CISSP Certified Information Systems Security Professional

Copyright 2018 by John Wiley & Sons, Inc., Indianapolis, Indiana. Used with permission.

CISSP Training
This course is based on the book: (ISC)2 CISSP: Certified Information Systems Security Professional Official Study Guide, 8th Edition, by Mike Chapple, James Michael Stewart, and Darril Gibson. ISBN-13: 978-1119475934, ISBN-10: 1119475937. Published: May 8, 2018.

(ISC)2: International Information Systems Security Certification Consortium
(ISC)2 missions:
- Maintain the Common Body of Knowledge (CBK)
- Provide certification for IT/IS security professionals and practitioners
- Conduct certification training and administer exams
- Oversee the ongoing accreditation through continued education
- www.isc2.org

CISSP Focus
CISSP focuses on security: design, architecture, theory, concept, planning, managing.

Topical Domains
- Security and Risk Management
- Asset Security
- Security Architecture and Engineering
- Communication and Network Security
- Identity and Access Management (IAM)
- Security Assessment and Testing
- Security Operations
- Software Development Security

Exam Topic Outline
- www.isc2.org/Certifications/CISSP
- Download the CISSP Exam Outline (under "2: Register and Prepare for the Exam")
- Previously known as the Candidate Information Bulletin
- Also, view the CISSP Ultimate Guide

Prequalifications
For taking the CISSP exam:
- 5 years full-time paid work experience
- Or, 4 years experience with a recent college degree
- Or, 4 years experience with an approved security certification, such as CAP, CISM, CISA, Security+, CCNA Security, MCSA, MCSE, and GIAC
- Or, Associate of (ISC)2 if you don't yet have experience
- Agree to the (ISC)2 Code of Ethics

CISSP Exam Overview
- CISSP-CAT (Computerized Adaptive Testing)
- Minimum 100 questions, maximum 150 questions
- 25 unscored items mixed in
- 3 hours to take the exam
- No score is issued, just pass or fail
- Must achieve the passing standard for each domain within the last 75 questions seen

Exam Retakes
- Take the exam a maximum of 3 times per 12-month period
- Wait 30 days after your first attempt
- Wait an additional 90 days after your second attempt
- Wait an additional 180 days after your third attempt
- You will need to pay full price for each additional exam attempt.

Question Types
- Most questions are standard multiple choice with four answer options and a single correct answer
- Some questions require you to select two, select three, or select all that apply
- Some questions may be based on a provided scenario or situation
- Advanced innovative questions may require drag-and-drop, hot-spot, or reorder tasks

Exam Advice
- Work promptly, don't waste time, and keep an eye on your remaining time
- It is not possible to return to a question.
- Try to reduce/eliminate answer options before guessing
- Pay attention to the question format and how many answers are needed
- Use the provided dry-erase board for notes

Updates and Changes
As updates, changes, and errata are needed for the book, they are posted online at www.wiley.com/go/cissp8e. Visit and write the corrections into your book!

Exam Prep Recommendations
- Read each chapter thoroughly
- Research each practice question you get wrong
- Complete the written labs
- View the online flashcards
- Use the 6 online bonus exams to test your knowledge across all of the domains
- Consider using: (ISC)2 CISSP Official Practice Tests, 2nd Edition (ISBN: 978-1119-47592-7)

Completing Certification
- Endorsement: a CISSP-certified individual in good standing, within 90 days of passing the exam
- After CISSP, consider the post-CISSP Concentrations:
  - Information Systems Security Architecture Professional (ISSAP)
  - Information Systems Security Management Professional (ISSMP)
  - Information Systems Security Engineering Professional (ISSEP)

Book Organization
- Security and Risk Management: Chapters 1-4
- Asset Security: Chapter 5
- Security Architecture and Engineering: Chapters 6-10
- Communication and Network Security: Chapters 11-12
- Identity and Access Management (IAM): Chapters 13-14
- Security Assessment and Testing: Chapter 15
- Security Operations: Chapters 16-19
- Software Development Security: Chapters 20-21

Study Guide Elements
- Exam Essentials
- Chapter Review Questions
- Written Labs
- Real-World Scenarios
- Summaries

Additional Study Tools
- www.wiley.com/go/cissptestprep
- Electronic flashcards
- Glossary in PDF
- Bonus Practice Exams: 6 x 150-question practice exams covering the full range of domain topics

Chapter 1: Security Governance Through Principles and Policies

Understand and Apply Concepts of Confidentiality, Integrity, and Availability
- CIA Triad
- AAA Services
- Protection Mechanisms

CIA Triad
- Confidentiality
- Integrity
- Availability

Confidentiality
- Sensitivity
- Discretion
- Criticality
- Concealment
- Secrecy
- Privacy
- Seclusion
- Isolation

Integrity
- Preventing unauthorized subjects from making modifications
- Preventing authorized subjects from making unauthorized modifications
- Maintaining the internal and external consistency of objects
- Accuracy: being correct and precise
- Truthfulness: being a true reflection of reality
- Authenticity: being authentic or genuine
- Validity: being factually or logically sound
- Nonrepudiation: not being able to deny having performed an action or activity, or being able to verify the origin of a communication or event
- Accountability: being responsible or obligated for actions and results
- Responsibility: being in charge of or having control over something or someone
- Completeness: having all needed and necessary components or parts
- Comprehensiveness: being complete in scope; the full inclusion of all needed elements

Availability
- Usability: the state of being easy to use or learn, or being able to be understood and controlled by a subject
- Accessibility: the assurance that the widest range of subjects can interact with a resource regardless of their capabilities or limitations
- Timeliness: being prompt, on time, within a reasonable time frame, or providing a low-latency response

AAA Services
- Identification
- Authentication
- Authorization
- Auditing
- Accounting/Accountability

Protection Mechanisms
- Layering/Defense in Depth
- Abstraction
- Data Hiding
- Security through obscurity
- Encryption

Evaluate and Apply Security Governance Principles
- Alignment of Security Function
- Security Management Plans
- Organizational Processes
- Change Control/Management
- Data Classification
- Organizational Roles and Responsibilities
- Security Control Frameworks
- Due Care and Due Diligence

Alignment of Security Function
- Alignment to strategy, goals, mission, and objectives
- Security policy based on a business case
- Top-down approach
- Senior management approval
- Security management: InfoSec team, CISO, CSO, ISO

Security Management Plans
- Strategic
- Tactical
- Operational

Organizational Processes
- Security governance
- Acquisitions and divestitures risks:
  - Inappropriate information disclosure
  - Data loss
  - Downtime
  - Failure to achieve sufficient return on investment (ROI)

Change Control/Management
- Implement changes in a monitored and orderly manner. Changes are always controlled.
- A formalized testing process is included to verify that a change produces the expected results.
- All changes can be reversed (also known as backout or rollback plans/procedures).
- Users are informed of changes before they occur to prevent loss of productivity.
- The effects of changes are systematically analyzed to determine whether security or business processes are negatively affected.
- The negative impact of changes on capabilities, functionality, and performance is minimized.
- Changes are reviewed and approved by a change approval board (CAB).

Data Classification
- Determines: effort, money, and resources
- Government/military vs. commercial/private sector
- Declassification
- Steps:
  1. Identify the custodian, define responsibilities.
  2. Specify the evaluation criteria.
  3. Classify and label each resource.
  4. Document any exceptions.
  5. Select the security controls for each level.
  6. Specify declassification and external transfer.
  7. Create an enterprise-wide awareness program.

Organizational Roles and Responsibilities
- Senior Manager
- Security Professional
- Data Owner
- Data Custodian
- User
- Auditor

Security Control Frameworks
- COBIT (see next slide): used to plan the IT security of an organization and as a guideline for auditors; Information Systems Audit and Control Association (ISACA)
- Open Source Security Testing Methodology Manual (OSSTMM)
- ISO/IEC 27001 and 27002
- Information Technology Infrastructure Library (ITIL)

Control Objectives for Information and Related Technologies (COBIT)
- Principle 1: Meeting Stakeholder Needs
- Principle 2: Covering the Enterprise End-to-End
- Principle 3: Applying a Single, Integrated Framework
- Principle 4: Enabling a Holistic Approach
- Principle 5: Separating Governance From Management

Due Care and Due Diligence
- Due care is using reasonable care to protect the interests of an organization.
- Due diligence is practicing the activities that maintain the due care effort.

Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines
- Security Policies
- Security Standards, Baselines, and Guidelines
- Security Procedures

Security Policies
- Defines the scope of security needed by the organization
- Organizational, issue-specific, system-specific
- Regulatory, advisory, informative

Security Standards, Baselines, and Guidelines
- Standards define compulsory requirements
- Baselines define a minimum level of security
- Guidelines offer recommendations on how standards and baselines are implemented

Security Procedures
- Standard operating procedure (SOP)
- A detailed, step-by-step how-to
- To ensure the integrity of business processes

Understand and Apply Threat Modeling Concepts and Methodologies
- Threat Modeling
- Identifying Threats
- Threat Categorization Schemes
- Determining and Diagramming Potential Attacks
- Performing Reduction Analysis
- Prioritization and Response

Threat Modeling
- Microsoft's Security Development Lifecycle (SDL)
- Secure by Design, Secure by Default, Secure in Deployment and Communication (also known as SD3+C)
- Proactive vs. reactive approach

Identifying Threats
- Focused on assets
- Focused on attackers
- Focused on software

Threat Categorization Schemes
- STRIDE (next slide)
- Process for Attack Simulation and Threat Analysis (PASTA) (later slide)
- Trike
- Visual, Agile, and Simple Threat (VAST)

STRIDE
- Spoofing
- Tampering
- Repudiation
- Information disclosure
- Denial of service
- Elevation of privilege

PASTA
- Stage I: Definition of the Objectives (DO) for the Analysis of Risks
- Stage II: Definition of the Technical Scope (DTS)
- Stage III: Application Decomposition and Analysis (ADA)
- Stage IV: Threat Analysis (TA)
- Stage V: Weakness and Vulnerability Analysis (WVA)
- Stage VI: Attack Modeling and Simulation (AMS)
- Stage VII: Risk Analysis and Management (RAM)

Determining and Diagramming Potential Attacks
- Diagram the infrastructure
- Identify data flow
- Identify privilege boundaries
- Identify attacks for each diagrammed element
- Diagramming to reveal threat concerns

Performing Reduction Analysis
- Decomposing
- Trust boundaries
- Data flow paths
- Input points
- Privileged operations
- Details about security stance and approach

Prioritization and Response
- Probability × Damage Potential ranking
- High/medium/low rating
- DREAD system: Damage potential, Reproducibility, Exploitability, Affected users, Discoverability

Apply Risk-Based Management Concepts to the Supply Chain
- Resilient integrated security
- Cost of ownership
- Outsourcing
- Integrated security assessments
- Monitoring and management
- On-site assessment
- Document exchange and review
- Process/policy review
- Third-party audit (AICPA SOC1 and SOC2)

Conclusion
- Read the Exam Essentials
- Review the Chapter
- Perform the Written Labs
- Answer the Review Questions

Chapter 2: Personnel Security and Risk Management Concepts

Personnel Security Policies and Procedures

- Personnel Management
- Candidate Screening and Hiring
- Employment Agreements and Policies
- Onboarding and Termination Processes
- Vendor, Consultant, and Contractor Agreements and Controls
- Compliance Policy Requirements
- Privacy Policy Requirements

Personnel Management
- Job descriptions, position descriptions
- Separation of duties
- Job responsibilities
- Job rotation
- Cross-training
- Collusion

Candidate Screening and Hiring
- Based on the job description
- Background checks
- Reference checks
- Education verification
- Security clearance validation
- Online background checks

Employment Agreements and Policies
- Non-disclosure agreement
- Non-compete agreement
- Audit job descriptions, work tasks, privileges, and responsibilities
- Mandatory vacations

Onboarding and Termination Processes
- Onboarding vs. offboarding
- Maintain control and minimize risks
- Exit interview
- Terminate access
- Return company property

Vendor, Consultant, and Contractor Agreements and Controls
- Define the levels of performance, expectation, compensation, and consequences
- Service-level agreement (SLA)
- Risk reduction and risk avoidance

Compliance Policy Requirements
- Conforming to or adhering to rules, policies, regulations, standards, or requirements
- Maintain high levels of quality, consistency, efficiency, and cost savings

Privacy Policy Requirements
- Active prevention of unauthorized access to information that is personally identifiable
- Freedom from unauthorized access to information deemed personal or confidential
- Freedom from being observed, monitored, or examined without consent or knowledge
- Legislative and regulatory compliance issues: HIPAA, SOX, FERPA, GLB, DPD, and GDPR; PCI-DSS

Security Governance
- Maintain business processes while striving toward growth and resiliency
- Third-party governance
- Auditing security objectives, requirements, regulations, and contractual obligations
- Compliance
- Documentation review
- Authorization to operate (ATO)

Understand and Apply Risk Management Concepts
- Risk Terminology
- Identify Threats and Vulnerabilities
- Risk Assessment/Analysis
- Risk Responses
- Countermeasure Selection and Implementation
- Types of Controls
- Security Control Assessment
- Monitoring and Measurement
- Asset Valuation and Reporting
- Continuous Improvement
- Risk Frameworks

Risk Terminology
- Asset
- Asset valuation
- Threats
- Vulnerability
- Exposure
- Risk
- Safeguard, security control, countermeasure
- Attack, breach

Identify Threats and Vulnerabilities
- Inventory all threats for each asset
- Threat agents
- Threat events
- Include non-IT sources

Risk Assessment/Analysis
- Quantitative analysis
- Qualitative analysis

Quantitative Analysis
- AV (asset value)
- EF (exposure factor)
- SLE = AV * EF
- ARO (annualized rate of occurrence)
- ALE = SLE * ARO
- Cost/benefit: (ALE before safeguard) - (ALE after safeguard) - annual cost of safeguard (ACS) = value of the safeguard to the company

Qualitative Analysis
- Brainstorming
- Delphi technique
- Storyboarding, scenarios
- Focus groups
- Surveys
- Questionnaires
- Checklists
- One-on-one meetings
- Interviews

Risk Responses
- Reduce or mitigate
- Assign or transfer
- Accept
- Deter
- Avoid
- Reject or ignore
- Total risk vs. residual risk:
  - threats * vulnerabilities * asset value = total risk
  - total risk - controls gap = residual risk

Countermeasure Selection
- Costs and benefits
- Reduce attack benefit
- Solve a real problem
- Not dependent upon secrecy
- Testable
- Uniform protection
- No dependencies
- Tamperproof

Countermeasure Implementation
- Administrative
- Logical/technical
- Physical
- Defense in depth

Types of Controls
- Deterrent
- Preventive
- Detective
- Compensating
- Corrective
- Recovery
- Directive

Security Control Assessment
- Formal evaluation of a security infrastructure's individual mechanisms against a baseline or reliability expectation
- Ensure the effectiveness
- Evaluate the quality and thoroughness
- Identify relative strengths and weaknesses of security infrastructures
- NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems

Monitoring and Measurement
- Quantified, evaluated, or compared
- Native/internal monitoring or external monitoring
- Measuring the effectiveness

Asset Valuation and Reporting
- Used to justify protections
- Tangible value
- Intangible value
- Used in cost/benefit analysis
- Helps select safeguards
- Defines level of risk
- Risk reporting: internal, or to relevant/interested third parties

Continuous Improvement
- Security is always changing
- Needs to be integrated into deployed security solutions
- Risk analysis is a point-in-time metric
- As threats change, so must security

Risk Frameworks
- Guideline or recipe for how risk is to be assessed, resolved, and monitored
- NIST SP 800-37 Risk Management Framework (RMF):
  1. Categorize
  2. Select
  3. Implement
  4. Assess
  5. Authorize
  6. Monitor
- Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
- Factor Analysis of Information Risk (FAIR)
- Threat Agent Risk Assessment (TARA)

Establish and Maintain a Security Awareness, Education, and Training Program
- Security requires changes in user behavior
- Seek policy compliance
- Awareness
- Training
- Education

Manage the Security Function
- Security governance
- Risk assessment
- Craft security policy
- Cost effective
- Measurable security
- Resource management

Conclusion
- Read the Exam Essentials
- Review the Chapter
- Perform the Written Labs
- Answer the Review Questions

Chapter 3: Business Continuity Planning

Planning for Business Continuity
- Assessing risks to business processes
- Minimize impact from disruptions
- Maintain continuity of being able to perform mission-critical business tasks
- Main steps:
  - Project scope and planning
  - Business impact assessment
  - Continuity planning
  - Approval and implementation

Project Scope and Planning
- Business Organization Analysis
- BCP Team Selection
- Resource Requirements
- Legal and Regulatory Requirements

Business Organization Analysis
- Identify all departments
- Identify critical services
- Identify corporate security teams
- Identify senior executives and key individuals

BCP Team Selection
- Needs members from every department/division
- Include members from: IT, Cybersecurity, Senior management, Physical security and facilities, Legal and PR

Resource Requirements
- BCP Development
- BCP Testing, Training, and Maintenance
- BCP Implementation
- Mostly personnel, but may include IT and physical resource allocation

Legal and Regulatory Requirements
- Federal, state, and local laws or regulations
- Emergency services
- Industry regulations
- Country-specific laws
- Service level agreements

Business Impact Assessment
- Quantitative decision making vs. qualitative decision making
- Identify Priorities
- Risk Identification
- Likelihood Assessment
- Impact Assessment
- Resource Prioritization

Identify Priorities
- Critical prioritization of business processes
- Assess by department, then organization
- Assign an AV (asset value) to each process
- Determine: MTD (maximum tolerable downtime) / MTO (maximum tolerable outage)
- Choose an RTO (recovery time objective)

Risk Identification
- Inventory specific risks
- Natural and man-made
- Logical, physical, and social
- Don't overlook the cloud
- Get input from all departments

Likelihood Assessment
- Determine frequency of occurrence
- Establish an ARO (annualized rate of occurrence)
- Based on history, experience, and experts

Impact Assessment
- Evaluate consequences of a breach
- EF (exposure factor)
- SLE (single loss expectancy): SLE = AV x EF
- ALE (annualized loss expectancy): ALE = SLE x ARO
- Consider non-monetary impacts

Resource Prioritization
- Biggest ALE is the biggest risk concern
- Combine qualitative priorities with quantitative priorities
- Work at addressing each item from the largest ALE value first
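A worked example of the quantitative formulas on the Chapter 2 Quantitative Analysis slide and the Chapter 3 Impact Assessment and Resource Prioritization slides (SLE = AV × EF, ALE = SLE × ARO, safeguard value = ALE before − ALE after − ACS, largest ALE first), added here as an illustration and not code from the study guide. The asset values, exposure factors, rates and safeguard costs are constructed sample figures, and the selection rule (highest positive value wins; nothing positive means the safeguard is not justified) is this example's reading of the slides, not an (ISC)2 procedure.

```python
"""Quantitative risk analysis and safeguard cost/benefit selection (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    """One threat/asset pair described with the CISSP quantitative terms."""
    name: str
    av: float   # AV: asset value, in currency units
    ef: float   # EF: exposure factor, fraction of AV lost per incident (0.0 to 1.0)
    aro: float  # ARO: annualized rate of occurrence, incidents per year


@dataclass(frozen=True)
class Safeguard:
    """A candidate control and the EF and/or ARO it is expected to leave behind."""
    name: str
    acs: float                         # ACS: annual cost of the safeguard
    ef_after: Optional[float] = None   # EF once deployed (None = unchanged)
    aro_after: Optional[float] = None  # ARO once deployed (None = unchanged)


def sle(risk: Risk) -> float:
    """SLE = AV * EF: expected loss from a single incident."""
    return round(risk.av * risk.ef, 2)


def ale(risk: Risk) -> float:
    """ALE = SLE * ARO: expected loss per year."""
    return round(sle(risk) * risk.aro, 2)


def ale_after(risk: Risk, sg: Safeguard) -> float:
    """ALE recomputed with the EF/ARO the safeguard is expected to produce."""
    reduced = Risk(
        risk.name,
        risk.av,
        risk.ef if sg.ef_after is None else sg.ef_after,
        risk.aro if sg.aro_after is None else sg.aro_after,
    )
    return ale(reduced)


def safeguard_value(risk: Risk, sg: Safeguard) -> float:
    """(ALE before) - (ALE after) - ACS: the safeguard's annual value to the company.

    A negative result means the control costs more per year than the loss it prevents.
    """
    return round(ale(risk) - ale_after(risk, sg) - sg.acs, 2)


def select_safeguard(risk: Risk, candidates: list) -> Optional[Safeguard]:
    """Return the candidate with the highest positive value, or None if none pays off."""
    worthwhile = [(safeguard_value(risk, sg), sg) for sg in candidates]
    worthwhile = [(v, sg) for v, sg in worthwhile if v > 0]
    if not worthwhile:
        return None
    return max(worthwhile, key=lambda pair: pair[0])[1]


def prioritize(risks: list) -> list:
    """BIA resource prioritization: address the largest ALE first."""
    return sorted(risks, key=ale, reverse=True)


# Constructed sample data: illustrative figures, not taken from the study guide.
ORDER_SYSTEM_RANSOMWARE = Risk("order system / ransomware", av=500_000, ef=0.4, aro=0.5)
WAREHOUSE_FLOOD = Risk("warehouse / flood", av=2_000_000, ef=0.25, aro=0.05)
LAPTOP_THEFT = Risk("sales laptops / theft", av=40_000, ef=1.0, aro=2.0)

# Candidate safeguards for the ransomware risk (constructed costs and effects).
CANDIDATES = [
    Safeguard("offline backups", acs=20_000, ef_after=0.1),      # cuts loss per incident
    Safeguard("endpoint detection", acs=60_000, aro_after=0.1),  # cuts incident frequency
    Safeguard("full-site failover", acs=150_000, ef_after=0.0),  # removes the loss, but costly
]

if __name__ == "__main__":
    for r in prioritize([ORDER_SYSTEM_RANSOMWARE, WAREHOUSE_FLOOD, LAPTOP_THEFT]):
        print(f"{r.name:28} SLE={sle(r):>12,.2f}  ALE={ale(r):>12,.2f}")
    for sg in CANDIDATES:
        print(f"{sg.name:28} value={safeguard_value(ORDER_SYSTEM_RANSOMWARE, sg):>12,.2f}")
    chosen = select_safeguard(ORDER_SYSTEM_RANSOMWARE, CANDIDATES)
    print("selected:", chosen.name if chosen else "none justified")
```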

Continuity Planning
- Strategy Development
- Provisions and Processes
- Plan Approval
- Plan Implementation
- Training and Education

Strategy Development
- Bridge between BIA and BCP crafting
- Determine which risks to address in this BCP crafting time frame
- Determine acceptable risks vs. those that require mitigation
- Commit sufficient resources to resolve priorities

Provisions and Processes
- People
- Buildings and facilities: hardening provisions, alternate sites
- Infrastructure: physically hardening systems, alternative systems

Plan Approval
- Top-level management endorsement
- Educate top executives about plan concepts and details
- Senior executive approval establishes plan credibility throughout the organization

Plan Implementation
- Define an implementation schedule
- Use allocated implementation resources
- Achieve process and provisioning goals
- Implement a BCP maintenance program

Training and Education
- Assign responsibilities
- Plan overview briefing
- Dedicated training for those with assigned responsibilities
- A backup or replacement person for each position

BCP Documentation
- Continuity Planning Goals
- Statement of Importance
- Statement of Priorities
- Statement of Organizational Responsibility
- Statement of Urgency and Timing
- Risk Assessment
- Risk Acceptance/Mitigation
- Vital Records Program
- Emergency-Response Guidelines
- Maintenance
- Testing and Exercises

Continuity Planning Goals
- Set goals
- Ensure the continuous operation of the business in the face of an emergency situation
- Meet organizational needs

Statement of Importance
- Reflects the criticality of the BCP
- Disclosed in a memo to all employees
- Should be signed by the CEO to avoid compliance resistance

Statement of Priorities
- Directly reflects designed BCP priorities
- Include evaluation of priorities
- Focus on importance to the continued operation of business functions in the event of an emergency

Statement of Organizational Responsibility
- Business continuity is everyone's responsibility
- Reinforces the organization's commitment to the BCP
- Informs individuals of the expectation to assist and support

Statement of Urgency and Timing
- Stresses the priority of implementation
- Defines the roll-out timetable

Risk Assessment
- A recap of the BCP decision-making process
- Summary of the BIA
- Discloses quantitative and qualitative analysis results

Risk Acceptance/Mitigation
- Identifies those risks deemed acceptable
- Identifies those risks deemed unacceptable
- List risk management provisions
- Define processes and responses
- Define how the risk is reduced or managed

Vital Records Program
- Determine where critical records will be stored
- Set procedures for backing up critical records
- Identify critical records
- Digital and paper should be considered
- Vital records are those needed to reconstruct the organization in the event of a disaster

Emergency-Response Guidelines
- Define responsibilities in an emergency
- Details activation of BCP elements
- Immediate response procedures
- Individuals to notify of the incident
- Secondary response procedures
- Goal is to minimize response time

Maintenance
- BCP is a living document
- BCP should be periodically updated
- Drastic changes may require a complete re-design and re-crafting
- Practice good version control
- Include the BCP in job descriptions/responsibilities

Testing and Exercises
- Establish a formalized testing program
- Train personnel on their tasks and responsibilities
- See disaster recovery testing in Chapter 18

Conclusion
- Read the Exam Essentials
- Review the Chapter
- Perform the Written Labs
- Answer the Review Questions

Chapter 4: Laws, Regulations, and Compliance

Categories of Laws
- Criminal Law
- Civil Law
- Administrative Law

Criminal Law
- Preserve peace
- Keep society safe
- Penalties include: community service, fines, prison
- Enacted through legislation

Civil Law
- Provide for an orderly society
- Govern matters that are not crimes
- Enacted through legislation
- Punishment can include financial penalties

Administrative Law
- Policies, procedures, and regulations
- Govern the daily operations of an entity
- Enacted by government agencies, not the legislature

Laws
- Computer Crime
- Intellectual Property
- Licensing
- Import/Export
- Privacy

Computer Crime
- Computer Fraud and Abuse Act (CFAA)
  - Federal interest computer
  - Accessing classified information, accessing systems, fraud, malicious damage, modifying medical records, trafficking passwords
  - Any computer in use by the government, financial institutions, and interstate offenses
  - Amendments: creating malware code, interstate commerce, imprisonment, and civil action from victims
- Federal Sentencing Guidelines
  - Prudent man rule
  - Burden of proof: negligence, compliance, causal
- National Information Infrastructure Protection Act: CFAA international, national infrastructure
- Federal Information Security Management Act (FISMA): risk assessment, planning, training, testing, incident management
- Federal Information Systems Modernization Act (FISMA): centralizing under DHS
- Cybersecurity Enhancement Act: NIST establishing voluntary cybersecurity standards

Intellectual Property
- Copyrights: original works of authorship; Digital Millennium Copyright Act
- Trademarks: words, slogans, logos, etc., which identify a company, its products, and its services
- Patents: intellectual property rights of inventors
- Trade Secrets: intellectual property of an organization; non-disclosure agreement (NDA)
- Economic Espionage Act: stealing trade secrets to benefit a foreign government; stealing trade secrets

Licensing
- Contractual license agreements
- Shrink-wrap license agreements
- Click-through license agreements
- Cloud services license agreements

Import/Export
- Trans-border data flow of new technologies, intellectual property, and personally identifying information
- International Traffic in Arms Regulations (ITAR): United States Munitions List (USML)
- Export Administration Regulations (EAR): Commerce Control List (CCL)
- Computer Export Controls
- Encryption Export Controls

Privacy: U.S. Privacy Law
- Fourth Amendment
- Privacy Act
- Electronic Communications Privacy Act
- Communications Assistance for Law Enforcement Act (CALEA)
- Economic Espionage Act
- Health Insurance Portability and Accountability Act (HIPAA)
- Health Information Technology for Economic and Clinical Health Act (HITECH)
- Data Breach Notification Laws
- Children's Online Privacy Protection Act (COPPA)
- Gramm-Leach-Bliley Act
- USA PATRIOT Act
- Family Educational Rights and Privacy Act (FERPA)
- Identity Theft and Assumption Deterrence Act

Privacy: European Union Privacy Law
- Consent
- Contract
- Legal obligation
- Vital interest of the data subject
- Balance between the interests of the data holder and the interests of the data subject
- Key rights of individuals
- Privacy Shield agreement:
  - Informing Individuals About Data Processing
  - Providing Free and Accessible Dispute Resolution
  - Cooperating with the Department of Commerce
  - Maintaining Data Integrity and Purpose Limitation
  - Ensuring Accountability for Data Transferred to Third Parties
  - Transparency Related to Enforcement Actions
  - Ensuring Commitments Are Kept As Long As Data Is Held
- European Union General Data Protection Regulation (GDPR):
  - Applies to organizations that are not based in the EU
  - 24-hour data breach notification requirement
  - Centralized data protection authorities in each EU member state
  - Individuals will have access to their own data
  - Data portability provisions
  - The right to be forgotten

Compliance
- Security regulation has become complex
- Issues with regulatory agencies and contractual obligations
- Overlapping and often contradictory requirements
- May require full-time compliance staff
- Compliance audits and reporting
- Payment Card Industry Data Security Standard (PCI DSS)

Contracting and Procurement
- Use of cloud and service vendors requires contract scrutiny
- Perform security review and vendor governance
- Tailor the contract and review to your specific concerns

Conclusion
- Read the Exam Essentials
- Review the Chapter
- Perform the Written Labs
- Answer the Review Questions

Chapter 5: Protecting Security of Assets

Identify and Classify Assets

- Defining Sensitive Data
- Defining Classifications
- Determining Data Security Controls
- Understanding Data States
- Handling Information and Assets
- Data Protection Methods
- Determining Ownership
- Data Processors
- Using Security Baselines

Defining Sensitive Data
- Personally Identifiable Information (PII): NIST SP 800-122
- Protected Health Information (PHI): HIPAA
- Proprietary Data

Defining Classifications
- Government/Military:
  - Top Secret
  - Secret
  - Confidential
  - Unclassified
  - For Official Use Only (FOUO)
  - Sensitive but Unclassified (SBU)
  - Class 3, 2, 1, 0
- Non-government / Civilian:
  - Confidential or Proprietary
  - Private
  - Sensitive
  - Public

Defining Asset Classifications
- Asset classification should match system classifications for use/access

Determining Data Security Controls
- Define a policy for all forms and locations of data
- Encrypt all the things
- Consider the value of data
- Use labels and enforcement
- Use data loss prevention (DLP)
- Set requirements for: communications, storage, and backups

Understanding Data States
- Data at rest
- Data in motion
- Data in use
- Encryption, authentication, authorization

Handling Information and Assets
- Marking Sensitive Data and Assets / Handling Sensitive Information and Assets:
  - Physical and logical labeling
  - Assists with DLP and human handling
  - Address downgrading
  - Be aware of common loss-of-control situations, such as backups and cloud storage
- Storing Sensitive Data:
  - Use storage encryption
  - Manage the environment
  - Provide quality storage devices for long-term retention
- Destroying Sensitive Data:
  - NIST SP 800-88r1, Guidelines for Media Sanitization
- Eliminating Data Remanence:
  - HDD vs. SSD/flash
  - Sanitization: erasing, clearing, purging, degaussing, destruction, declassification
- Ensuring Appropriate Asset Retention:
  - Record retention
  - Media, system retention
  - Employees and NDAs
  - A necessary element of a security policy

Data Protection Methods
- Protecting data with symmetric encryption: AES, Triple DES, Blowfish
- Protecting data with transport encryption: TLS, VPN, IPSec, SSH

Determining Ownership
- Data Owners
- Asset Owners/System Owners
- Business/Mission Owners
- Data Processors: the person or entity that controls processing of the data
  - GDPR
  - EU-US Privacy Shield: Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; Recourse, Enforcement, and Liability
- Pseudonymization: artificial identifiers
- Anonymization: inferencing; data masking and randomization
- Administrators
- Custodians
- Users

Protecting Privacy
- HIPAA
- California Online Privacy Protection Act of 2003 (CalOPPA)
- Personal Information Protection and Electronic Documents Act (Canada)
- GDPR

Using Security Baselines
- NIST SP 800-53
- Scoping: selecting controls that specifically apply to the protected target
- Tailoring: adjust the security control baseline to align with the organization's mission
- Selecting standards: contractual vs. regulation/legislation

Conclusion
- Read the Exam Essentials
- Review the Chapter
- Perform the Written Labs
- Answer the Review Questions

Chapter 6: Cryptography and Symmetric Key Algorithms

Historical Milestones in Cryptography
- Caesar cipher: substitution, ROT3
- American Civil War: substitution and transposition, flag signals
- Ultra vs. Enigma; the Purple machine

Cryptographic Basics
- Goals of cryptography; cryptography concepts; cryptographic mathematics; ciphers

Goals of Cryptography
- Confidentiality (symmetric and asymmetric): data at rest, data in motion, data in use
- Integrity
- Authentication
- Nonrepudiation

Cryptography Concepts
- Plaintext, encrypt/decrypt, ciphertext
- Keys (cryptovariables); keyspace, bit size
- Kerckhoffs's principle: a cryptosystem should remain secure even if everything about it except the key is public
- Cryptography, cryptanalysis, cryptology, cryptosystem
- FIPS 140-2

Cryptographic Mathematics
- Boolean mathematics / logical operations: AND, OR, NOT, XOR
- Modulo function
- One-way functions
- Nonce
- Zero-knowledge proof
- Split knowledge
- Work function (work factor)

Ciphers
- Codes vs. ciphers
- Transposition ciphers
- Substitution ciphers: Caesar cipher (ROT3), Vigenère cipher, one-time pads, running key ciphers
- Block ciphers vs. stream ciphers
- Confusion and diffusion
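The shift and Vigenère ciphers above, plus the ciphertext-only frequency analysis that breaks them, as an added worked example (this is not code from the study guide; the plaintext SAMPLE_PLAINTEXT and key are constructed for the demo). It shows why a polyalphabetic cipher collapses into independent Caesar ciphers once the key length is known, which is why the one-time pad insists on a key as long as the message and never reused:

```python
"""Caesar and Vigenere ciphers with a chi-squared frequency-analysis break.
Added example; stdlib only. SAMPLE_PLAINTEXT is constructed for the demo."""
from collections import Counter
import string

ALPHABET = string.ascii_uppercase

# Approximate English letter frequencies (percent); the reference profile for scoring.
ENGLISH_FREQ = {
    "A": 8.17, "B": 1.49, "C": 2.78, "D": 4.25, "E": 12.70, "F": 2.23, "G": 2.02,
    "H": 6.09, "I": 6.97, "J": 0.15, "K": 0.77, "L": 4.03, "M": 2.41, "N": 6.75,
    "O": 7.51, "P": 1.93, "Q": 0.10, "R": 5.99, "S": 6.33, "T": 9.06, "U": 2.76,
    "V": 0.98, "W": 2.36, "X": 0.15, "Y": 1.97, "Z": 0.07,
}

SAMPLE_PLAINTEXT = (
    "Cryptography is the practice of securing communication in the presence of "
    "adversaries. A substitution cipher replaces each letter with another letter while "
    "a transposition cipher rearranges the order of the letters without changing them. "
    "The Caesar cipher shifts every letter by a fixed amount and the Vigenere cipher "
    "uses a repeating keyword so that the same plaintext letter can map to different "
    "ciphertext letters. Frequency analysis still breaks it once the key length is "
    "known because every column of the ciphertext is a simple shift."
)


def clean(text: str) -> str:
    """Keep letters only, upper-cased: classical ciphers ignore spaces and punctuation."""
    return "".join(c for c in text.upper() if c in ALPHABET)


def caesar(text: str, shift: int) -> str:
    """Monoalphabetic shift cipher; shift=3 is ROT3 (the Caesar cipher). A negative shift decrypts."""
    return "".join(ALPHABET[(ALPHABET.index(c) + shift) % 26] for c in clean(text))


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Polyalphabetic substitution: position i is shifted by key[i mod len(key)]."""
    key = clean(key)
    out = []
    for i, c in enumerate(clean(text)):
        k = ALPHABET.index(key[i % len(key)])
        out.append(ALPHABET[(ALPHABET.index(c) + (-k if decrypt else k)) % 26])
    return "".join(out)


def chi_squared(text: str) -> float:
    """Distance between observed letter counts and the English profile; lower is more English-like."""
    counts = Counter(text)
    n = len(text)
    total = 0.0
    for letter in ALPHABET:
        expected = ENGLISH_FREQ[letter] * n / 100
        total += (counts[letter] - expected) ** 2 / expected
    return total


def break_caesar(ciphertext: str):
    """Ciphertext-only attack: try all 26 shifts and keep the most English-like candidate."""
    ct = clean(ciphertext)
    shift = min(range(26), key=lambda s: chi_squared(caesar(ct, -s)))
    return shift, caesar(ct, -shift)


def break_vigenere(ciphertext: str, key_length: int):
    """With the key length known (e.g. from Kasiski examination), every key_length-th
    letter was encrypted with the same shift, so each column is a separate Caesar cipher."""
    ct = clean(ciphertext)
    key = "".join(ALPHABET[break_caesar(ct[col::key_length])[0]] for col in range(key_length))
    return key, vigenere(ct, key, decrypt=True)


if __name__ == "__main__":
    ct = vigenere(SAMPLE_PLAINTEXT, "KEY")
    print(break_vigenere(ct, 3)[0])  # recovers KEY
```

The chi-squared score needs a few dozen letters per column to be reliable; that is exactly the condition a one-time pad denies the attacker, since each key letter is used once and no column ever has more than one character.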

Modern Cryptography
- Cryptographic keys; symmetric key algorithms; asymmetric key algorithms; hashing algorithms

Cryptographic Keys
- Security through obscurity is not a substitute for a sound algorithm (see Kerckhoffs's principle)
- Algorithms vs. keys
- Longer keys = better security, other things being equal

Symmetric Key Algorithms
- Shared secret; also called secret key or private key cryptography
- Key distribution is the hard problem
- Lacks nonrepudiation (both parties hold the same key)
- Not scalable: n(n-1)/2 keys for n communicating parties
- Keys must be regenerated often
- Fast

Asymmetric Key Algorithms
- Aka public key algorithms
- Key pairs: a public key and a private key
- Digital signatures
- Scalable: 2n keys for n parties vs. n(n-1)/2 for symmetric
- Key cancellation (revocation); regeneration only required at compromise or expiration
- Supports integrity (via hashing in digital signatures), authentication, and nonrepudiation
- Simple key generation
- No pre-existing secure communication link is needed for key exchange
- Slow

Hashing Algorithms
- Message digests
- Deriving the original message from its hash is computationally infeasible
- Collisions
- Chapter 7 covers the specific hashing algorithms

Symmetric Cryptography
- Data Encryption Standard (DES): 56-bit key, 64-bit blocks, 16 rounds
- Modes of operation: electronic codebook (ECB), cipher block chaining (CBC), cipher feedback (CFB), output feedback (OFB), counter mode (CTR)
- Triple DES (3DES): 168-bit (three-key) or 112-bit (two-key) key, 64-bit blocks, 48 rounds; modes EEE3, EEE2, EDE3, EDE2; a meet-in-the-middle attack limits the effective strength of three-key 3DES to about 112 bits
- International Data Encryption Algorithm (IDEA): 128-bit key, 64-bit blocks
- Blowfish: 32- to 448-bit key, 64-bit blocks
- Skipjack: 80-bit key, 64-bit blocks
- RC5: 0- to 2040-bit keys, 32/64/128-bit blocks
- Advanced Encryption Standard (AES), the Rijndael block cipher: 128-bit blocks; 128-bit key, 10 rounds; 192-bit key, 12 rounds; 256-bit key, 14 rounds
- Twofish: 1- to 256-bit keys, 128-bit blocks

Symmetric Key Management
- Creation and distribution: offline, public key encryption, Diffie-Hellman
- Storage and destruction
- Key escrow and recovery: Fair Cryptosystem, Escrowed Encryption Standard

Cryptographic Life Cycle
- Every algorithm has a limited life span as attacker computing power grows (Moore's law)
- The protection must hold for as long as the data is valuable
- Governance controls: approved algorithms, key lengths, secure transaction protocols

Conclusion
- Read the Exam Essentials, review the chapter, perform the Written Labs, answer the Review Questions

Chapter 7: PKI and Cryptographic Applications

Asymmetric Cryptography
- Public and private keys
- RSA: based on the difficulty of factoring large numbers
- Merkle-Hellman knapsack (broken; historical interest only)
- El Gamal: an extension of the Diffie-Hellman math (discrete logarithms)
- Elliptic curve cryptography

Hash Functions
- Message digest: detects changes to a message (and hence collisions)
- Parity and checksums detect accidental errors only, not deliberate tampering
- Variable-length input, fixed-length output
- A hash is easy to compute, one-way, and collision resistant
- SHA-1: 160-bit output (deprecated; practical collisions were demonstrated in 2017)
- SHA-2: SHA-224, SHA-256, SHA-384, SHA-512
- SHA-3: SHA3-224, SHA3-256, SHA3-384, SHA3-512
- MD2, MD4, MD5: 128-bit output (all broken; do not use where collision resistance matters)
- Hash of Variable Length (HAVAL)
- Hash-based Message Authentication Code (HMAC)

Digital Signatures
- Provide integrity, authentication, and nonrepudiation
- The sender encrypts (signs) the hash of the data with the private key; the recipient decrypts it with the sender's public key and compares it with a freshly computed hash
- HMAC: a keyed hash using a shared symmetric secret; gives integrity and authentication but not nonrepudiation, because both parties hold the key
- Digital Signature Standard (FIPS 186-4): DSA; RSA (ANSI X9.31); ECDSA (ANSI X9.62)

Public Key Infrastructure
- Certificates; certificate authorities; certificate generation and destruction

Certificates
- X.509 version 3
- Fields: serial number, signature algorithm identifier, issuer name, validity period, subject's name, subject's public key

Certificate Authorities
- Neutral organizations offering notarization services for digital certificates
- Public commercial or internal private
- Registration authorities (RAs)
- Certificate path validation (the chain up to a trusted root)

Certificate Generation and Destruction
- Enrollment
- Verification
- Revocation: compromise, erroneous issuance, change in the subject's details, change in the security association
- Revocation checking: certificate revocation list (CRL), Online Certificate Status Protocol (OCSP)

Asymmetric Key Management
- Choose the encryption scheme wisely
- Random key selection; long key length
- Keep private keys private
- Retire keys after their useful lifetime
- Back up keys for recovery

Applied Cryptography
- Portable devices: TPM
- Email: PGP, S/MIME
- Web applications: SSL/TLS
- Steganography and watermarking
- Digital rights management (DRM): music, movies, e-books, video games, documents
- Networking: link encryption (IPsec tunnel mode) vs. end-to-end encryption (IPsec transport mode); Secure Shell (SSH); IPsec (AH, ESP, HMAC, ISAKMP)
- Wireless networking: WEP, WPA, WPA2; IEEE 802.1X

Cryptographic Attacks
- Analytic attack
- Implementation attack
- Statistical attack
- Brute force; rainbow tables; scalable computing hardware; salting as the defense against precomputed tables
- Frequency analysis and ciphertext-only attack
- Known plaintext; chosen plaintext; chosen ciphertext
- Meet in the middle
- Man in the middle
- Birthday attack (collision attack, reverse hash matching)
- Replay
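One added example (not from the study guide) serving both the HMAC/hash-function slides and the attack list above: HMAC verification with a constant-time compare, the difference between an unsalted hash table and salted iterated hashing, and a birthday-bound collision search on a truncated SHA-256. The keys, passwords, word list and messages are constructed for the demo; the truncation to 24 bits is only so the collision appears in milliseconds:

```python
"""Keyed hashing, salted password storage and a birthday-bound collision search.
Added example; stdlib only. Keys, passwords and messages below are constructed."""
import hashlib
import hmac
import itertools
import os
from typing import Optional, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor; raise it as hardware gets faster


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_prefix(data: bytes, n: int) -> bytes:
    return hashlib.sha256(data).digest()[:n]


def hmac_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256: integrity and authentication for whoever shares `key` (no nonrepudiation)."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def hmac_verify(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest runs in constant time, so a remote attacker cannot learn the tag byte by byte
    return hmac.compare_digest(hmac_tag(key, message), tag)


def unsalted_table(wordlist) -> dict:
    """A (tiny) precomputed table: built once, it recovers every user who chose a listed password."""
    return {sha256_hex(w.encode()): w for w in wordlist}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt plus iterated PBKDF2-HMAC-SHA256: a precomputed table is useless
    because the same password hashes differently for every user."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def birthday_collision(prefix_bytes: int = 3):
    """Find two distinct messages whose SHA-256 digests share the first `prefix_bytes` bytes.
    Expected cost is about 2**(bits/2) hashes rather than 2**bits: the birthday bound."""
    seen = {}
    for i in itertools.count():
        msg = f"msg-{i}".encode()
        prefix = sha256_prefix(msg, prefix_bytes)
        if prefix in seen:
            return seen[prefix], msg, i + 1   # the colliding pair and the number of hashes computed
        seen[prefix] = msg


if __name__ == "__main__":
    a, b, tries = birthday_collision(3)
    print(a, b, tries)  # a 24-bit collision typically appears after a few thousand hashes, not 16 million
```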

Conclusion
- Read the Exam Essentials, review the chapter, perform the Written Labs, answer the Review Questions

Chapter 8: Principles of Security Models, Design, and Capabilities

Implement and Manage Engineering Processes Using Secure Design Principles
- Objects and subjects; closed and open systems; techniques for ensuring confidentiality, integrity, and availability; controls; trust and assurance

Objects and Subjects
- Subject: the active entity, often a user or a process acting for one
- Object: the passive resource being accessed
- Managing the relationship between subject and object is access control
- Transitive trust: if A trusts B and B trusts C, A may end up trusting C without intending to

Closed and Open Systems
- Closed system: proprietary standards, hard to integrate, possibly more secure (but only through obscurity)
- Open system: open or industry standards, easier to integrate
- Not the same distinction as open source vs. closed source

Techniques for Ensuring Confidentiality, Integrity, and Availability
- Confinement (sandboxing)
- Bounds
- Isolation

Controls
- Discretionary access control (DAC)
- Mandatory access control (MAC)
- Rule-based access control

Trust and Assurance
- Integrated before and during design
- Security must be engineered, implemented, tested, audited, evaluated, certified, and accredited
- Trusted system: security mechanisms work together to provide a secure computing environment
- Assurance: the degree of confidence that security needs are satisfied

Understand the Fundamental Concepts of Security Models
- Trusted computing base; state machine model; information flow model; noninterference model; take-grant model; access control matrix; Bell-LaPadula; Biba; Clark-Wilson; Brewer and Nash (Chinese Wall); Goguen-Meseguer; Sutherland; Graham-Denning

Trusted Computing Base (TCB)
- Defined in DoD 5200.28, the Orange Book (Trusted Computer System Evaluation Criteria, TCSEC)
- Security perimeter
- Trusted paths
- Reference monitor
- Security kernel

State Machine Model
- Secure no matter what state it is in
- Finite state machine (FSM); state transitions
- Secure state machine: the basis for most other security models

Information Flow Model
- Based on the state machine model
- Prevents unauthorized, insecure, or restricted information flow
- Controls flow between security levels
- Can be used to manage state transitions

Noninterference Model
- Based on the information flow model
- Separates the actions of subjects at different security levels so that higher-level activity cannot be observed from a lower level
- Composition theories: cascading, feedback, hookup

Take-Grant Model
- Dictates how rights can be passed between subjects
- Take rule, grant rule, create rule, remove rule

Access Control Matrix
- A table of subjects, objects, and permitted access
- Columns are access control lists (ACLs)
- Rows are capability lists
- Can be used in DAC, MAC, or RBAC

Bell-LaPadula Model
- Based on the DoD multilevel security policy
- Focuses only on confidentiality
- Lattice-based access control
- Simple security property: no read up
- * (star) security property: no write down
- Discretionary security property: an access control matrix provides DAC on top of the mandatory rules

Biba Model
- The inverse of Bell-LaPadula
- Focuses only on integrity
- Simple integrity property: no read down
- * (star) integrity property: no write up
- Goals: prevent modification of objects by unauthorized subjects; prevent unauthorized modification of objects by authorized subjects; protect internal and external consistency

Clark-Wilson Model
- Focuses on integrity
- Access control triplet: subject, program (interface), object
- Controls access through an intermediary program or restricted interface
- Well-formed transactions
- Separation of duties
- Constrained data item (CDI): any data item whose integrity is protected
- Unconstrained data item (UDI): any data item that is not controlled or protected
- Integrity verification procedure (IVP): a procedure that scans data items and confirms their integrity
- Transformation procedures (TPs): the only procedures allowed to modify a CDI
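The Bell-LaPadula and Biba rules above, enforced by a small reference-monitor function over a lattice of levels and categories, together with the discretionary check against an access control matrix. This is an added example, not code from the study guide; the level names, the category names (CRYPTO, NUCLEAR) and the subject and object names are made up for the demo:

```python
"""Reference-monitor style checks for Bell-LaPadula, Biba and an access control matrix.
Added example, not from the study guide; levels, categories and names are constructed."""
from dataclasses import dataclass, field

# Linear ordering of sensitivity (or integrity) levels; categories add the need-to-know dimension
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """Lattice ordering: level at least as high AND categories a superset of the other's."""
        return LEVELS[self.level] >= LEVELS[other.level] and self.categories >= other.categories


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if op == "read":   # simple security property: the subject must dominate the object
        return subject.dominates(obj)
    if op == "write":  # * (star) property: the object must dominate the subject
        return obj.dominates(subject)
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba (integrity): no read down, no write up; the BLP rules mirrored."""
    if op == "read":   # simple integrity property: only read from objects at least as trustworthy
        return obj.dominates(subject)
    if op == "write":  # * (star) integrity property: only write to objects at or below your level
        return subject.dominates(obj)
    raise ValueError(f"unknown operation {op!r}")


def matrix_allows(matrix: dict, subject_name: str, obj_name: str, op: str) -> bool:
    """DAC lookup. matrix[subject][object] is a set of operations: a row is the subject's
    capability list, a column (one object across all subjects) is that object's ACL."""
    return op in matrix.get(subject_name, {}).get(obj_name, set())


def reference_monitor(models, matrix, subject_name, subject_label, obj_name, obj_label, op) -> bool:
    """Mediates every access: all mandatory models must permit it AND the discretionary
    matrix must grant it (BLP's discretionary security property in action)."""
    mac_ok = all(model(subject_label, obj_label, op) for model in models)
    dac_ok = matrix_allows(matrix, subject_name, obj_name, op)
    return mac_ok and dac_ok


if __name__ == "__main__":
    alice = Label("SECRET", frozenset({"CRYPTO"}))
    report = Label("CONFIDENTIAL")
    matrix = {"alice": {"report": {"read"}}}
    print(reference_monitor([blp_allows], matrix, "alice", alice, "report", report, "read"))  # True
    print(reference_monitor([blp_allows], matrix, "alice", alice, "report", report, "write"))  # False: no write down
```

Running both models together (`[blp_allows, biba_allows]`) shows why they are rarely combined unchanged: a subject may then only read and write objects at exactly its own label.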

Brewer and Nash Model (aka Chinese Wall)
- Prevents conflicts of interest
- Access changes dynamically based on the user's activity
- Once a user has accessed data in one conflict class, access to the competing data is temporarily blocked

Goguen-Meseguer Model
- Focuses on integrity
- The basis of the noninterference model
- Based on a predetermined set/domain of objects a subject can access
- Based on automaton theory and domain separation

Sutherland Model
- Focuses on integrity
- Prevents interference in support of integrity
- Defines a set of system states, initial states, and state transitions
- Commonly used to prevent covert channels from influencing processes

Graham-Denning Model
- Secure management of objects and subjects through eight primitive rules: securely create an object; securely create a subject; securely delete an object; securely delete a subject; securely provide the read access right; securely provide the grant access right; securely provide the delete access right; securely provide the transfer access right

Select Controls and Countermeasures Based on Systems Security Evaluation Models
- Rainbow Series; ITSEC classes and required assurance and functionality; Common Criteria; industry and international security implementation guidelines; certification and accreditation

Rainbow Series
- TCSEC, the Orange Book: confidentiality; classes D, C1, C2, B1, B2, B3, A1
- Red Book: Trusted Network Interpretation of TCSEC; confidentiality and integrity; ratings None, C1, C2, B2
- Green Book: password management guidelines

ITSEC Classes and Required Assurance and Functionality
- Rates functionality (F) and assurance (E) separately
- F-D through F-B3; E0 through E6
- Addresses confidentiality, integrity, and availability

Common Criteria
- Designed to replace the prior systems; ISO/IEC 15408
- Protection profiles; security targets; Evaluation Assurance Levels (EAL1 through EAL7)
- Part 1: Introduction and General Model; Part 2: Security Functional Requirements; Part 3: Security Assurance Requirements

Industry and International Security Implementation Guidelines
- Payment Card Industry Data Security Standard (PCI DSS)
- International Organization for Standardization (ISO)

Certification and Accreditation
- Certification: comprehensive evaluation of security against the security requirements
- Accreditation: formal designation by the DAA (designated approving authority) that the system meets organizational security needs
- Risk Management Framework (RMF)
- Committee on National Security Systems Policy (CNSSP) phases: 1 Definition, 2 Verification, 3 Validation, 4 Post Accreditation

Understand Security Capabilities of Information Systems
- Memory protection (Meltdown and Spectre)
- Virtualization
- Trusted Platform Module (TPM)
- Hardware security module (HSM)
- Interfaces: constrained or restricted
- Fault tolerance

Conclusion

- Read the Exam Essentials, review the chapter, perform the Written Labs, answer the Review Questions

Chapter 9: Security Vulnerabilities, Threats, and Countermeasures

Assess and Mitigate Security Vulnerabilities
- Hardware: hardware components, protection mechanisms, memory, memory addressing, secondary memory, input/output devices, firmware

Hardware Components
- Processor / central processing unit (CPU)
- Execution types: multitasking, multicore, multiprocessing (SMP and MPP), multiprogramming, multithreading
- Processing types: single state, multistate

Protection Mechanisms
- Protection rings: kernel mode (privileged mode) vs. user mode; mediated access through system calls
- Process states / operating states: the OS runs in supervisory or problem state; processes are ready, waiting, running, supervisory, or stopped
- Process scheduler (program executive)
- Security modes; requirements common to all of them: MAC, physical control over who can access the console, physical control over who can enter the room
- Modes: dedicated, system high, compartmented, multilevel

Memory
- Read-only memory (ROM); programmable ROM (PROM); erasable programmable ROM (EPROM); electrically erasable programmable ROM (EEPROM); flash
- Random access memory (RAM): real memory, cache, registers

Memory Addressing
- Register addressing
- Immediate addressing: the operand is part of the instruction
- Direct addressing: the actual address of the memory location
- Indirect addressing: the address of a memory location that holds the address of the target data
- Base plus offset: base address stored in a register, offset is the relative location

Secondary Memory
- Magnetic, optical, or flash media; not immediately available to the CPU
- Virtual memory, paging
- Security issues: theft, purging, physical access
- Primary vs. secondary; volatile vs. nonvolatile; random vs. sequential access
- Data remanence; SSD wear leveling (which makes overwrite-based sanitization unreliable)
- Theft: encryption; device access control
- Data retention over the usable lifetime; availability

Input/Output Devices
- Monitors, printers, keyboards and mice, modems

Firmware
- Microcode
- Basic Input/Output System (BIOS); Unified Extensible Firmware Interface (UEFI)
- Phlashing (malicious firmware flashing)
- Device firmware; EEPROM

Client-Based Systems
- Applets: Java and the JVM, ActiveX
- Local caches: ARP (ARP cache poisoning); DNS (DNS cache poisoning via the HOSTS file, the authoritative DNS server, a caching DNS server, a DNS lookup address change, or DNS query spoofing; defenses: split DNS, IDS)
- Internet files: temporary Internet files and the browser cache

Server-Based Systems
- Data flow control: load balancing; management between processes, devices, networks, or communication channels
- Efficient transmission with minimal delay or latency
- Reliable throughput using hashing, and confidentiality protection with encryption

Database Systems Security
- Aggregation and inference
- Data mining and data warehousing; data dictionary; metadata; data mart
- Data analytics; big data
- Large-scale parallel data systems: AMP, SMP, MPP

Distributed Systems and Endpoint Security
- Host/terminal model; client-server model; distributed architectures
- Endpoint security: screening/filtering email, download/upload policies, robust access controls, restricted user interfaces, file encryption (see the list in the book)

Cloud-Based Systems and Cloud Computing
- Hypervisor (virtual machine monitor, VMM): Type I (native or bare-metal), Type II (hosted)
- Cloud storage; elasticity
- Service models: PaaS, SaaS, IaaS
- On-premise vs. hosted vs. cloud; private, public, hybrid, community
- Issues: privacy concerns; regulatory compliance difficulties; use of open/closed-source solutions; adoption of open standards; whether cloud-based data is actually secured (or even securable)
- Cloud access security broker (CASB); security as a service (SECaaS); cloud shared responsibility model

Grid and Peer to Peer
- Grid computing: parallel distributed processing; members can enter and leave at will; work content is potentially exposed publicly; work packets are sometimes not returned, returned late, or returned corrupted
- Peer to peer: no central management system; services are usually real time (VoIP, file distribution, A/V streaming/distribution)

Internet of Things
- Smart devices: automation, remote control, or AI processing
- Extensions or replacements of existing devices, equipment, or systems
- Security may not be integrated; top concerns are access and encryption
- Consider deploying in an isolated subnet

Industrial Control Systems
- Distributed control systems (DCS): manage/control industrial processes over a large-scale deployment from a single location
- Programmable logic controllers (PLC): single-purpose or focused-purpose digital computers
- Supervisory control and data acquisition (SCADA): stand-alone or internetworked; does not always properly address security

Assess and Mitigate Vulnerabilities in Web-Based Systems
- eXtensible Markup Language (XML)
- Security Assertion Markup Language (SAML): web-based authentication, single sign-on
- Open Web Application Security Project (OWASP)
- Secure Sockets Layer (SSL) / Transport Layer Security (TLS)
- Injection (SQL, LDAP, XML), XML exploitation, cross-site scripting (XSS), cross-site request forgery (XSRF/CSRF)
- Static vs. dynamic content; web applications: server-side executables, scripts, databases
- Publicly accessed web servers should be hosted outside the LAN, in a DMZ (or cloud hosting)
- Input validation: length, patterns, metacharacters
- Limit account privileges
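The injection and input-validation points from the Web-Based Systems slides above, as an added example (not code from the study guide): a string-built login query that a quote and comment sequence rewrites, next to the same lookup with pattern validation and parameter binding. The in-memory SQLite table, user rows and password hashes are constructed for the demo:

```python
"""SQL injection: a string-built login query next to its validated, parameterized form.
Added example, not from the study guide; the SQLite table and its rows are constructed."""
import re
import sqlite3

USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("alice", "h1", "admin"), ("bob", "h2", "user")])
    return db


def login_vulnerable(db, username: str, password_hash: str) -> list:
    """Attacker-controlled text is concatenated into the statement, so a quote followed
    by a comment sequence (--) in the username removes the password check entirely."""
    sql = ("SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password_hash = '{password_hash}'")
    return db.execute(sql).fetchall()


def login_parameterized(db, username: str, password_hash: str) -> list:
    """Binding alone defeats injection: the driver sends the values as data, so they can
    never change the structure of the statement, whatever metacharacters they contain."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return db.execute(sql, (username, password_hash)).fetchall()


def is_valid_username(username: str) -> bool:
    """Input validation (length and pattern) as defense in depth: rejects quotes, spaces
    and other metacharacters before they reach any back end, SQL or otherwise."""
    return USERNAME_RE.fullmatch(username) is not None


def login_safe(db, username: str, password_hash: str) -> list:
    if not is_valid_username(username):
        raise ValueError("invalid username")
    return login_parameterized(db, username, password_hash)


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "alice' --", "wrong"))      # [('alice', 'admin')]: logged in as admin
    print(login_parameterized(db, "alice' --", "wrong"))   # []: the payload is just an unknown username
```

Limiting the account the application connects with (the last bullet above) is the third layer: even a successful injection can then only read what that account may read.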

Assess and Mitigate Vulnerabilities in Mobile Systems
- Device security; application security; BYOD concerns

Device Security
- Full device encryption
- Remote wiping
- Lockout
- Screen locks
- GPS
- Application control
- Storage segmentation
- Asset tracking and inventory control
- Mobile device management (MDM)
- Device access control
- Removable storage
- Disabling unused features

Application Security
- Key management; credential management
- Authentication
- Geotagging
- Encryption
- Application whitelisting

BYOD Concerns
- Bring your own device (BYOD); company owned, personally enabled (COPE); choose your own device (CYOD); corporate-owned mobile strategy
- Virtual desktop infrastructure (VDI); virtual mobile infrastructure (VMI)
- Data ownership; support ownership
- Patch management; antivirus management
- Forensics; privacy
- Onboarding/offboarding
- Adherence to corporate policies; user acceptance
- Architecture/infrastructure considerations
- Legal concerns; acceptable use policy
- Onboard camera/video

Assess and Mitigate Vulnerabilities in Embedded Devices and Cyber-Physical Systems
- Embedded system; static system, static environment
- Examples of embedded and static systems: network-enabled devices, cyber-physical systems, Internet of Things (IoT), mainframes, game consoles, in-vehicle computing systems
- Methods of securing: network segmentation, security layers, application firewalls, manual updates, firmware version control, wrappers, monitoring, control redundancy and diversity

Essential Security Protection Mechanisms
- Technical mechanisms: layering, abstraction, data hiding, process isolation, hardware segmentation
- Security policy and computer architecture: the policy informs and guides design, development, implementation, testing, and maintenance; defines rules and practices; addresses hardware and software
- Policy mechanisms: principle of least privilege, separation of privilege, accountability

Common Architecture Flaws and Security Issues
- Covert channels: covert timing channels, covert storage channels
- Attacks based on design or coding flaws: trusted recovery; input and parameter checking; maintenance hooks and privileged programs; incremental attacks (data diddling, salami attacks)
- Programming: sanitize input, buffer overflows, exception handling, testing
- Timing, state changes, and communication disconnects: time-of-check to time-of-use (TOCTOU) attacks
- Technology and process integration: service-oriented architecture (SOA)
- Electromagnetic radiation: TEMPEST, Faraday cage, jamming, noise generators, control zones

Conclusion
- Read the Exam Essentials, review the chapter, perform the Written Labs, answer the Review Questions

Chapter 10: Physical Security Requirements

Apply Secure Principles to Site and Facility Design

- Secure facility plan; site selection; visibility; natural disasters; facility design

Secure Facility Plan
- Critical path analysis
- Security for basic requirements
- Technology convergence
- Include security staff in design considerations

Site Selection
- Cost, location, size
- Security requirements
- Pre-existing structure or custom construction
- Proximity to others
- Weather conditions

Visibility
- Surrounding terrain; vehicle and foot traffic
- Residential, business, or industrial area
- Line of sight
- Crime rate; emergency services
- Unique local hazards

Natural Disasters
- Common local natural disasters; severe weather patterns
- Protection for workers and assets

Facility Design
- Based on the level of security needs
- Combustibility, fire rating, construction materials, load rating
- Intrusion, emergency access, resistance to entry
- Security architecture
- Crime Prevention Through Environmental Design (CPTED)

Implement Site and Facility Security Controls
- Design concepts; equipment failure; wiring closets; cable plant management policy; server rooms/data centers; media storage facilities; evidence storage; restricted and work area security; utilities and HVAC considerations; water issues; fire prevention, detection, and suppression

Design Concepts
- Administrative, technical, and physical controls for physical security
- Corporate vs. personal property
- Deterrence, denial, detection, delay

Equipment Failure
- Failure is inevitable
- Purchase replacement parts as needed; onsite replacement warehousing; SLA with vendors
- MTTF, MTTR, MTBF

Wiring Closets
- Premises wire distribution room; intermediate distribution facilities (IDF)
- Prevent unauthorized physical access; do not use as general storage; do not store flammable materials
- Use video surveillance; perform regular physical inspections

Cable Plant Management Policy
- Entrance facility; equipment room; backbone distribution system; telecommunications room; horizontal distribution system

Server Rooms/Data Centers
- Need not be human compatible
- Locate in the core of the building
- One-hour minimum fire rating for walls
- Physical access control: smartcards, proximity readers, IDS
- Access abuses: masquerading, piggybacking
- Emanation security: Faraday cages, white noise, control zones

Media Storage Facilities
- Store blank, reusable, and installation media
- Data remnants
- Locked cabinet; librarian or custodian; check-in/check-out process
- Sanitization, zeroization

Evidence Storage
- An increasingly important business task
- Drive images and virtual machine snapshots
- Distinct from production; block Internet access
- Track all activities; calculate hashes of all files; limit access; encrypt stored data

Restricted and Work Area Security
- Operations centers
- Distinct and controlled area access; walls or partitions
- Shoulder surfing
- Assign classifications; track assets with RFID
- Sensitive Compartmented Information Facility (SCIF)

Utilities and HVAC Considerations
- UPSes: double-conversion UPS, line-interactive UPS; surge protectors; generators
- Power conditions: fault, blackout, sag, brownout, spike, surge, inrush, noise, transient, clean, ground
- EMI vs. RFI
- Temperature, humidity, static

Water Issues
- Leakage, flooding, electrocution
- Water detection circuits; shutoff valves; drainage locations

Fire Prevention, Detection, and Suppression
- Fire triangle: fuel, heat, oxygen (plus the chemical reaction of combustion)
- Stages: incipient, smoke, flame, heat
- Fire extinguisher classes:

    Class   Type                   Suppression material
    A       Common combustibles    Water, soda acid
    B       Liquids                CO2, halon*, soda acid
    C       Electrical             CO2, halon*
    D       Metal                  Dry powder

    * Halon production was phased out under the Montreal Protocol; use a substitute such as FM-200

- Fire detection systems: fixed temperature, rate-of-rise, flame-actuated, smoke-actuated
- Water suppression: wet pipe, dry pipe, pre-action, deluge
- Gas suppression: CO2, halon, FM-200, alternatives
- Damage: smoke, heat, suppression media

Implement and Manage Physical Security
- Perimeter security controls; internal security controls

Perimeter Security Controls
- Fences, gates, turnstiles, mantraps
- Lighting
- Security guards and dogs

Internal Security Controls
- Keys and combination locks; electronic access control (EAC) locks; badges
- Motion detectors: infrared, heat, wave pattern, capacitance, photoelectric, passive audio
- Intrusion alarms: deterrent alarms, repellant alarms, notification alarms; local alarm, central station, auxiliary station
- Secondary verification mechanisms
- Environment and life safety
- Privacy responsibilities and legal requirements; regulatory requirements

Conclusion
- Read the Exam Essentials, review the chapter, perform the Written Labs, answer the Review Questions

Chapter 11: Secure Network Architecture and Securing Network Components

OSI Model

- History of the OSI model; OSI functionality; encapsulation/de-encapsulation; OSI layers

History of the OSI Model
- Developed after TCP/IP was created
- Abstract, theoretical framework; a common reference point

OSI Functionality
- Seven layers; manages information flow
- Each layer communicates with the layers directly above and below it
- Supports peer-layer communication between hosts

Encapsulation / De-encapsulation
- Flow of information down (sending) or up (receiving) the protocol stack
- Headers and footers are added on the way down and removed on the way up
- Calculation of checksums

OSI Layers
- 1 Physical, 2 Data Link, 3 Network, 4 Transport, 5 Session, 6 Presentation, 7 Application
- Layer summaries; network facts: bits, frame, packet, segment, datagram, protocol data unit (PDU)
- MAC, OUI, EUI
- Hub, switch, router
- Routing: distance vector, link state
- Simplex, half-duplex, full-duplex

TCP/IP Model
- DoD or DARPA model; 4 layers: Application/Process, Transport/Host-to-host, Internet/Internetworking, Link

TCP/IP Protocol Suite Overview
- TCP and UDP
- Ports: 65,536 of them (0 to 65,535); well-known, registered, ephemeral
- TCP header flags: SYN, ACK, FIN, RST
- IPv4 vs. IPv6; ICMP; IGMP; ARP

Common Application Protocols
- Telnet; File Transfer Protocol (FTP); Trivial File Transfer Protocol (TFTP)
- Simple Mail Transfer Protocol (SMTP); Post Office Protocol (POP3); Internet Message Access Protocol (IMAP)
- Dynamic Host Configuration Protocol (DHCP)
- Hypertext Transfer Protocol (HTTP); Secure Sockets Layer (SSL) / Transport Layer Security (TLS)
- Line Print Daemon (LPD); X Windows
- Network File System (NFS); Simple Network Management Protocol (SNMP)

Implications of Multilayer Protocols
- Encapsulation, for example:
    [ Ethernet [ IP [ TCP [ HTTP ] ] ] ]
    [ Ethernet [ IP [ TCP [ SSL [ HTTP ] ] ] ] ]
    [ Ethernet [ IPSec [ IP [ TCP [ SSL [ HTTP ] ] ] ] ] ]
    [ Ethernet [ IP [ TCP [ HTTP [ FTP ] ] ] ] ]
    [ Ethernet [ IP [ ICMP [ TCP [ HTTP ] ] ] ] ]   (TCP tunneled inside ICMP: a covert channel)
- Double encapsulation, VLAN hopping
- Benefits: encryption, flexibility, resiliency
- Risks: covert channels, filter bypass, segmentation violations

Domain Name System
- Top-level domain (TLD), registered domain name, subdomain or hostname; country codes
- HOSTS file
- Primary and secondary authoritative servers; zone file
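The encapsulation stacks listed under Implications of Multilayer Protocols above, made concrete: an added example (not code from the study guide) that builds a constructed Ethernet / 802.1Q / IPv4 / TCP frame one header at a time and then peels the layers off again, including the double 802.1Q tag (QinQ) that VLAN-hopping attacks rely on and the IPv4 header checksum that each hop recomputes. MAC addresses, IP addresses, ports and payloads are made up; the TCP checksum is left zero because computing it is not the point here:

```python
"""Build and parse constructed Ethernet / 802.1Q / IPv4 / TCP frames to show encapsulation.
Added example, not from the study guide; addresses, ports and payloads are made up."""
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum. Over a header carrying a correct checksum it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(payload: bytes, vlans=(), sport=40000, dport=80) -> bytes:
    """Ethernet [ (802.1Q)* [ IPv4 [ TCP [ payload ] ] ] ]: every layer prepends its own header."""
    # TCP: ports, seq, ack, data offset (5 words), flags PSH|ACK, window, checksum (left 0), urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, PROTO_TCP, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:] + tcp
    tail = struct.pack("!H", ETHERTYPE_IPV4) + ip
    for vid in reversed(vlans):        # the outermost tag must end up first on the wire
        tail = struct.pack("!HH", ETHERTYPE_VLAN, vid & 0x0FFF) + tail
    return bytes(6 * [0xAA]) + bytes(6 * [0xBB]) + tail   # dst MAC, src MAC, then the rest


def parse_frame(frame: bytes) -> dict:
    """Peel the layers back off, verifying the IPv4 header checksum on the way."""
    off = 12                                   # skip destination and source MAC
    layers, vlans = ["Ethernet"], []
    (eth_type,) = struct.unpack("!H", frame[off:off + 2])
    off += 2
    while eth_type == ETHERTYPE_VLAN:          # a second tag here is QinQ / double encapsulation
        tci, eth_type = struct.unpack("!HH", frame[off:off + 4])
        off += 4
        vlans.append(tci & 0x0FFF)
        layers.append("802.1Q")
    result = {"layers": layers, "vlans": vlans}
    if eth_type != ETHERTYPE_IPV4:
        result["ethertype"] = eth_type
        return result
    ihl = (frame[off] & 0x0F) * 4
    ip_hdr = frame[off:off + ihl]
    if ipv4_checksum(ip_hdr) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", ip_hdr[2:4])[0]
    ip_end = off + total_len                   # ignore any Ethernet padding after the datagram
    result.update(src=".".join(map(str, ip_hdr[12:16])), dst=".".join(map(str, ip_hdr[16:20])),
                  proto=ip_hdr[9])
    layers.append("IPv4")
    off += ihl
    if ip_hdr[9] != PROTO_TCP:
        return result
    sport, dport = struct.unpack("!HH", frame[off:off + 4])
    data_off = (frame[off + 12] >> 4) * 4
    result.update(sport=sport, dport=dport, flags=frame[off + 13],
                  payload=frame[off + data_off:ip_end])
    layers.append("TCP")
    return result


def frame_is_valid(frame: bytes) -> bool:
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_frame(build_frame(b"GET / HTTP/1.1\r\n", vlans=(100, 200)))["layers"])
```

A switch that strips only the outer tag forwards the inner one untouched, which is the mechanism behind double-tagging VLAN hops; the parser's loop shows how little it takes to see both tags.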

Domain Name System (continued)
- Resource records: A and AAAA, PTR, CNAME, MX, NS, SOA
- Domain Name System Security Extensions (DNSSEC)

DNS Poisoning
- Falsifying DNS information: rogue DNS server, DNS spoofing, DNS pharming
- Guessing the query ID (QID) of an outstanding request
- Altering the HOSTS file; corrupting the IP configuration; proxy falsification
- Defense: filter TCP/UDP 53, NIDS, DNSSEC

Domain Hijacking
- Domain theft; credential theft; registration of an expired domain

Converged Protocols
- Merging of specialty or proprietary protocols with standard protocols
- Fibre Channel over Ethernet (FCoE); Multiprotocol Label Switching (MPLS); Internet Small Computer System Interface (iSCSI); Voice over IP (VoIP)
- Software-Defined Networking (SDN); content distribution networks (CDN)

Wireless Networks
- Securing wireless access points; securing the SSID; conducting a site survey; using secure encryption protocols; determining antenna placement; antenna types; adjusting power level controls; using captive portals; general Wi-Fi security procedure; wireless attacks

Securing Wireless Access Points
- 802.11, 802.11a, 802.11b, 802.11g, 802.11n, 802.11ac
- 802.1X
- Infrastructure vs. ad hoc mode
- Service set identifier (SSID); independent SSID (ISSID) for ad hoc networks
- Infrastructure mode variants: stand-alone, wired extension, bridge

Securing the SSID
- Basic SSID (BSSID); extended SSID (ESSID)
- Disabling SSID broadcast removes the name from beacon frames, but it still appears in probe and association frames, so this hides the network from casual users only

Conducting a Site Survey
- Signal strength measurements
- Used to optimize deployment of base stations
- Minimize external access

Using Secure Encryption Protocols
- Open system authentication (OSA) and shared key authentication (SKA)
- Wired Equivalent Privacy (WEP): broken, do not use
- Wi-Fi Protected Access (WPA) with Temporal Key Integrity Protocol (TKIP)
- WPA2 (802.11i) with Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP)
- KRACK (Key Reinstallation Attacks) against the WPA2 handshake
- 802.1X/EAP: Extensible Authentication Protocol (EAP), Protected EAP (PEAP), Lightweight EAP (LEAP)
- MAC filtering

Determining Antenna Placement
- Based on the site survey; centrally located; avoid emanation obstructions and reflective surfaces

Antenna Types
- Omnidirectional; unidirectional (Yagi, cantenna, panel, parabolic)

Adjusting Power Level Controls
- Set by the manufacturer; may be adjustable in software
- Based on site survey results: maintain reliable connections internally, minimize connections externally

Wi-Fi Protected Setup (WPS)
- Base station button or 8-digit PIN
- Enabled by default on many access points
- The PIN is verified in two halves, so brute-force guessing is possible in under 6 hours; disable WPS
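Why the WPS PIN falls so quickly, as an added example (not code from the study guide): the eighth digit is a checksum the attacker can compute, and the registrar confirms each half of the PIN separately, so the search space is 10,000 + 1,000 guesses instead of 10,000,000. The SimulatedRegistrar below is a pure-Python stand-in for the access point's M4/M6 responses; the PIN 12345670 is the spec's own example PIN, and the attempt counts are what the simulation produces:

```python
"""WPS PIN checksum and a simulation of the split-PIN brute force.
Added example, not from the study guide; the registrar is a stand-in for a real AP."""


def wps_checksum(first_seven: int) -> int:
    """Eighth digit of a WPS PIN: weighted sum (3,1,3,1,...) of the first seven digits, mod 10."""
    acc, pin = 0, first_seven
    while pin:
        acc += 3 * (pin % 10)
        pin //= 10
        acc += pin % 10
        pin //= 10
    return (10 - acc % 10) % 10


def is_valid_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])


class SimulatedRegistrar:
    """Stand-in for an access point. In the real protocol the M4 message reveals whether the
    first half (4 digits) is right, and M6 whether the second half is, independently."""

    def __init__(self, pin: str):
        if not is_valid_pin(pin):
            raise ValueError("PIN fails its checksum")
        self._first, self._second = pin[:4], pin[4:]
        self.attempts = 0

    def try_first_half(self, guess: str) -> bool:
        self.attempts += 1
        return guess == self._first

    def try_second_half(self, guess: str) -> bool:
        self.attempts += 1
        return guess == self._second


def max_guesses() -> int:
    """Worst case: 10**4 first halves + 10**3 second halves (the last digit is derived)."""
    return 10_000 + 1_000


def recover_pin(ap: SimulatedRegistrar) -> str:
    """Split brute force: confirm the first half, then only 3 free digits remain."""
    first = next(f"{i:04d}" for i in range(10_000) if ap.try_first_half(f"{i:04d}"))
    for j in range(1_000):
        second = f"{j:03d}"
        second += str(wps_checksum(int(first + second)))
        if ap.try_second_half(second):
            return first + second
    raise RuntimeError("no PIN found")


if __name__ == "__main__":
    ap = SimulatedRegistrar("12345670")
    print(recover_pin(ap), ap.attempts)  # 12345670 1803
```

How long the real attack takes depends only on how fast the access point answers each attempt (and whether it locks out after failures); the guess count itself is bounded by max_guesses().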

Using Captive Portals
- Authorization system that forces interaction with a control page
- May require payment, logon credentials, or an access code
- Displays use policies
- Often found on public access wireless networks

General Wi-Fi Security Procedure
- Change the default password
- Disable SSID broadcast; change the SSID
- Enable MAC filtering
- Consider using static IP addresses
- Use WPA2; use 802.1X
- Use a firewall, VPN, IDS

Wireless Attacks
- War driving; war chalking
- Replay
- IV (initialization vector) attacks against WEP
- Rogue access points; evil twin

Secure Network Components
- Intranets, extranets
- Network segmentation: boosts performance, reduces communication issues, provides security; VLANs, routers, firewalls, DMZ
- Network Access Control (NAC): prevent/reduce zero-day attacks; enforce security policy; use identities to perform access control; preadmission vs. postadmission

Firewalls
- Filtering between network segments
- Static packet filtering; application-level gateway; circuit-level gateway; stateful inspection; deep packet inspection; next-generation firewalls
- Multihomed
- Deployment architectures

Endpoint Security
- Local security on each device; reduces network weaknesses; use appropriate security measures on every system

Secure Operation of Hardware
- Collisions vs. broadcasts
- Repeaters, concentrators, amplifiers; hubs; modems; bridges, switches; routers, brouters; gateways; proxies; LAN extenders

Cabling, Wireless, Topology, and Communications Technology
- Transmission media; network topologies; wireless communications and security; LAN technologies

Transmission Media
- LAN vs. WAN
- Coax: baseband and broadband cables
- Twisted pair: STP, UTP, categories
- Fiber optic
- Conductors; 5-4-3 rule

Network Topologies
- Ring, bus, star, mesh

Wireless Communications and Security
- Radio wave based communications; frequency, hertz (Hz)
- FHSS, DSSS, OFDM
- Cell phones; Bluetooth (IEEE 802.15); Radio Frequency Identification (RFID); near-field communication (NFC); cordless phones; mobile devices

LAN Technologies
- Ethernet; Token Ring; Fiber Distributed Data Interface (FDDI)
- Analog vs. digital; synchronous vs. asynchronous; baseband vs. broadband
- Broadcast, multicast, unicast
- LAN media access: CSMA, CSMA/CD, CSMA/CA, token passing, polling

Conclusion
- Read the Exam Essentials, review the chapter, perform the Written Labs, answer the Review Questions

Chapter 12: Secure Communications and Network Attacks

Network and Protocol Security Mechanisms
- Secure communications protocols; authentication protocols

Secure Communications Protocols
- IPsec; Kerberos; Secure Shell (SSH); Signal Protocol; Secure Remote Procedure Call (S-RPC); Secure Sockets Layer (SSL); Transport Layer Security (TLS)

Authentication Protocols
- Challenge Handshake Authentication Protocol (CHAP); Password Authentication Protocol (PAP); Extensible Authentication Protocol (EAP)

344 Secure Voice Communications Voice over Internet Protocol (VoIP) Weaknesses and attacks Secure Real-Time Transport Protocol (SRTP) Social Engineering In person, over the phone, e-mail, IM, social networks PBX Fraud and Abuse Direct Inward System Access (DISA)

Phreakers Black box, Red box, Blue box, White box (DTMF) 345 Multimedia Collaboration Remote Meeting Instant Messaging 346 Manage Email Security Email Security Goals

Understand Email Security Issues Email Security Solutions 347 overview Email Security Goals SMTP, POP, IMAP Open relay, closed relay, authenticated relay Nonrepudiation Restrict access Integrity

Verify delivery Confidentiality 348 Understand Email Security Issues 349 Lack of encryption

Delivery vehicle for malware Lack of source verification Flooding Attachments Email Security Solutions Secure Multipurpose Internet Mail Extensions (S/MIME) MIME Object Security Services (MOSS) Privacy Enhanced Mail (PEM) DomainKeys Identified Mail (DKIM) Pretty Good Privacy (PGP) Opportunistic TLS for SMTP Gateways Sender Policy Framework (SPF)

Reputation filtering 350 Remote Access Security Management Remote Access and Telecommuting Techniques Plan Remote Access Security Dial-Up Protocols Centralized Remote Authentication Services 351

overview Remote Access and Telecommuting Techniques 352 Service specific Remote control

Screen scraper/scraping Remote node operation Plan Remote Access Security POTS/PSTN, VoIP, VPN Authentication, remote access justification, encrypted for confidentiality Monitor for abuses Remote connectivity technology Transmission protection Authentication protection Remote user assistance 353

Dial-Up Protocols Point-to-Point Protocol (PPP) Serial Line Internet Protocol (SLIP) 354 Centralized Remote Authentication Services Remote Authentication Dial-In User Service (RADIUS) Terminal Access Controller AccessControl System (TACACS+) TACACS, XTACACS

355 Virtual Private Network Tunneling How VPNs Work Common VPN Protocols PPTP, L2F, L2TP, IPSec SSH, TLS Virtual LAN 356 Virtualization Hypervisors

VM escaping Virtual Software Virtual applications Virtual desktop Virtual Networking Software Defined Network (SDN) Network virtualization Virtual SAN 357 Network Address Translation Private IP Addresses (RFC 1918)

10.0.0.0 10.255.255.255 (a full Class A range) 172.16.0.0172.31.255.255 (16 Class B ranges) 192.168.0.0192.168.255.255 (256 Class C ranges) Stateful NAT Port Address Translation (PAT) Static and Dynamic NAT Automatic Private IP Addressing (APIPA)

169.254.x.y Loopback Address 358 Switching Technologies Circuit Switching Packet Switching Constant traffic Bursty traffic Fixed known delays Variable delays Connection oriented Connectionless Sensitive to

Sensitive to connection loss data loss Used primarily for voice Used for any type of traffic Virtual Circuits PVCs and SVCs 359 WAN Technologies 1/2 WAN Connection Technologies 1/2

Dedicated vs. Nondedicated DS-0, DS-1, DS-3, T1, T3 ISDN BRI vs. PRI Channel Service Unit/Data Service Unit (CSU/DSU) Data Terminal Equipment/Data CircuitTerminating Equipment (DTE/DCE) X.25 360 WAN Technologies 2/2 WAN Connection Technologies 2/2

Frame Relay Committed Information Rate (CIR) ATM Switched Multimegabit Data Service (SMDS) Synchronous Digital Hierarchy (SDH) Synchronous Optical Network (SONET) SDLC, HDLC 361 Miscellaneous Security Control Characteristics

Transparency Verify Integrity Transmission Mechanisms Logging Error correction 362 Security Boundaries Areas of different security requirements Classifications Physical vs. logical Should be clearly defined

363 Prevent or Mitigate Network Attacks

364 DoS and DDoS Eavesdropping Impersonation/masquerading Replay attacks Modification attacks Address resolution protocol spoofing DNS poisoning, spoofing, and hijacking Hyperlink spoofing Conclusion

365 Read the Exam Essentials Review the chapter Perform the Written Labs Answer the Review Questions Chapter 13 Managing Identity and Authentication Copyright 2018 by John Wiley & Sons, Inc., Indianapolis, Indiana.

Controlling Access to Assets (slide 367)
- Assets: Information, systems, devices, facilities, personnel
- Comparing Subjects and Objects
- The CIA Triad
- Types of Access Control
  - Preventative
  - Detective
  - Corrective
  - Deterrent
  - Recovery
  - Directive
  - Compensating
  - Administrative, logical/technical, physical

Comparing Identification and Authentication 1/5 (slide 368)
- Identification and Authentication
- Registration and Proofing of Identity
- Authorization and Accountability
- Authentication Factors
  - Type 1: Something you know
  - Type 2: Something you have
  - Type 3: Something you are
  - Somewhere you are
  - Context-aware authentication

Comparing Identification and Authentication 2/5 (slide 369)
- Passwords
  - Strong passwords
  - Age, complexity, length, history
  - Passphrases
  - Cognitive
- Smartcards
  - Common Access Card (CAC)
  - Personal Identity Verification (PIV) card

Comparing Identification and Authentication 3/5 (slide 370)
- Tokens
  - One-time passwords
  - Synchronous Dynamic Password Tokens
  - Asynchronous Dynamic Password Tokens
- Two-step authentication
  - Hash message authentication code (HMAC)
  - Time-based One-Time Password (TOTP)
  - Email or SMS PIN challenge

Comparing Identification and Authentication 4/5 (slide 371)
- Biometrics
  - Fingerprints, face, retina, iris, palm, hand geometry, heart/pulse, voice, signature, keystroke
- Errors:
  - Type 1: False Rejection Rate (FRR)
  - Type 2: False Acceptance Rate (FAR)
  - Crossover error rate (CER)
- Enrollment
  - Reference profile/template
- Throughput rate

Comparing Identification and Authentication 5/5 (slide 372)
- Multifactor Authentication
- Device Authentication
  - Device fingerprinting
  - 802.1x
- Service Authentication
  - Application accounts

Implementing Identity Management 1/2 (slide 373)
- Centralized vs. decentralized
- Single Sign-On
  - LDAP and PKI
  - Kerberos
    - KDC, TGT, ST
  - Federated Identity Management
    - Security Assertion Markup Language (SAML), Service Provisioning Markup Language (SPML), Extensible Access Control Markup Language (XACML)
  - OAuth 2.0, OpenID, OpenID Connect
  - Scripted access

Implementing Identity Management 2/2 (slide 374)
- Credential Management Systems
- Integrating Identity Services
  - Identity and access as a service (IDaaS)
- Managing Sessions
- AAA Protocols
  - Remote Authentication Dial-in User Service (RADIUS)
  - Terminal Access Controller Access-Control System (TACACS)
  - Diameter

Managing the Identity and Access Provisioning Lifecycle (slide 375)
- Provisioning
- Account Review
  - Excessive privilege
  - Privilege creep
- Account Revocation

Conclusion (slide 376)
- Read the Exam Essentials
- Review the chapter
- Perform the Written Labs
- Answer the Review Questions

Chapter 14: Controlling and Monitoring Access (slide 377)

Comparing Access Control Models (overview, slide 378)
- Comparing Permissions, Rights, and Privileges
- Understanding Authorization Mechanisms
- Defining Requirements with a Security Policy
- Implementing Defense in Depth
- Summarizing Access Control Models
- Discretionary Access Controls
- Nondiscretionary Access Controls

Comparing Permissions, Rights, and Privileges (slide 379)
- Permissions: Access granted for an object
- Rights: Ability to take action on an object
- Privileges: Combination of rights and permissions

Understanding Authorization Mechanisms (slide 380)
- Implicit deny
- Access control matrix
- Capability tables
- Constrained interface
- Content-dependent control
- Context-dependent control
- Need to know
- Least privilege
- Separation of duties and responsibilities

Defining Requirements with a Security Policy (slide 381)
- Clarifies requirements
- Shows senior leadership support
- Sets guidelines and parameters

Implementing Defense in Depth (slide 382)
- Protects against single-focused attacks
- Document in security policy
- Personnel are key
- Uses combined solution approach

Summarizing Access Control Models (slide 383)
- Discretionary Access Control (DAC)
- Role Based Access Control (RBAC)
- Rule-based access control (rule BAC)
- Attribute Based Access Control (ABAC)
- Mandatory Access Control (MAC)

Discretionary Access Controls (slide 384)
- Owner, creator, custodian define access
- Based on identity
- Uses ACLs on each object
- Not centrally managed
- Supports change

Nondiscretionary Access Controls (slide 385)
- Centrally administered
- Changes affect entire environment
- Not based on identity, instead uses rules
- Less flexible

Role Based Access Control (slide 386)
- Based on subject's role or assigned tasks
- Enforces principle of least privilege
- Related to job descriptions and work functions
- Useful in dynamic environments
- Often implemented using groups (via DAC)
- Task based access control (TBAC)

Rule-Based Access Controls (slide 387)
- Rules, restrictions, filters
- Global rules apply to all subjects
- Firewall and router rules/filters

Attribute Based Access Controls (slide 388)
- Characteristics are used to determine rule applications
- Can relate to users, groups, network, or devices

Mandatory Access Control (slide 389)
- Based on classifications
  - Top Secret, Secret, Confidential
  - Confidential/Proprietary, Private, Sensitive, Public
- Need to know
- Prohibitive rather than permissive
- Hierarchical, Compartmentalization, Hybrid

Understanding Access Control Attacks (overview, slide 390)
- Risk Elements
- Identifying Assets
- Identifying Threats
- Threat Modeling Approaches
- Identifying Vulnerabilities
- Common Access Control Attacks
- Summary of Protection Methods

Risk Elements (slide 391)
- Risk
- Assets
- Threat
- Vulnerability
- Risk Management

Identifying Assets (slide 392)
- Asset valuation
  - Tangible value
  - Intangible value
- Cost-benefit analysis

Identifying Threats (slide 393)
- Threat modeling
  - Secure by Design, Secure by Default, Secure in Deployment and Communication (SD3+C)
  - Goals: Reduce number of defects; Reduce severity of remaining defects
- Advanced Persistent Threat (APT)

Threat Modeling Approaches (slide 394)
- Focused on assets
- Focused on attackers
- Focused on software

Identifying Vulnerabilities (slide 395)
- Vulnerability analysis
  - Weakness to threat
  - Technical and administrative
- Vulnerability scans

Common Access Control Attacks 1/2 (slide 396)
- Impersonation
- Access aggregation
- Password
  - Dictionary
  - Brute force
  - Birthday
  - Rainbow table
  - Sniffer

Common Access Control Attacks 2/2 (slide 397)
- Spoofing
- Social engineering
  - Phishing
  - Drive-by download
  - Spear phishing
  - Whaling
  - Vishing
- Smartcard
  - Side-channel attack

Summary of Protection Methods (slide 398)
- Control physical access and electronic access
- Create a strong password policy
- Hash and salt passwords
- Use password masking
- Deploy multifactor authentication
- Use account lockout controls
- Use last logon notification
- Educate users about security

Conclusion (slide 399)
- Read the Exam Essentials
- Review the chapter
- Perform the Written Labs
- Answer the Review Questions

Chapter 15: Security Assessment and Testing (slide 400)

Building a Security Assessment and Testing Program (slide 401)
- Security Testing
  - Verify controls are functioning properly
- Security Assessments
  - Comprehensive review of security infrastructure
- Security Audits
  - Independent assessment of security by third party

Review Security Controls 1/2 (slide 402)
- Availability of security testing resources
- Criticality of the systems and applications protected by the tested controls
- Sensitivity of information contained on tested systems and applications
- Likelihood of a technical failure of the mechanism implementing the control
- Likelihood of a misconfiguration of the control that would jeopardize security

Review Security Controls 2/2 (slide 403)
- Risk that the system will come under attack
- Rate of change of the control configuration
- Other changes in the technical environment that may affect the control performance
- Difficulty and time required to perform a control test
- Impact of the test on normal business operations

Security Audits 1/2 (slide 404)
- Internal audits
- External audits
- Third-party audits
  - American Institute of Certified Public Accountants (AICPA): Statement on Standards for Attestation Engagements document 16 (SSAE 16), Reporting on Controls
  - Type I reports provide a description of the controls
  - Type II reports address effectiveness of controls

Security Audits 2/2 (slide 405)
- Auditing Standards
  - Control Objectives for Information and related Technologies (COBIT)
  - International Organization for Standardization (ISO) ISO 27001

Performing Vulnerability Assessments 1/3 (slide 406)
- Describing Vulnerabilities: Security Content Automation Protocol (SCAP)
  - Common Vulnerabilities and Exposures (CVE)
  - Common Vulnerability Scoring System (CVSS)
  - Common Configuration Enumeration (CCE)
  - Common Platform Enumeration (CPE)
  - Extensible Configuration Checklist Description Format (XCCDF)
  - Open Vulnerability and Assessment Language (OVAL)

Performing Vulnerability Assessments 2/3 (slide 407)
- Vulnerability Scans
  - Network discovery scans
    - TCP SYN, TCP Connect, TCP ACK, XMAS
  - Network vulnerability scans
    - False positive vs. false negative
  - Web application vulnerability scans
  - Database vulnerability scanning
- Vulnerability Management Workflow
  - Detection, validation, remediation

Performing Vulnerability Assessments 3/3 (slide 408)
- Penetration Testing
  - Phases: Planning, information gathering and discovery, vulnerability scanning, exploitation, reporting
  - Forms: White box, Gray box, Black box

Testing Your Software (overview, slide 409)
- Code Review and Testing
- Interface Testing
- Misuse Case Testing
- Test Coverage Analysis
- Website Monitoring

Code Review and Testing (slide 410)
- Code review
  - Peer review
  - Fagan inspections
    - When code flaws may have catastrophic impact
    - Planning, overview, preparation, inspection, rework, follow-up
- Static testing vs. dynamic testing
- Fuzz testing
  - Mutation, generational, bit flipping

Interface Testing (slide 411)
- Needed with complex software
- Application programming interfaces (APIs)
- User interfaces
- Physical interfaces
- Design flexible interfaces without introducing more security risks

Misuse Case Testing (slide 412)
- User activity prediction
- Abuse case testing
- Known misuses
- Manual and automated misuse attacks

Test Coverage Analysis (slide 413)
- Impossible to completely test software
- Too many ways to malfunction or undergo attack
- Estimate the degree of testing conducted
- Test coverage analysis: Branch, condition, function, loop, statement

Website Monitoring (slide 414)
- Performance management, troubleshooting, identification of potential security issues
- Passive monitoring
  - Real user monitoring (RUM)
  - Detect issues after occurrence
- Synthetic monitoring (active monitoring)
  - Detect issues before occurrence

Implementing Security Management Processes (slide 415)
- Log Reviews
  - Security information and event management (SIEM)
- Account Management
  - Review/audit of accounts and privileges
- Backup Verification
- Key Performance and Risk Indicators
  - Open vulnerabilities, time to resolve, reoccurrence, number of compromised accounts, number of flaws, repeated findings, visits of malicious sites

Conclusion (slide 416)
- Read the Exam Essentials
- Review the chapter
- Perform the Written Labs
- Answer the Review Questions

Chapter 16: Managing Security Operations (slide 417)

Applying Security Operations Concepts (overview, slide 418)
- Need to Know and Least Privilege
- Separation of Duties and Responsibilities
- Job Rotation
- Mandatory Vacations
- Privileged Account Management
- Managing the Information Life Cycle
- Service-Level Agreements
- Addressing Personnel Safety and Security

Need to Know and Least Privilege (slide 419)
- Need to Know
  - Work task related access
  - Often related to clearance
- The Principle of Least Privilege
  - Entitlement
  - Aggregation
  - Transitive Trust

Separation of Duties and Responsibilities (slide 420)
- No single person with total control
- Separation of privilege
  - Applications and processes
- Segregation of duties
  - Avoids conflicts of interest
  - See Figure 16.1
- Two-person control

Job Rotation (slide 421)
- Related to privilege management
- Rotation of duties
- Peer review
- Reduce fraud
- Cross-training

Mandatory Vacations (slide 422)
- One or two week increments
- No local or remote access
- Peer review
- Detect fraud
- Deterrent and detection

Privileged Account Management (slide 423)
- Special access or elevated rights
- Administrative and sensitive job tasks
- Privileged entities
- Monitoring is essential
- Trusted employees

Managing the Information Lifecycle (slide 424)
- Creation or capture
- Classification
- Storage
- Usage
- Archive
- Destruction or purging

Service-Level Agreements (slide 425)
- SLAs
- Memorandum of understanding (MOU)
- Interconnection Security Agreement (ISA)
  - NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems

Addressing Personnel Safety and Security (slide 426)
- Exit doors
  - Fail-safe vs. fail-secure doors
- Duress systems and code phrases
- Travel safety
  - Sensitive data
  - Malware and monitoring devices
  - Free WiFi and VPNs
- Emergency management
- Security training and awareness

Securely Provisioning Resources (overview, slide 427)
- Managing Hardware and Software Assets
- Protecting Physical Assets
- Managing Virtual Assets
- Managing Cloud-Based Assets
- Media Management

Managing Hardware and Software Assets (slide 428)
- Hardware inventories
  - RFID tracking
  - Sanitize before disposal
  - Portable media management
- Software licensing

Protecting Physical Assets (slide 429)
- Includes building and contents
- Fences
- Barricades
- Locked doors
- Guards
- Security cameras / CCTV
- Building design and layout

Managing Virtual Assets (slide 430)
- Virtualization
- Software-defined assets
  - Virtual machines (VMs)
  - Virtual desktop infrastructure (VDI)
  - Software-defined networks (SDN)
  - Virtual storage area networks (VSAN)
- Hypervisor

Managing Cloud-based Assets (slide 431)
- Resources are located outside of direct control
- DoD Cloud Computing Security Requirements Guide
- Cloud service provider (CSP)
  - Software as a service (SaaS)
  - Platform as a service (PaaS)
  - Infrastructure as a service (IaaS)
- Public, private, hybrid, community

Media Management (slide 432)
- Protect media itself and data stored on media
- Tape media
- USB flash drives
- Mobile devices
  - Choose your own device (CYOD)
  - Bring your own device (BYOD)
  - Mobile device management (MDM)
- Media life cycle
  - Mean time to failure (MTTF)

Managing Configuration (slide 433)
- Baselining
- Using Images for Baselining

Managing Change (slide 434)
- Change management helps reduce unanticipated outages caused by unauthorized changes
- Security impact analysis
- Request, review, approve/reject, test, schedule/implement, document
- Security assurance requirements (SAR)
- Versioning
- Configuration documentation

Managing Patches and Reducing Vulnerabilities (slide 435)
- Systems to Manage
  - End devices, servers, network devices, embedded devices, IoT
- Patch Management
  - Evaluate, Test, Approve, Deploy, Verify
- Vulnerability Management
  - Scanners and assessments
  - Vulnerability assessments
  - Common Vulnerabilities and Exposures (CVE)

Conclusion (slide 436)

- Read the Exam Essentials
- Review the chapter
- Perform the Written Labs
- Answer the Review Questions

Chapter 17: Preventing and Responding to Incidents (slide 437)

Managing Incident Response (overview, slide 438)
- Defining an Incident
- Incident Response Steps

Defining an Incident 1/2 (slide 439)
- Any negative effect on CIA
- Unplanned interruption to IT
- Computer security incident
  - RFC 2350, Expectations for Computer Security Incident Response: "Any adverse event which compromises some aspect of computer or network security."
  - NIST SP 800-61, Computer Security Incident Handling Guide

Defining an Incident 2/2 (slide 440)
- Any attempted network intrusion
- Any attempted denial-of-service attack
- Any detection of malicious software
- Any unauthorized access of data
- Any violation of security policies

Incident Response Steps (overview, slide 441)
- Detection
- Response
- Mitigation
- Reporting
- Recovery
- Remediation
- Lessons Learned

IR Step: Detection (slide 442)
- Detecting actual or potential incidents
- IDSes, AV, audits, automated tools, end users
- First responders

IR Step: Response (slide 443)
- Based on severity of incident
- Computer incident response team (CIRT)/computer security incident response team (CSIRT)
- Faster response limits damage

IR Step: Mitigation (slide 444)
- Contain the incident
- Limit the effect or scope
- May involve disconnecting from the network
- Actions in this step may be noticed by an attacker

IR Step: Reporting (slide 445)
- Internal and external notification
- May be mandated by regulation
- PII violations are of critical concern in many jurisdictions
- Relevant training is needed to properly recognize and report incidents

IR Step: Recovery (slide 446)
- Evidence collection should be completed before recovery efforts
- Recovery is to return the environment to a normal state or condition
- Security should be restored to an equal or greater level than before the incident

IR Step: Remediation (slide 447)
- Analyze the incident to determine the cause
- Implement countermeasures to prevent a recurrence
- Root-cause analysis

IR Step: Lessons Learned (slide 448)
- Determine what can be learned from the incident and the response
- Focus on improving future response
- May highlight need for additional training
- May require adjustment of security infrastructure
- CIRT submits analysis and recommendations report to management

Implementing Detective and Preventive Measures (overview, slide 449)
- Basic Preventive Measures
- Understanding Attacks
- Intrusion Detection and Prevention Systems
- Specific Preventive Measures

Basic Preventive Measures (slide 450)
- Keep systems and applications up-to-date
- Remove or disable unneeded services and protocols
- Use intrusion detection and prevention systems
- Use up-to-date anti-malware software
- Use firewalls
- Implement configuration and system management processes

Understanding Attacks 1/2 (slide 451)
- Botnets
- Denial of service
  - Distributed denial-of-service (DDoS)
  - Distributed reflective denial-of-service (DRDoS)
  - SYN flood attack
  - Smurf and Fraggle attacks
  - Ping flood
  - Ping of Death
  - Teardrop

Understanding Attacks 2/2 (slide 452)
- LAND attack
- Zero-day exploit
- Malicious code
  - Drive-by download
  - Malvertising
- Man-in-the-middle
- War dialing
- Sabotage
- Espionage

Intrusion Detection and Prevention Systems (slide 453)
- IDS, IPS, IDPS
- NIST SP 800-94, Guide to Intrusion Detection and Prevention Systems
- Knowledge and behavior-based detection
- SIEM systems
- IDS response
  - Active vs. passive
- Host and network IDS
- Intrusion prevention systems

Specific Preventive Measures (slides 454-455)
- Honeypots/honeynets
  - Pseudo flaw
  - Padded cell
- Warning banners
- Anti-malware
- Whitelisting and blacklisting
- Firewalls
- Sandboxing
- Third-Party Security Services
  - Payment Card Industry Data Security Standard (PCI DSS)
  - SaaS cloud security
- Penetration testing
  - Risks
  - Obtaining permission
  - Black box, white box, gray box
  - Reports
  - Ethical hacking

Logging, Monitoring, and Auditing (overview, slide 456)
- Logging and Monitoring
- Monitoring Techniques
- Egress Monitoring
- Auditing to Assess Effectiveness
- Security Audits and Reviews
- Reporting Audit Results

Logging and Monitoring (slide 457)
- Security logs, system logs, application logs, firewall logs, proxy logs, change logs
- Protecting log data
  - FIPS 200, audit log security requirements
- Audit trails
- Monitoring and accountability
- Monitoring and investigations
- Monitoring and problem identification

Monitoring Techniques (slide 458)
- Log analysis
- Security Information and Event Management (SIEM)
  - Security Event Management (SEM)
  - Security Information Management (SIM)
- Sampling or data extraction
- Clipping levels
- Keystroke monitoring
- Traffic and trend analysis

Egress Monitoring (slide 459)
- Data loss prevention (DLP)
  - Network-based DLP
  - Endpoint-based DLP
- Steganography
- Watermarking

Auditing to Assess Effectiveness (slide 460)
- Auditing, auditors
- Methodical examination
- Compliance
- Inspection audits
- Access review audits
- User entitlement audits
- Audits of privileged groups
  - High-level administrators
  - Dual administrator accounts

Security Audits and Reviews (slide 461)
- Patch management
- Vulnerability management
- Configuration management
- Change management

Reporting Audit Results (slide 462)
- Purpose, scope, results
- Problems, events, and conditions
- Standards, criteria, and baselines
- Causes, reasons, impact, and effect
- Recommended solutions and safeguards
- Protecting audit results
- Distributing audit reports
- Using external auditors

Conclusion (slide 463)
- Read the Exam Essentials
- Review the chapter
- Perform the Written Labs
- Answer the Review Questions

Chapter 18: Disaster Recovery Planning (slide 464)

The Nature of Disaster (slide 465)
- Natural Disasters
  - Earthquakes
  - Floods, storms, fires
  - Regional events
- Man-Made Disasters
  - Fires
  - Acts of terrorism
  - Bombings/explosions
  - Power outages
  - Network/utility/infrastructure failures
  - Hardware/software failures
  - Strikes/picketing
  - Theft/vandalism

Understand System Resilience and Fault Tolerance (overview, slide 466)
- Fault Tolerance and System Resilience
- Protecting Hard Drives
- Protecting Servers
- Protecting Power Sources
- Trusted Recovery
- Quality of Service

Fault Tolerance and System Resilience (slide 467)
- Single point of failure (SPOF)
- Fault tolerance
- System resilience

Protecting Hard Drives (slide 468)
- RAID-0
- RAID-1
- RAID-5
- RAID-10
- Hardware vs. software
- Hot swapping vs. cold swapping

Protecting Servers (slide 469)
- Failover clusters
- Load balancing
- Scalability
- Replication between members

Protecting Power Sources (slide 470)
- UPS
- Spike, sag, surge, brownout
- Transient
- Generators

Trusted Recovery (slide 471)
- Assurance after failure or crash
- Fail-secure, fail-open
- Preparation
- System recovery
  - Reboot into non-privileged state, restore all affected files to pre-failure settings/values
- Manual recovery, automated recovery
- Automated recovery without undue loss
- Function recovery

Quality of Service (slide 472)
- Bandwidth
- Latency
- Jitter
- Packet loss
- Interference
- Prioritization

Recovery Strategy (overview, slide 473)
- Business Unit and Functional Priorities
- Crisis Management
- Emergency Communications
- Workgroup Recovery
- Alternate Processing Sites
- Mutual Assistance Agreements
- Database Recovery

Business Unit and Functional Priorities (slide 474)
- Prioritization
- Mission critical business functions/units
- Detailed ordered list of business processes
- Priority based on:
  - Risk
  - Cost assessment
  - Mean time to recovery (MTTR)
  - Maximum tolerable outage (MTO)
  - Recovery objectives

Crisis Management (slide 475)
- Mitigate with disaster recovery plan
- Training on disaster recovery procedures
- Train and document to counter panic
- Crisis training

Emergency Communications (slide 476)
- Internal and external
- Keep outside informed of recovery process
- Support recovery through internal communications
- Alternatives in the event of infrastructure collapse during major disasters

Workgroup Recovery (slide 477)
- Each department needs to be recovered
- Restore workers' ability to perform work tasks
- DRP is not IT only
- May require numerous strategies
- Independent recovery of work divisions

Alternate Processing Sites (slide 478)
- Cold site
- Hot site
- Warm site
- Mobile site
- Service bureaus
- Cloud computing

Mutual Assistance Agreements (slide 479)
- Reciprocal agreements
- Difficult to enforce
- Requires close proximity
- Confidentiality concerns

Database Recovery (slide 480)
- Electronic vaulting
- Remote journaling
- Remote mirroring

Recovery Plan Development (slide 481)
- Emergency response
- Personnel and communications
- Assessment
- Backups and offsite storage (see next slide)
- Software escrow arrangements
- External communications
- Utilities
- Logistics and supplies
- Recovery vs. restoration
- Training, awareness, and documentation

Backups and Offsite Storage (slide 482)
- Full, incremental, differential
- Onsite and offsite
- Media rotation schemes
- Backup tape formats
- Disk to disk backup
- Best practices
- Tape rotation

Testing and Maintenance (slide 483)
- Read-through test
- Structured walk-through
- Simulation test
- Parallel test
- Full-interruption test
- Maintenance

Conclusion (slide 484)
- Read the Exam Essentials
- Review the chapter
- Perform the Written Labs
- Answer the Review Questions

Chapter 19: Investigations and Ethics (slide 485)

Investigations (overview, slide 486)
- Investigation Types
- Evidence
- Investigation Process

Investigation Types 1/2 (slide 487)
- Administrative
  - Operational
  - Root-cause analysis
- Criminal
  - Beyond a reasonable doubt
- Civil
  - Preponderance of the evidence
- Regulatory

Investigation Types 2/2 (slide 488)
- Electronic discovery
  - Information governance
  - Identification
  - Preservation
  - Collection
  - Processing
  - Review
  - Analysis
  - Production
  - Presentation

Evidence 1/3 (slide 489)
- Admissible
- Real
- Documentary
  - Best evidence rule, parol evidence rule
  - Chain of evidence/chain of custody
- Testimonial

Evidence 2/3 (slide 490)
- Evidence collection
- International Organization on Computer Evidence (IOCE)
  - Follow general forensic and procedural principles
  - Actions taken should not change that evidence
  - Only trained personnel
  - All activity must be fully documented, preserved, and available for review
  - Individual is responsible for digital evidence while in their possession
  - The agency is responsible for compliance with these principles

Evidence 3/3 (slide 491)
- Forensic procedures
  - Media analysis
  - Network analysis
  - Software analysis
  - Hardware/embedded device analysis

Investigation Process 1/3 (slide 492)
- Rules of engagement
- Gathering evidence
  - Voluntary surrender
  - Subpoena
  - Search warrant
- Calling in law enforcement

Investigation Process 2/3 (slide 493)
- Conducting the investigation
  - Don't use compromised systems
  - Don't hack back
  - Call in the experts for assistance
- Interviewing individuals
  - Interview vs. interrogation
  - Trained investigators

Investigation Process 3/3 (slide 494)
- Data Integrity and Retention
  - Maintain integrity of all evidence
  - Archiving policy
  - Log file sanitization/destruction
  - Remote logging
  - Digital signatures
- Reporting and Documenting Investigations
  - When to report and to whom to report
  - Escalation and legal action may require reporting
  - Documentation of all incidents

Major Categories of Computer Crime (slide 495)
- Military and intelligence attacks
  - Advanced Persistent Threat (APT)
- Business attacks
  - Corporate espionage or industrial espionage
- Financial attacks
- Terrorist attacks
- Grudge attacks
  - Insider threats
- Thrill attacks
  - Script kiddies, hacktivists

Ethics (overview, slide 496)
- (ISC)2 Code of Ethics
- Ethics and the Internet

(ISC)2 Code of Ethics (slide 497)
- Protect society, the common good, necessary public trust and confidence, and the infrastructure.
- Act honorably, honestly, justly, responsibly, and legally.
- Provide diligent and competent service to principals.
- Advance and protect the profession.

Ethics and the Internet (slide 498)
- RFC 1087: Activity is unacceptable and unethical that
  - Seeks to gain unauthorized access to the resources of the Internet
  - Disrupts the intended use of the Internet
  - Wastes resources (people, capacity, computer) through such actions
  - Destroys the integrity of computer-based information
  - Compromises the privacy of users

Conclusion (slide 499)
- Read the Exam Essentials
- Review the chapter
- Perform the Written Labs
- Answer the Review Questions

Chapter 20: Software Development Security (slide 500)

Introducing Systems Development Controls (slide 501, overview)
Software Development
Systems Development Lifecycle
Lifecycle Models
Gantt Charts and PERT
Change and Configuration Management
The DevOps Approach
Application Programming Interfaces
Software Testing
Code Repositories
Service-Level Agreements
Software Acquisition

Software Development 1/2 (slide 502)
Programming languages
Machine language
Compiled code and interpreted code
Compiler, decompiler
Object-oriented programming
Message, method, behavior, class, instance, inheritance, delegation, polymorphism, cohesion, coupling
Assurance

Software Development 2/2 (slide 503)
Avoiding and mitigating system failure
Input validation
Limit check
Authentication and session management
Error handling
Logging
Fail-secure and fail-open

Systems Development Life Cycle (slide 504)
Conceptual definition
Functional requirements determination
Inputs, behavior, outputs
Control specifications development
Design review
Code review walk-through
User acceptance testing
Maintenance and change management

Life Cycle Models 1/3 (slide 505)
Waterfall model (view next slide)
Feedback loop characteristic
Spiral model
Metamodel
Prototyping

Waterfall Lifecycle Model (slide 506)

Life Cycle Models 2/3 (slide 507)
Agile software development
Agile Manifesto defines 12 principles
Individuals and interactions over processes and tools
Working software over comprehensive documentation
Customer collaboration over contract negotiation
Responding to change over following a plan

Life Cycle Models 3/3 (slide 508)
Software capability maturity model (SCMM)
Initial
Repeatable
Defined
Managed
Optimized
IDEAL model
Initiating
Diagnosing
Establishing
Acting
Learning

Gantt Charts and PERT 1/2 (slide 509)
Scheduling of projects
Gantt relates project elements and time schedules

Gantt Charts and PERT 2/2 (slide 510)
Program Evaluation Review Technique (PERT)
Focuses on software size
Goal: more efficient software

Change and Configuration Management (slide 511)
Request control
Change control
Release control
Configuration identification
Configuration control
Configuration status accounting
Configuration audit

The DevOps Approach (slide 512)
Development and operations
Combines software development, quality assurance, and technology operations
Aligned with Agile

Application Programming Interfaces (slide 513)
Balance opportunities with security
Authentication requirements
Public vs. limited use
Tested for security flaws

Software Testing (slide 514)
Reasonableness check
Handling of types, values, bounds, and conditions
Separation of duties
White-box, black-box, gray-box
Static testing
Dynamic testing

Code Repositories (slide 515)
Collaboration
Large-scale software projects
Central storage point
Version control
Bug tracking
Hosting
Release management
Communications functions

Service-Level Agreements (slide 516)
Defines service requirements between provider and customer
Necessary for all critical outsourced tasks/processes
Should address: uptime, downtime, peak load, average load, diagnostics, failover/redundancy
Financial and contractual remedies for noncompliance

Software Acquisition (slide 517)
On-premises deployment or cloud
SaaS, PaaS, IaaS
Security is top concern

Establishing Databases and Data Warehousing (slide 518, overview)
Database Management System Architecture
Database Transactions
Security for Multilevel Databases
Open Database Connectivity (ODBC)
NoSQL

Database Management System Architecture (slide 519)
Hierarchical
Distributed
Relational
Fields, attributes, cells
Tuple, row
Cardinality and degree
Domain, range of values
Candidate keys, primary key, foreign keys
Schema, DDL, DML

Database Transactions (slide 520)
Atomicity
Consistency
Isolation
Durability

Security for Multilevel Databases (slide 521)
Database contamination
Restricting access with views
Concurrency
Time stamps
Granular access control, content-dependent
Cell suppression
Database partitioning
Polyinstantiation
Noise and perturbation

Open Database Connectivity (slide 522)
Open Database Connectivity (ODBC)
Proxy between database and application
Freedom from direct DBMS programming

NoSQL (slide 523)
Nonrelational databases
Key/value stores
Graph databases
Document stores
Extensible Markup Language (XML) and JavaScript Object Notation (JSON)

Storing Data and Information (slide 524, overview)
Types of Storage
Storage Threats

Types of Storage (slide 525)
Primary/real
Secondary
Virtual memory
Virtual storage
Random access storage
Sequential access storage
Volatile storage
Nonvolatile storage

Storage Threats (slide 526)
Illegitimate access
Access controls
Prevent OS control bypass
Encryption
Prevent cross-level exploitation
Covert channel attacks

Understanding Knowledge-Based Systems 1/2 (slide 527)
Expert Systems
If/then statement knowledge base, inference engine, fuzzy logic
Machine Learning
Supervised learning
Unsupervised learning
Neural Networks
Deep learning or cognitive systems
Delta rule, learning rule

Understanding Knowledge-Based Systems 2/2 (slide 528)
Security Applications
Capability to rapidly make consistent decisions
Thoroughly analyze massive amounts of data

Conclusion (slide 529)
Read the Exam Essentials
Review the chapter
Perform the Written Labs
Answer the Review Questions

Chapter 21 Malicious Code and Application Attacks (slide 530)

Malicious Code (slide 531, overview)
Sources of Malicious Code
Viruses
Logic Bombs
Trojan Horses
Worms
Spyware and Adware
Zero-Day Attacks

Sources of Malicious Code (slide 532)
Skilled malicious software developers
Script kiddies
Amateur code developers
Advanced persistent threat (APT)

Viruses 1/2 (slide 533)
Propagation techniques
Master boot record
File infector
Macro virus
Service injection virus
Platforms vulnerable to viruses
Mostly Windows
All OSs have some malware

Viruses 2/2 (slide 534)
Antivirus mechanisms
Signature, heuristic/behavior
Virus technologies
Multipartite viruses
Stealth viruses
Polymorphic viruses
Encrypted viruses
Hoax

Logic Bombs (slide 535)
Lie dormant
Wait for triggering event
Time, program launch, website logon, ...

Trojan Horses (slide 536)
Benign host delivers malicious payload
Rogue antivirus software
Ransomware
CryptoLocker
Botnet

Worms (slide 537)
Self-propagation
Code Red
Stuxnet

Spyware and Adware (slide 538)
Spyware
Monitors your actions
Transmits details to remote system
May include keystroke logging
Adware
Displays advertising
Pop-up ads
Monitors shopping, redirects to competitor sites

Zero-Day Attacks (slide 539)
Security flaws discovered by hackers that have not been thoroughly addressed by the security community
Window of vulnerability
Defense-in-depth approach
Overlapping security controls

Password Attacks (slide 540)
Password Guessing
Dictionary Attacks
Rainbow table
Brute force
Social Engineering
Spear phishing, whaling, vishing
Dumpster diving
Countermeasures: longer, more complex passwords

Application Attacks (slide 541)
Buffer overflows
Time of check to time of use (TOCTOU or TOC/TOU)
Back doors
Escalation of privilege and rootkits

Web Application Security (slide 542)
Cross-site scripting (XSS)
Input validation
Cross-site request forgery (XSRF/CSRF)
SQL Injection
Dynamic Web applications
Use prepared statements
Perform input validation
Limit account privileges

Reconnaissance Attacks (slide 543)
IP probes
IP sweeps, ping sweeps
Port scans
Vulnerability scans

Masquerading Attacks (slide 544)
IP spoofing
Session hijacking

Conclusion (slide 545)
Read the Exam Essentials
Review the chapter
Perform the Written Labs
Answer the Review Questions
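The Web Application Security slide lists prepared statements and input validation as the SQL injection countermeasures. As an added example that is not part of the slide deck, the same login lookup is written once with dynamic SQL and once with a prepared (parameterized) statement, plus an allow-list validator in front of it, against a constructed in-memory SQLite table so the difference is observable (user names and hash values are placeholders).

```python
import re
import sqlite3

# Constructed sample data; names and hash strings are placeholders.
SAMPLE_USERS = [("alice", "hash-a"), ("bob", "hash-b")]

# Allow-list input validation: only the characters a username may contain.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Dynamic SQL: the untrusted value is spliced into the statement text,
    # so a quote character in the input changes the query's structure.
    sql = f"SELECT name FROM users WHERE name = '{name}' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn: sqlite3.Connection, name: str) -> list:
    # Prepared statement: the value is bound as data by the driver and is
    # never parsed as SQL, whatever characters it contains.
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


def lookup_validated(conn: sqlite3.Connection, name: str) -> list:
    # Defense in depth: reject input outside the expected character set
    # before it reaches the database, then still use the prepared form.
    if not USERNAME_RE.match(name):
        raise ValueError("invalid username")
    return lookup_prepared(conn, name)
```

With the classic input `' OR '1'='1`, the dynamic query returns every user while the prepared statement returns no rows and the validator rejects the input outright; limiting the database account's privileges (the slide's third point) bounds the damage if either layer is ever bypassed.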
