Introduction

Part I: Security Architecture

Chapter 1 Ensuring a Secure Network Architecture
  Services
  Load Balancer
  Intrusion Detection System (IDS)/Network Intrusion Detection System (NIDS)/Wireless Intrusion Detection System (WIDS)
  Intrusion Prevention System (IPS)/Network Intrusion Prevention System (NIPS)/Wireless Intrusion Prevention System (WIPS)
  Web Application Firewall (WAF)
  Network Access Control (NAC)
  Virtual Private Network (VPN)
  Domain Name System Security Extensions (DNSSEC)
  Firewall/Unified Threat Management (UTM)/Next-Generation Firewall (NGFW)
  Network Address Translation (NAT) Gateway
  Internet Gateway
  Forward/Transparent Proxy
  Reverse Proxy
  Distributed Denial-of-Service (DDoS) Protection
  Routers
  Mail Security
  Application Programming Interface (API) Gateway/Extensible Markup Language (XML) Gateway
  Traffic Mirroring
  Sensors
  Segmentation
  Microsegmentation
  Local Area Network (LAN)/Virtual Local Area Network (VLAN)
  Jump Box
  Screened Subnet
  Data Zones
  Staging Environments
  Guest Environments
  VPC/Virtual Network (VNET)
  Availability Zone
  NAC Lists
  Policies/Security Groups
  Regions
  Access Control Lists (ACLs)
  Peer-to-Peer
  Air Gap
  De-perimeterization/Zero Trust
  Cloud
  Remote Work
  Mobile
  Outsourcing and Contracting
  Wireless/Radio Frequency (RF) Networks
  Merging of Networks from Various Organizations
  Peering
  Cloud to On-Premises
  Data Sensitivity Levels
  Mergers and Acquisitions
  Cross-domain
  Federation
  Directory Services
  Software-Defined Networking (SDN)
  Open SDN
  Hybrid SDN
  SDN Overlay
  Exam Preparation Tasks

Chapter 2 Determining the Proper Infrastructure Security Design
  Scalability
  Vertically
  Horizontally
  Resiliency
  High Availability/Redundancy
  Diversity/Heterogeneity
  Course of Action Orchestration
  Distributed Allocation
  Replication
  Clustering
  Automation
  Autoscaling
  Security Orchestration, Automation, and Response (SOAR)
  Bootstrapping
  Performance
  Containerization
  Virtualization
  Content Delivery Network
  Caching
  Exam Preparation Tasks

Chapter 3 Securely Integrating Software Applications
  Baseline and Templates
  Baselines
  Create Benchmarks and Compare to Baselines
  Templates
  Secure Design Patterns/Types of Web Technologies
  Container APIs
  Secure Coding Standards
  Application Vetting Processes
  API Management
  Middleware
  Software Assurance
  Sandboxing/Development Environment
  Validating Third-Party Libraries
  Defined DevOps Pipeline
  Code Signing
  Interactive Application Security Testing (IAST) vs. Dynamic Application Security Testing (DAST) vs. Static Application Security Testing (SAST)
  Considerations of Integrating Enterprise Applications
  Customer Relationship Management (CRM)
  Enterprise Resource Planning (ERP)
  Configuration Management Database (CMDB)
  Content Management System (CMS)
  Integration Enablers
  Integrating Security into Development Life Cycle
  Formal Methods
  Requirements
  Fielding
  Insertions and Upgrades
  Disposal and Reuse
  Testing
  Development Approaches
  Best Practices
  Exam Preparation Tasks

Chapter 4 Securing the Enterprise Architecture by Implementing Data Security Techniques
  Data Loss Prevention
  Blocking Use of External Media
  Print Blocking
  Remote Desktop Protocol (RDP) Blocking
  Clipboard Privacy Controls
  Restricted Virtual Desktop Infrastructure (VDI) Implementation
  Data Classification Blocking
  Data Loss Detection
  Watermarking
  Digital Rights Management (DRM)
  Network Traffic Decryption/Deep Packet Inspection
  Network Traffic Analysis
  Data Classification, Labeling, and Tagging
  Metadata/Attributes
  Obfuscation
  Tokenization
  Scrubbing
  Masking
  Anonymization
  Encrypted vs. Unencrypted
  Data Life Cycle
  Create
  Use
  Share
  Store
  Archive or Destroy
  Data Inventory and Mapping
  Data Integrity Management
  Data Storage, Backup, and Recovery
  Redundant Array of Inexpensive Disks (RAID)
  Exam Preparation Tasks

Chapter 5 Providing the Appropriate Authentication and Authorization Controls
  Credential Management
  Password Repository Application
  Hardware Key Manager
  Privileged Access Management
  Privilege Escalation
  Password Policies
  Complexity
  Length
  Character Classes
  History
  Maximum/Minimum Age
  Auditing
  Reversible Encryption
  Federation
  Transitive Trust
  OpenID
  Security Assertion Markup Language (SAML)
  Shibboleth
  Access Control
  Mandatory Access Control (MAC)
  Discretionary Access Control (DAC)
  Role-Based Access Control
  Rule-Based Access Control
  Attribute-Based Access Control
  Protocols
  Remote Authentication Dial-in User Service (RADIUS)
  Terminal Access Controller Access Control System (TACACS)
  Diameter
  Lightweight Directory Access Protocol (LDAP)
  Kerberos
  OAuth
  802.1X
  Extensible Authentication Protocol (EAP)
  Multifactor Authentication (MFA)
  Knowledge Factors
  Ownership Factors
  Characteristic Factors
  Physiological Characteristics
  Behavioral Characteristics
  Biometric Considerations
  2-Step Verification
  In-Band
  Out-of-Band
  One-Time Password (OTP)
  HMAC-Based One-Time Password (HOTP)
  Time-Based One-Time Password (TOTP)
  Hardware Root of Trust
  Single Sign-On (SSO)
  JavaScript Object Notation (JSON) Web Token (JWT)
  Attestation and Identity Proofing
  Exam Preparation Tasks

Chapter 6 Implementing Secure Cloud and Virtualization Solutions
  Virtualization Strategies
  Type 1 vs. Type 2 Hypervisors
  Containers
  Emulation
  Application Virtualization
  VDI
  Provisioning and Deprovisioning
  Middleware
  Metadata and Tags
  Deployment Models and Considerations
  Business Directives
  Cloud Deployment Models
  Hosting Models
  Multitenant
  Single-Tenant
  Service Models
  Software as a Service (SaaS)
  Platform as a Service (PaaS)
  Infrastructure as a Service (IaaS)
  Cloud Provider Limitations
  Internet Protocol (IP) Address Scheme
  VPC Peering
  Extending Appropriate On-premises Controls
  Storage Models
  Object Storage/File-Based Storage
  Database Storage
  Block Storage
  Blob Storage
  Key-Value Pairs
  Exam Preparation Tasks

Chapter 7 Supporting Security Objectives and Requirements with Cryptography and Public Key Infrastructure (PKI)
  Privacy and Confidentiality Requirements
  Integrity Requirements
  Non-repudiation
  Compliance and Policy Requirements
  Common Cryptography Use Cases
  Data at Rest
  Data in Transit
  Data in Process/Data in Use
  Protection of Web Services
  Embedded Systems
  Key Escrow/Management
  Mobile Security
  Secure Authentication
  Smart Card
  Common PKI Use Cases
  Web Services
  Email
  Code Signing
  Federation
  Trust Models
  VPN
  Enterprise and Security Automation/Orchestration
  Exam Preparation Tasks

Chapter 8 Managing the Impact of Emerging Technologies on Enterprise Security and Privacy
  Artificial Intelligence
  Machine Learning
  Quantum Computing
  Blockchain
  Homomorphic Encryption
  Secure Multiparty Computation
  Private Information Retrieval
  Secure Function Evaluation
  Private Function Evaluation
  Distributed Consensus
  Big Data
  Virtual/Augmented Reality
  3-D Printing
  Passwordless Authentication
  Nanotechnology
  Deep Learning
  Natural Language Processing
  Deep Fakes
  Biometric Impersonation
  Exam Preparation Tasks

Part II: Security Operations

Chapter 9 Performing Threat Management Activities
  Intelligence Types
  Tactical
  Strategic
  Operational
  Actor Types
  Advanced Persistent Threat (APT)/Nation-State
  Insider Threat
  Competitor
  Hacktivist
  Script Kiddie
  Organized Crime
  Threat Actor Properties
  Resource
  Supply Chain Access
  Create Vulnerabilities
  Capabilities/Sophistication
  Identifying Techniques
CompTIA Advanced Security Practitioner (CASP+) CAS-004 Cert Guide