Introduction xlv Chapter 1 Security and Risk Management 2 Security Terms 5 CIA 5 Auditing and Accounting 6 Non-Repudiation 7 Default Security Posture 7 Defense in Depth 7 Abstraction 8 Data Hiding 8 Encryption 8 Security Governance Principles 8 Security Function Alignment 9 Organizational Processes 12 Organizational Roles and Responsibilities 14 Security Control Frameworks 17 Due Care and Due Diligence 32 Compliance 33 Contractual, Legal, Industry Standards, and Regulatory Compliance 34 Privacy Requirements Compliance 35 Legal and Regulatory Issues 35 Computer Crime Concepts 36 Major Legal Systems 38 Licensing and Intellectual Property 40 Cyber Crimes and Data Breaches 44 Import/Export Controls 45 Trans-Border Data Flow 45 Privacy 45 Professional Ethics 52 (ISC)2 Code of Ethics 52 Computer Ethics Institute 53 Internet Architecture Board 54 Organizational Code of Ethics 54 Security Documentation 54 Policies 55 Processes 57 Procedures 57 Standards 57 Guidelines 58 Baselines 58 Business Continuity 58 Business Continuity and Disaster Recovery Concepts 58 Scope and Plan 61 BIA Development 65 Personnel Security Policies and Procedures 68 Candidate Screening and Hiring 69 Employment Agreements and Policies 70 Employee Onboarding and Offboarding Policies 71 Vendor, Consultant, and Contractor Agreements and Controls 72 Compliance Policy Requirements 72 Privacy Policy Requirements 72 Job Rotation 73 Separation of Duties 73 Risk Management Concepts 73 Asset and Asset Valuation 73 Vulnerability 74 Threat 74 Threat Agent 74 Exploit 75 Risk 75 Exposure 75 Countermeasure 75 Risk Appetite 76 Attack 76 Breach 76 Risk Management Policy 77 Risk Management Team 77 Risk Analysis Team 77 Risk Assessment 78 Implementation 82 Control Categories 83 Control Types 84 Controls Assessment, Monitoring, and Measurement 89 Reporting and Continuous Improvement 89 Risk Frameworks 90 Geographical Threats 108 Internal Versus External Threats 108 Natural Threats 109 System Threats 110 Human-Caused Threats 111 Politically Motivated Threats 114 Threat Modeling 115 Threat Modeling Concepts 116 Threat Modeling Methodologies 116 Identifying Threats 119 Potential Attacks 120 Remediation Technologies and Processes 121 Security Risks in the Supply Chain 121 Risks Associated with Hardware, Software, and Services 121 Third-party Assessment and Monitoring 122 Minimum Service-Level and Security Requirements 123 Service-Level Requirements 123 Security Education, Training, and Awareness 124 Levels Required 124 Methods and Techniques 125 Periodic Content Reviews 126 Exam Preparation Tasks 126 Chapter 2 Asset Security 140 Asset Security Concepts 141 Data Policy 141 Roles and Responsibilities 143 Data Quality 144 Data Documentation and Organization 145 Identify and Classify Information and Assets 146 Data and Asset Classification 146 Sensitivity and Criticality 146 Private Sector Classifications 151 Military and Government Classifications 152 Information Life Cycle 153 Databases 155 Data Audit 160 Information and Asset Ownership 160 Protect Privacy 161 Owners 161 Data Processors 162 Data Remanence 162 Collection Limitation 163 Asset Retention 164 Data Security Controls 166 Data Security 166 Data States 166 Data Access and Sharing 167 Data Storage and Archiving 168 Baselines 169 Scoping and Tailoring 170 Standards Selection 170 Data Protection Methods 171 Information and Asset Handling Requirements 172 Marking, Labeling, and Storing 172 Destruction 173 Exam Preparation Tasks 173 Chapter 3 Security Architecture and Engineering 178 Engineering Processes Using Secure Design Principles 180 Objects and Subjects 181 Closed Versus Open Systems 182 Security Model Concepts 182 Confidentiality, Integrity, and Availability 182 Confinement 183 Bounds 183 Isolation 183 Security Modes 183 Defense in Depth 185 Security Model Types 185 Security Models 188 System Architecture Steps 192 ISO/IEC 42010:2011 193 Computing Platforms 193 Security Services 196 System Components 196 System Security Evaluation Models 205 TCSEC 206 ITSEC 209 Common Criteria 211 Security Implementation Standards 213 Controls and Countermeasures 217 Certification and Accreditation 217 Control Selection Based upon Systems Security Requirements 218 Security Capabilities of Information Systems 219 Memory Protection 219 Virtualization 220 Trusted Platform Module 220 Interfaces 221 Fault Tolerance 221 Policy Mechanisms 222 Encryption/Decryption 223 Security Architecture Maintenance 223 Vulnerabilities of Security Architectures, Designs, and Solution Elements 224 Client-Based Systems 224 Server-Based Systems 225 Database Systems 226 Cryptographic Systems 227 Industrial Control Systems 227 Cloud-Based Systems 230 Large-Scale Parallel Data Systems 236 Distributed Systems 237 Grid Computing 237 Peer-to-Peer Computing 237 Internet of Things 238 Vulnerabilities in Web-Based Systems 242 Maintenance Hooks 242 Time-of-Check/Time-of-Use Attacks 243 Web-Based Attacks 243 XML 244 SAML 244 OWASP 244 Vulnerabilities in Mobile Systems 244 Device Security 245 Application Security 246 Mobile Device Concerns 246 NIST SP 800-164 248 Vulnerabilities in Embedded Devices 250 Cryptography 250 Cryptography Concepts 250 Cryptography History 253 Cryptosystem Features 256 NIST SP 800-175A and B 257 Cryptographic Mathematics 258 Cryptographic Life Cycle 261 Cryptographic Types 262 Running Key and Concealment Ciphers 263 Substitution Ciphers 263 Transposition Ciphers 265 Symmetric Algorithms 266 Asymmetric Algorithms 268 Hybrid Ciphers 269 Symmetric Algorithms 269 DES and 3DES 270 AES 274 IDEA 274 Skipjack 274 Blowfish 275 Twofish 275 RC4/RC5/RC6/RC7 275 CAST 275 Asymmetric Algorithms 276 Diffie-Hellman 277 RSA 277 El Gamal 278 ECC 278 Knapsack 279 Zero-knowledge Proof 279 Public Key Infrastructure 279 Certification Authority and Registration Authority 279 Certificates 280 Certificate Life Cycle 281 Certificate Revocation List 283 OCSP 284 PKI Steps 284 Cross-Certification 285 Key Management Practices 285 Message Integrity 293 Hashing 294 Message Authentication Code 297 Salting 299 Digital Signatures 299 DSS 300 Applied Cryptography 300 Link Encryption Versus End-to-End Encryption 300 Email Security 300 Internet Security 300 Cryptanalytic Attacks 301 Ciphertext-Only Attack 302 Known Plaintext Attack 302 Chosen Plaintext Attack 302 Chosen Ciphertext Attack 302 Social Engineering 302 Brute Force 302 Differential Cryptanalysis 303 Linear Cryptanalysis 303 Algebraic Attack 303 Frequency Analysis 303 Birthday Attack 303 Dictionary Attack 303 Replay Attack 304 Analytic Attack 304 Statistical Attack 304 Factoring Attack 304 Reverse Engineering 304 Meet-in-the-Middle Attack 304 Ransomware Attack 304 Side-Channel Attack 305 Digital Rights Management 305 Document DRM 306 Music DRM 306 Movie DRM 306 Video Game DRM 306 E-book DRM 307 Site and Facility Design 307 Layered Defense Model 307 CPTED 307 Physical Security Plan 308 Facility Selection Issues 309 Site and Facility Security Controls 312 Doors 312 Locks 313 Biometrics 315 Glass Entries 315 Visitor Control 315 Wiring Closets/Intermediate Distribution Facilities 316 Work Areas 316 Environmental Security 317 Equipment Security 321 Exam Preparation Tasks 323 Chapter 4 Communication and Network Security 334 Secure Network Design Principles 335 OSI Model 335 TCP/IP Model 340 IP Networking 345 Common TCP/UDP Ports 346 Logical and Physical Addressing 347 IPv4 348 Network Transmission 353 IPv6 357 Network Types 370 Protocols and Services 372 ARP/RARP 372 DHCP/BOOTP 373 DNS 374 FTP, FTPS, SFTP, TFTP 374 HTTP, HTTPS, S-HTTP 375 ICMP 375 IGMP 376 IMAP 376 LDAP 376 LDP 376 NAT 376 NetBIOS 376 NFS 377 PAT 377 POP 377 CIFS/SMB 377 SMTP 377 SNMP 377 SSL/TLS 378 Multilayer Protocols 378 Converged Protocols 379 FCoE 379 MPLS 380.