Raymond Pompon

IT Security Risk Control Management

An Audit Preparation Plan

Raymond Pompon

Seattle, Washington, USA

Any source code or other supplementary materials referenced by the author in this text are available to readers at www.apress.com. For detailed information about how to locate your book’s source code, go to www.apress.com/source-code/.

ISBN 978-1-4842-2139-6

e-ISBN 978-1-4842-2140-2

DOI 10.1007/978-1-4842-2140-2

Library of Congress Control Number: 2016952621

© Raymond Pompon 2016

IT Security Risk Control Management: An Audit Preparation Plan

Managing Director: Welmoed Spahr

Acquisitions Editor: Susan McDermott

Developmental Editor: Laura Berendson

Technical Reviewer: Mike Simon, Dena Solt

Editorial Board: Steve Anglin, Pramila Balen, Laura Berendson, Aaron Black, Louise Corrigan, Jonathan Gennick, Robert Hutchinson, Celestin Suresh John, Nikhil Karkal, James Markham, Susan McDermott, Matthew Moodie, Natalie Pao, Gwenan Spearing

Coordinating Editor: Rita Fernando

Copy Editor: Kim Burton-Weisman

Compositor: SPi Global

Indexer: SPi Global

For information on translations, please e-mail [email protected], or visit www.apress.com.

Apress and friends of ED books may be purchased in bulk for academic, corporate, or promotional use. eBook versions and licenses are also available for most titles. For more information, reference our Special Bulk Sales–eBook Licensing web page at www.apress.com/bulk-sales.

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.

Trademarked names, logos, and images may appear in this book. Rather than use a trademark symbol with every occurrence of a trademarked name, logo, or image we use the names, logos, and images only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark. The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights.

While the advice and information in this book are believed to be true and accurate at the date of publication, neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions that may be made. The publisher makes no warranty, express or implied, with respect to the material contained herein.

Printed on acid-free paper

Distributed to the book trade worldwide by Springer Science+Business Media New York, 233 Spring Street, 6th Floor, New York, NY 10013. Phone 1-800-SPRINGER, fax (201) 348-4505, e-mail [email protected], or visit www.springer.com. Apress Media, LLC is a California LLC and the sole member (owner) is Springer Science + Business Media Finance Inc (SSBM Finance Inc). SSBM Finance Inc is a Delaware corporation.

To all the defenders out there working unnoticed to keep us safe.

Introduction

Far and away the best prize that life has to offer is the chance to work hard at work worth doing.

—Theodore Roosevelt

Growing up before the Internet invaded everything, my discovery of computers in my teen years was akin to discovering and exploring a new hidden alien world. That shiny TRS-80 in my high school library was a magical portal of unlimited possibilities. I’m happy to say that that magic still tickles my brain. As I grew in knowledge and skill, I delved deeper into technology’s sorcerous mysteries: programming, dial-up communities, the Internet, hacking culture. It was here that I found IT security: the most engaging, most challenging, most thought-provoking aspect of computing. Security feels like a never-ending undersea duel between remote-controlled fleets of submarines during uncertain weather conditions.

Congratulations on choosing to work in IT security—doing combat engineering in the war zone of the Internet. It’s exciting and exacting work, where a single lapse can mean a hole that an invisible intruder can creep into. Security can also be the kind of work that not everyone appreciates. Much like airport security, IT security gets in the way, slows us down, and creates a hassle. Many people see security as overhead that apparently contributes nothing to revenue or growing the customer base.

Security defines its best successes to be when nothing happens. After a long period of these kinds of successes, an organization ponders whether you are necessary or not. Then you have to deal with the bothersome chore of justifying what you’ve done to an auditor and the budget axe.

When things do go wrong, many quickly accuse the security team of negligence and ineptitude. Breaches often end up as headlines, embarrassing the whole organization. IT security teams can be trotted out by their own organization as the scapegoats. All of this humiliation is suffered while knowing that the bad guys have outspent, outlasted, and outwitted you.

It’s not enough to discourage me, though. There is the thrill of the chase and arrest of the perpetrators. I’ve helped take down a tiny fraction of them, but that’s ancillary to what matters. What IT security does is protect privacy, bolster confidence, and keep vital systems up. It feels good to make critical systems more durable and predictable—and maybe knowing that you’ve deprived some creep of one less victim. I am energized by designing new systems and making them resilient in the face of a horde of attackers. There’s joy in digging deep and figuring out where the holes are, where the best place to bolster the defenses is, and then untangling all of this for the financial decision makers. It’s more compelling than all the puzzles and video games in the world. IT security is an interesting and challenging field, which rewards dedication and open-mindedness.

An Audit Focus

This book is framed to walk you through building a security program for an organization about to be audited. Even if you don’t think you’re going to be audited, this is still a useful way to approach a security program. If you think you’re not going to be audited, think again.

Even if you aren’t being audited, it’s useful to act as if you will. The threat of outside scrutiny focuses your attention and keeps you from getting sloppy. For some, the fear of an audit is greater than a fear of hackers. Audits force you to be thorough and organized in your work.

What Technological Knowledge Should You Pursue?

Where do you begin with all of this? IT security requires practitioners to have a strong working knowledge of the fundamental mechanisms of a wide area of technology. This includes experience with the implementation and management of those systems. IT operations such as help desk support, asset inventory, patching, and system configuration are all key components of an organization’s defense. Since a majority of attacks come in via the Internet, a good understanding of Internet protocols and network technology is essential.

Because they will be analyzing the risk of software and systems of software components and strapping controls onto them, IT security professionals should at least have a fundamental grasp of programming. A good measure of this is being able to create something simple but useful in a basic scripting language like Perl, Bash, or PowerShell. Bonus points for doing something in Ruby/Python/Java.

IT security professionals also benefit from a basic knowledge of databases. Since most large IT systems are built upon a database of some sort, it’s helpful to know a little SQL. You should at least be able to write queries and understand how tables and indices work. You don’t need to become a DBA, but tinker with something like SQLite or MySQL.

As you can see, IT security professionals need to keep up with technology. Keeping up is part of the job. Since you’re reading this book, it’s likely that you already don’t mind doing homework to improve your skillset. That’s the first lesson of IT security: never ever be complacent.

What Other Knowledge Should You Pursue?

One of the most interesting things about IT security is the requirement to study a diverse range of related disciplines. To be effective, IT security professionals need to branch out of technology. Within an organization, IT security works with many different departments at an operational level, including human resources, physical security, accounting, legal, business development, software development, and sales. This means helping these departments modify and redesign business processes to accommodate security and audit requirements. IT security professionals need to have knowledge of key organizational financial processes, such as budgeting, revenue flows (sales), disbursements, and the related business cycles. This book gets into how this happens.

Knowing the organization’s sector and competitive space is also important, as you may be sharing and comparing information on common risks and regulations amongst your industry peers. Nearly every major organizational sector has peer groups dedicated to security; you should consider joining them and subscribing to their information feeds. Just plug ISAC (Information Sharing and Analysis Center) and your industry name into a search engine and see what you get.

Since many of the things that IT security does are projects, it’s helpful to have project management skills. I’ve been managing projects for decades and I’m still not satisfied with how well I run a project. Many organizations get hacked because they’ve skipped a few simple but tedious details somewhere in the implementation or routine process.

IT security professionals should understand how corporate culture works and how it differs from organization to organization. This understanding is crucial in being a change agent and educator. It means being able to present orally and in writing. In addition, we should have a good working knowledge of the psychology of risk. This means understanding how people react to risk and how to frame risk so that they can make optimal decisions. You should also be aware of the common fallacies and traps people fall into when weighing risky decisions. We’ll get into this a lot more in the book.

IT security professionals need to know something about the law. This includes obvious things like security and privacy regulations, including US federal and state laws, as well as international regulations, since the Internet is global. IT security professionals benefit from an understanding of contract law and liability, as well as the legal implications and requirements of commercial compliance standards and internal organizational policies. This is covered in more detail in the chapters of this book.

While IT security professionals should understand areas outside of technology, they should expect everyone else to be ignorant of security. So IT security professionals need to continually explain and justify IT security concepts for executives, project managers, human resource officers, legal counsel, physical security officers, and law enforcement.

How this Book Is Laid Out

This book follows a chronological progression of building a security program and getting ready for audit.

Part I: Getting a Handle on Things. A good way to develop a security program is to design with an audit in mind to focus attention and to ensure that all controls work as described. This section covers the audit focus, asset analysis, risk assessment, and scope design.

Part II: Wrangling the Organization. This section includes chapters on how to design, nurture, and incorporate an IT security program into a dynamic organization over time. You rarely have a chance to design a program when a new company is formed. Most companies are born without security and need it added later as they grow and experience more security incidents. A security professional is always growing and trimming their program to fit the needs of their organization. These chapters cover everything from high-level governance to how you work with the various teams.

Part III: Managing Risk with Controls. Once the risk and scope are fleshed out, controls can be applied to reduce the risk. This series of chapters covers the various types of controls and how you can best implement them. This is the biggest section, starting with control design and moving into the implementation details of technical and physical controls.

Part IV: Being Audited. This section covers the process of being audited. Its chapters describe how to hire an auditor and the mechanics of various types of formal audits. It also covers the healing power of internal audits and the auditing of your organization’s critical partners and suppliers.

Acknowledgments

A huge thank you to my family for the boundless encouragement, love, and support. Thank you and I love you Rebecca, August, and Theo. Thank you to my mom and Jim, who nudged me to do this.

Dad, I wish you could read this. Maybe in some way you are. You taught me so much.

Much gratitude to all my teachers and fellow artists who inspired and taught me at the Richard Hugo House. Special thanks to you, Frances, for opening up this geek’s world.

To the rest of the Conjungi gang: Cory, Mark, Sara, and Julie. I learned so much from all of you and I miss the heck out of you.

Thank you to everyone who worked hard and fast to make this book a reality: Mike for showing me the way and going above and beyond to help get this book done. Dena, who set me straight on the audit details. Kyle for giving me pointers along the way. Jana for a rocking author photo. Rita, for keeping me and everyone on track. Susan for taking a chance on a new author. Light is the task where many share the toil.

Contents

  1. Part I: Getting a Handle on Things
    1. Chapter 1:​ Why Audit?​
      1. You Will Be Audited
        1. What Is an Audit?​
        2. Regulated Industries That Require Audits
        3. Regulated Industries Without Explicit Audits
        4. Business Transactions Can Loop You into an Audit
        5. A Lawsuit May Drag You into Something Worse Than an Audit
        6. Business-to-Business Audits
        7. Will/​Should You Audit Your IT Security Controls?​
      2. Audit Misconceptions
        1. The Burden of Audit Is on You
        2. Aim Higher Than Compliance
      3. Audits Are Useful
        1. Audits Make You Look Good
        2. The Audit as a Forcing Function
      4. Audit Types
        1. ISO 27001
        2. The SSAE 16
        3. PCI DSS
        4. Auditors Auditing
      5. What Is the Right Audit for You?​
    2. Chapter 2:​ Assume Breach
      1. The Lesson of Fort Pulaski
        1. The Invincible
        2. Ownership Changes Hand
        3. New Exploit Technology Is Introduced
      2. The Complexity of IT Systems
        1. A Tangled Web of Code
        2. Complexity and Vulnerability
        3. Technical Vulnerabilities
      3. Attackers Are Motivated
      4. The Assume Breach Mindset
        1. Living in Assume Breach World
    3. Chapter 3:​ Risk Analysis:​ Assets and Impacts
      1. Why Risk
        1. Risk Is Context Sensitive
      2. Components of Risk
        1. Calculating Likelihood
      3. Calculating Impact
        1. IT Asset Inventory
        2. Asset Value Assessment
        3. Assessing Impact
        4. Indirect Impacts
        5. Compliance Impacts
      4. Qualitative vs.​ Quantitative
        1. Qualitative Analysis
        2. Clarifying Your Qualitative
        3. Quantitative Analysis
        4. Annualized Loss Expectancy
      5. Formalizing Your Risk Process
    4. Chapter 4:​ Risk Analysis:​ Natural Threats
      1. Disaster Strikes
      2. Risk Modeling
      3. Modeling Natural Threats
      4. Modeling Impact with Failure Mode Effects Analysis
        1. Simple FMEA Example
        2. Breaking down a System
        3. Analyzing Functions
        4. Determining Failure Effects
      5. Business Impact Analysis
      6. Documenting Assumptions
    5. Chapter 5:​ Risk Analysis:​ Adversarial Risk
      1. A Hospital under Attack
      2. Adversarial Risk
        1. Overview of Attacker Types
      3. Understanding Attacker Capability
        1. Technical Capability
        2. Trickery Capability
        3. Time
        4. Techniques
      4. Understanding Attacker Incentives
        1. Monetary Incentives
        2. Political Incentives
        3. Personal Incentives
      5. Common Attack Techniques
        1. Kill Chain
        2. Stealing Authentication
        3. Exfiltration
      6. Building the Adversarial Risk Model
        1. Qualitative Example
        2. Quantitative Example
  2. Part II: Wrangling the Organization
    1. Chapter 6:​ Scope
      1. Developing Scope
      2. Compliance Requirement Gathering
        1. Zero in on PII
        2. PCI DSS Scoping
        3. SSAE SOC 1 Scoping
        4. Supporting Non-IT Departments
        5. Double Check
      3. Writing Scope Statements
      4. Control Inventory
        1. Control Effectiveness and Efficiency
      5. Scoping Adjacent Systems
      6. Scope Barriers
        1. Technical Barriers
        2. Physical Barriers
        3. Process Barriers
      7. Scoping Hints
        1. Start Small and Expand
        2. But Not Too Small
        3. Simplification
    2. Chapter 7:​ Governance
      1. Governance Frameworks
        1. The ISMS
      2. Establish the ISMS
        1. The ISMS Steering Committee
        2. Duties of the ISMS Committee
        3. Key Roles
        4. ISMS Charter
        5. Obtain Executive Sponsorship
      3. Plan:​ Implement and Operate a Security Program
        1. Decide upon and Publish the Goals
      4. Do:​ Risk Treatment
        1. Risk Treatment
      5. Check:​ Monitor and Review Security Program
      6. Act:​ Maintain and Improve Security Program
    3. Chapter 8:​ Talking to the Suits
      1. When Security Appears to be Anti-Business
        1. Who Really Decides?​
      2. Understanding the Organization
        1. How to Ask
        2. Who Do You Ask
        3. What to Ask
        4. What to Do with This
      3. Answering Questions
        1. Do the Research
        2. Don’t Wander Outside Your Area of Expertise
        3. How to Talk Their Talk
      4. Explaining Risk
        1. Proposing a Course of Action
    4. Chapter 9:​ Talking to the Techs
      1. IT Security vs.​ IT
      2. Techie Traps
        1. The Infinitely Long IT Work Queue
        2. Perpetual Design
        3. Dragging Projects
        4. Other Tools
      3. Working with Other Security Pros
        1. IT Security Roles
        2. Hiring for Security
    5. Chapter 10:​ Talking to the Users
      1. Specific Challenges for the Users
        1. Complexity
        2. Different Paradigm, Different Goals
        3. Culture Clashes
      2. Tools for Helping Users
        1. Empathy
        2. Let the Work Flow Smoothly
        3. Work with the Users
        4. Get Users on Your Side
      3. Security Awareness Training
  3. Part III: Managing Risk with Controls
    1. Chapter 11:​ Policy
      1. What Is Policy?​
        1. What Isn’t Policy
      2. Writing Policy
        1. Policy and the Law
        2. Keep It Simple
        3. Policies Don’t Have to Be Perfect
      3. Key Policy:​ Security Policy
        1. Components of the Policy
        2. Scope
        3. Policy Goal
        4. Governance
        5. Risk Management
        6. Expectations for User Behavior
        7. Sample Security Policy
      4. Key Policy:​ Acceptable Usage Policy
        1. Goal
        2. Scope
        3. Privacy Disclaimers
        4. Handling the Data
        5. Handling the Machines
        6. Define Misuse
        7. Social Media
        8. Security Responsibilities​
        9. Sanctions
        10. Sample Acceptable Usage Policy
      5. Policy Rollout
    2. Chapter 12:​ Control Design
      1. A Control Not Used Is a Control Wasted
        1. What Is a Control?​
      2. What Is a Good Control?​
        1. Proportionate to Risk
        2. Standardized and Measured
        3. Documented
      3. Control Lists
      4. Controls in Combination
        1. Key Controls
        2. Compensating Controls
        3. Control Functions and Failures
      5. Control Cost
        1. Reducing the Cost of Controls
    3. Chapter 13:​ Administrative Controls
      1. Control Maturity
        1. Capability Maturity Model
        2. The Power of Good Admin Controls
      2. Differences in Documents
      3. Critical Admin Control:​ Asset Management
        1. Sample Asset Management Policy
        2. Sample Asset Management Standard
      4. Critical Admin Control:​ Change Control
        1. Sample Change Control Policy
        2. Change Control Standards
        3. Change Control Tracking
      5. Critical Admin Control:​ Application Security
        1. Sample Application Security Policy
        2. Application Security Standards
        3. Software Acquisition
      6. Critical Manual Control:​ Record and Media Management
        1. Sample Record and Media Management Policy
    4. Chapter 14:​ Vulnerability Management
      1. Organizing Vulnerability Management
        1. Sample Vulnerability Management Policy
        2. Vulnerability Management Breakdown of Responsibilities​
      2. Hardening Standards
        1. Sample Hardening and Vulnerability Management Standard
        2. How to Fill in the Hardening Standards?​
      3. Vulnerability Discovery
        1. Vulnerability Notification
        2. Discovery Scanning
        3. Vulnerability Scanning
        4. Penetration Testing
        5. Dynamic Application Testing
      4. Prioritization and Risk Scoring
        1. Higher Priority
        2. Lower Priority
        3. More Food for Thought
      5. Patching
        1. Scan Again
    5. Chapter 15:​ People Controls
      1. Policy for the People
        1. Sample Human Resource Security Policy
      2. Employee Role Changes
      3. Background Screening
        1. When to Check
        2. Who to Check
        3. What to Check
        4. What to Do When There’s a Problem
      4. Employment Agreements
      5. Security Training
      6. Sanctions for Policy Violations
      7. Managing the Insider Threat
        1. Monitoring
        2. Least Privilege
        3. Strong User Management
        4. Segregation of Duties
        5. Know Your User
        6. Filtering
      8. Processes, Not Individuals
    6. Chapter 16:​ Logical Access Control
      1. Defining Access Control
        1. Sample Logical Access Control Policy
      2. Authentication
        1. Something You Know
        2. Something You Have
        3. Something You Are
        4. Multifactor Authentication
        5. Authentication Standards
      3. Authorization
        1. Role-based Access Control
        2. System Authorization
        3. Sample Authorization Standards
      4. Accountability
      5. Access Control Tools
    7. Chapter 17:​ Network Security
      1. Understand Networking Technology
      2. Network-based Attacks
        1. Remote Exploits
        2. Remote Password Guessing
        3. Drive-by-Download Attacks
        4. Network Denial of Service
        5. Sniffing
        6. Impersonation
        7. Man-in-the-Middle
        8. Exfiltration of Data
      3. Network Controls
        1. Sample Network Security Policy
        2. Network Security Standards
        3. Network Security Procedures
        4. Firewalls
        5. IDS/​IPS
        6. Transmission Encryption
    8. Chapter 18:​ More Technical Controls
      1. Internet Services Security
        1. Web Services
        2. E-mail Security
        3. DNS Security
      2. Encrypting Data at Rest
        1. Why Is Encryption Hard to Do?​
        2. Storage Crypto Policy and Standards
        3. Tokenization
      3. Malware Controls
        1. Anti-Malware Policy and Standards
        2. Malware Defense in Depth
      4. Building Custom Controls
    9. Chapter 19:​ Physical Security Controls
      1. Getting a Handle on Physical Security
        1. Physical Risk Assessments
      2. Physical Security Policy
        1. Sample Physical Security Policy
      3. Personnel Security
        1. Visitor Security
        2. Training
      4. Security in the Offices
        1. Clean Desk Policies
        2. Network Access Controls
      5. Secured Facilities Controls
        1. Racks and Cages
        2. Cameras
        3. Alarms
        4. Guards
        5. Environmental Controls
      6. Media and Portable Media Controls
        1. Media Destruction
        2. Laptop Controls
      7. Convergence of IT and Physical Security Controls
    10. Chapter 20:​ Response Controls
      1. Logging
        1. Sample Logging Policy
        2. What You Must Log
        3. Look at Your Logs
        4. Protecting Your Logs
      2. Backup and Failover
        1. Keep Backups Offsite and Safe
        2. What to Back Up
        3. Backup Policy
        4. Failover Systems
      3. Business Continuity Planning
        1. Sample Business Continuity Policy
        2. Expectations for Recovery
        3. Disaster Recovery Planning
      4. Incident Response Planning
        1. Incident Response Policy
      5. Incident Response Plan
        1. A Team Effort
        2. Communication Strategies
        3. Procedures for Common Scenarios
        4. Gathering Data
        5. Hunting and Fixing
        6. Legal Reporting Requirements
        7. Working with Law Enforcement
        8. Human Side of Incident Response
      6. After Action Analysis
        1. Root Cause Analysis
        2. Executive Summary
        3. Practicing
  4. Part IV: Being Audited
    1. Chapter 21:​ Starting the Audit
      1. Getting Ready for Audit
      2. Picking an Auditor
        1. We’re All on the Same Side
      3. What Happens During Audit
        1. Scope Review
        2. Control Review
        3. Audit Evidence Gathering
        4. Roles During an Audit
      4. Specific Audits
        1. SSAE 16 Audits
        2. ISO 27001 Audits
        3. PCI DSS Audit
      5. Disagreeing with Auditors
    2. Chapter 22:​ Internal Audit
      1. The Role of Internal Audit
        1. Internal Auditor Independence
        2. Internal Auditor Competence
        3. How Small Can the Role Go?​
      2. To Heal, Not to Punish
        1. Check Before the Auditors Check
      3. The Internal Audit Process
        1. Measuring a Control
        2. Publish to Management
        3. Keep Records
    3. Chapter 23:​ Third-Party Security
      1. Which Third Parties Are Relevant?​
      2. Analysis of Third Parties
        1. Risk Analysis
        2. Control Gap Analysis Approach
        3. Getting Answers
        4. Reading Their Audit Reports
        5. Analyzing It All
      3. Controlling Third-Party Risk
        1. Sample Policy for Third-Party Management
        2. Software Procurement
        3. Security Service Agreements
        4. Technical Controls
      4. Document Your Work
    4. Chapter 24:​ Post Audit Improvement
      1. Reviewing Everything
        1. Reviewing What Worked
        2. Reviewing What Didn’t Work
      2. Analyzing the Data
        1. Looking for Systematic Issues
        2. Look for Things that Aren’t Broken yet, but Will Be
      3. Making Changes
        1. Look Before You Leap
        2. Improving the Controls
        3. Bridge Letters
        4. Rolling out a Change Plan
      4. We Can Never Stop Trying to Improve
  5. Index

About the Author and About the Technical Reviewer

About the Author

Raymond Pompon is currently the director of security at a global solutions provider in the financial services industry. With over 20 years of experience in Internet security, he has worked closely with federal investigators in cyber-crime investigations and apprehensions. He has been directly involved in several major intrusion cases, including the FBI undercover Flyhook operation and the Northwest Hospital botnet prosecution. For six years, Raymond was president and founder of the Seattle chapter of InfraGard, the FBI public-private partnership. He is a lecturer and on the board of advisors of three information assurance certificate programs at the University of Washington. Raymond has written many articles and white papers on advanced technology topics and is frequently asked to speak as a subject matter expert on Internet security issues. National journalists have solicited and quoted his thoughts and perspective on the topic of computer security. He is a certified information systems security professional as well as GIAC certified in the Law of Data Security & Investigations (GLEG).

About the Technical Reviewer

Mike Simon has an education in computer science and 25 years’ experience designing and securing information systems. Mike is a well-known and highly respected member of the Northwest’s information security community. Mike is faculty at the University of Washington Information School, a published author, an active collaborator in the PRISEM project and other regional initiatives, and a subject matter expert in the energy and finance sectors. He has also integrated with law enforcement through contacts with the FBI, the Department of Homeland Security, and InfraGard.
