Index

A

ABAC (attribute-based access control), 243

absorption in wireless technologies, 198

access audits for facilities, 385–386

access control

authentication. See authentication

CPTED, 174

IAM. See identity and access management (IAM)

media, 316

accidental threats, 71

accountability

description, 12

overview, 231–232

accounts

access review, 249–250

deprovisioning, 246–247

registration, 246

security process data, 274

accuracy in threat intelligence, 299

acoustical detection systems, 384

acquired software security, 416–420

acquisition phase in SDLC, 394

actors, threat, 58–59, 71–72

ad hoc networks, 199

Address Resolution Protocol (ARP), 189

administrative access in cloud-based systems, 145

administrative controls, 65

administrative investigations, 35

adversarial threats, 71

AES algorithm, 153

Agile methodology, 397–398

agreements

contractual compliance, 25

employment, 50–51

SLAs, 77, 312–313, 333, 418

third parties, 52–53

AHs (Authentication Headers), 190

AI (artificial intelligence), 336

AIKs (attestation identity keys) in TPMs, 136

ALE (annualized loss expectancy), 63

algorithms, cryptographic, 150

alignment of security functions to business requirements

business strategy and security strategy, 17

due care/due diligence, 20–21

organizational processes, 18

organizational roles and responsibilities, 18–19

security control frameworks, 19–20

allow-listing, 327–328

amplifiers, 209

amplitude in wireless technologies, 198

analyses

BIA. See business impact analysis (BIA)

evidence life cycle, 288

risk, 61–63

security tests, 277–281

annualized loss expectancy (ALE), 63

annualized rate of occurrence (ARO), 63

anomaly-based intrusion analysis, 296, 332

antennas, 198

anti-malware, 334–335

appetite, risk, 60

application-layer firewalls, 210, 330

application programming interfaces (APIs) security, 421–422

applications

description, 227

security testing, 408–411

architectures

asset life cycle, 106

networks, 208–209

security. See security architecture and engineering

ARO (annualized rate of occurrence), 63

ARP (Address Resolution Protocol), 189

artifacts, 289–290

artificial intelligence (AI), 336

AS (Authentication Service), 255

assemblers, 405

assembly programming language, 404

assessments

controls, 66–67

definition, 260–261

disaster recovery plans, 363

risk, 60–61

security. See security assessment and testing

software development security, 416–420

third parties, 76

vulnerabilities, 59, 265

assessors for security evaluations, 262–263

asset security

classification, 86–90

data life cycle, 99–105

data security controls, 109–114

handling requirements, 90–95

management, 97–98

objectives, 85–86

resource provisioning, 96–99

retention, 105–109

asset value (AV), 62

assets, 57

assisted password reset, 234

asymmetric encryption, 152–154

asynchronous attacks, 164

atomic execution, 138

attenuation in wireless technologies, 198

attestation identity keys (AIKs) in TPMs, 136

attribute-based access control (ABAC), 243

audits

changes, 413

cloud-based systems, 145

conducting, 281–284

definition, 260–261

description, 12

facility access, 385–386

review and questions, 284

authentication, 229–230

accountability, 231–232

attribute-based access control, 243

credential management systems, 233–234

data communications, 221

discretionary access control, 241

identity proofs, 232–233

just-in-time, 234–235

mandatory access control, 241–242

mechanisms, 239–244

overview, 11–12

pass-through, 165

review and questions, 235–236, 243–244

risk-based access control, 243

role-based access control, 242

rule-based access control, 242–243

session management, 232

single and multifactor, 230–231

single sign-on, 234

Authentication Headers (AHs), 190

authentication servers, 192

Authentication Service (AS), 255

authentication systems

Kerberos, 254–255

Open Authorization, 253

OpenID Connect, 253

overview, 252–253

remote access, 256–257

review and questions, 257–258

SAML, 253–254

authenticators in IEEE 802.1X, 192

authenticity in authorization, 12

authorization

data communications, 221

description, 12

Open Authorization, 253

remote access, 256–257

automating configuration management, 306

AV (asset value), 62

availability, 11, 355–356

awareness

disaster recovery plans, 364

methods and techniques, 80–81

periodic content reviews, 82

personnel security, 389

presentation techniques, 81–82

program effectiveness evaluation, 82

review and questions, 82–84

security process data, 274

B

backup power strategies, 180

backup storage

cloud, 350

direct-attached storage, 349

electronic vaulting and remote journaling, 351

network-attached storage, 350

offline, 350

storage area networks, 350

strategies, 348–349

verification data, 274

badge readers, 384

bandwidth in wireless technologies, 198

bare-metal hypervisors, 145

barriers, 380

baselines

configuration management, 305–306

internal governance, 42

bastion hosts, 208

BC. See business continuity (BC)

BCPs. See business continuity plans (BCPs)

behavior-based analysis

anti-malware, 334–335

IDS/IPS, 332

intrusion detection, 296

Bell-LaPadula model, 126–127

BIA. See business impact analysis (BIA)

Biba model, 127

binding hard disk drives, 136

biometric factors in authentication, 231

bit-flipping in sandboxing, 335

black box penetration tests, 267

black-hat (unethical) hackers, 266

blacklisting, 327–328

blind penetration tests, 267

block ciphers, 152

Blowfish algorithm, 153

Bluejacking, 202

Bluesnarfing, 202

Bluetooth standard, 202

breaches

attack simulations, 270

data, 29–30

Brewer and Nash model, 128

bridges, 209

brouters, 209

brownouts, 180

brute force cryptanalytic attacks, 162

bus encryption, 137

business continuity (BC)

business impact analysis, 45–47, 373–374

introduction, 45

overview, 372–373

plans. See business continuity plans (BCPs)

security process data, 274

business continuity plans (BCPs)

developing, 374

metrics, 374–375

review and questions, 376–377

testing, 375–376

business impact analysis (BIA)

asset criticality, 87

description, 46

developing, 46

documenting, 47

overview, 373–374

review and questions, 47–48

scope, 46–47

business strategy and security strategy, 17

C

cable modems, 216

CABs (change advisory boards), 345

California Consumer Privacy Act (CCPA), 24, 30

candidates, screening and hiring, 49

Capability Maturity Model (CMM), 399

Capability Maturity Model Integration (CMMI), 399

capacitance detectors, 385

CAs (certificate authorities), 156–157

CASBs (cloud access security brokers), 112–113

CCPA (California Consumer Privacy Act), 24, 30

CCTV (closed-circuit television) cameras, 381

CDMA (code division multiple access), 204

CDNs (content distribution networks), 147, 205–206

CEI (Computer Ethics Institute), 5

cellular networks, 204–205

Center for Internet Security (CIS) Controls, 20

certificate authorities (CAs), 156–157

certificate revocation lists (CRLs), 159

certificates, 156–157

chain of custody for evidence, 287

Challenge Handshake Authentication Protocol (CHAP), 220

change advisory boards (CABs), 345

change management

life cycle, 345–346

policies, 344–345

processes, 344–346

review and questions, 347–348

security considerations, 346–347

software development life cycle, 401

software development security, 413

channels

cellular networks, 204

communications. See communications channels

CHAP (Challenge Handshake Authentication Protocol), 220

chief information officers (CIOs), 19

chief information security officers (CISOs), 19

chief privacy officers (CPOs), 19

chief security officers (CSOs), 19

Chinese Wall model, 128

chosen ciphertext and chosen plaintext attacks, 163

CI/CD (continuous integration and continuous delivery), 407

CIOs (chief information officers), 19

cipher locks, 384

ciphers, 149

ciphertext, 149

ciphertext-only cryptanalytic attacks, 162

circuit-level firewalls, 210, 330

CIS (Center for Internet Security) Controls, 20

CISOs (chief information security officers), 19

civil investigations, 35–36

Clark-Wilson model, 127–128

classification

assets, 86–87

data, 87–88

information, 93–94

client-based system vulnerabilities, 140

client-to-site VPNs, 219

Clipper Chip algorithm, 150

closed-circuit television (CCTV) cameras, 381

closed-source intelligence, 300

cloud access security brokers (CASBs), 112–113

cloud-based firewalls, 330

cloud-based identity services, 238

cloud-based system vulnerabilities, 144–145

cloud sites, 354

cloud storage, 350

clustering cryptographic keys, 150

CMM (Capability Maturity Model), 399

CMMI (Capability Maturity Model Integration), 399

COBIT framework, 20

code, cryptography, 149

code, software

guidelines and standards, 420–425

repositories, 408

review and testing, 268–269

code division multiple access (CDMA), 204

code modules, 405

cohesion in programming, 405

cold sites, 353

collection

data, 102

evidence, 287–290

security data, 272–276

collisions, hash, 155

collusion, 310

columns in database tables, 141

combination locks, 384

commercial classification systems, 93

commercial-off-the-shelf (COTS) software, 416–417

commodity malware, 334

communication and network security

channels. See communications channels

network components, 207–214

network security application, 193–207

networking concepts, 184–192

objectives, 183–184

communication in disaster recovery plans, 361–362

communications channels

data communications, 220–222

introduction, 215

multimedia collaboration, 218–219

remote access, 219–220

review and questions, 223–224

third-party connectivity, 222–223

virtualized networks, 222

voice, 215–218

community clouds, 144

compartmented security mode, 125

compensating controls, 66

compilers, 405

compliance

contractual, 25

controls, 66–67

data security, 109–114

industry standards, 25

legal and regulatory, 24

overview, 23–24

personnel policy requirements, 53

privacy requirements, 25–26

review and questions, 26–28

compliance checks, 270

Computer Ethics Institute (CEI), 5

concentrators, 209

confidence levels in threat intelligence, 299

confidential classification, 93

confidentiality

description, 10

models, 126–127

configuration management

automating, 306

baselining, 305–306

cloud-based systems, 145

introduction, 304

patches, 341–342

provisioning, 305

review and questions, 306–307

software, 408

confusion in cryptographic methods, 151

constrained interfaces, 240

consultants, agreements and controls with, 52–53

containerization vulnerabilities, 146

content-dependent access authentication, 240

content distribution networks (CDNs), 147, 205–206

content reviews in security awareness, 82

context-dependent access, 240

continuous improvement in risk management, 68

continuous integration and continuous delivery (CI/CD), 407

continuous monitoring, 296

contractual compliance, 25

control planes in SDN, 196

controllers of data, 101–102

controls. See security controls

converged protocols, 194

copyrights, 30–31

corrective controls, 66

cost savings in third-party security services, 333

COTS (commercial-off-the-shelf) software, 416–417

countermeasure selection and implementation in risk management, 64–65

coupling in programming, 405

CPOs (chief privacy officers), 19

CPTED (Crime Prevention Through Environmental Design), 174

credentials, 11

crime prevention and disruption concerns in site planning, 167

Crime Prevention Through Environmental Design (CPTED), 174

criminal investigations, 36

critical changes, 346

criticality

information, 131

patch management, 340–341

CRLs (certificate revocation lists), 159

cryptanalysis, 149

cryptanalytic attacks

brute force, 162

chosen ciphertext and chosen plaintext, 163

ciphertext-only, 162

fault injection, 164

frequency analysis, 163

implementation, 163

Kerberos, 165

known plaintext, 162–163

man-in-the-middle, 164

overview, 161–162

pass the hash, 165

ransomware, 165

review and questions, 166–167

side-channel, 163–164

timing, 164

cryptographic keys in TPMs, 136

cryptographic solutions

cryptosystems, 151

digital certificates, 156

hybrid cryptography, 155–156

integrity, 154–155

introduction, 148–149

key management practices, 158–159

life cycle, 149–150

methods, 151–154

nonrepudiation and digital signatures, 158

public key infrastructure, 156–158

review and questions, 159–161

vulnerabilities, 142

cryptoprocessors, 137

cryptosystems, 151

cryptovariables, 150

CSOs (chief security officers), 19

culture, risk, 60

custodians, data, 101–102

Cyber Kill Chain threat model, 72, 301

cybercrimes, 29

cycles, wave, 197

D

DAC (discretionary access control), 241

damage concerns, 168

DAST (dynamic application security testing), 410

data

breaches, 29–30

classification, 87–88

communications, 220–222

custodian responsibilities, 19

description, 9–10

data at rest, 91, 110

data centers, 175–176

data historians in industrial control systems, 143

data in transit, 92, 109–110

data in use, 110

data life cycle

collection, 102

destruction, 103–104

location, 102

maintenance, 102–103

overview, 99–100

owners, 100–101

remanence, 103

retention, 103

review and questions, 104–105

roles, 100–102

data localization laws, 32

data loss prevention (DLP), 112

data owners

cloud-based systems, 145

responsibilities, 19

data protection requirements in control selection, 131–132

data retention in cloud-based systems, 145

data security and compliance

control scoping and tailoring, 111

control standards selection, 110–111

data at rest, 110

data in transit, 109–110

data in use, 110

data states, 109

protection methods, 111–113

review and questions, 113–114

data segmentation in cloud-based systems, 145

data sovereignty, 102

database system vulnerabilities, 141–142

DCSs (distributed control systems), 142–143

de-encapsulation in OSI model, 186

decryption, 149

dedicated security mode, 124

default-deny method of controlling access, 328

defaults

secure, 117

site and facility design, 169

defense in depth

secure design, 117

site and facility design, 169

defined maturity level in CMMI, 399

delineated responsibilities in cloud-based systems, 145

deluge water sprinkler systems, 179

demilitarized zones (DMZs)

description, 208

firewalls, 329

demotions, 51–52

deny-listing, 327–328

deprovisioning in identity and access, 245–247

DES algorithm, 153

design phase

asset life cycle, 106

software development life cycle, 394

designing evaluations, 261–264

destruction

assets, 107

data, 103–104

media, 316–317

detection

fire, 177–178

incident management, 320–321

surveillance, 381

detective and preventive controls

allow-listing and deny-listing, 327–328

anti-malware, 334–335

description, 66

firewalls, 328–330

honeypots and honeynets, 333–334

IDS/IPS, 331–332

machine learning and artificial intelligence, 336

overview, 326

review and questions, 336–338

sandboxing, 335–336

third-party provided security services, 332–333

determination, risk, 58

deterrence, surveillance for, 381

deterrent controls, 66

detonation chambers, 335

development phase in SDLC, 394

devices, 227

DevOps development, 398

DevSecOps development, 398

DHE (Diffie-Hellman) algorithm, 154

dial-up communications, 216

Diameter system, 257

Diamond Model of Intrusion Analysis, 72, 301

differential backups, 349

Diffie-Hellman (DHE) algorithm, 154

diffusion in cryptographic methods, 151

digital certificates, 156

digital forensics tools, 290–291

digital rights management (DRM), 111–112

digital signatures, 158

digital subscriber line (DSL), 216

dips, power, 180

direct-attached storage, 349

direct sequence spread spectrum (DSSS), 198

disaster recovery data in security process data, 274

disaster recovery (DR)

lessons learned, 364–365

overview, 359–360

people safety concerns, 360

plans. See disaster recovery plans (DRPs)

review and questions, 365–367

disaster recovery plans (DRPs)

assessment, 363

communications, 361–362

key points, 360–361

personnel, 361

response, 361

restoration, 363

testing, 367–372

training and awareness, 364

disciplinary activities, 51–52

discretionary access control (DAC), 241

disposal phase in asset life cycle, 106–107

distributed control systems (DCSs), 142–143

distributed system vulnerabilities, 141

distribution facilities, 175

DLP (data loss prevention), 112

DMZs (demilitarized zones)

description, 208

firewalls, 329

documentation

business impact analysis, 47

investigations, 292–293

software configuration management, 408

dogs, 381–382

door delay locks, 384

double blind penetration tests, 267

DR. See disaster recovery (DR)

drives

binding, 136

self-encrypting, 137

DRM (digital rights management), 111–112

DRPs. See disaster recovery plans (DRPs)

dry pipe water sprinkler systems, 179

DSL (digital subscriber line), 216

DSSS (direct sequence spread spectrum), 198

due care, 20–21

due diligence, 20–21

duress codes for locks, 384

duress systems for personnel safety, 390–391

duties, separation of

information security, 118

overview, 14

purpose, 309–310

site and facility design, 170

dynamic application security testing (DAST), 410

E

EAP (Extensible Authentication Protocol), 191–192, 220

EAR (Export Administration Regulation), 31

ECC (elliptic curve cryptography), 154

Economic Espionage Act, 30

edge computing system vulnerabilities, 146–147

EDLP (Endpoint DLP), 112

education for security awareness, 80–84

EF (exposure factor) in risk, 62–63

effectiveness

controls, 66–67

software development security, 412–415

egress monitoring, 297–298

EKs (endorsement keys) in TPMs, 136

El Gamal algorithm, 154

electromagnetic (EM) spectrum, 197

electromechanical intrusion detection systems, 385

electronic locks, 384

electronic vaulting, 351

elliptic curve cryptography (ECC), 154

EM (electromagnetic) spectrum, 197

embedded system vulnerabilities, 143–144

emergency changes, 346

emergency management, 389–390

emergency procedures, 360

employment agreements and policies, 50

Encapsulating Security Payload (ESP), 190

encapsulation

network security, 196–197

OSI model, 186

encryption. See also cryptographic solutions

bus, 137

data communications, 221

description, 149

end-of-life phase in asset life cycle, 106–107

end-of-support phase in asset life cycle, 106–107

endorsement keys (EKs) in TPMs, 136

Endpoint DLP (EDLP), 112

endpoint security for network components, 213

engineering security. See security architecture and engineering

enrollment for user accounts, 246

entities, 9–10

entry control points, 379

environmental issues

site and facility, 177

threats, 71

ESP (Encapsulating Security Payload), 190

establishing identity, 232–233

ethical disclosure in security test results, 279

ethical (white-hat) hackers, 266

ethics. See professional ethics

evacuation plans, 179–180

evaluations

assessors, 262–263

goals and strategies, 261–262

review and questions, 263–264

event logs, 298

evidence

collection and handling, 287–290

life cycle, 287–288

storage, 176

evolutionary prototypes, 396

exception handling in security test results, 279

explicit denies, 328

explicit permissions, 241

Export Administration Regulation (EAR), 31

exposure factor (EF) in risk, 62–63

Extensible Authentication Protocol (EAP), 191–192, 220

external assessors for security evaluations, 262–263

external governance, 16

external security auditors, 282–283

extranets, 208

Extreme Programming (XP), 398

F

facilities

access audits, 385–386

description, 227

design. See site and facility design

factors, authentication, 230–231

fail securely

secure design, 117–118

site and facility design, 169–170

fault injection cryptanalytic attacks, 164

fault tolerance, 356

faults, power, 180

FCIP (Fibre Channel over IP), 194

FCoE (Fibre Channel over Ethernet), 194

FDMA (frequency division multiple access), 204

Federal Information Security Management Act (FISMA), 24

Federated Identity Management (FIM), 233, 237–239

fencing, 379–380

FHSS (frequency hopping spread spectrum), 198

Fibre Channel over Ethernet (FCoE), 194

Fibre Channel over IP (FCIP), 194

fields in database tables, 141

fifth generation programming languages, 404

FIM (Federated Identity Management), 233, 237–239

fire prevention, 177–180

Firewall as a Service (FWaaS), 330

firewalls

cloud-based, 330

network- and host-based, 329

overview, 328–329

types, 210–211, 329–330

web application, 330

firmware in system security, 135

first generation programming languages, 404

FISMA (Federal Information Security Management Act), 24

flat-file databases, 142

footprints of satellites, 203

foreign keys in database systems, 141–142

forensic investigations

description, 287

digital tools, 290–291

forwarding planes in SDN, 196

fourth generation programming languages, 404

frameworks, risk, 64

frequencies in wireless technologies, 197–198

frequency analysis cryptanalytic attacks, 163

frequency bands in wireless technologies, 198

frequency division multiple access (FDMA), 204

frequency hopping spread spectrum (FHSS), 198

full backups, 349

full interruption tests

business continuity plans, 375

disaster recovery plans, 370

full-knowledge penetration tests, 267

functional requirements in control selection, 131

functions of controls, 65–66

fuzzing, 411

FWaaS (Firewall as a Service), 330

G

gates, 380

gateways, 209

General Data Protection Regulation (GDPR), 24, 101–102

generators, power, 180

geosynchronous satellites, 203

goals

organizational, 17

security evaluations, 261–262

governance requirements

control selection, 132

ethics, 6

Gramm-Leach-Bliley Act, 24, 30

gray box penetration tests, 267

gray-hat hackers, 266

guards, 381–382

guidelines for internal governance, 41–42

H

H.323 standard, 217

HA (high availability), 355–356

handling assets

classification systems, 93–94

overview, 90–91

review and questions, 94–95

storage, 91–92

transfer, 93

transmission, 92

transportation, 92

handling evidence, 287–290

hard disk drives, binding, 136

hardware

network components, 208–209

risks, 75

system security, 135

hardware security modules (HSMs), 136

harm to people, preventing, 360

hashes in cryptography, 155

Health Information Technology for Economic and Clinical Health (HITECH) Act, 24, 30

Health Insurance Portability and Accountability Act (HIPAA), 24

heating, ventilation, and air conditioning (HVAC) services, 177

heuristic analysis

IDS/IPS, 332

intrusion detection, 296

heuristic anti-malware, 334–335

HIDS/HIPS (host-based intrusion detection/prevention system), 331

hierarchical databases, 142

high availability (HA), 355–356

high-level programming languages, 404

high-performance computing (HPC) system vulnerabilities, 146

HIPAA (Health Insurance Portability and Accountability Act), 24

hiring candidates, 49

HITECH (Health Information Technology for Economic and Clinical Health) Act, 24, 30

HMIs (human–machine interfaces), 143

honeypots and honeynets, 333–334

horizontal enactments, 33

host-based firewalls, 329

host-based intrusion detection/prevention system (HIDS/HIPS), 331

hot sites, 353

HPC (high-performance computing) system vulnerabilities, 146

HSMs (hardware security modules), 136

HTTP (Hypertext Transfer Protocol), 189–190

hubs, 209

human–machine interfaces (HMIs), 143

HVAC (heating, ventilation, and air conditioning) services, 177

hybrid clouds, 144

hybrid cryptography, 155–156

hybrid identity services, 238

Hypertext Transfer Protocol (HTTP), 189–190

hypervisors, 145

I

IaaS (Infrastructure as a Service), 144

IAM. See identity and access management (IAM)

ICMP (Internet Control Message Protocol), 188

ICSs (industrial control systems), 142–143

IDE (integrated development environment), 406

identification

data communications, 220

description, 11

threats and vulnerabilities, 59–60

identity and access management (IAM)

authentication systems, 252–258

authorization mechanisms, 239–244

federated identity, 237–239

identification and authentication, 229–236

logical and physical access control, 226–229

objectives, 225–226

provisioning life cycle, 245–252

identity management (IdM), 230

identity providers in SAML, 254

IDFs (intermediate distribution facilities), 175

IdM (identity management), 230

IDS/IPSs (intrusion detection and prevention systems)

categories, 331–332

models, 296

physical IDSs, 384–385

IEEE (Institute of Electrical and Electronics Engineers)

802.1X, 192, 220

Code of Ethics, 6

IGMP (Internet Group Management Protocol), 188

IKE (Internet Key Exchange), 190

impact, risk, 58

implementation

asset life cycle, 106

change, 345

implementation cryptanalytic attacks, 163

implicit denies, 328

implicit permissions, 241

import/export controls, 31

important changes, 346

incident concerns in site and facility design, 168

incident management

detection, 320–321

lessons learned, 324

life cycle, 319–320

mitigation, 322

overview, 318–319

preparation, 320

recovery, 323

remediation, 323

reporting, 322–323

response, 321–322

review and questions, 324–326

incomplete maturity level in CMMI, 399

incremental backups, 349

Incremental methodology, 396

indexes in database systems, 142

indicators of compromise (IoCs)

incident management, 320–321

threats, 71

industrial control systems (ICSs), 142–143

industry standards

compliance, 25

investigations, 37

information, description, 9–10, 227

information flow models, 127

information systems (IS)

capabilities, 135–138

review and questions, 138–139

Infrastructure as a Service (IaaS), 144

infrastructure mode in Wi-Fi, 199

initial maturity level in CMMI, 399

initial response phase in evidence life cycle, 288

initiators in iSCSI, 195

inrush current, power, 180

Institute of Electrical and Electronics Engineers (IEEE)

802.1X, 192, 220

Code of Ethics, 6

intangible assets, 57, 97

integrated development environment (IDE), 406

integrated product teams (IPTs), 401

Integrated Services Digital Network (ISDN), 216

integration tests in application security, 409

integrity

cryptography, 154–155

data communications, 221

overview, 11

integrity models, 127–128

intellectual property (IP) requirements, 30–31

interface requirements in control selection, 132

interface tests

application security, 409

security issues, 269–270

interference in wireless technologies, 198

intermediate CAs, 157

intermediate distribution facilities (IDFs), 175

internal assessors for security evaluations, 262–263

internal governance

baselines, 42

description, 16–17

guidelines, 41–42

overview, 39–40

policies, 40

procedures, 40–41

review and questions, 42–44

standards, 41

internal security auditors, 282

internal security controls

locks, 383–384

overview, 382–383

personnel entry requirements, 383

International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27002, 20

International Traffic in Arms Regulations (ITAR), 31

Internet Control Message Protocol (ICMP), 188

Internet Group Management Protocol (IGMP), 188

Internet Key Exchange (IKE), 190

Internet of Things (IoT) vulnerabilities, 143

Internet Protocol (IP), 187–188

Internet Protocol (IP) telephony, 217

Internet Security Association and Key Management Protocol (ISAKMP), 190

Internet Small Computer Systems Interface (iSCSI), 194–195

interpreters, 405

intranets, 208

intrusion detection and prevention systems (IDS/IPSs)

categories, 331–332

models, 296

physical IDSs, 384–385

inventory of assets, 96–97

investigations

administrative, 35

civil, 35–36

criminal, 36

digital forensics tools, 290–291

evidence collection and handling, 287–290

forensic, 287

industry standards, 37

overview, 286

regulatory, 36–37

reporting and documentation, 292–293

review and questions, 37–39, 293–294

techniques, 291–292

invocation rule in Biba model, 127

IoCs (indicators of compromise)

incident management, 320–321

threats, 71

IoT (Internet of Things) vulnerabilities, 143

IP (intellectual property) requirements, 30–31

IP (Internet Protocol), 187–188

IP (Internet Protocol) telephony, 217

IP Security (IPSec), 190–191

IPTs (integrated product teams), 401

IS (information systems)

capabilities, 135–138

review and questions, 138–139

ISAKMP (Internet Security Association and Key Management Protocol), 190

(ISC)2 Code of Ethics

canons, 3–4

preamble, 3

iSCSI (Internet Small Computer Systems Interface), 194–195

ISDN (Integrated Services Digital Network), 216

ISO (International Organization for Standardization)/International Electrotechnical Commission (IEC) 27002, 20

ITAR (International Traffic in Arms Regulations), 31

iterative methodology, 396

J

job rotation, 311–312

journaling, remote, 351

just-in-time access control, 234–235

K

Kanban methodology, 398

KCIs (key control indicators), 275

KDCs (Key Distribution Centers), 254–255

keep it simple principle

secure design, 119

site and facility design, 170

Kerberos

characteristics, 220

components, 254–255

cryptanalytic attacks, 165

description, 192

Kerckhoffs, Auguste, 150

Kerckhoffs’ principle, 150

key control indicators (KCIs), 275

Key Distribution Centers (KDCs), 254–255

key goal indicators (KGIs), 275

key management practices, 158–159

key override for locks, 384

key performance indicators (KPIs), 275

key risk indicators (KRIs), 275

keys

asymmetric encryption, 152–153

cryptographic, 150

database systems, 141–142

hybrid cryptography, 156

symmetric encryption, 151–152

Zigbee, 203

KGIs (key goal indicators), 275

knowledge-based intrusion detection, 332

known plaintext cryptanalytic attacks, 162–163

KPIs (key performance indicators), 275

KRIs (key risk indicators), 275

L

Layer 2 Tunneling Protocol (L2TP), 221

layered security in site and facility design, 169

least privilege principle

description, 13

secure design, 116–117

security operations, 309

site and facility design, 169

legal and regulatory requirements

cybercrimes, 29

data breaches, 29–30

import/export controls, 31

licensing and intellectual property, 30–31

privacy issues, 32–33

review and questions, 33–34

transborder data flow, 32

legal compliance, 24

legal holds, 289

legal liability

cloud-based systems, 145

third-party provided security services, 333

LEO (Low Earth orbit) satellites, 203

lessons learned

disaster recovery, 364–365

incident management, 324

Li-Fi technology, 203–204

libraries, software, 405–406

licensing requirements, 30–31

life cycle

assets, 106

change management, 345–346

cryptographic, 149–150

data, 99–105

evidence, 287–288

identity and access provisioning, 245–252

incident management, 319–324

software development, 394–395

light in intrusion detection systems, 384

lighting, 380–381

likelihood, risk, 58

link keys in Zigbee, 203

lives, saving, 360

location of data, 102

locks, 383–384

log management, 298

log reviews, 267–268

logging and monitoring

changes, 413

continuous monitoring, 296

egress monitoring, 297–298

intrusion detection and prevention, 296

log management, 298

overview, 295

review and questions, 302–304

SIEM systems, 297

threat hunting, 300

threat intelligence, 298–300

threat modeling, 300–301

user and entity behavior analytics, 301–302

logical controls

description, 65

IAM, 226–229

loose coupling in programming, 405

Low Earth orbit (LEO) satellites, 203

lumens, 380

M

m-of-n control, 310

MAC (mandatory access control), 122, 241–242

machine learning (ML), 336

machine programming languages, 404

main distribution facilities (MDFs), 175

maintenance

asset life cycle, 106

CPTED, 174

data, 102–103

software development life cycle, 395

malware, 334–335

man-in-the-middle (MITM) attacks, 164

managed maturity level in CMMI, 399

managed security services (MSSs), 332

managed service accounts, 249

managed services, 418

management review and approval for security process data, 275

managerial controls, 65

mandatory access control (MAC), 122, 241–242

mandatory vacations, 312

master keys for locks, 384

master keys in Zigbee, 203

maturity models, 398–399

maximum tolerable downtime (MTD), 374

MDFs (main distribution facilities), 175

mean time between failures (MTBF), 375

mean time to failure (MTTF), 375

mean time to repair (MTTR), 375

measuring risk, 67

mechanical locks, 383–384

media management, 315–317

media storage facilities, 176

memory protection in trusted execution environments, 137

message digests in cryptography, 155

metrics in business continuity plans, 374–375

MFA (multifactor authentication), 230–231

micro-segmentation, 195

microservices vulnerabilities, 146

Microsoft MS-CHAPv2, 220

minimum security requirements in supply chain risk management, 77

missions, organizational, 17

misuse case testing, 269

mitigation

incident management, 322

software development security, 413–414

MITM (man-in-the-middle) attacks, 164

MITRE ATT&CK Framework, 72, 301

ML (machine learning), 336

mobile code, 406

mobile sites, 355

modulation in wireless technologies, 198

monitoring

and logging. See logging and monitoring

risk, 67

third parties, 76

motion in intrusion detection systems, 385

MSSs (managed security services), 332

MTBF (mean time between failures), 375

MTD (maximum tolerable downtime), 374

MTTF (mean time to failure), 375

MTTR (mean time to repair), 375

multicasting in IGMP, 188

multifactor authentication (MFA), 230–231

multilayer protocols, 186, 193–197

multilevel security mode, 125–126

multimedia collaboration, 218–219

multiperson control, 309–310

multiple processing sites, 352

multistate systems, 124

N

NAC (network access control) devices, 211

NAS (network-attached storage), 350

National Institute of Standards and Technology (NIST)

incident response life cycle, 319

Risk Management Framework, 61

Special Publication 800-18, 100

Special Publication 800-37, 100

Special Publication 800-53, 20, 26

natural access control in CPTED, 174

natural programming languages, 404

NDLP (Network DLP), 112

need-to-know principle

authentication, 240

description, 13

security models, 123

security operations, 308

network access control (NAC) devices, 211

network-attached storage (NAS), 350

network-based firewalls, 329

network-based IDS/IPS (NIDS/NIPS), 331

network components

controls, 211–212

endpoint security, 213

firewalls, 210–211

hardware, 208–209

network access control devices, 211

review and questions, 214

transmission media, 212–213

Network DLP (NDLP), 112

network keys in Zigbee, 203

network security application

content distribution networks, 205–206

introduction, 193

multilayer protocols, 193–197

review and questions, 206–207

wireless technologies, 197–205

networking concepts

ARP, 189

EAP, 191–192

ICMP, 188

IEEE 802.1X, 192

IGMP, 188

Internet Protocol, 187–188

introduction, 184

IPSec, 190–191

Kerberos, 192

OSI model, 185–187

secure protocols, 189

Secure Shell, 191

SSL, TLS, and HTTPS, 189–190

TCP/IP stack, 186–188

next-generation firewalls (NGFWs), 210, 330

NIDS/NIPS (network-based IDS/IPS), 331

NIST. See National Institute of Standards and Technology (NIST)

nonces, 151

noninterference model, 128

nonrepudiation

cryptography, 158

data communications, 221

description, 12–13

nontechnical vulnerabilities, 340

NoSQL database systems, 142

O

O&M (operation and maintenance) in software development life cycle, 400

OAuth (Open Authorization), 253

objects

entities, 10

IAM, 226

security models, 122

OCSP (Online Certificate Status Protocol), 159

OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) threat model, 72, 301

OFDM (orthogonal frequency division multiplexing), 198, 204

OFDMA (orthogonal frequency division multiple access), 204

offline storage, 350

OIDC (OpenID Connect), 253

on-path attacks, 164

on-premise identity management, 237–238

onboarding, 51

one-way cryptographic functions, 151

Online Certificate Status Protocol (OCSP), 159

Open Authorization (OAuth), 253

open-source intelligence (OSINT), 299–300

open-source software, 417

Open Systems Interconnection (OSI) model, 185–187

open trust model in Zigbee, 203

Open Web Application Security Project (OWASP), 400

OpenID Connect (OIDC), 253

OpenIOC threat model, 301

operation and maintenance (O&M) in software development life cycle, 400

operational controls, 65

operational goals, organizational, 17

operational prototypes, 396

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) threat model, 72, 301

operations phase in software development life cycle, 395

optimizing maturity level in CMMI, 399

organizational code of ethics, 4

review and questions, 7–8

sources, 5–6

workplace ethics statements and policies, 4–6

organizational processes, 18

organizational roles and responsibilities, 18–19

orthogonal frequency division multiple access (OFDMA), 204

orthogonal frequency division multiplexing (OFDM), 198, 204

OSI (Open Systems Interconnection) model, 185–187

OSINT (open-source intelligence), 299–300

OWASP (Open Web Application Security Project), 400

owners

assets, 96

cloud-based systems, 145

data life cycle, 100–101

responsibilities, 19

P

PaaS (Platform as a Service), 144

packet-filtering firewalls, 210, 329

padlocks, 383

pair programming, 398

pairing in Bluetooth, 202

PAP (Password Authentication Protocol), 220

parallel testing

business continuity plans, 375

disaster recovery plans, 370

partial-knowledge penetration tests, 267

pass the hash cryptanalytic attacks, 165

passive infrared systems, 384

Password Authentication Protocol (PAP), 220

password management and synchronization, 234

PASTA (Process for Attack Simulation and Threat Analysis), 72, 301

patch management, 339–340

cloud-based systems, 145

criticality, 340–341

review and questions, 342–344

schedules, 341

testing, 341–342

patents, 30–31

pathping utility, 188

pattern-based anti-malware, 334–335

pattern-based intrusion detection, 296, 332

Payment Card Industry (PCI) Data Security Standards (DSS), 20

PBX (Private Branch Exchange) systems, 215–216

PCRs (platform configuration registers), 136

penetration testing

application security, 410

security control, 265–267

people safety concerns in disaster recovery, 360

performance requirements in control selection, 131

Perimeter Intrusion Detection and Assessment Systems (PIDASs), 379–380

perimeter security controls, 378

barriers, 380

entry control points, 379

fencing, 379–380

guards and dogs, 381–382

lighting, 380–381

surveillance, 381

zones, 378–379

periodic content reviews for security awareness, 82

permissions, 240–241

persistent memory in TPM, 136

personnel

communications, 361

entry requirements, 383

privacy policy requirements, 53–54

personnel safety

duress, 390–391

emergency management, 389–390

review and questions, 391–392

security training and awareness, 389

travel, 388–389

personnel security, 48

candidate screening and hiring, 49

compliance policy requirements, 53

employment agreements and policies, 50

onboarding, 51

practices, 49

review and questions, 54–56

terminations, 52

third parties, 52–53

transfers, promotions, and disciplinary activities, 51–52

photometric sensors, 384

physical security

description, 65

facility access audits, 385–386

IAM, 226–229

internal controls, 382–387

intrusion detection systems, 384–385

overview, 377–378

perimeter security controls, 378–382

review and questions, 386–387

physical Wi-Fi standards, 199–201

PIDASs (Perimeter Intrusion Detection and Assessment Systems), 379–380

ping utility, 188

PKI (public key infrastructure), 156–158

plain old telephone service (POTS), 215

plaintext, 149

Plan of Action and Milestones (POA&M), 67

Platform as a Service (PaaS), 144

platform configuration registers (PCRs), 136

PLCs (programmable logic controllers), 143

POA&M (Plan of Action and Milestones), 67

Point-to-Point Protocol (PPP), 221

Point-to-Point Tunneling Protocol (PPTP), 221

poisoning, ARP, 189

policies

change management, 344–345

compliance, 53

employment, 50

internal governance, 40

privacy, 26, 53–54

workplace ethics, 4–5

portable code, 406

post-change activities, 345

POTS (plain old telephone service), 215

power for site and facility, 180

PPP (Point-to-Point Protocol), 221

PPTP (Point-to-Point Tunneling Protocol), 221

preaction water sprinkler systems, 179

preparation in incident management, 320

presentation

evidence life cycle, 288

security awareness, 81–82

preventive controls, 66

primary keys in database systems, 141

principals

Kerberos, 254

SAML, 254

principle of least privilege

description, 13

secure design, 116–117

security operations, 309

site and facility design, 169

privacy

compliance, 25–26

legal and regulatory requirements, 32–33

personnel requirements, 53–54

policy requirements, 53–54

privacy by design

secure design, 119

site and facility design, 171

Private Branch Exchange (PBX) systems, 215–216

private clouds, 144

private keys in asymmetric encryption, 152–153

private organizations in classification systems, 93

privilege creep, 51

privilege escalation, 248–249

privileged account management, 310–311

privileges, 240–241

procedures in internal governance, 40–41

Process for Attack Simulation and Threat Analysis (PASTA), 72, 301

processing modes in security models, 124–126

processor security extensions, 138

processors, data, 101–102

professional ethics

introduction, 2

(ISC)2 Code of Ethics, 3–4

organizational, 4–6

program effectiveness evaluation for security awareness, 82

programmable logic controllers (PLCs), 143

programming languages, 404–405

promotions, 51–52

proofing identity, 232–233

proprietary classification, 93

proprietary intelligence, 300

protection methods for data, 111–113

prototyping methodology, 396

provisioning

configuration management, 305

resources, 96–99

provisioning in identity and access

account access review, 249–250

deprovisioning, 245–247

initial, 245–246

managed service accounts, 249

overview, 245

privilege escalation, 248–249

review and questions, 251–252

role definitions, 247–248

proxies, 209

proximity badges, 384

proximity detectors, 385

proxy firewalls, 210, 330

PSTNs (public switched telephone networks), 215

public classification, 93

public clouds, 144

public key infrastructure (PKI), 156–158

public keys in asymmetric encryption, 152–153

public switched telephone networks (PSTNs), 215

Q

QKD (quantum key distribution), 154

qualitative risk analysis, 62

quality of service (QoS), 356

quantitative risk analysis, 62

quantitatively managed maturity level in CMMI, 399

quantum cryptography, 154

quantum key distribution (QKD), 154

R

RAD (Rapid Application Development), 397

RADIUS (Remote Authentication Dial-In User Service), 221, 256

ransomware, 165

Rapid Application Development (RAD), 397

rapid prototyping, 396

RAs (registration authorities) for certificates, 157

ratings for threat intelligence, 299

RBAC (role-based access control), 242, 248

RC4 algorithm, 153

read-through tests

business continuity plans, 375

disaster recovery plans, 368–369

Real-time Transport Protocol (RTP), 217

realms, Kerberos, 254

reciprocal sites, 354

records in database tables, 141

recovery

controls, 66

incident management, 323

recovery point objective (RPO), 375

recovery sites

cloud, 354

cold, 353

hot, 353

mobile, 355

multiple processing, 352

reciprocal, 354

strategies, 351–352

warm, 353

recovery strategies

backup storage, 348–351

fault tolerance, 356

high availability, 355–356

quality of service, 356

recovery sites, 351–355

resiliency, 355

review and questions, 357–359

recovery time objective (RTO), 374

reflection in wireless technologies, 198

registration

identity, 232–233

user accounts, 246

registration authorities (RAs) for certificates, 157

regulatory compliance, 24

regulatory investigations, 36–37

relational databases, 141–142

relevance in threat intelligence, 299

relying parties in OpenID Connect, 253

remanence, data, 103

remediation

incident management, 323

security test results, 278–279

remote access

authentication and authorization, 256–257

overview, 219–220

Remote Authentication Dial-In User Service (RADIUS), 221, 256

remote journaling, 351

repeaters, 209

replacement phase

asset life cycle, 106–107

software development life cycle, 395

reporting

incident management, 322–323

investigations, 292–293

risk, 67–68

security tests, 277–278

reputation-based anti-malware, 334–335

requests for change, 345

residual risk, 64

resiliency, 355

resource protection

media management, 315–317

overview, 314–315

review and questions, 317–318

resource provisioning, 96–99

response

disaster recovery plans, 361

incident management, 321–322

risk, 63–64

responsibilities

alignment of security functions to business requirements, 18–19

cloud-based systems, 145

restoration in disaster recovery plans, 363

restricted area security, 176

retention

assets, 105–109

cloud-based systems, 145

data, 103

retirement phase

asset life cycle, 106

software development life cycle, 395

rights, 240–241

risk analysis in software development security, 413–414

risk-based access control, 243

risk management

continuous improvement, 68

controls, 65–67

countermeasure selection and implementation, 64–65

monitoring, 66–67

reporting, 67–68

review and questions, 68–70

risk analysis, 61–63

risk assessment, 60–61

risk elements, 57–58

risk frameworks, 64

risk response, 63–64

threats and vulnerabilities identification, 59–60

Risk Management Framework (RMF), 61

risk registers, 67

risk response in control selection, 133

risk sharing in third-party provided security services, 333

Rivest, Shamir, Adleman (RSA) algorithm, 154

RMF (Risk Management Framework), 61

role-based access control (RBAC), 242, 248

roles

alignment of security functions to business requirements, 18–19

data, 100–102

IAM, 247–248

root CAs, 157

routers, 209

routine changes, 346

rows in database tables, 141

RPO (recovery point objective), 375

RSA (Rivest, Shamir, Adleman) algorithm, 154

RTO (recovery time objective), 374

RTP (Real-time Transport Protocol), 217

rule-based access control, 242–243

rule-based intrusion detection, 296, 332

rules in Bell-LaPadula model, 126–127

runtime environments, 406–407

S

SaaS (Software as a Service), 144

safety, personnel, 388–392

sags, power, 180

SAML (Security Assertion Markup Language), 253–254

SAMM (Software Assurance Maturity Model), 400

sandboxing, 335–336

sanitizing media, 316–317

SANs (storage area networks), 350

Sarbanes-Oxley (SOX) Act, 24

SAST (static application security testing), 410

satellites in wireless technologies, 203

saving lives, 360

SCADA (supervisory control and data acquisition) systems, 142–143

schedules for patch updates, 341

SCM (software configuration management), 408

scope in business impact analysis, 46–47

scoping and tailoring controls, 111

screened subnets, 329

screening candidates, 49

screening routers, 210, 329

SCRM. See supply chain risk management (SCRM)

Scrum methodology, 397

SD-WAN (software-defined wide area networking), 196, 222

SDLC. See software development life cycle (SDLC)

SDN (software-defined networking), 195–196, 222

sealing process in TPM, 136

second generation programming languages, 404

secret keys

asymmetric encryption, 152–154

symmetric encryption, 151–152

secure defaults, 117

secure processing, 137

secure protocols, 189

Secure Real-time Transport Protocol (SRTP), 217

Secure Shell (SSH), 191, 221

Secure Sockets Layer/Transport Layer Security (SSL/TLS), 221

security and risk management

business continuity, 45–48

compliance, 23–28

internal governance, 39–44

investigations, 35–39

legal and regulatory requirements, 29–34

objectives, 1–2

personnel security policies and procedures, 48–56

professional ethics, 2–8

risk management, 57–70

security awareness, 80–84

security concepts, 9–11

security governance principles, 16–22

supply chain risk management, 74–79

tenets of information security, 11–16

threat modeling, 70–74

security architecture and engineering

control selection, 130–134

cryptanalytic attacks, 161–167

cryptographic solutions, 148–161

defense in depth, 117

fail securely, 117–118

information systems, 135–139

least privilege principle, 116–117

objectives, 115–116

principles, 115–122

privacy by design, 119

secure defaults, 117

security models, 122–130

separation of duties, 118

shared responsibility, 120

simplicity, 119

site and facility controls, 173–181

site and facility design, 167–172

threat modeling, 116

trust but verify principle, 119–120

vulnerabilities, 139–148

zero trust, 119

Security as a Service, 332

Security Assertion Markup Language (SAML), 253–254

security assessment and testing

analyses, 277–281

audits, 281–284

definitions, 260–261

evaluations, 261–264

external auditors, 282–283

internal auditors, 282

objectives, 259–260

security control testing, 264–272

security process data collection, 272–276

third-party auditors, 283–284

security auditor responsibilities, 19

security awareness

methods and techniques, 80–81

periodic content reviews, 82

presentation techniques, 81–82

program effectiveness evaluation, 82

review and questions, 82–84

security clearances, 240

security concepts

availability, 11

confidentiality, 10

data, information, systems, and entities, 9–10

integrity, 11

introduction, 9

tenets of information security, 13–14

security control frameworks, 19–20

security control selection

data protection requirements, 131–132

governance requirements, 132

interface requirements, 132

overview, 130–131

performance and functional requirements, 131

review and questions, 133–134

risk response requirements, 133

standards selection, 110–111

security control testing

breach attack simulations, 270

code review and testing, 268–269

compliance checks, 270

interface testing, 269–270

log reviews, 267–268

misuse cases, 269

overview, 264

penetration testing, 265–267

review and questions, 271–272

synthetic transactions, 268

test coverage analysis, 269

vulnerability assessments, 265

security controls

assessments, 66–67

data security, 109–114

functions, 65–66

network, 211–212

site and facility, 173–181

software development security, 403–412

third parties, 52–53

types, 65

security governance

alignment of security functions to business requirements, 17–21

external, 16

internal, 16–17

introduction, 16

review and questions, 21–22

security information and event management (SIEM) systems, 297

security models, 122

confidentiality models, 126–127

integrity models, 127–128

review and questions, 128–130

system states and processing modes, 124–126

terms and concepts, 123–124

security operations

business continuity, 372–377

change management, 344–348

concepts, 308–314

configuration management, 304–307

detective and preventive controls, 326–338

disaster recovery, 359–367

incident management, 318–326

investigations, 286–294

job rotation, 311–312

logging and monitoring, 295–304

mandatory vacations, 312

need-to-know principle, 308

objectives, 285–286

patch and vulnerability management, 339–344

physical security, 377–387

principle of least privilege, 309

privileged account management, 310–311

recovery strategies, 348–359

resource protection, 314–318

review and questions, 313–314

separation of duties, 309–310

service level agreements, 312–313

security orchestration, automation, and response (SOAR), 407

security process data, collecting, 272–276

security services by third parties, 332–333

security strategy and business strategy, 17

security tests for application security, 409

security through obscurity, 150

self-encrypting drives (SEDs), 137

self-service password reset, 234

sensitive classification, 93

sensitivity levels in security models, 122

sensitivity of information, 131

separation of duties (SoD)

information security, 118

overview, 14

purpose, 309–310

site and facility design, 170

server-based system vulnerabilities, 140–141

server rooms, 175–176

serverless function vulnerabilities, 146

service level agreements (SLAs)

security operations, 312–313

supply chain risk management, 77

third-party provided security services, 333

third-party software, 418

service providers in SAML, 254

service risks, 75–76

Service Set Identifiers (SSIDs), 199

Session Initiation Protocol (SIP), 217

session keys

hybrid cryptography, 156

symmetric encryption, 151–152

session management, 232

shared responsibility

secure design, 120

site and facility design, 171–172

side-channel cryptanalytic attacks, 163–164

SIEM (security information and event management) systems, 297

signaling in wireless technologies, 197–198

signature-based anti-malware, 334–335

signature-based intrusion detection, 296, 332

signatures in cryptography, 158

simple integrity rule in Biba model, 127

simple security rule in Bell-LaPadula model, 126

simplicity

design principle, 119

site and facility design, 170

simulations

breach attacks, 270

business continuity plans, 375

disaster recovery plans, 369–370

sine waves in wireless technologies, 197

single-factor authentication, 230–231

single loss expectancy (SLE), 62–63

single sign-on (SSO), 234

single-state systems, 124

SIP (Session Initiation Protocol), 217

site and facility controls

areas of concern, 174–176

CPTED, 174

fire, 177–180

overview, 173–174

power, 180

review and questions, 181–182

utilities, 177

site and facility design

defaults, 169

defense in depth, 169

fail securely, 169–170

least privilege, 169

privacy by design, 171

review and questions, 172–173

separation of duties, 170

shared responsibility, 171–172

simplicity, 170

site planning, 167–168

threat modeling, 168–169

trust but verify principle, 171

zero trust principle, 171

site recovery. See recovery sites

site-to-site VPNs, 219

Skipjack algorithm, 150

SLAs. See service level agreements (SLAs)

SLE (single loss expectancy), 62–63

SOAR (security orchestration, automation, and response), 407

SoD. See separation of duties (SoD)

Software as a Service (SaaS), 144

Software Assurance Maturity Model (SAMM), 400

software configuration management (SCM), 408

software-defined networking (SDN), 195–196, 222

software-defined security, 424

software-defined wide area networking (SD-WAN), 196, 222

software development life cycle (SDLC)

change management, 401

integrated product teams, 401

life cycle, 394–395

maturity models, 398–400

methodologies, 395–398

operation and maintenance, 400

review and questions, 401–403

software development security

application security testing, 408–411

assets, 416–420

code repositories, 408

coding guidelines and standards, 420–425

continuous integration and continuous delivery, 407

controls, 403–412

DAST, 410

effectiveness, 412–415

integrated development environment, 406

libraries, 405–406

objectives, 393–394

programming languages, 404–405

runtime, 406–407

SAST, 410

SOAR, 407

software configuration management, 408

software development life cycle, 394–403

tool sets, 406

software risks, 75

software version control, 401

sound in intrusion detection systems, 384

source-code level weaknesses and vulnerabilities, 420–421

sources for security process data, 273

SOX (Sarbanes-Oxley) Act, 24

spikes, power, 180

Spiral developmental methodology, 396

Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege (STRIDE) threat model, 72, 301

spread-spectrum wireless technology, 198

sprints, 397

SRKs (storage root keys) in TPM, 136

SRTP (Secure Real-time Transport Protocol), 217

SSH (Secure Shell), 191, 221

SSIDs (Service Set Identifiers), 199

SSL/TLS (Secure Sockets Layer/Transport Layer Security), 221

SSO (single sign-on), 234

standards

control, 110–111

industry, 25, 37

internal governance, 41

NIST. See National Institute of Standards and Technology (NIST)

software code, 420–425

Wi-Fi, 199–201

star integrity rule in Biba model, 127

star property rule in Bell-LaPadula model, 126

stateful inspection firewalls, 210, 330

states

data, 109

system, 124–126

static application security testing (SAST), 410

static firewalls, 210, 329

steganography, 112

STIX (Structured Threat Information eXpression) threat model, 301

storage

assets, 91–92

backup. See backup storage

evidence, 176

media, 316

storage area networks (SANs), 350

storage keys in TPM, 136

storage root keys (SRKs) in TPM, 136

strategic goals, organizational, 17

strategies for security evaluations, 261–262

stream ciphers, 152

STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege) threat model, 72, 301

strong authentication, 231

strong star property rule in Bell-LaPadula model, 126

structural threats, 71

Structured Threat Information eXpression (STIX) threat model, 301

subjects

certificates, 157

data, 101–102

entities, 10

IAM, 226

security models, 122

subordinate CAs, 157

substitution ciphers, 149

supervisor responsibilities, 19

supervisory control and data acquisition (SCADA) systems, 142–143

supplicants in IEEE 802.1X, 192

supply chain risk management (SCRM)

description, 74

hardware, 75

minimum security requirements, 77

review and questions, 77–79

service level requirements, 77

services, 75–76

software, 75

third-party assessment and monitoring, 76

suppression, fire, 177–178

surges, power, 180

surveillance

CPTED, 174

perimeter security controls, 381

sustainment phase in asset life cycle, 106

switches, 209

symmetric encryption, 151–152

synchronization, code, 408

synthetic transactions, 268

system criticality, 340

system-high security mode, 125

system owner responsibilities, 19

system/security administrators responsibilities, 19

system states in security models, 124–126

systems, description, 9–10, 227

T

tables in database systems, 141–142

tabletop tests

business continuity plans, 375

disaster recovery plans, 368–369

TACACS, TACACS+ (Terminal Access Controller Access Control System), 221, 256

tactical goals, 17

tangible assets, 57, 97

targeted penetration tests, 267

targets in iSCSI, 195

TAXII (Trusted Automated eXchange of Indicator Information) threat model, 301

TCP/IP stack, 186–188

TDMA (time division multiple access), 204

technical controls, 65

technical vulnerabilities, 339

TEEs (trusted execution environments), 137

temperature in intrusion detection systems, 384

Temporal Key Integrity Protocol (TKIP), 200

temporary privilege escalation, 248–249

Ten Commandments of Computer Ethics, 5

tenets of information security

auditing and accountability, 12

authentication, 11–12

authenticity, 12

authorization, 12

identification, 11

nonrepudiation, 12–13

review and questions, 14–16

security concepts, 13–14

Terminal Access Controller Access Control System (TACACS, TACACS+), 221, 256

terminations, personnel, 52

territorial reinforcement in CPTED, 174

test coverage analysis in security control testing, 269

tests

application security, 408–411

asset life cycle, 106

business continuity plans, 375–376

change approval, 345

definition, 260–261

disaster recovery plans, 367–372

patches, 341–342

security control, 264–272

software development life cycle, 395

TGS (ticket granting service) in Kerberos, 255

TGTs (ticket granting tickets) in Kerberos, 254–255

third generation programming languages, 404

third parties

agreements and controls, 52–53

assessment and monitoring, 76

communications channels connectivity, 222–223

identity services, 237–239

security auditors, 283–284

security evaluation assessors, 262–263

security services, 332–333

software, 417–418

threat hunting, 300

threat intelligence, 298–300

threat modeling

actors, 58–59, 71–72

characteristics, 71

components, 70–71

methodologies, 72, 300–301

overview, 70

review and questions, 73–74

secure design, 116

site and facility design, 168–169

threat-vulnerability pairs, 58

threats

description, 58

identification, 59

3DES algorithm, 153

ticket granting service (TGS) in Kerberos, 255

ticket granting tickets (TGTs) in Kerberos, 254–255

tickets in Kerberos, 254–255

tight coupling in programming, 405

time division multiple access (TDMA), 204

time-of-check to time-of-use (TOC/TOU) attacks, 138, 164

timeliness in threat intelligence, 299

timing cryptanalytic attacks, 164

TLS (Transport Layer Security), 189–190

TOC/TOU (time-of-check to time-of-use) attacks, 138, 164

tolerance, risk, 60

tool sets in software development, 406

TPMs (Trusted Platform Modules), 135–136

traceroute utility, 188

trade secrets, 30–31

trademarks, 30–31

training

disaster recovery plans, 364

personnel security, 389

security awareness, 80–84

security process data, 274

transactions

Clark-Wilson model, 127–128

synthetic, 268

transborder data flow, 32

transfers

assets, 93

personnel, 51–52

transmission media in networks, 212–213

transmission of assets, 92

Transport Layer Security (TLS), 189–190

transportation

assets, 92

media, 316

transposition ciphers, 149

travel safety, 388–389

Trike threat model, 72, 301

trust but verify principle

secure design, 119–120

site and facility design, 171

Trusted Automated eXchange of Indicator Information (TAXII) threat model, 301

trusted execution environments (TEEs), 137

Trusted Platform Modules (TPMs), 135–136

tumbler locks, 384

turnstiles, 380

Twofish algorithm, 153

Type I hypervisors, 145

Type II hypervisors, 145

U

U.S. government classification systems, 94

UEBA (user and entity behavior analytics), 301–302

unethical (black-hat) hackers, 266

uninterruptible power supplies, 180

unit tests for application security, 409

updates

criticality, 340–341

managing, 340

patches, 341

urgent changes, 346

use case tests in application security, 409

user accounts

access review, 249–250

deprovisioning, 246–247

registration, 246

security process data, 274

user and entity behavior analytics (UEBA), 301–302

user stories in Agile methodology, 397

users

data, 101–102

responsibilities, 19

utilities in site and facility controls, 177

V

vacations, mandatory, 312

validating evaluations, 261–264

VAST (Visual, Agile, and Simple Threat) modeling, 72, 301

vaulting, electronic, 351

vectors, threat, 300

vendors, agreements and controls with, 52–53

verification, backup, 274

versatile memory in TPM, 136

version control

software, 401

software configuration management, 408

vertical enactments, 32

very high-level programming languages, 404

Virtual eXtensible Local Area Network (VxLAN), 196, 222

virtual LANs (VLANs), 208, 222

virtual private networks (VPNs), 219–220

virtual storage area networks (VSANs), 222

virtualized networks communications channels, 222

virtualized system vulnerabilities, 145

Visual, Agile, and Simple Threat (VAST) modeling, 72, 301

VLANs (virtual LANs), 208, 222

voice communications, 215–218

Voice over Internet Protocol (VoIP), 195, 217

VPNs (virtual private networks), 219–220

VSANs (virtual storage area networks), 222

vulnerabilities

assessments, 59, 265

client-based systems, 140

cloud-based systems, 144–145

containerization, 146

cryptographic systems, 142

database systems, 141–142

description, 57–58

distributed systems, 141

edge computing systems, 146–147

embedded systems, 143–144

high-performance computing systems, 146

identifying, 59–60

industrial control systems, 142–143

Internet of Things, 143

microservices, 146

review and questions, 147–148

server-based systems, 140–141

serverless functions, 146

source-code level, 420–421

virtualized systems, 145

vulnerability management

nontechnical, 340

review and questions, 342–344

technical, 339

vulnerability testing in application security, 410

VxLAN (Virtual eXtensible Local Area Network), 196, 222

W

WAFs (web application firewalls), 330

walk-through tests

business continuity plans, 375

disaster recovery plans, 369

warded locks, 383

warm sites, 353

Wassenaar Arrangement, 31

water sprinkler systems, 179

Waterfall methodology, 395–396

wave pattern motion detectors, 385

weaknesses in source-code level, 420–421

web application firewalls (WAFs), 330

well-formed transactions in Clark-Wilson model, 127–128

WEP (Wired Equivalent Privacy), 200

wet pipe water sprinkler systems, 179

white-box penetration tests, 267

white-hat (ethical) hackers, 266

whitelisting, 327–328

Wi-Fi

fundamentals, 199

overview, 199

physical standards, 199–201

security, 200–202

Wi-Fi Protected Access (WPA), 200

Wired Equivalent Privacy (WEP), 200

wireless technologies

Bluetooth, 202

cellular networks, 204–205

introduction, 197

Li-Fi, 203–204

satellites, 203

theory and signaling, 197–198

Wi-Fi, 199–202

Zigbee, 202–203

wiring closets, 175

work area security, 176

work functions in cryptosystems, 151

workplace ethics statements and policies, 4–5

WPA (Wi-Fi Protected Access), 200

X

XP (Extreme Programming), 398

Z

zero-knowledge penetration tests, 267

zero trust principle

secure design, 119

site and facility design, 171

Zigbee technology, 202–203

zones in perimeter security, 378–379
