Title Details

With over 20 years of experience as both an educator and IT professional, Adam Gordon holds numerous Professional IT Certifications including CISSP, CISA, CRISC, CHFI, CEH, SCNA, VCP, and VCI. He is the author of several books and has achieved many awards, including EC-Council Instructor of Excellence for 2006-07 and Top Technical Instructor Worldwide, 2002-2003. Adam holds his Bachelor's Degree in International Relations and his Master's Degree in International Political Affairs from Florida International University. Adam has held a number of positions during his professional career including CISO, CTO, Consultant, and Solutions Architect. He has worked on many large implementations involving multiple customer program teams for delivery. Adam has been invited to lead projects for companies such as Microsoft, Citrix, Lloyds Bank TSB, Campus Management, US Southern Command (SOUTHCOM), Amadeus, World Fuel Services, and Seaboard Marine.

Foreword xvii

Introduction xix

DOMAIN 1: ACCESS CONTROLS 1

Objectives 3

Access Control Concepts 3

Applying Logical Access Control in Terms of Subjects 4

Applying Logical Access Control in Terms of Objects or Object Groups 9

Implementing Access Controls 11

Discretionary Access Control 11

Role-Based Access Controls 14

Nondiscretionary Access Control 21

Mandatory Access Control 21

Attribute-Based Access Control 22

Security Architecture and Models 23

Bell–LaPadula Confidentiality Model 23

Biba and Clark–Wilson Integrity Models 24

Additional Models 26

Implementing Authentication Mechanisms—Identification, Authentication, Authorization, and Accountability 27

Identification (Who Is the Subject?) 27

Authentication (Proof of Identity) 29

Authorization 51

Authentication Using Kerberos 55

User/Device Authentication Policies 58

Comparing Internetwork Trust Architectures 59

Internet 59

Intranet 60

Extranet 60

Demilitarized Zone (DMZ) 60

Trust Direction 61

One-Way Trust 62

Two-Way Trust 62

Trust Transitivity 62

Administering the Identity Management Lifecycle 62

Authorization 62

Proofing 63

Provisioning 63

Maintenance 63

Entitlement 63

Summary 63

Sample Questions 64

Notes 67

DOMAIN 2: SECURITY OPERATIONS 71

Objectives 73

Code of Ethics 74

Code of Ethics Preamble 74

Code of Ethics Canons 75

Applying a Code of Ethics to Security Practitioners 76

Security Program Objectives: The C-I-A Triad and Beyond 77

Confidentiality 77

Integrity 78

Availability 79

Non-Repudiation 80

Privacy 80

Security Best Practices 82

Designing a Security Architecture 82

Secure Development and Acquisition Lifecycles 95

System Vulnerabilities, Secure Development, and Acquisition Practices 101

Hardware/Software 104

Data 106

Disclosure Controls: Data Leakage Prevention 118

Technical Controls 119

Operational Controls 121

Managerial Controls 121

Implementation and Release Management 130

Systems Assurance and Controls Validation 132

Change Control and Management 132

Configuration Management 135

Security Impact Assessment 139

System Architecture/Interoperability of Systems 139

Patch Management 140

Monitoring System Integrity 142

Security Awareness and Training 142

Interior Intrusion Detection Systems 146

Building and Inside Security 152

Securing Communications and Server Rooms 166

Restricted and Work Area Security 169

Data Center Security 170

Summary 177

Sample Questions 178

Notes 181

DOMAIN 3: RISK IDENTIFICATION, MONITORING, AND ANALYSIS 185

Objectives 187

Introduction to Risk Management 187

Risk Management Concepts 187

Security Auditing Overview 203

Responding to an Audit 208

Exit Interview 208

Presentation of Audit Findings 208

Management Response 208

Security Assessment Activities 209

Vulnerability Scanning and Analysis 209

Penetration Testing 224

Operating and Maintaining Monitoring Systems 239

Security Monitoring Concepts 239

Attackers 245

Intrusions 246

Events 247

Types of Monitoring 247

Log Files 249

Source Systems 257

Security Analytics, Metrics, and Trends 258

Visualization 260

Event Data Analysis 261

Communication of Findings 266

Going Hands-on—Risk Identification Exercise 266

Virtual Testing Environment 267

Creating the Environment 268

Summary 279

Sample Questions 280

Notes 283

DOMAIN 4: INCIDENT RESPONSE AND RECOVERY 285

Objectives 287

Incident Handling 287

Preparation 289

Detection and Analysis 296

Containment, Eradication, and Recovery 306

Post-Incident Activity 308

Recovery and Business Continuity 319

Business Continuity Planning 319

Disaster Recovery Planning 326

Plan Testing 330

Plan Review and Maintenance 333

Summary 340

Sample Questions 341

Notes 344

DOMAIN 5: CRYPTOGRAPHY 345

Objectives 346

Encryption Concepts 347

Key Concepts and Definitions 347

Foundational Concepts 350

Evaluation of Algorithms 355

Hashing 356

Encryption and Decryption 361

Symmetric Cryptography 361

Asymmetric Cryptography 376

Hybrid Cryptography 381

Message Digests 382

Message Authentication Code 382

HMAC 383

Digital Signatures 383

Non-Repudiation 384

Methods of Cryptanalytic Attack 385

Data Sensitivity and Regulatory Requirements 390

Legislative and Regulatory Compliance 390

End-User Training 394

Public Key Infrastructure (PKI) 395

Fundamental Key Management Concepts 397

Management and Distribution of Keys 404

Secure Protocols 413

Going Hands-on with Cryptography—Cryptography Exercise 417

Requirements 417

Setup 418

Key Exchange and Sending Secure E-mail 431

Conclusion 439

Summary 439

Sample Questions 440

End Notes 443

DOMAIN 6: NETWORKS AND COMMUNICATIONS SECURITY 447

Objectives 449

Security Issues Related to Networks 449

OSI and TCP/IP Models 450

IP Networking 460

Network Topographies and Relationships 467

Commonly Used Ports and Protocols 477

Telecommunications Technologies 496

Converged Communications 496

VoIP 499

POTS and PBX 500

Cellular 501

Attacks and Countermeasures 501

Control Network Access 503

Hardware 507

Wired Transmission Media 509

Endpoint Security 513

Voice Technologies 513

Multimedia Collaboration 515

Open Protocols, Applications, and Services 516

Remote Access 517

Data Communication 522

LAN-Based Security 522

Separation of Data Plane and Control Plane 522

Segmentation 523

Media Access Control Security (IEEE 802.1AE) 526

Secure Device Management 527

Network-Based Security Devices 530

Network Security Objectives and Attack Modes 531

Firewalls and Proxies 534

Network Intrusion Detection/Prevention Systems 537

IP Fragmentation Attacks and Crafted Packets 544

DoS/DDoS 547

Spoofing 551

Wireless Technologies 555

Wireless Technologies, Networks, and Methodologies 555

Transmission Security and Common Vulnerabilities and Countermeasures 558

Summary 563

Sample Questions 564

End Notes 568

DOMAIN 7: SYSTEMS AND APPLICATION SECURITY 577

Objectives 580

Identifying and Analyzing Malicious Code and Activity 580

CIA Triad: Applicability to Malcode 581

Malcode Naming Conventions and Types 582

Malicious Code Countermeasures 598

Vectors of Infection 611

Malicious Activity 614

How to Do It for Yourself: Using the Social Engineer Toolkit (SET) 615

Long File Extensions 619

Double File Extensions 619

Fake Related Extension 622

Fake Icons 623

Password-Protected ZIP Files/RAR 624

Hostile Codecs 624

E-mail 624

Insider Human Threats 626

Insider Hardware and Software Threats 628

Spoofing, Phishing, Spam, and Botnets 630

Spoofing 630

Phishing 631

Spam 633

Botnets 635

Malicious Web Activity 638

Cross-Site Scripting (XSS) Attacks 639

Zero-Day Exploits and Advanced Persistent Threats (APTs) 639

Brute-Force Attacks 641

Instant Messaging 643

Peer-to-Peer Networks 643

Internet Relay Chat 644

Rogue Products and Search Engines 645

Infected Factory Builds and Media 645

Web Exploitation Frameworks 645

Payloads 646

Backdoor Trojans 646

Man-in-the-Middle Malcode 647

Identifying Infections 649

Malicious Activity Countermeasures 652

Third-Party Certifi cations 655

The Wildlist 656

Questionable Behavior on a Computer 656

Inspection of Processes 658

Inspection of the Windows Registry 659

How to Do It for Yourself: Installing Strawberry Perl in Windows 7 or Windows 8 659

Inspection of Common File Locations 661

Behavioral Analysis of Malcode 666

Static File Analysis 669

Testing Remote Websites Found in Network Log Files 677

Testing of Samples in Virtualized Environments 683

Free Online Sandbox Solutions 686

Interactive Behavioral Testing 687

Malcode Mitigation 687

Strategic 687

Tactical 689

Implementing and Operating End-Point Device Security 691

Host-Based Intrusion Detection System 691

Host-Based Firewalls 692

Application Whitelisting 692

Endpoint Encryption 693

Trusted Platform Module 693

Mobile Device Management 694

Secure Browsing 695

Operating and Confi guring Cloud Security 696

The Five Essential Characteristics of Clouds 696

Deployment Models 697

Service Models 699

Virtualization 702

Legal and Privacy Concerns 704

Classifi cation of Discovered Sensitive Data 709

Mapping and Defi nition of Controls 710

Application of Defined Controls for Personally Identifiable Information (PII) 711

Data Storage and Transmission 712

Threats to Storage Types 716

Technologies Available to Address Threats 716

DLP 716

Encryption 719

Sample Use Cases for Encryption 720

Cloud Encryption Challenges 720

Encryption Architecture 722

Data Encryption in IaaS 722

Key Management 724

Encryption Alternatives and Other Data Protection Technologies 726

Data Masking/Data Obfuscation 726

Data Anonymization 727

Tokenization 728

Third-Party/Outsourcing Implications 729

Data Retention Policies 729

Data Deletion Procedures and Mechanisms 730

Data Archiving Procedures and Mechanisms 731

Event Sources 732

Data Event Logging and Event Attributes 735

Storage and Analysis of Data Events 736

Securing Big Data Systems 738

Operating and Securing Virtual Environments 740

Software-Defined Network (SDN) 741

Virtual Appliances 741

Continuity and Resilience 742

Attacks and Countermeasures 743

Security Virtualization Best Practices 744

Summary 750

Sample Questions 750

End Notes 757

APPENDIX A: ANSWERS TO SAMPLE QUESTIONS 769

Domain 1: Access Controls 770

Domain 2: Security Operations 777

Domain 3: Risk, Identification, Monitoring, and Analysis 785

Domain 4: Incident Response and Recovery 793

Domain 5: Cryptography 798

Domain 6: Networks and Communications Security 805

Domain 7: Systems and Application Security 814

APPENDIX B: DNSSEC WALKTHROUGH 831

Hardware and Software Requirements 832

Configuring the Test Lab 832

Configuring DC1 832

Creating a Domain Administrator Account 834

Configuring the sec.isc2.com DNS Zone 834

Enabling Remote Desktop on DC1 835

Configuring DNS1 835

Installing the OS and Configuring TCP/IP on DC1 836

Installing and Configuring DNS on DNS1 836

Signing a Zone on DC1 and Distributing

Trust Anchors 837

Distributing a Trust Anchor to DNS1 838

Verifying Trust Anchors 838

Querying a Signed Zone with DNSSEC Validation Required 838

Unsigning the Zone 839

Resigning the Zone with Custom Parameters 840

APPENDIX C: GLOSSARY OF TERMS RELATED TO THE SSCP 841

Index 873