(ISC)2 SSCP Systems Security Certified Practitioner Official Study Guide

The only SSCP study guide officially approved by (ISC)2

The (ISC)2 Systems Security Certified Practitioner (SSCP) certification is a well-known vendor-neutral global IT security certification. The SSCP is designed to show that holders have the technical skills to implement, monitor, and administer IT infrastructure using information security policies and procedures.

This comprehensive Official Study Guide—the only study guide officially approved by (ISC)2—covers all objectives of the seven SSCP domains.

• Security Operations and Administration
• Access Controls
• Risk Identification, Monitoring, and Analysis
• Incident Response and Recovery
• Cryptography
• Network and Communications Security
• Systems and Application Security

This updated Third Edition covers the SSCP exam objectives effective as of November 2021. Much of the new and more advanced knowledge expected of an SSCP is now covered in a new chapter "Cross-Domain Challenges." If you're an information security professional or student of cybersecurity looking to tackle one or more of the seven domains of the SSCP, this guide gets you prepared to pass the exam and enter the information security workforce with confidence.

ABOUT THE AUTHOR

Michael S. Wills, SSCP, CISSP, CAMS, is Assistant Professor of Applied Information Technologies in the College of Business at the Embry-Riddle Aeronautical University’s Worldwide Campus. He has many years of experience designing, building, and operating cutting-edge secure systems, and wrote (ISC)²’s official training courses for both the SSCP and CISSP. He is also the creator of ERAU’s Master of Science in Information Security and Assurance degree program.

Introduction xxv

Assessment Test xlviii

Part I Getting Started as an SSCP 1

Chapter 1 The Business Case for Decision Assurance and Information Security 3

Information: The Lifeblood of Business 4

Data, Information, Knowledge, Wisdom… 5

Information Is NotInformation Technology 8

Policy, Procedure, and Process: How Business Gets Business Done 10

Who Is the Business? 11

“What’s the Business Case for That?” 12

Purpose, Intent, Goals, Objectives 13

Business Logic and Business Processes: Transforming Assets into Opportunity, Wealth, and Success 14

The Value Chain 15

Being Accountable 17

Who Runs the Business? 20

Owners and Investors 20

Boards of Directors 20

Managing or Executive Directors and the “C-Suite” 21

Layers of Function, Structure, Management, and Responsibility 21

Plans and Budgets, Policies, and Directives 23

Summary 24

Exam Essentials 24

Review Questions 26

Chapter 2 Information Security Fundamentals 33

The Common Needs for Privacy, Confidentiality, Integrity, and Availability 34

Privacy 34

Confidentiality 38

Integrity 39

Availability 40

Privacy vs. Security, or Privacy and Security? 41

CIANA+PS Needs of Individuals 43

Private Business’s Need for CIANA+PS 44

Government’s Need for CIANA+PS 45

The Modern Military’s Need for CIA 45

Do Societies Need CIANA+PS? 46

Training and Educating Everybody 47

SSCPs and Professional Ethics 47

Summary 49

Exam Essentials 50

Review Questions 54

Part II Integrated Risk Management and Mitigation 61

Chapter 3 Integrated Information Risk Management 63

It’s a Dangerous World 64

What Is Risk? 66

Risk: When Surprise Becomes Disruption 69

Information Security: Delivering Decision Assurance 71

“Common Sense” and Risk Management 74

The Four Faces of Risk 75

Outcomes-Based Risk 77

Process-Based Risk 78

Asset-Based Risk 79

Threat-Based (or Vulnerability-Based) Risk 79

Getting Integrated and Proactive with Information Defense 83

Lateral Movement: Mitigate with Integrated C3 86

Trust, but Verify 87

Due Care and Due Diligence: Whose Jobs Are These? 87

Be Prepared: First, Set Priorities 88

Risk Management: Concepts and Frameworks 89

The SSCP and Risk Management 92

Plan, Do, Check, Act 93

Risk Assessment 95

Establish Consensus about Information Risk 95

Information Risk Impact Assessment 96

Information Classification and Categorization 97

Risk Analysis 99

The Business Impact Analysis 105

From Assessments to Information Security Requirements 106

Four Choices for Limiting or Containing Damage 107

Deter 109

Detect 110

Prevent 110

Avoid 111

Summary 114

Exam Essentials 114

Review Questions 120

Chapter 4 Operationalizing Risk Mitigation 127

From Tactical Planning to Information Security Operations 128

Operationally Outthinking Your Adversaries 130

Getting Inside the Other Side’s OODA Loop 132

Defeating the Kill Chain 133

Operationalizing Risk Mitigation: Step by Step 134

Step 1: Assess the Existing Architectures 135

Step 2: Assess Vulnerabilities and Threats 142

Step 3: Select Risk Treatment and Controls 152

Step 4: Implement Controls 159

Step 5: Authorize: Senior Leader Acceptance and Ownership 163

The Ongoing Job of Keeping Your Baseline Secure 164

Build and Maintain User Engagement with Risk Controls 165

Participate in Security Assessments 166

Manage the Architectures: Asset Management and Change Control 169

Ongoing, Continuous Monitoring 174

Exploiting What Monitoring and Event Data Is Telling You 177

Incident Investigation, Analysis, and Reporting 181

Reporting to and Engaging with Management 182

Summary 183

Exam Essentials 183

Review Questions 189

Part III The Technologies of Information Security 197

Chapter 5 Communications and Network Security 199

Trusting Our Communications in a Converged World 200

CIANA+PS: Applying Security Needs to Networks 203

Threat Modeling for Communications Systems 205

Internet Systems Concepts 206

Datagrams and Protocol Data Units 207

Handshakes 208

Packets and Encapsulation 209

Addressing, Routing, and Switching 211

Network Segmentation 212

URLs and the Web 212

Topologies 213

“Best Effort” and Trusting Designs 217

Two Protocol Stacks, One Internet 218

Complementary, Not Competing, Frameworks 218

Layer 1: The Physical Layer 222

Layer 2: The Data Link Layer 223

Layer 3: The Network Layer 225

Layer 4: The Transport Layer 226

Layer 5: The Session Layer 230

Layer 6: The Presentation Layer 231

Layer 7: The Application Layer 232

Cross-Layer Protocols and Services 233

IP and Security 234

Layers or Planes? 235

Network Architectures 236

DMZs and Botnets 237

Software-Defined Networks 238

Virtual Private Networks 239

Wireless Network Technologies 240

Wi-Fi 241

Bluetooth 242

Near-Field Communication 242

IP Addresses, DHCP, and Subnets 243

DHCP Leases: IPv4 and IPv6 243

IPv4 Address Classes 245

Subnetting in IPv4 247

IPv4 vs. IPv6: Important Differences and Options 248

CIANA Layer by Layer 251

CIANA at Layer 1: Physical 251

CIANA at Layer 2: Data Link 254

CIANA at Layer 3: Network 256

CIANA at Layer 4: Transport 257

CIANA at Layer 5: Session 258

CIANA at Layer 6: Presentation 260

CIANA at Layer 7: Application 260

Securing Networks as Systems 262

Network Security Devices and Services 263

Wireless Network Access and Security 264

CIANA+PS and Wireless 265

Monitoring and Analysis for Network Security 267

A SOC Is Not a NOC 269

Tools for the SOC and the NOC 270

Integrating Network and Security Management 271

Summary 273

Exam Essentials 273

Review Questions 280

Chapter 6 Identity and Access Control 285

Identity and Access: Two Sides of the Same CIANA+PS Coin 286

Identity Management Concepts 288

Identity Provisioning and Management 289

Identity and AAA 293

Access Control Concepts 295

Subjects and Objects—Everywhere! 296

Data Classification and Access Control 297

Bell-LaPadula and Biba Models 299

Role-Based 302

Attribute-Based 303

Subject-Based 303

Object-Based 304

Rule-Based Access Control 304

Risk-Based Access Control 304

Mandatory vs. Discretionary Access Control 305

Network Access Control 305

IEEE 802.1X Concepts 307

RADIUS Authentication 308

TACACS and TACACS+ 309

Implementing and Scaling IAM 310

Choices for Access Control Implementations 311

“Built-in” Solutions? 313

Other Protocols for IAM 314

Multifactor Authentication 315

Server-Based IAM 319

Integrated IAM systems 320

Single Sign-On 321

OpenID Connect 322

Identity as a Service (IDaaS) 322

Federated IAM 322

Session Management 323

Kerberos 325

Credential Management 326

Trust Frameworks and Architectures 328

User and Entity Behavior Analytics (UEBA) 329

Zero Trust Architectures 332

Summary 333

Exam Essentials 334

Review Questions 343

Chapter 7 Cryptography 349

Cryptography: What and Why 350

Codes and Ciphers: Defining Our Terms 352

Cryptography, Cryptology, or…? 357

Building Blocks of Digital Cryptographic Systems 358

Cryptographic Algorithms 359

Cryptographic Keys 360

Hashing as One-Way Cryptography 362

A Race Against Time 365

“The Enemy Knows Your System” 366

Keys and Key Management 367

Key Storage and Protection 367

Key Revocation and Disposal 368

Modern Cryptography: Beyond the “Secret Decoder Ring” 370

Symmetric Key Cryptography 370

Asymmetric Key Cryptography 370

Hybrid Cryptosystems 371

Design and Use of Cryptosystems 371

Cryptanalysis, Ethical and Unethical 372

Cryptographic Primitives 373

Cryptographic Engineering 373

“Why Isn’t All of This Stuff Secret?” 373

Cryptography and CIANA+PS 375

Confidentiality 376

Authentication 376

Integrity 376

Nonrepudiation 377

“But I Didn’t Get That Email…” 378

Availability 379

Privacy 380

Safety 381

Public Key Infrastructures 381

Diffie-Hellman-Merkle Public Key Exchange 382

RSA Encryption and Key Exchange 385

ElGamal Encryption 385

Elliptical Curve Cryptography (ECC) 386

Digital Signatures 387

Digital Certificates and Certificate Authorities 387

Hierarchies (or Webs) of Trust 388

Pretty Good Privacy 392

TLS 393

HTTPS 394

Symmetric Key Algorithms and PKI 395

Encapsulation for Security: IPSec, ISAKMP, and Others 396

Applying Cryptography to Meet Different Needs 399

Message Integrity Controls 399

S/MIME 400

DKIM 400

Blockchain 401

Data Storage, Content Distribution, and Archiving 403

Steganography 404

Access Control Protocols 404

Managing Cryptographic Assets and Systems 405

Measures of Merit for Cryptographic Solutions 407

Attacks and Countermeasures 408

Social Engineering for Key Discovery 409

Implementation Attacks 410

Brute Force and Dictionary Attacks 410

Side Channel Attacks 411

Numeric (Algorithm or Key) Attacks 412

Traffic Analysis, “Op Intel,” and Social Engineering Attacks 413

Massively Parallel Systems Attacks 414

Supply Chain Vulnerabilities 414

The “Sprinkle a Little Crypto Dust on It” Fallacy 415

Countermeasures 416

PKI and Trust: A Recap 418

On the Near Horizon 420

Pervasive and Homomorphic Encryption 420

Quantum Cryptography and Post–Quantum Cryptography 421

AI, Machine Learning, and Cryptography 422

Summary 423

Exam Essentials 424

Review Questions 429

Chapter 8 Hardware and Systems Security 435

Infrastructure Security Is Baseline Management 437

It’s About Access Control… 437

It’s Also About Supply Chain Security 439

Do Clouds Have Boundaries? 439

Securing the Physical Context 442

Facilities Security 442

Services Security 443

OT-Intensive (or Reliant) Contexts 444

Infrastructures 101 and Threat Modeling 444

Protecting the Trusted Computing Base 447

Hardware Vulnerabilities 447

Firmware Vulnerabilities 449

Operating Systems Vulnerabilities 451

Virtual Machines and Vulnerabilities 454

Network Operating Systems 455

Endpoint Security 457

MDM, COPE, and BYOD 459

BYOI? BYOC? 460

Malware: Exploiting the Infrastructure’s Vulnerabilities 462

Countering the Malware Threat 465

Privacy and Secure Browsing 466

“The Sin of Aggregation” 469

Updating the Threat Model 469

Managing Your Systems’ Security 470

Summary 471

Exam Essentials 472

Review Questions 478

Chapter 9 Applications, Data, and Cloud Security 483

It’s a Data-Driven World…At the Endpoint 484

Software as Appliances 487

Applications Lifecycles and Security 490

The Software Development Lifecycle (SDLC) 491

Why Is (Most) Software So Insecure? 494

Hard to Design It Right, Easy to Fix It? 497

CIANA+PS and Applications Software Requirements 498

Positive and Negative Models for Software Security 502

Is Negative Control Dead? Or Dying? 503

Application Vulnerabilities 504

Vulnerabilities Across the Lifecycle 505

Human Failures and Frailties 506

“Shadow IT:” The Dilemma of the User as Builder 507

Data and Metadata as Procedural Knowledge 509

Information Quality and Information Assurance 511

Information Quality Lifecycle 512

Preventing (or Limiting) the “Garbage In” Problem 513

Protecting Data in Motion, in Use, and at Rest 514

Data Exfiltration I: The Traditional Threat 516

Detecting Unauthorized Data Acquisition 518

Preventing Data Loss 519

Detecting and Preventing Malformed Data Attacks 521

Into the Clouds: Endpoint App and Data Security Considerations 522

Cloud Deployment Models and Information Security 524

Cloud Service Models and Information Security 525

Edge and Fog Security: Virtual Becoming Reality 527

Clouds, Continuity, and Resiliency 528

Clouds and Threat Modeling 529

Cloud Security Methods 531

Integrate and Correlate 532

SLAs, TORs, and Penetration Testing 532

Data Exfiltration II: Hiding in the Clouds 533

Legal and Regulatory Issues 533

Countermeasures: Keeping Your Apps and Data Safe and Secure 535

Summary 536

Exam Essentials 537

Review Questions 548

Part IV People Power: What Makes or Breaks Information Security 555

Chapter 10 Incident Response and Recovery 557

Defeating the Kill Chain One Skirmish at a Time 558

Kill Chains: Reviewing the Basics 560

Events vs. Incidents 562

Harsh Realities of Real Incidents 564

MITRE’s ATT&CK Framework 564

Learning from Others’ Painful Experiences 566

Incident Response Framework 566

Incident Response Team: Roles and Structures 568

Incident Response Priorities 570

Preparation 571

Preparation Planning 572

Put the Preparation Plan in Motion 574

Are You Prepared? 575

Detection and Analysis 578

Warning Signs 578

Initial Detection 580

Timeline Analysis 581

Notification 582

Prioritization 583

Containment and Eradication 584

Evidence Gathering, Preservation, and Use 585

Constant Monitoring 586

Recovery: Getting Back to Business 587

Data Recovery 588

Post-Recovery: Notification and Monitoring 589

Post-Incident Activities 590

Learning the Lessons 591

Orchestrate and Automate 592

Support Ongoing Forensics Investigations 592

Information and Evidence Retention 593

Information Sharing with the Larger IT

Security Community 594

Summary 594

Exam Essentials 595

Review Questions 601

Chapter 11 Business Continuity via Information Security and People Power 607

What Is a Disaster? 608

Surviving to Operate: Plan for It! 609

Business Continuity 610

IS Disaster Recovery Plans 610

Plans, More Plans, and Triage 611

Timelines for BC/DR Planning and Action 615

Options for Recovery 617

Backups, Archives, and Image Copies 618

Cryptographic Assets and Recovery 620

“Golden Images” and Validation 621

Scan Before Loading: Blocking Historical Zero-Day Attacks 622

Restart from a Clean Baseline 622

Cloud-Based “Do-Over” Buttons for Continuity, Security, and Resilience 623

Restoring a Virtual Organization 625

People Power for BC/DR 626

Threat Vectors: It Is a Dangerous World Out There 628

“Blue Team’s” C3I 631

Learning from Experience 632

Security Assessment: For BC/DR and Compliance 633

Converged Communications: Keeping Them Secure During BC/DR Actions 634

POTS and VoIP Security 635

People Power for Secure Communications 636

Summary 637

Exam Essentials 637

Review Questions 641

Chapter 12 Cross-Domain Challenges 647

Operationalizing Security Across the Immediate and Longer Term 648

Continuous Assessment and Continuous Compliance 650

SDNs and SDS 651

SOAR: Strategies for Focused Security Effort 653

A “DevSecOps” Culture: SOAR for Software Development 655

Just-in-Time Education, Training, and Awareness 656

Supply Chains, Security, and the SSCP 657

ICS, IoT, and SCADA: More Than SUNBURST 658

Extending Physical Security: More Than Just Badges and Locks 660

All-Source, Proactive Intelligence: The SOC as a Fusion Center 661

Other Dangers on the Web and Net 662

Surface, Deep, and Dark Webs 662

Deep and Dark: Risks and Countermeasures 664

DNS and Namespace Exploit Risks 665

On Our Way to the Future 666

Cloud Security: Edgier and Foggier 667

AI, ML, and Analytics: Explicability and Trustworthiness 667

Quantum Communications, Computing, and Cryptography 669

Paradigm Shifts in Information Security? 669

Perception Management and Information Security 671

Widespread Lack of Useful Understanding of Core Technologies 672

Enduring Lessons 672

You Cannot Legislate Security (But You Can Punish Noncompliance) 673

It’s About Managing Our Security and Our Systems 673

People Put It Together 674

Maintain Flexibility of Vision 675

Accountability—It’s

Personal. Make It So 675

Stay Sharp 676

Your Next Steps 677

At the Close 678

Exam Essentials 678

Review Questions 683

Appendix Answers to Review Questions 689

Chapter 1: The Business Case for Decision Assurance and Information Security 690

Chapter 2: Information Security Fundamentals 693

Chapter 3: Integrated Information Risk Management 695

Chapter 4: Operationalizing Risk Mitigation 698

Chapter 5: Communications and Network Security 701

Chapter 6: Identity and Access Control 704

Chapter 7: Cryptography 707

Chapter 8: Hardware and Systems Security 709

Chapter 9: Applications, Data, and Cloud Security 712

Chapter 10: Incident Response and Recovery 715

Chapter 11: Business Continuity via Information Security and People Power 718

Chapter 12: Cross-Domain Challenges 722

Index 727

The New copy of this book will include any supplemental materials advertised. Please check the title of the book to determine if it should include any access cards, study guides, lab manuals, CDs, etc.

The Used, Rental and eBook copies of this book are not guaranteed to include any supplemental materials. Typically, only the book itself is included. This is true even if the title states it includes any access cards, study guides, lab manuals, CDs, etc.