
Title:
(ISC)² SSCP systems security certified practitioner : official study guide
Author:
Wills, Mike, author.
ISBN:
9781119542926
9781119542957
9781119547921
Edition statement:
Second edition.
Physical description:
1 online resource
Contents:
Foreword xxi -- Introduction xxiii -- Self-Assessment xlv
Part I Getting Started as an SSCP 1
Chapter 1 The Business Case for Decision Assurance and Information Security 3 -- Information: The Lifeblood of Business 4 -- Data, Information, Knowledge, Wisdom… 5 -- Information Is Not Information Technology 8 -- Policy, Procedure, and Process: How Business Gets Business Done 10 -- Who Is the Business? 11 -- “What’s Your Business Plan?” 12 -- Purpose, Intent, Goals, Objectives 13 -- Business Logic and Business Processes: Transforming Assets into Opportunity, Wealth, and Success 14 -- The Value Chain 15 -- Being Accountable 17 -- Who Runs the Business? 19 -- Owners and Investors 19 -- Boards of Directors 20 -- Managing or Executive Directors and the “C-Suite” 20 -- Layers of Function, Structure, Management, and Responsibility 21 -- Plans and Budgets, Policies, and Directives 22 -- Summary 23
Chapter 2 Information Security Fundamentals 25 -- The Common Needs for Privacy, Confidentiality, Integrity, and Availability 26 -- Privacy 26 -- Confidentiality 29 -- Integrity 30 -- Availability 31 -- Privacy vs. Security, or Privacy and Security? 32 -- CIA Needs of Individuals 34 -- Private Business’s Need for CIA 35 -- Government’s Need for CIA 36 -- The Modern Military’s Need for CIA 36 -- Do Societies Need CIA? 36 -- Training and Educating Everybody 38 -- SSCPs and Professional Ethics 38 -- Summary 40 -- Exam Essentials 40 -- Review Questions 44
Part II Integrated Risk Management and Mitigation 51
Chapter 3 Integrated Information Risk Management 53 -- It’s a Dangerous World 54 -- What Is Risk? 55 -- Risk: When Surprise Becomes Disruption 59 -- Information Security: Delivering Decision Assurance 60 -- “Common Sense” and Risk Management 63 -- The Four Faces of Risk 65 -- Outcomes-Based Risk 67 -- Process-Based Risk 67 -- Asset-Based Risk 68 -- Threat-Based (or Vulnerability-Based) Risk 69 -- Getting Integrated and Proactive with Information Defense 72 -- Trust, but Verify 76 -- Due Care and Due Diligence: Whose Jobs Are These? 76 -- Be Prepared: First, Set Priorities 77 -- Risk Management: Concepts and Frameworks 78 -- The SSCP and Risk Management 81 -- Plan, Do, Check, Act 82 -- Risk Assessment 84 -- Establish Consensus about Information Risk 84 -- Information Risk Impact Assessment 85 -- The Business Impact Analysis 92 -- From Assessments to Information Security Requirements 92 -- Four Choices for Limiting or Containing Damage 94 -- Deter 96 -- Detect 96 -- Prevent 97 -- Avoid 97 -- Summary 100 -- Exam Essentials 101 -- Review Questions 105
Chapter 4 Operationalizing Risk Mitigation 111 -- From Tactical Planning to Information Security Operations 112 -- Operationally Outthinking Your Adversaries 114 -- Getting Inside the Other Side’s OODA Loop 116 -- Defeating the Kill Chain 117 -- Operationalizing Risk Mitigation: Step by Step 118 -- Step 1: Assess the Existing Architectures 119 -- Step 2: Assess Vulnerabilities and Threats 126 -- Step 3: Select Risk Treatment and Controls 135 -- Step 4: Implement Controls 141 -- Step 5: Authorize: Senior Leader Acceptance and Ownership 146 -- The Ongoing Job of Keeping Your Baseline Secure 146 -- Build and Maintain User Engagement with Risk Controls 147 -- Participate in Security Assessments 148 -- Manage the Architectures: Asset Management and Configuration Control 151 -- Ongoing, Continuous Monitoring 152 -- Exploiting What Monitoring and Event Data Is Telling You 155 -- Incident Investigation, Analysis, and Reporting 159 -- Reporting to and Engaging with Management 160 -- Summary 161 -- Exam Essentials 161 -- Review Questions 166
Part III The Technologies of Information Security 173
Chapter 5 Communications and Network Security 175 -- Trusting Our Communications in a Converged World 176 -- Introducing CIANA 179 -- Threat Modeling for Communications Systems 180 -- Internet Systems Concepts 181 -- Datagrams and Protocol Data Units 182 -- Handshakes 184 -- Packets and Encapsulation 185 -- Addressing, Routing, and Switching 187 -- Network Segmentation 188 -- URLs and the Web 188 -- Topologies 189 -- “Best Effort” and Trusting Designs 193 -- Two Protocol Stacks, One Internet 194 -- Complementary, Not Competing, Frameworks 194 -- Layer 1: The Physical Layer 198 -- Layer 2: The Data Link Layer 199 -- Layer 3: The Network Layer 201 -- Layer 4: The Transport Layer 202 -- Layer 5: The Session Layer 206 -- Layer 6: The Presentation Layer 207 -- Layer 7: The Application Layer 208 -- Cross-Layer Protocols and Services 209 -- IP and Security 210 -- Layers or Planes? 211 -- Software-Defined Networks 212 -- Virtual Private Networks 213 -- A Few Words about Wireless 214 -- IP Addresses, DHCP, and Subnets 217 -- IPv4 Address Classes 217 -- Subnetting in IPv4 219 -- IPv4 vs. IPv6: Key Differences and Options 221 -- CIANA Layer by Layer 223 -- CIANA at Layer 1: Physical 223 -- CIANA at Layer 2: Data Link 226 -- CIANA at Layer 3: Network 228 -- CIANA at Layer 4: Transport 229 -- CIANA at Layer 5: Session 230 -- CIANA at Layer 6: Presentation 231 -- CIANA at Layer 7: Application 232 -- Securing Networks as Systems 233 -- A SOC Is Not a NOC 234 -- Tools for the SOC and the NOC 235 -- Integrating Network and Security Management 236 -- Summary 238 -- Exam Essentials 238 -- Review Questions 243
Chapter 6 Identity and Access Control 249 -- Identity and Access: Two Sides of the Same CIANA Coin 250 -- Identity Management Concepts 251 -- Identity Provisioning and Management 252 -- Identity and AAA 254 -- Access Control Concepts 255 -- Subjects and Objects—Everywhere! 257 -- Data Classification and Access Control 258 -- Bell-LaPadula and Biba Models 260 -- Role-Based 263 -- Attribute-Based 263 -- Subject-Based 264 -- Object-Based 264 -- Mandatory vs. Discretionary Access Control 264 -- Network Access Control 265 -- IEEE 802.1X Concepts 267 -- RADIUS Authentication 268 -- TACACS and TACACS+ 269 -- Implementing and Scaling IAM 270 -- Choices for Access Control Implementations 271 -- “Built-in” Solutions? 273 -- Multifactor Authentication 274 -- Server-Based IAM 276 -- Integrated IAM systems 277 -- Zero Trust Architectures 281 -- Summary 282 -- Exam Essentials 283 -- Review Questions 290
Chapter 7 Cryptography 297 -- Cryptography: What and Why 298 -- Codes and Ciphers: Defining Our Terms 300 -- Cryptography, Cryptology, or…? 305 -- Building Blocks of Digital Cryptographic Systems 306 -- Cryptographic Algorithms 307 -- Cryptographic Keys 308 -- Hashing as One-Way Cryptography 310 -- A Race Against Time 313 -- “The Enemy Knows Your System” 314 -- Keys and Key Management 314 -- Key Storage and Protection 315 -- Key Revocation and Zeroization 315 -- Modern Cryptography: Beyond the “Secret Decoder Ring” 317 -- Symmetric Key Cryptography 317 -- Asymmetric Key (or Public Key) Cryptography 318 -- Hybrid Cryptosystems 318 -- Design and Use of Cryptosystems 319 -- Cryptanalysis (White Hat and Black Hat) 319 -- Cryptographic Primitives 320 -- Cryptographic Engineering 320 -- “Why Isn’t All of This Stuff Secret?” 320 -- Cryptography and CIANA 322 -- Confidentiality 322 -- Authentication 323 -- Integrity 323 -- Nonrepudiation 324 -- “But I Didn’t Get That Email…” 324 -- Availability 325 -- Public Key Infrastructures 327 -- Diffie-Hellman-Merkle Public Key Exchange 328 -- RSA Encryption and Key Exchange 331 -- ElGamal Encryption 331 -- Digital Signatures 332 -- Digital Certificates and Certificate Authorities 332 -- Hierarchies (or Webs) of Trust 333 -- Pretty Good Privacy 337 -- TLS 338 -- HTTPS 340 -- Symmetric Key Algorithms and PKI 341 -- PKI and Trust: A Recap 342 -- Other Protocols: Applying Cryptography to Meet Different Needs 344 -- IPSec 344 -- S/MIME 345 -- DKIM 345 -- Blockchain 346 -- Access Control Protocols 348 -- Measures of Merit for Cryptographic Solutions 348 -- Attacks and Countermeasures 349 -- Brute Force and Dictionary Attacks 350 -- Side Channel Attacks 350 -- Numeric (Algorithm or Key) Attacks 351 -- Traffic Analysis, “Op Intel,” and Social Engineering Attacks 352 -- Massively Parallel Systems Attacks 353 -- Supply Chain Vulnerabilities 354 -- The “Sprinkle a Little Crypto Dust on It” Fallacy 354 -- Countermeasures 355 -- On the Near Horizon 357 -- Pervasive and Homomorphic Encryption 358 -- Quantum Cryptography and Post–Quantum Cryptography 358 -- AI, Machine Learning, and Cryptography 360 -- Summary 361 -- Exam Essentials 361 -- Review Questions 366
Chapter 8 Hardware and Systems Security 371 -- Infrastructure Security Is Baseline Management 372 -- It’s About Access Control… 373 -- It’s Also About Supply Chain Security 374 -- Do Clouds Have Boundaries? 375 -- Infrastructures 101 and Threat Modeling 376 -- Hardware Vulnerabilities 379 -- Firmware Vulnerabilities 380 -- Operating Systems Vulnerabilities 382 -- Virtual Machines and Vulnerabilities 385 -- Network Operating Systems 386 -- MDM, COPE, and BYOD 388 -- BYOI? BYOC? 389 -- Malware: Exploiting the Infrastructure’s Vulnerabilities 391 -- Countering the Malware Threat 394 -- Privacy and Secure Browsing 395 -- “The Sin of Aggregation” 397 -- Updating the Threat Model 398 -- Managing Your Systems’ Security 399 -- Summary 399 -- Exam Essentials 400 -- Review Questions 407
Chapter 9 Applications, Data, and Cloud Security 413 -- It’s a Data-Driven World…At the Endpoint 414 -- Software as Appliances 417 -- Applications Lifecycles and Security 420 -- The Software Development Lifecycle (SDLC) 421 -- Why Is (Most) Software So Insecure? 424 -- Hard to Design It Right, Easy to Fix It? 427 -- CIANA and Applications Software Requirements 428 -- Positive and Negative Models for Software Security 431 -- Is Blacklisting Dead? Or Dying? 432 --
Summary:
The only SSCP study guide officially approved by (ISC)2. The (ISC)2 Systems Security Certified Practitioner (SSCP) certification is a well-known vendor-neutral global IT security certification. The SSCP is designed to show that holders have the technical skills to implement, monitor, and administer IT infrastructure using information security policies and procedures. This comprehensive Official Study Guide, the only study guide officially approved by (ISC)2, covers all objectives of the seven SSCP domains:
Access Controls
Security Operations and Administration
Risk Identification, Monitoring, and Analysis
Incident Response and Recovery
Cryptography
Network and Communications Security
Systems and Application Security
If you’re an information security professional or student of cybersecurity looking to tackle one or more of the seven domains of the SSCP, this guide gets you prepared to pass the exam and enter the information security workforce with confidence.
Notes:
Application Vulnerabilities 434 -- Vulnerabilities Across the Lifecycle 434 -- Human Failures and ...
John Wiley and Sons
Subject terms:
Added author entry:
Electronic access:
https://onlinelibrary.wiley.com/doi/book/10.1002/9781119547921
Copy:
On shelf:*
| Library | Material type | Accession number | Call number | Status/Due date | Hold request |
|---|---|---|---|---|---|
| Searching... | E-book | 595275-1001 | QA76.3 | Searching... | Searching... |
