Introduction   xxxiii
Assessment Test   xlii

Chapter 1   Security Governance Through Principles and Policies   1
    Understand and Apply Concepts of Confidentiality, Integrity, and Availability   3
    Confidentiality   4
    Integrity   5
    Availability   6
    Other Security Concepts   8
    Protection Mechanisms   12
    Layering   12
    Abstraction   12
    Data Hiding   13
    Encryption   13
    Apply Security Governance Principles   13
    Alignment of Security Function to Strategy, Goals, Mission, and Objectives   14
    Organizational Processes   16
    Security Roles and Responsibilities   22
    Control Frameworks   23
    Due Care and Due Diligence   24
    Develop and Implement Documented Security Policy, Standards, Procedures, and Guidelines   25
    Security Policies   25
    Security Standards, Baselines, and Guidelines   26
    Security Procedures   27
    Understand and Apply Threat Modeling   28
    Identifying Threats   30
    Determining and Diagramming Potential Attacks   32
    Performing Reduction Analysis   33
    Prioritization and Response   34
    Integrate Security Risk Considerations into Acquisition Strategy and Practice   35
    Summary   36
    Exam Essentials   38
    Written Lab   41
    Review Questions   42

Chapter 2   Personnel Security and Risk Management Concepts   47
    Contribute to Personnel Security Policies   49
    Employment Candidate Screening   52
    Employment Agreements and Policies   53
    Employment Termination Processes   54
    Vendor, Consultant, and Contractor Controls   56
    Compliance   57
    Privacy   57
    Security Governance   59
    Understand and Apply Risk Management Concepts   60
    Risk Terminology   61
    Identify Threats and Vulnerabilities   63
    Risk Assessment/Analysis   64
    Risk Assignment/Acceptance   72
    Countermeasure Selection and Assessment   73
    Implementation   74
    Types of Controls   75
    Monitoring and Measurement   76
    Asset Valuation   77
    Continuous Improvement   78
    Risk Frameworks   78
    Establish and Manage Information Security Education, Training, and Awareness   81
    Manage the Security Function   82
    Summary   83
    Exam Essentials   84
    Written Lab   88
    Review Questions   89

Chapter 3   Business Continuity Planning   93
    Planning for Business Continuity   94
    Project Scope and Planning   95
    Business Organization Analysis   96
    BCP Team Selection   96
    Resource Requirements   98
    Legal and Regulatory Requirements   100
    Business Impact Assessment   101
    Identify Priorities   101
    Risk Identification   102
    Likelihood Assessment   104
    Impact Assessment   104
    Resource Prioritization   106
    Continuity Planning   107
    Strategy Development   107
    Provisions and Processes   108
    Plan Approval   109
    Plan Implementation   110
    Training and Education   110
    BCP Documentation   110
    Continuity Planning Goals   111
    Statement of Importance   111
    Statement of Priorities   111
    Statement of Organizational Responsibility   111
    Statement of Urgency and Timing   112
    Risk Assessment   112
    Risk Acceptance/Mitigation   112
    Vital Records Program   113
    Emergency-Response Guidelines   113
    Maintenance   114
    Testing and Exercises   114
    Summary   114
    Exam Essentials   115
    Written Lab   117
    Review Questions   118

Chapter 4   Laws, Regulations, and Compliance   123
    Categories of Laws   124
    Criminal Law   124
    Civil Law   126
    Administrative Law   126
    Laws   127
    Computer Crime   127
    Intellectual Property   132
    Licensing   138
    Import/Export   139
    Privacy   139
    Compliance   146
    Contracting and Procurement   147
    Summary   148
    Exam Essentials   149
    Written Lab   151
    Review Questions   152

Chapter 5   Protecting Security of Assets   157
    Classifying and Labeling Assets   158
    Defining Sensitive Data   158
    Defining Classifications   160
    Defining Data Security Requirements   163
    Understanding Data States   164
    Managing Sensitive Data   165
    Protecting Confidentiality with Cryptography   172
    Identifying Data Roles   174
    Data Owners   174
    System Owners   175
    Business/Mission Owners   176
    Data Processors   176
    Administrators   177
    Custodians   178
    Users   178
    Protecting Privacy   178
    Using Security Baselines   179
    Scoping and Tailoring   180
    Selecting Standards   180
    Summary   181
    Exam Essentials   182
    Written Lab   183
    Review Questions   184

Chapter 6   Cryptography and Symmetric Key Algorithms   189
    Historical Milestones in Cryptography   190
    Caesar Cipher   190
    American Civil War   191
    Ultra vs. Enigma   192
    Cryptographic Basics   192
    Goals of Cryptography   192
    Cryptography Concepts   194
    Cryptographic Mathematics   196
    Ciphers   201
    Modern Cryptography   208
    Cryptographic Keys   208
    Symmetric Key Algorithms   209
    Asymmetric Key Algorithms   210
    Hashing Algorithms   213
    Symmetric Cryptography   214
    Data Encryption Standard   214
    Triple DES   216
    International Data Encryption Algorithm   217
    Blowfish   217
    Skipjack   217
    Advanced Encryption Standard   218
    Symmetric Key Management   219
    Cryptographic Life Cycle   222
    Summary   222
    Exam Essentials   223
    Written Lab   225
    Review Questions   226

Chapter 7   PKI and Cryptographic Applications   231
    Asymmetric Cryptography   232
    Public and Private Keys   232
    RSA   233
    El Gamal   235
    Elliptic Curve   235
    Hash Functions   236
    SHA   237
    MD2   238
    MD4   238
    MD5   239
    Digital Signatures   240
    HMAC   241
    Digital Signature Standard   242
    Public Key Infrastructure   242
    Certificates   243
    Certificate Authorities   243
    Certificate Generation and Destruction   245
    Asymmetric Key Management   246
    Applied Cryptography   247
    Portable Devices   247
    Email   248
    Web Applications   249
    Digital Rights Management   252
    Networking   255
    Cryptographic Attacks   258
    Summary   261
    Exam Essentials   261
    Written Lab   264
    Review Questions   265

Chapter 8   Principles of Security Models, Design, and Capabilities   269
    Implement and Manage Engineering Processes Using Secure Design Principles   270
    Objects and Subjects   271
    Closed and Open Systems   271
    Techniques for Ensuring Confidentiality, Integrity, and Availability   272
    Controls   274
    Trust and Assurance   274
    Understand the Fundamental Concepts of Security Models   275
    Trusted Computing Base   276
    State Machine Model   278
    Information Flow Model   279
    Noninterference Model   279
    Take-Grant Model   280
    Access Control Matrix   280
    Bell-LaPadula Model   282
    Biba Model   284
    Clark-Wilson Model   286
    Brewer and Nash Model (aka Chinese Wall)   287
    Goguen-Meseguer Model   288
    Sutherland Model   288
    Graham-Denning Model   288
    Select Controls and Countermeasures Based on Systems Security Evaluation Models   289
    Rainbow Series   290
    ITSEC Classes and Required Assurance and Functionality   295
    Common Criteria   296
    Industry and International Security Implementation Guidelines   299
    Certification and Accreditation   300
    Understand Security Capabilities of Information Systems   303
    Memory Protection   303
    Virtualization   303
    Trusted Platform Module   303
    Interfaces   304
    Fault Tolerance   304
    Summary   305
    Exam Essentials   305
    Written Lab   307
    Review Questions   308

Chapter 9   Security Vulnerabilities, Threats, and Countermeasures   313
    Assess and Mitigate Security Vulnerabilities   314
    Hardware   315
    Input/Output Structures   335
    Firmware   336
    Client-Based   337
    Applets   337
    Local Caches   339
    Server Based   341
    Database Security   341
    Aggregation   341
    Inference   342
    Data Mining and Data Warehousing   342
    Data Analytics   343
    Large-Scale Parallel Data Systems   344
    Distributed Systems   344
    Cloud Computing   346
    Grid Computing   347
    Peer to Peer   348
    Industrial Control Systems   348
    Assess and Mitigate Vulnerabilities in Web-Based Systems   349
    Assess and Mitigate Vulnerabilities in Mobile Systems   350
    Device Security   352
    Application Security   355
    BYOD Concerns   357
    Assess and Mitigate Vulnerabilities in Embedded Devices and Cyber-Physical Systems   360
    Examples of Embedded and Static Systems   360
    Methods of Securing   362
    Essential Security Protection Mechanisms   364
    Technical Mechanisms   364
    Security Policy and Computer Architecture   367
    Policy Mechanisms   367
    Common Architecture Flaws and Security Issues   369
    Covert Channels   369
    Attacks Based on Design or Coding Flaws and Security Issues   370
    Programming   373
    Timing, State Changes, and Communication Disconnects   373
    Technology and Process Integration   374
    Electromagnetic Radiation   374
    Summary   375
    Exam Essentials   376
    Written Lab   379
    Review Questions   380

Chapter 10   Physical Security Requirements   385
    Apply Secure Principles to Site and Facility Design   386
    Secure Facility Plan   387
    Site Selection   387
    Visibility   388
    Natural Disasters   388
    Facility Design   388
    Design and Implement Physical Security   389
    Equipment Failure   390
    Wiring Closets   391
CISSP (ISC)² Certified Information Systems Security Professional