
CISSP: Certified Information Systems Security Professional
The Official (ISC)2 CISSP CBK Reference
Fifth Edition

John Warsinske
With: Mark Graff, Kevin Henry, Christopher Hoover, Ben Malisow, Sean Murphy, C. Paul Oakes, George Pajari, Jeff T. Parker, David Seidl, Mike Vasquez

Development Editor: Kelly Talbot
Senior Production Editor: Christine O’Connor
Copy Editor: Kim Wimpsett
Editorial Manager: Pete Gaughan
Production Manager: Kathleen Wisor
Associate Publisher: Jim Minatel
Proofreader: Louise Watson, Word One New York
Indexer: Johnna VanHoose Dinse
Project Coordinator, Cover: Brent Savage
Cover Designer: Wiley

Copyright 2019 by (ISC)2
Published simultaneously in Canada
ISBN: 978-1-119-42334-8
ISBN: 978-1-119-42332-4 (ebk.)
ISBN: 978-1-119-42331-7 (ebk.)
Manufactured in the United States of America

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2019936840

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. (ISC)2, CISSP, and CBK are registered trademarks of (ISC)2, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Lead Author and Lead Technical Reviewer

Over the course of his 30-plus years as an information technology professional, John Warsinske has been exposed to a breadth of technologies and governance structures. He has been, at various times, a network analyst, IT manager, project manager, security analyst, and chief information officer. He has worked in local, state, and federal government; has worked in public, private, and nonprofit organizations; and has been variously a contractor, direct employee, and volunteer. He has served in the U.S. military in assignments at the tactical, operational, and strategic levels across the entire spectrum from peace to war. In these diverse environments, he has experienced both the uniqueness and the similarities in the activities necessary to secure their respective information assets.

Mr. Warsinske has been an instructor for (ISC)2 for more than five years; prior to that, he was an adjunct faculty instructor at the College of Southern Maryland. His (ISC)2 certifications include the Certified Information Systems Security Professional (CISSP), Certified Cloud Security Professional (CCSP), and HealthCare Information Security and Privacy Practitioner (HCISPP). He maintains several other industry credentials as well.

When he is not traveling, Mr. Warsinske currently resides in Ormond Beach, Florida, with his wife and two extremely spoiled Carolina dogs.

Contributing Authors

Mark Graff (CISSP), former chief information security officer for both NASDAQ and Lawrence Livermore National Laboratory, is a seasoned cybersecurity practitioner and thought leader. He has lectured on risk analysis, cybersecurity, and privacy issues before the American Academy for the Advancement of Science, the Federal Communications Commission, the Pentagon, the National Nuclear Security Administration, and other U.S. national security facilities. Graff has twice testified before Congress on cybersecurity, and in 2018–2019 served as an expert witness on software security to the Federal Trade Commission. His books—notably Secure Coding: Principles and Practices—have been used at dozens of universities worldwide in teaching how to design and build secure software-based systems. Today, as head of the consulting firm Tellagraff LLC (www.markgraff.com), Graff provides strategic advice to large companies, small businesses, and government agencies. Recent work has included assisting multiple state governments in the area of election security.

Kevin Henry (CAP, CCSP, CISSP, CISSP-ISSAP, CISSP-ISSEP, CISSP-ISSMP, CSSLP, and SSCP) is a passionate and effective educator and consultant in information security. Kevin has taught CISSP classes around the world and has contributed to the development of (ISC)2 materials for nearly 20 years. He is a frequent speaker at security conferences and the author of several books on security management. Kevin’s years of work in telecommunications, government, and private industry have led to his strength in being able to combine real-world experience with the concepts and application of information security topics in an understandable and effective manner.

Chris Hoover, CISSP, CISA, is a cybersecurity and risk management professional with 20 years in the field. He spent most of his career protecting the U.S. government’s most sensitive data in the Pentagon, the Baghdad Embassy, NGA Headquarters, Los Alamos Labs, and many other locations. Mr. Hoover also developed security products for RSA that are deployed across the U.S. federal government, many state governments, and internationally. He is currently consulting for the DoD and runs a risk management start-up called Riskuary. He has a master’s degree in information assurance.

Ben Malisow, CISSP, CISM, CCSP, Security+, SSCP, has been involved in INFOSEC and education for more than 20 years. At Carnegie Mellon University, he crafted and delivered the CISSP prep course for CMU’s CERT/SEU. Malisow was the ISSM for the FBI’s most highly classified counterterror intelligence-sharing network, served as an Air Force officer, and taught grades 6–12 at a reform school in the Las Vegas public school district (probably his most dangerous employment to date). His latest work has included CCSP Practice Tests and CCSP (ISC)2 Certified Cloud Security Professional Official Study Guide, also from Sybex/Wiley, and How to Pass Your INFOSEC Certification Test: A Guide to Passing the CISSP, CISA, CISM, Network+, Security+, and CCSP, available from Amazon Direct. In addition to other consulting and teaching, Ben is a certified instructor for (ISC)2, delivering CISSP, CCSP, and SSCP courses. You can reach him at www.benmalisow.com or his INFOSEC blog, securityzed.com. Ben would also like to extend his personal gratitude to Todd R. Slack, MS, JD, CIPP/US, CIPP/E, CIPM, FIP, CISSP, for his invaluable contributions to this book.

Sean Murphy, CISSP, HCISPP, is the vice president and chief information security officer for Premera Blue Cross (Seattle). He is responsible for providing and optimizing an enterprise-wide security program and architecture that minimizes risk, enables business imperatives, and further strengthens the health plan company’s security posture. He’s a healthcare information security expert with more than 20 years of experience in highly regulated, security-focused organizations. Sean retired from the U.S. Air Force (Medical Service Corps) after achieving the rank of lieutenant colonel. He has served as CIO and CISO in the military service and private sector at all levels of healthcare organizations. Sean has a master’s degree in business administration (advanced IT concentration) from the University of South Florida, a master’s degree in health services administration from Central Michigan University, and a bachelor’s degree in human resource management from the University of Maryland. He is a board chair of the Association for Executives in Healthcare Information Security (AEHIS). Sean is a past chairman of the HIMSS Privacy and Security Committee. He served on the (ISC)2 committee to develop the HCISPP credential. He is also a noted speaker at the national level and the author of numerous industry whitepapers, articles, and educational materials, including his book Healthcare Information Security and Privacy.

C. Paul Oakes, CISSP, CISSP-ISSAP, CCSP, CCSK, CSM, and CSPO, is an author, speaker, educator, technologist, and thought leader in cybersecurity, software development, and process improvement. Paul has worn many hats over his 20-plus years of experience. In his career he has been a security architect, consultant, software engineer, mentor, educator, and executive. Paul has worked with companies in various industries such as the financial industry, banking, publishing, utilities, government, e-commerce, education, training, research, and technology start-ups. His work has advanced the cause of software and information security on many fronts, ranging from writing security policy to implementing secure code and showing others how to do the same. Paul’s passion is to help people develop the skills they need to most effectively defend the line in cyberspace and advance the standard of cybersecurity practice. To this end, Paul continuously collaborates with experts across many disciplines, ranging from cybersecurity to accelerated learning to mind-body medicine, to create and share the most effective strategies to rapidly learn cybersecurity and information technology subject matter. Most of all, Paul enjoys his life with his wife and young son, both of whom are the inspirations for his passion.

George E. Pajari, CISSP-ISSAP, CISM, CIPP/E, is a fractional CISO, providing cybersecurity leadership on a consulting basis to a number of cloud service providers. Previously he was the chief information security officer (CISO) at Hootsuite, the most widely used social media management platform, trusted by more than 16 million people and employees at 80 percent of the Fortune 1000. He has presented at conferences including CanSecWest, ISACA CACS, and BSides Vancouver. As a volunteer, he helps with the running of BSides Vancouver, the (ISC)² Vancouver chapter, and the University of British Columbia’s Cybersecurity Summit. He is a recipient of the ISACA CISM Worldwide Excellence Award.

Jeff Parker, CISSP, CySA+, CASP, is a certified technical trainer and security consultant specializing in governance, risk management, and compliance (GRC). Jeff began his information security career as a software engineer with an HP consulting group out of Boston. Enterprise clients for which Jeff has consulted on site include hospitals, universities, the U.S. Senate, and a half-dozen UN agencies. Jeff assessed these clients’ security posture and provided gap analysis and remediation. In 2006 Jeff relocated to Prague, Czech Republic, for a few years, where he designed a new risk management strategy for a multinational logistics firm. Presently, Jeff resides in Halifax, Canada, while consulting primarily for a GRC firm in Virginia.

David Seidl, CISSP, GPEN, GCIH, CySA+, PenTest+, is the vice president for information technology and CIO at Miami University of Ohio. During his IT career, he has served in a variety of technical and information security roles, including serving as the senior director for Campus Technology Services at the University of Notre Dame and leading Notre Dame’s information security team as director of information security. David has taught college courses on information security and writes books on information security and cyberwarfare, including CompTIA CySA+ Study Guide: Exam CS0-001, CompTIA PenTest+ Study Guide: Exam PT0-001, CISSP Official (ISC)2 Practice Tests, and CompTIA CySA+ Practice Tests: Exam CS0-001, all from Wiley, and Cyberwarfare: Information Operations in a Connected World from Jones and Bartlett. David holds a bachelor’s degree in communication technology and a master’s degree in information security from Eastern Michigan University.

Michael Neal Vasquez has more than 25 years of IT experience and has held several industry certifications, including CISSP, MCSE: Security, MCSE+I, MCDBA, and CCNA. Mike is a senior security engineer on the red team for a Fortune 500 financial services firm, where he spends his days (and nights) looking for security holes. After obtaining his BA from Princeton University, he forged a security-focused IT career, both working in the trenches and training other IT professionals. Mike is a highly sought-after instructor because his classes blend real-world experience and practical knowledge with the technical information necessary to comprehend difficult material, and his students praise his ability to make any course material entertaining and informative. Mike has taught CISSP, security, and Microsoft to thousands of students across the globe through local colleges and online live classes. He has performed penetration testing engagements for healthcare, financial services, retail, utilities, and government entities. He also runs his own consulting and training company and can be reached on LinkedIn.

Technical Reviewers

Bill Burke, CISSP, CCSP, CRISC, CISM, CEH, is a security professional with more than 35 years serving the information technology and services community. He specializes in security architecture, governance, and compliance, primarily in the cloud space. He previously served on the board of directors of the Silicon Valley (ISC)2 chapter, in addition to the board of directors of the Cloud Services Alliance – Silicon Valley. Bill can be reached via email at billburke@cloudcybersec.com.

Charles Gaughf, CISSP, SSCP, CCSP, is both a member and an employee of (ISC)², the global nonprofit leader in educating and certifying information security professionals. For more than 15 years, he has worked in IT and security in different capacities for nonprofit, higher education, and telecommunications organizations to develop security education for the industry at large. In leading the security team for the last five years as the senior manager of security at (ISC)², he was responsible for the global security operations, security posture, and overall security health of (ISC)². Most recently he transitioned to the (ISC)² education team to develop immersive and enriching CPE opportunities and security training and education for the industry at large. He holds degrees in management of information systems and communications.

Dr. Meng-Chow Kang, CISSP, is a practicing information security professional with more than 30 years of field experience in various technical information security and risk management roles for organizations that include the Singapore government, major global financial institutions, and security and technology providers. His research and part of his experience in the field have been published in his book Responsive Security: Be Ready to Be Secure from CRC Press. Meng-Chow has been a CISSP since 1998 and was a member of the (ISC)2 board of directors from 2015 through 2017. He is also a recipient of the (ISC)2 James Wade Service Award.

Aaron Kraus, CISSP, CCSP, Security+, began his career as a security auditor for U.S. federal government clients working with the NIST RMF and Cybersecurity Framework, and then moved to the healthcare industry as an auditor working with the HIPAA and HITRUST frameworks. Next, he entered the financial services industry, where he designed a control and audit program for vendor risk management, incorporating financial compliance requirements and industry-standard frameworks including COBIT and ISO 27002. Since 2016 Aaron has been working with startups based in San Francisco, first on a GRC SaaS platform and more recently in cyber-risk insurance, where he focuses on assisting small- to medium-sized businesses to identify their risks, mitigate them appropriately, and transfer risk via insurance. In addition to his technical certifications, he is a Learning Tree certified instructor who teaches cybersecurity exam prep and risk management.

Professor Jill Slay, CISSP, CCFP, is the Optus Chair of Cybersecurity at La Trobe University, leads the Optus La Trobe Cyber Security Research Hub, and is the director of cyber-resilience initiatives for the Australian Computer Society. Jill is a director of the Victorian Oceania Research Centre and previously served two terms as a director of the International Information Systems Security Certification Consortium. She has established an international research reputation in cybersecurity (particularly digital forensics) and has worked in collaboration with many industry partners. She was made a member of the Order of Australia (AM) for service to the information technology industry through contributions in the areas of forensic computer science, security, protection of infrastructure, and cyberterrorism. She is a fellow of the Australian Computer Society and a fellow of the International Information Systems Security Certification Consortium, both for her service to the information security industry. She also is a MACS CP.

Contents at a Glance

Foreword  xxv
Introduction  xxvii
Domain 1: Security and Risk Management  1
Domain 2: Asset Security  131
Domain 3: Security Architecture and Engineering  213
Domain 4: Communication and Network Security  363
Domain 5: Identity and Access Management  483
Domain 6: Security Assessment and Testing  539
Domain 7: Security Operations  597
Domain 8: Software Development Security  695
Index  875

Contents

Foreword  xxv
Introduction  xxvii

Domain 1: Security and Risk Management  1
Understand and Apply Concepts of Confidentiality, Integrity, and Availability  2
  Information Security  3
Evaluate and Apply Security Governance Principles  6
  Alignment of Security Functions to Business Strategy, Goals, Mission, and Objectives  6
  Vision, Mission, and Strategy  6
  Governance  7
  Due Care  10
Determine Compliance Requirements  11
  Legal Compliance  12
  Jurisdiction  12
  Legal Tradition  12
  Legal Compliance Expectations  13
Understand Legal and Regulatory Issues That Pertain to Information Security in a Global Context  13
  Cyber Crimes and Data Breaches  14
  Privacy  36
Understand, Adhere to, and Promote Professional Ethics  49
  Ethical Decision-Making  49
  Established Standards of Ethical Conduct  51
  (ISC)² Ethical Practices  56
Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines  57
  Organizational Documents  58
  Policy Development  61
  Policy Review Process  61
Identify, Analyze, and Prioritize Business Continuity Requirements  62
  Develop and Document Scope and Plan  62
  Risk Assessment  70
  Business Impact Analysis  71
  Develop the Business Continuity Plan  73
Contribute to and Enforce Personnel Security Policies and Procedures  80
  Key Control Principles  80
  Candidate Screening and Hiring  82
  Onboarding and Termination Processes  91
  Vendor, Consultant, and Contractor Agreements and Controls  96
  Privacy in the Workplace  97
Understand and Apply Risk Management Concepts  99
  Risk  99
  Risk Management Frameworks  99
  Risk Assessment Methodologies  108
Understand and Apply Threat Modeling Concepts and Methodologies  111
  Threat Modeling Concepts  111
  Threat Modeling Methodologies  112
Apply Risk-Based Management Concepts to the Supply Chain  116
  Supply Chain Risks  116
  Supply Chain Risk Management  119
Establish and Maintain a Security Awareness, Education, and Training Program  121
  Security Awareness Overview  122
  Developing an Awareness Program  123
  Training  127
Summary  128

Domain 2: Asset Security  131
Asset Security Concepts
  Data Policy
  Data Governance
  Data Quality
  Data Documentation
  Data Organization
Identify and Classify Information and Assets
  Asset Classification
Determine and Maintain Information and Asset Ownership
  Asset Management Lifecycle
  Software Asset s
Protect Privacy
  Cross-Border Privacy and Data Flow Protection
  Data Owners
  Data Controllers
  Data Processors
  Data Stewards
  Data Custodians
  Data Remanence
  Data Sovereignty
  Data Localization or Residency
  Government and Law Enforcement Access to Data
  Collection Limitation
  Understanding Data States
  Data Issues with Emerging Technologies
Ensure Appropriate Asset Retention
  Retention of Records
  Determining Appropriate Records Retention
  Retention of Records in Data Lifecycle
  Records Retention Best Practices
Determine Data Security Controls
  Technical, Administrative, and Physical Controls
  Establishing the Baseline Security
  Scoping and Tailoring
  Standards Selection
  Data Protection Methods
Establish Information and Asset Handling Requirements
  Marking and Labeling
  Handling
  Declassifying

Domain 3: Security Architecture and Engineering  213
Implement and Manage Engineering Processes Using Secure Design Principles  215
  Saltzer and Schroeder’s Principles  216
  ISO/IEC 19249  221
  Defense in Depth  229
  Using Security Principles  230
Understand the Fundamental Concepts of Security Models
  Bell-LaPadula Model
  The Biba Integrity Model
  The Clark-Wilson Model
  The Brewer-Nash Model
Select Controls Based upon Systems Security Requirements
Understand Security Capabilities of Information Systems
  Memory Protection
  Virtualization
  Secure Cryptoprocessor
Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements
  Client-Based Systems
  Server-Based Systems
  Database Systems
  Cryptographic Systems
  Industrial Control Systems
  Cloud-Based Systems
  Distributed Systems
  Internet of Things
Assess and Mitigate Vulnerabilities in Web-Based Systems
  Injection Vulnerabilities
  Broken Authentication
  Sensitive Data Exposure
  XML External Entities
  Broken Access Control
  Security Misconfiguration
  Cross-Site Scripting
  Using Components with Known Vulnerabilities
  Insufficient Logging and Monitoring
  Cross-Site Request Forgery
Assess and Mitigate Vulnerabilities in Mobile Systems
  Passwords
  Multifactor Authentication
  Session Lifetime
  Wireless Vulnerabilities
  Mobile Malware
  Unpatched Operating System or
  Insecure Devices
  Mobile Device Management
Assess and Mitigate Vulnerabilities in Embedded Devices
Apply Cryptography
  Cryptographic Lifecycle
  Cryptographic Methods
  Public Key Infrastructure
  Key Management Practices
  Digital Signatures
  Non-Repudiation
  Integrity
  Understand Methods of Cryptanalytic Attacks
  Digital Rights Management
Apply Security Principles to Site and Facility Design
Implement Site and Facility Security Controls
  Physical Access Controls
  Wiring Closets/Intermediate Distribution Facilities
  Server Rooms/Data Centers
  Media Storage Facilities
  Evidence Storage
  Restricted and Work Area Security
  Utilities and Heating, Ventilation, and Air Conditioning
  Environmental Issues
  Fire Prevention, Detection, and

Domain 4: Communication and Network Security  363
Implement Secure Design Principles in Network Architectures  364
  Open Systems Interconnection and Transmission Control Protocol/Internet Protocol Models  365
  Internet Protocol Networking  382
  Implications of Multilayer Protocols  392
  Converged Protocols  394
  Software-Defined Networks  395
  Wireless Networks  396
  Internet, Intranets, and Extranets  409
  Demilitarized Zones  410
  Virtual LANs  410
Secure Network Components
  Firewalls
  Network Address Translation
  Intrusion Detection System
  Security Information and Event Management
  Network Security from Hardware Devices
  Transmission Media
  Endpoint Security
  Implementing Defense in Depth
  Content Distribution Networks
Implement Secure Communication Channels According to Design
  Secure Voice Communications
  Multimedia Collaboration
  Remote Access
  Data Communications
  Virtualized

Domain 5: Identity and Access Management  483
Control Physical and Logical Access to Assets
  Information
  Systems
  Devices
  Facilities
Manage Identification and Authentication of People, Devices, and Services
  Identity Management Implementation
  Single Factor/Multifactor Authentication
  Accountability
  Session Management
  Registration and Proofing of Identity
  Federated Identity Management
  Credential Management Systems
Integrate Identity as a Third-Party Service
  On-Premise
  Cloud
  Federated
Implement and Manage Authorization Mechanisms
  Role-Based Access Control
  Rule-Based Access
  Mandatory Access Control
  Discretionary Access Control
  Attribute-Based Access Control
Manage the Identity and Access Provisioning Lifecycle
  User Access Review
  System Account Access Review
  Provisioning and Deprovisioning
  Auditing and

Domain 6: Security Assessment and Testing  539
Design and Validate Assessment, Test, and Audit Strategies
  Assessment Standards
Conduct Security Control Testing
  Vulnerability Assessment
  Penetration Testing
  Log Reviews
  Synthetic Transactions
  Code Review and Testing
  Misuse Case Testing
  Test Coverage Analysis
  Interface Testing
Collect Security Process Data
  Account Management
  Management Review and Approval
  Key Performance and Risk Indicators
  Backup Verification Data
  Training and Awareness
  Disaster Recovery and Business Continuity
Analyze Test Output and Generate Report
Conduct or Facilitate Security Audits
  Internal Audits
  External Audits
  Third-Party Audits
  Integrating Internal and External Audits
  Auditing Principles
  Audit

Domain 7: Security Operations  597
Understand and Support Investigations
  Evidence Collection and Handling
  Reporting and Documentation
  Investigative Techniques
  Digital Forensics Tools, Techniques, and Procedures
Understand Requirements for Investigation Types
  Administrative
  Criminal
  Civil
  Regulatory
  Industry Standards
Conduct Logging and Monitoring Activities
  Define Auditable Events
  Time
  Protect Logs
  Intrusion Detection and Prevention
  Security Information and Event Management
  Continuous Monitoring
  Ingress Monitoring
  Egress Monitoring
Securely Provision Resources
  Asset Inventory
  Asset Management
  Configuration Management
Understand and Apply Foundational Security Operations Concepts
  Need to Know/Least Privilege
  Separation of Duties and Responsibilities
  Privileged Account Management
  Job Rotation
  Information Lifecycle
  Service Level Agreements
Apply Resource Protection Techniques to Media
  Marking
  Protecting
  Transport
  Sanitization and
Conduct Incident Management
  An Incident Management
  Remediation
  Lessons Learned
  Third-Party Considerations
Operate and Maintain Detective and Preventative Measures
  White-listing/Black-listing
  Third-Party Security Services
  Honeypots/Honeynets
  Anti-Malware
Implement and Support Patch and Vulnerability Management
Understand and Participate in Change Management Processes
Implement Recovery Strategies
  Backup Storage Strategies
  Recovery Site Strategies
  Multiple Processing Sites
  System Resilience, High Availability, Quality of Service, and Fault Tolerance
Implement Disaster Recovery
  Restoration
  Training and Awareness
Test Disaster Recovery
  Parallel
  Full Interruption
Participate in Business Continuity Planning and Exercises
Implement and Manage Physical Security
  Physical Access Control
  The Data
Address Personnel Safety and Security Concerns  693
  Travel  693
  Duress  693
Summary  694

Domain 8: Software Development Security  695
Understand and Integrate Security in the Software Development Lifecycle
  Development Methodologies
  Maturity Models
  Oper
