assessment
risk appetite, 67
risk assessment
  about, 60–66
  in BCP documentation, 134
  defined, 55
risk assignment, 67
risk avoidance, 67
risk awareness, 55
risk capacity, 67
Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis (Velez and Morana), 27–28
risk deterrence, 67
risk frameworks, 79–81
risk identification, in business impact analysis (BIA), 123–124
risk indicators, in security management process, 755–756
risk log. See risk register
risk management
  about, 55
  asset valuation, 58–59
  continuous improvement, 77–78
  cost vs. benefit of security controls, 69–72
  countermeasure selection and implementation, 72–74
  defined, 700
  identifying threats and vulnerabilities, 60
  monitoring and measurement, 76–77
  risk assessment/analysis, 60–66
  risk frameworks, 79–81
  risk reporting and documentation, 77
  risk responses, 66–69
  security control assessment (SCA), 76
  terminology and concepts, 56–58
Risk Maturity Model (RMM), 78
risk mitigation, 67, 134
risk register, 77
risk rejection, 68
risk response, 55, 66–69
Risk-Based Access Control, 682, 689–690
risks
  defined, 57
  reporting and documentation of, 77
Rivest, Ronald, 265, 273
Rivest Cipher 4 (RC4), 249–250
Rivest Cipher 5 (RC5), 250
Rivest Cipher 6 (RC6), 250
Rivest ciphers, 249–250
Rivest-Shamir-Adleman (RSA) algorithm, 277
robot sentries, 481
rogue access points, 540
rogue DNS server, 512
Role-Based Access Control (RBAC), 681–685
roles, 21–22, 667–668
rollover logging, 844
root certificate, 279
rooting, 417–418
rootkits, 431, 1011
ROT3 cipher, 233
routers, 548
Routing Information Protocol (RIP), 503
routing protocols, 503
Royce, Winston, 956
RSA algorithm, 156, 265–266
rule of least power, 317
Rule-Based Access Control, 682, 686
rules of behavior, 205
runbook, 846
running key ciphers, 236–237
running state, 360
Runtime Application Self-protection (RASP), 748
runtime environment, 944

S

sabotage, 820 safe, 463 safeguards

applicable types of, 74–76 cost vs. benefit of, 69–72 defined, 57

selecting and implementing, 72–74 salami attack, 432

salting, 298 sampling, 754, 842 sandboxing, 320, 833

Sandvig v. Barr, 149 sanitizing, 367

Sarbanes-­Oxley Act (SOX, 2002), 54, 170, 838

satellite communications, 543, 623

scalability, 241, 399, 783

Scam Me If You Can: Simple Strategies to Outsmart Today’s Ripoff Artists

(Abagnale), 98

scarcity, as a social engineering principle, 84

scenarios, creating, 62 Schneier, Bruce, 249 Schrems II, 167

Scientific Working Group on Digital Evidence, 919

scoping, tailoring compared with, 209–210 screen locks, 411–412

screen scraper/scraping, 591 screened host, 546 screened subnet, 545 screening router, 552

script kiddies, 928, 995 scripted access, 663 Scrum approach, 959 search warrant, 920, 921

seclusion, confidentiality and, 5 secondary authoritative name server, 510 secondary memory/storage, 365–366 secondary verification mechanisms, 460 secrecy, confidentiality and, 5

secret key attacker, 231

secret key cryptography. See cryptography and symmetric key algorithms

secret label, 182 secure boot, 371 secure defaults, 314

secure facility plan, 448–449

Secure Hash Algorithm (SHA), 272–273 Secure Key Exchange Mechanism

(SKEME), 609

Secure Multipurpose Internet Mail

Extensions (S/MIME), 600

Secure Real-­Time Transport Protocol or Secure RTP (SRTP), 525

Secure Remote Procedure Call (S-RPC), 521

1158Secure Shell (SSH)  –  security logs

Secure Shell (SSH), 294, 521, 608 Secure Sockets Layer (SSL), 290, 521 secure state machine, 325 Secure/Multipurpose Internet Mail

Extensions (S/MIME) protocol, 289 security. See also specific topics

about, 3–4

applying concepts, 4–13

as a provision of the GDPR, 167 security and assessment testing program

about, 725–727, 756 building, 725–731

exam essentials, 756–757 implementing security management

processes, 753–756 performing vulnerability

assessments, 731–746

review question answers, 1082–1084 review questions, 759–762

testing software, 746–753 written lab, 758

written lab answers, 1111–1112 security as a service (SECaaS), 402 Security Assertion Markup Language

(SAML), 691–692, 694 security association (SA), 295 security audits, 727–731 security awareness, 96–99

security baselines, 24–25, 208–210 security bollards, 479

security boundaries, 13–14 security capabilities

about, 341 encryption/decryption, 343 fault tolerance, 343 interfaces, 343

memory protection, 341–342 Trusted Platform Module (TPM),

342 virtualization, 342

security champions, 98 security collector, 548

Security Content Automation Protocol (SCAP), 731

security control assessment (SCA), 76 security control characteristics, 624–625 security control frameworks, 22–23 security controls. See safeguards security function

about, 16

alignment with business strategy, goals, mission, and objectives, 17–19

due care, 23 due diligence, 23

organizational processes, 19–20 organizational roles and

responsibilities, 21–22 security control frameworks, 22–23

security governance about, 3, 14–15, 33

applying principles of, 14–16 applying security concepts, 4–13 documentation review, 15–16 exam essentials, 33–36

managing security function, 16–23 review question answers, 1042–1045 review questions, 37–42

security, 3–4

security boundaries, 13–14

security policy, standards, procedures, and guidelines, 23–25

supply chain risk management, 31–32 third-­party governance, 15

threat modeling, 26–31 written lab, 36

written lab answers, 1100 security guards, 480–481 security guidelines, 24–25 security IDs, 456–457 security incident, 803

security information and event management (SIEM), 841

security kernels, 324, 358 security logs, 835

security management processes  –  security requirements

1159

security management processes about, 753

account management, 754 awareness, 755

business continuity, 754–755 disaster recovery, 754–755 key performance and risk

indicators, 755–756 log reviews, 753–754 training, 755

security mechanisms about, 426

hardware segmentation, 427 process isolation, 426–427 system security policy, 427–428

security models

about, 310, 322–323, 343–344 access control matrix, 327–328 Bell-­LaPadula model, 328–330 Biba model, 330–332

Brewer and Nash model, 334–335 capabilities of information

systems, 341–343 Clark-­Wilson model, 333–334 design principles, 310–320 ensuring CIA Triad, 320–322 exam essentials, 344–347 fundamental concepts of, 322–336 Goguen-­Meseguer model, 335 Graham-­Denning model, 335–336 Harrison-Ruzzo-Ullman (HRU)

model, 336

information flow model, 325 noninterference model, 326

review question answers, 1060–1062 review questions, 348–352

state machine model, 325 Sutherland model, 335 systems requirements, 337–341 take-­grant model, 326–327

trusted computing base (TCB) design principle, 323–325

written lab, 347

written lab answers, 1104–1105 security operations

about, 765, 793–794

applying resource protection, 776–779 exam essentials, 794–796 foundational concepts, 765–771

job rotation, 768, 769 managed services in the cloud,

779–782

managing change, 785–788 managing patches, 789–793 mandatory vacations, 768 need-to-know principle, 765–766

performing configuration management (CM), 782–785

personnel safety and security, 771–773 principle of least privilege, 766–767 privileged account management

(PAM), 769–770 provisioning resources securely, 773–776

reducing vulnerabilities, 789–793 review question answers, 1084–1086 review questions, 797–800 separation of duties (SoD) and

responsibilities, 767

service level agreements (SLAs), 771 two-­person control, 768

written lab, 796

written lab answers, 1112

security orchestration, automation, and response (SOAR), 845–846, 850–851

security perimeter, 324 security policy, 17, 24, 681 security procedures, 25

security product management, for mobile devices, 422

security professional role, 21 security questions, 643 security requirements

about, 337

1160security stance/approach  –  Simple MailTransfer Protocol (SMTP)

Authorization to Operate (ATO), 340–341

    Common Criteria (CC), 337–340
security stance/approach, in decomposition process, 29
security standards, 24–25
security tests, 725–726
security through obscurity, 5, 12
security training and awareness, 97–99, 773
Security-Enhanced Android (SEAndroid), 408
segment, 500
Select phase, in Risk Management Framework (RMF), 79–81
self-signed certificates, 280
Sender Policy Framework (SPF), 600
Sendmail, 1002–1003
senior management, 18, 118
senior manager role, 21
sensitive compartmented information facility (SCIF), 465
sensitive data
    about, 184
    code repositories and, 971
    encryption of, 194
    identifying, 180–181
    marking, 190–192
    storing, 193–194
sensitivity, confidentiality and, 5
sensor, 548
separation of duties (SoD) and responsibilities, 681, 767
sequential access storage devices, 366
Serial Line Internet Protocol (SLIP), 583
server rooms, 455–458
server sprawl, 404
server vaults, 455–458
server-based systems
    about, 375–376
    grid computing, 377–378
    large-scale parallel data systems, 376–377
    peer to peer (P2P) technologies, 378
serverless architecture, 406
servers, protecting, 877–878
server-side request forgery (SSRF), 1024
service authentication, 658
service delivery objective (SDO), 453
service delivery platform (SDP), 395
service injection viruses, 998
Service Organization Control (SOC), 125, 729–730
service ports, 508
service set identifier (SSID), 529
service-level agreements (SLAs), 20, 32, 52–53, 120–121, 453, 771, 971–972
service-oriented architecture (SOA), 394
services integration, 403
service-specific remote access, 591
session hijacking, 1024–1025
Session layer (layer 5), 501
session management, 663–664, 949
shadow IT, 404
Shamir, Adi, 265, 273
shared key authentication (SKA), 531
shared responsibility
    about, 354–355
    with cloud service models, 780–782
shielded twisted-pair (STP), 560
shimming, 481
Short Message Service (SMS) phishing, 88
shoulder surfing, 90, 464
shrink-wrap license agreements, 158
side-channel attack, 297
sideloading, 418
signage, 476
Signal Protocol, 521
signature-based detection, 821–823
Silver Ticket, 710
Simple Integrity Property, 330
Simple Mail Transfer Protocol (SMTP), 506, 596


Simple Network Management Protocol (SNMP), 507
Simple Security Property, 329
Simplex mode, 501
simulation test, 900
Simultaneous Authentication of Equals (SAE), 532
single point of failure (SPOF), 875
single sign-on (SSO), 659–662
single-factor authentication, 646, 655
single-loss expectancy (SLE), quantitative risk analysis and, 64–65
site and facility design
    about, 448, 450–452
    secure facility plan, 448–449
    site selection, 449–450
site and facility security controls
    about, 452–453
    access abuses, 462
    cameras, 460–461
    equipment failure, 453–454
    evidence storage, 463–464
    fire prevention, detection, and suppression, 470–476
    intrusion detection systems (IDSs), 458–460
    media storage facilities, 462–463
    restricted and work area security, 464–465
    server rooms/data centers, 455–458
    utility considerations, 465–470
    wiring closets, 454–455
site surveys, 530–531
site-to-site VPN, 605
Six Cartridge Weekly Backup strategy, 896
Skipjack algorithm, 249
smart devices, 383
smartcards, 296, 456–457, 650
smartphones, 286
smishing, 88
Smoke Stage, of fire, 471–472
smoke-actuated systems, 474
smurf attacks, 816–817
sniffer. See protocol analyzer
sniffer attack, 711–712
snooping attack, 711
social engineering
    about, 81–83
    baiting, 92
    dumpster diving, 92–93
    eliciting information, 85
    hoax, 90–91
    hybrid warfare, 95
    identity fraud, 93–94
    impersonation and masquerading, 91
    influence campaigns, 94–96
    invoice scams, 90
    phishing, 85–86
    prepending, 85
    principles of, 83–84
    shoulder surfing, 90
    smishing, 88
    social media, 96
    spam, 89
    spear phishing, 87
    tailgating and piggybacking, 91–92
    typo squatting, 94
    vishing, 88–89
    whaling, 87–88
social media, 96
socket, 508
software
    analysis of, 918
    antimalware, 1007–1008
    asset inventories for, 775
    code review, 746–747
    diversity of, 1030
    dynamic application security testing (DAST), 748
    failures of, 872
    focused on, 27
    fuzz testing, 749–751
    interface testing, 751
    misuse case testing, 751–752


    protecting, 155–156
    static application security testing (SAST), 747–748
    test coverage analysis, 752
    testing, 746–753, 969–970
    website monitoring, 752–753
software as a service (SaaS), 782
Software Assurance Maturity Model (SAMM), 961–962
software configuration management (SCM), 965–966
software development
    assurance, 948
    development toolsets, 945–946
    libraries, 945
    mitigating system failure, 948–951
    object-oriented programming, 946–948
    programming languages, 943–945
software development lifecycle (SDLC)
    about, 319, 955–956
    Agile Software Development, 958–959
    Application Programming Interfaces (APIs), 967–968
    Capability Maturity Model (CMM), 960–961
    change management, 964–966
    code repositories, 970–971
    configuration management, 964–966
    DevOps approach, 966–967
    Gantt charts, 964
    IDEAL model, 962–963
    Program Evaluation Review Technique (PERT), 964
    service-level agreements (SLAs), 971–972
    Software Assurance Maturity Model (SAMM), 961–962
    software testing, 969–970
    spiral model, 957–958
    third-party software acquisition, 972
    waterfall model, 956–957
software development security
    about, 943, 987
    data warehousing, 973–983
    databases, 973–983
    exam essentials, 987–988
    knowledge-based systems, 984–986
    review question answers, 1093–1095
    review questions, 989–992
    storage threats, 983–984
    systems development controls, 943–972
    written lab, 988
    written lab answers, 1114–1115
software escrow agreements, 896–897
software libraries, 945
software-as-a-service (SaaS), 124
software-defined data center (SDDC), 402
software-defined everything (SDx), 400–402
software-defined networking (SDN), 525–526
software-defined security, 967
software-defined storage (SDS), 526
software-defined visibility (SDV), 402
software-defined wide-area networks (SDWAN/SD-WAN), 526
something you are factor of authentication, 645, 651–655
something you have factor of authentication, 645, 650–651
something you know factor of authentication, 645, 647–650
somewhere you are authentication factor, 646
somewhere you aren’t authentication factor, 646
source code comments, 1031–1032
Source Network Address Translation (SNAT), 615
Spafford, George
    The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win, 967
spam, 89


Spam over instant messaging (SPIM), 88
Spam over Internet Telephony (SpIT), 88–89
spear phishing, 87
specialized devices, 393–394
Spectre memory error, 341–342
speech recognition, 653
spiral model, 957–958
split knowledge, 230, 253, 768
split tunnel VPN, 607
split-brain DNS, 514
split-DNS system, 514
split-horizon DNS, 514
spoofed email, 89
spoofing, 91, 93–94, 700
    in STRIDE threat model, 27
spraying attack, 706
spread spectrum, 536
sprints, 959
spyware, 1004
SQL injection attacks, 741, 1012–1016
SSDs, 195, 367
standalone mode, 528
standard operating procedure (SOP), 25
standards, 24–25, 210
*(star) Integrity Property, 330
STAR program, 336
*(star) Security Property, 329
star topology, 564–565
STARTTLS, 600
state attacks, 1011
state machine model, 325
state privacy laws, 168–169
state transition, 325
stateful inspection firewalls, 553, 833
stateful NAT, 617
stateless firewall, 552
statement coverage, 752
statement of importance, 133
statement of organizational responsibility, 133–134
statement of priorities, 133
statement of urgency and timing, 134
Statement on Standards for Attestation Engagements, 729
static application security testing (SAST), 747–748
static considerations, 467–470
static environments, 387–393
static NAT. See NAT traversal (NAT-T)
static packet-filtering firewall, 552
static RAM, 363–364
static systems, 387–393
statistical attack, 297
statistical intrusion detection, 821–823
stealth viruses, 998–999
steganography, 292–293, 844
stopped state, 360
Storage Area Network (SAN), 523
storage limitation, as a provision of the GDPR, 166
storage media security, 367
storage segmentation, 415–416
storage threats, 983–984
store-and-forward device, 548
stored procedures, 1028
stored/persistent XSS, 1022–1023
storing
    sensitive data, 193–194
    symmetric keys, 253–254
storms, 867–868
strategic plan, 18
strategy development, for BCP, 129
stream ciphers, 237
STRIDE threat model, 27
strikes, 873
stripe of mirrors, 876
striping, 876
striping with parity, 876
Structured Threat Information eXpression (STIX), 355
structured walk-through test, 900
Stuxnet, 379, 1003–1004
su command, 701–702


subdomain, 510
subjects
    about, 208
    compared with objects, 642–643
    defined, 678
    in secure design, 311–312
subpoena, 919–920
Subscriber Identity Module (EAP-SIM), 583
subscriber identity module (SIM) cloning, for mobile devices, 426
substitution cipher, 232–234
sub-technologies, 566–569
sudo command, 701–702
supervised learning, 985–986
supervisor state, 359–361
supervisory control and data acquisition (SCADA), 378–380
supervisory state, 360
supplies, in disaster recovery planning (DRP), 897
supply chain, 31
supply chain risk management (SCRM), 31–32
support ownership, for mobile devices, 422
surge protectors, 465
Sutherland model, 335
swapfile, 365–366
switch eavesdropping, 611–612
Switched Port Analyzer (SPAN) port, 611
switched virtual circuits (SVCs), 621–622
switches, 548, 826
switching, 610–614
switching technologies, 620–622
symmetric cryptography, 244–254
symmetric cryptosystems, 221
symmetric key algorithms. See cryptography and symmetric key algorithms
symmetric key management, 252–254
symmetric multiprocessing (SMP), 376
SYN flood attack, 814–816
synchronous communications, 566
Synchronous Digital Hierarchy (SDH), 624
synchronous dynamic password tokens, 651
Synchronous Optical Network (SONET), 624
Synchronous Transport Modules (STM), 624
Synchronous Transport Signals (STS), 624
synthetic monitoring, 752
synthetic transactions, 748
Syslog Protocol, 842
system call, 359
system failures, 314–316, 948–951
system logs, 836
system on a chip (SoC), 549
system security policy, 427–428
systems
    managing, 789
    resilience of, 875–880
    testing, 954–955
systems development lifecycle
    about, 953
    Application Programming Interface (API), 967–968
    change management, 964–966
    code repositories, 970–971
    code review walk-through, 955
    coding, 955
    conceptual definition, 953–954
    configuration management, 964–966
    control specifications development, 954–955
    design review, 955
    DevOps approach, 966–967
    functional requirements determination, 954
    Gantt charts, 964
    maintenance and change management, 956
    models of, 956–963


    Program Evaluation Review Technique (PERT), 964
    service-level agreements (SLAs), 971–972
    software testing, 969–970
    testing, 955–956
    third-party software acquisition, 972
systems integration, 403, 639

T

tactical plan, 18–19
tailgating, 91–92
tailoring, scoping compared with, 209–210
take-grant model, 326–327
Tampering, in STRIDE threat model, 27
tape media, 777–778
tape rotation, 896
target of evaluation (TOE), 338
task-based access control (TBAC), 685
TCP ACK Scanning, 733
TCP Connect Scanning, 733
TCP reset attack, 816
TCP SYN Scanning, 733
TCP Wrapper, 553
TCP/IP model, 504–505
teardrop attack, 817
technical controls, 73
technical physical security controls, 452
technology convergence, 449
technology crime investigators, 145
telecommunications room, 454
telecommuting techniques, 591
Telnet, 506, 608
temperature considerations, 467–470
TEMPEST countermeasures, 368–369
Temporal Key Integrity Protocol (TKIP), 531, 532
temporary address, 509
temporary authorization to operate (TATO), 16
temporary internet files, 375
Ten Commandments of Computer Ethics, 932
Terminal Access Controller Access Control System Plus (TACACS+), 698–699
termination, of employees, 49–52
terrorism, acts of, 870, 926
test coverage analysis, 752
test patches, 790
TestBank, xliv
testimonial evidence, 915
testing
    in BCP documentation, 136
    for disaster recovery planning (DRP), 899–902
    software, 746–753, 954–955, 969–970
tethering, for mobile devices, 425
text messaging, 419–420
theft, 873–874
thin access point, 529
thin client, 401–402
third-party application stores, 415
third-party audits
    about, 729–730
    for evaluation of third parties, 20
third-party connectivity, 618–619
third-party governance, 15
third-party security services, 833–834
third-party software acquisition, 972
Threat Agent Risk Assessment (TARA), 81
threat agents/actors, 56
threat events, 56
threat feeds, 849–851
threat hunting, 26, 850
threat intelligence, 847–850
threat modeling
    about, 26
    determining potential attacks, 28
    identifying threats, 26–28
    performing reduction analysis, 28–30
    prioritization and response, 30–31
threat vector, 56, 57


threats
    about, 354, 432–433
    architecture flaws and issues, 428–432
    assessing, 355–372, 731–746
    client-based systems, 372–375
    containerization, 405–406
    cyber-physical systems, 386–393
    defined, 56, 700
    distributed systems, 380–382
    edge computing, 385–386
    embedded devices, 386–393
    essential security protection mechanisms, 426–428
    exam essentials, 433–439
    fog computing, 385–386
    high-performance computing (HPC) systems, 382–383
    identifying, 26–28, 60
    industrial control systems, 378–380
    infrastructure as code (IaC), 395–396
    Internet of Things (IoT), 383–385
    managing, 791
    microservices, 394–395
    mitigating, 355–372
    mobile devices, 406–426
    review question answers, 1062–1067
    review questions, 441–445
    server-based systems, 375–378
    serverless architecture, 406
    shared responsibility, 354–355
    specialized devices, 393–394
    virtualized systems, 397–405
    written lab, 440
    written lab answers, 1105–1106
three dumb routers, 384
three-way handshake, 508
thrill attacks, 928
throughput rate, 655
THSuite, 192
ticket, 696
ticket-granting ticket (TGT), 696
time of check (TOC), 1010–1011
time of check to time of use (TOCTTOU), 1010–1011
time of use (TOU), 1010–1011
time slice, 360
time to live (TTL), 517
Time-based One-Time Password (TOTP), 656
timeliness, availability and, 7
timing attack, 297
TLS offloading, 596
token passing, 568
tokenization, 201–202, 1028
tokens, 322, 650–651
top secret label, 182
top-down approach, 17
top-level domain (TLD), 510
topology, 559, 563–566
Tor, 291–292
total risk, 68
Tower of Hanoi strategy, 896
trade secrets, 156–157
trademarks, 154–155
traffic analysis, 843
traffic monitor. See protocol analyzer
training
    about, 97–99
    for BCP implementation, 132
    for disaster recovery planning (DRP), 898–899
    for security management process, 755
transactions, database, 977–978
transborder data flow, 158
transfers, of employees, 49–52
transformation procedures (TPs), 333
transient noise, 467
transitive trust, 311
Transmission Control Protocol (TCP), 508
Transmission Control Protocol/Internet Protocol (TCP/IP), 582
transmission error correction, 625
transmission logging, 625
transmission media technology, 559


transmission protection, 592
transparency, 166, 625
transparent proxy, 555
transponder proximity device, 458
Transport layer (layer 4), 502, 508–509
Transport Layer Security (TLS) protocol, 240, 269, 285, 290–291, 521
transport mode, 604–606
transposition ciphers, 231–232
trap messages, 507
travel, for personnel, 772–773
traverse mode noise, 467
trend analysis, 843
TrickBot, 372
Triple DES (3DES), 247–248
Trivial File Transfer Protocol (TFTP), 506, 519
Trojan horses, 1000–1001
true negative, 822–823
trust, as a social engineering principle, 84
trust boundaries, in decomposition process, 29
trust but verify approach, 319–320
Trusted Automated eXchange of Intelligence Information (TAXII), 355
Trusted Computer System Evaluation Criteria (TCSEC), 337
trusted computing base (TCB) design principle, 323–325
trusted paths, 324
Trusted Platform Module (TPM), 286, 342
trusted recovery, 879
trusted shell, 324
trusted system, in CIA Triad, 321–322
trusts, 660
truthfulness, integrity and, 6
tunnel mode, 295, 604–606
tunneling, 603–604
tuples, 974
Turing, Alan, 299
turnstiles, 477–479
twisted-pair cables, 560–561
two-factor authentication (2FA), 655
two-factor authentication with Authenticator apps, 655–656
Twofish algorithm, 251
two-person control, 768
Type 1 authentication factor, 645
Type 1 error, 653
Type 2 authentication factor, 645
Type 3 authentication factor, 645
type I hypervisor, 397
Type II error, 653
type II hypervisor, 397
Type of Service (ToS), 516
typosquatting, 94, 515

U

uBlock Origin, 374
UDP Scanning, 733
ultraviolet EPROMs (UVEPROMs), 362
unclassified label, 182
unicast technology, 567
unified endpoint management (UEM), 409
Unified Extensible Firmware Interface (UEFI), 371
unified threat management (UTM), 554, 833
uninterruptible power supply (UPS), 465–466, 878
United States Munitions List (USML), 159
United States Patent and Trademark Office (USPTO), 154–155
unshielded twisted-pair (UTP), 560
unsolicited ARP, 520
unsupervised learning, 986
update management, for mobile devices, 422
urgency, as a social engineering principle, 84
urgency and timing, statement of, 134
URL filtering, 555–556


URL hijacking, 94, 515
U.S. Copyright Office (website), 153
U.S. Cybersecurity and Infrastructure Security Agency (CISA), 120
U.S. Geological Survey (USGS), 126
U.S. Government Accountability Office (GAO), 728
U.S. National Security Agency (NSA), 195
U.S. Privacy Law, 160–164
USA PATRIOT Act (2001), 163–164
usability, availability and, 7
USB flash drives, 777
USB On-The-Go (OTG), 416
US-CERT, 310
use cases, 969
user acceptance, for mobile devices, 424
user acceptance testing (UAT), 955
user and entity behavior analytics (UEBA), 49, 1009
user behavior analytics (UBA), 49
User Datagram Protocol (UDP), 508
User Interface (UI), 751
user mode, 359, 361
user role, 22
users, 208
utility considerations
    in disaster recovery planning (DRP), 897
    humidity, 467–470
    noise, 467
    power, 465–467
    static, 467–470
    temperature, 467–470
    water, 470
utility failures, 871–872
utility patents, 155

V

validation, in vulnerability scanning, 742
validity, integrity and, 6
Van Buren v. United States, 149
Van Eck radiation, 368
vandalism, 873–874
variable length subnet masking (VLSM), 518
Velez, Tony Uceda (author)
    Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis, 27–28
vendor agreements, 52–53
vendor management system (VMS), 53
VENONA project, 236
verification, 280–281, 961
Vernam, Gilbert Sandford, 235
Vernam ciphers, 235
version control, 1030
versioning, in change management, 788
views, of databases, 979
Vigenère cipher, 233–234, 235
virtual application, 399–400
virtual circuits, 621–622
virtual data center (VDC), 402
virtual desktop, 401
virtual desktop infrastructure (VDI), 401
virtual firewall, 550
virtual IP addresses, 596
virtual local area networks (VLANs), 610–614
virtual machine monitor/manager (VMM), 397
virtual memory, 365–366
virtual network segmentation, 400
virtual private network (VPN)
    about, 602–603
    always-on VPN, 606–607
    common protocols, 607–609
    full tunnel, 607
    how they work, 604–606
    personnel and, 773
    split tunnel, 607
    tunneling, 603–604
virtual SAN (VSAN), 526
virtual software, 399–400
virtual tape libraries (VTLs), 895


Virtual eXtensible LAN (VXLAN), 527
virtualization, 397
virtualization security management, 403–405
virtualization technology, 342
Virtualized Environment Neglected Operations Manipulation (VENOM), 404
virtualized networking, 400
virtualized systems
    about, 397–399
    software-defined everything (SDx), 400–402
    virtual software, 399–400
    virtualization security management, 403–405
    virtualized networking, 400
virus decryption routine, 999
viruses, 995–999
vishing, 88–89, 588–589
Visual, Agile, and Simple Threat (VAST), 27–28
vital records program, in BCP documentation, 135
VLAN hopping, 612
VM escaping, 404
voice communications
    about, 586
    phreaking, 588–589
    private branch exchange (PBX), 589–590
    vishing, 588–589
    Voice over Internet Protocol (VoIP), 524–525, 586–588
Voice over Internet Protocol (VoIP), 524–525, 586–588
voice pattern recognition, 653
voice-based phishing, 88–89
volatility, of storage devices, 366
voluntarily surrender, 919
VPN appliance, 603
VPN concentrator, 603
VPN device, 603
VPN firewall, 603
VPN gateway, 603
VPN proxy, 603
VPN remote access server (RAS), 603
VPN server, 603
vulnerabilities. See also Common Vulnerabilities and Exposures (CVE)
    about, 354, 432–433, 731–732
    architecture flaws and issues, 428–432
    assessing, 355–372, 731–746
    client-based systems, 372–375
    containerization, 405–406
    cyber-physical systems, 386–393
    defined, 56, 700
    distributed systems, 380–382
    edge computing, 385–386
    embedded devices, 386–393
    essential security protection mechanisms, 426–428
    exam essentials, 433–439
    fog computing, 385–386
    high-performance computing (HPC) systems, 382–383
    identifying, 60
    industrial control systems, 378–380
    infrastructure as code (IaC), 395–396
    Internet of Things (IoT), 383–385
    managing, 791
    microservices, 394–395
    mitigating, 355–372
    mobile devices, 406–426
    review question answers, 1062–1067
    review questions, 441–445
    server-based systems, 375–378
    serverless architecture, 406
    shared responsibility, 354–355
    specialized devices, 393–394
    virtualized systems, 397–405
    written lab, 440
    written lab answers, 1105–1106
vulnerability scanning


    about, 792
    database vulnerability scanning, 741–742
    management workflow, 742
    web vulnerability scanning, 739–741
vulnerability scans, 732–742

W

waiting state, 360
war driving, 539
warm sites, 885–886
warning banners, 829
water issues, 470
water suppression systems, 474–475
waterfall model, 956–957
watermarking, 292–293, 845
wave pattern motion detector, 459
wearable technology, 384
wearables, 384
web application firewalls (WAFs), 374, 552–553, 833, 1027–1028
web applications, 290–292, 1020–1025
Web Authentication (WebAuth), 657
web filtering, 555–556
web security gateway, 556
web vulnerability scanning, 739–741
website monitoring, 752–753
well-known ports, 508
wet pipe system, 474
whaling, 87–88
white noise, 368
White-Box Penetration Test, 744, 969
whitelisting, 414, 831–832
wide area network (WAN), 559, 606, 622–623
Wi-Fi, free, 772–773
Wi-Fi Direct, 425, 528
Wi-Fi positioning system (WFPS), 413
Wi-Fi Protected Access (WPA), 531–532
Wi-Fi Protected Access 2 (WPA2), 532
Wi-Fi Protected Access 3 (WPA3), 532–533
Wi-Fi Protected Setup (WPS), 533–534
wildcard certificates, 278
window of vulnerability, 1006
Windows Group Policy Objects (GPOs), 753
Wired Equivalent Privacy (WEP), 531
wired extension mode, 528
wireless access point (WAP), 528
wireless attacks, 539–542
wireless channels, 529–530
wireless communications, 536–539
wireless controller, 529
wireless networks
    about, 527–529
    antenna management, 534–535
    captive portals, 535
    general security procedure, 535–536
    MAC filter, 534
    service set identifier (SSID), 529
    site surveys, 530–531
    Wi-Fi Protected Setup (WPS), 533–534
    wireless attacks, 539–542
    wireless channels, 529–530
    wireless communications, 536–539
    wireless security, 531–533
wireless positioning system (WiPS), 413
wireless scanners, 539
wireless security, 531–533
wiring closets, 454–455
WordPress, 685
work area security, 464–465
work function, 230
workgroup recovery, 883
workplace, privacy in the, 164–165
World Intellectual Property Organization (WIPO) treaties, 153–154
worms, 1001–1004
“Worse Is Better” (New Jersey Style), 317
wrapper, 392
written lab answers
    access control, 1111
    asset security, 1102–1103
    business continuity planning (BCP), 1101
    cryptography and symmetric key algorithms, 1103–1104
    disaster recovery planning (DRP), 1113–1114
    identity and authentication, 1110–1111
    incident prevention and response, 1113
    investigations and ethics, 1114
    laws, regulations, and compliance, 1102
    malicious code and application attacks, 1115
    personnel security and risk management, 1100–1101
    physical security requirements, 1106–1107
    PKI and cryptographic applications, 1104
    secure communications and network attacks, 1109–1110
    secure network architecture and components, 1108
    security assessment and testing, 1111–1112
    security governance, 1100
    security models, design, and capabilities, 1104–1105
    security operations, 1112
    software development security, 1114–1115
    vulnerabilities, threats, and countermeasures, 1105–1106
written labs
    access control, 717
    asset security, 213
    business continuity planning (BCP), 138
    communications and network attacks, 630
    cryptography and symmetric key algorithm, 257
    disaster recovery planning (DRP), 903


    ethics, 935
    identity and authentication, 671
    incident response, 855
    investigations, 935
    laws, regulations, and compliance, 173
    malicious code and application attacks, 1036
    network architecture, 574
    personnel security and risk management, 106
    physical security, 488
    PKI and cryptographic applications, 303
    security and assessment testing program, 758
    security governance, 36
    security models, 347
    security operations, 796
    software development security, 988
    vulnerabilities, threats, and countermeasures, 440

X

X Window, 507

X.509 standard, 278

Xmas Scanning, 733

Y

“You Aren’t Gonna Need It” (YAGNI), 317

Z

zero trust, 317–319
zero-day attacks, 818, 1006
zero-knowledge proof, 229
Zigbee, 543
Zimmerman, Phil, 249, 287
zombies, 812–813
zzuf tool, 749

Get Certified!

Security+, CySA+, CISSP, SSCP, PenTest+, CIPP/US

90 Days To Your Next Certification

Mike Chapple offers FREE ONLINE STUDY GROUPS that complement this book and will help prepare you for your security or privacy certification.

Visit CertMike.com to learn more!

Comprehensive Online Learning Environment

Register to gain one year of FREE access to the Sybex online interactive learning environment and test bank to help you study for your (ISC)2 CISSP certification exam—included with your purchase of this book!

The online test bank includes the following:

■ Assessment Test to help you focus your study on specific objectives
■ Chapter Tests to reinforce what you’ve learned
■ Practice Exams to test your knowledge of the material
■ Digital Flashcards to reinforce your learning and provide last-minute test prep before the exam
■ Searchable Glossary to define the key terms you’ll need to know for the exam

Register and Access the Online Test Bank

To register your book and get access to the online test bank, follow these steps:

1. Go to www.wiley.com/go/sybextestprep.
2. Select your book from the list.
3. Complete the required registration information, including answering the security verification to prove book ownership. You will be emailed a PIN code.
4. Follow the directions in the email or go to www.wiley.com/go/sybextestprep. Find your book in the list there and click Register Or Login.
5. Enter the PIN code you received and click the Activate button.
6. On the Create an Account or Login page, enter your username and password, and click Login or create a new account. A success message will appear.
7. Once you are logged in, you will see the online test bank you have registered and should click the Go To Test Bank button to begin.

Do you need more practice? Check out (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests, 3rd Edition (ISBN: 978-1-119-78763-1). With 100 or more practice questions for each domain and four additional complete practice exams, it’s a great way to build your confidence and readiness for exam day.

WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley’s ebook EULA.
