CC Certified in Cybersecurity Study Guide - Mike Chapple - E-Book


Mike Chapple

25,99 €

Description

Prepare for the ISC2 Certified in Cybersecurity exam, as well as a new career in cybersecurity, with this effective study guide. Complete with full color illustrations!

In Certified in Cybersecurity Study Guide, veteran IT and cybersecurity educator Mike Chapple delivers a one-stop resource for anyone planning to pursue the ISC2 Certified in Cybersecurity credential, as well as those getting ready to take on a challenging and rewarding new career in cybersecurity. The author walks you through the info you'll need to succeed on both the exam and in your first day at a cybersecurity-focused job, using full-color illustrations to highlight and emphasize the concepts discussed inside. Complete with an online practice test, this book comprehensively covers every competency and domain tested by the new exam, including security principles, business continuity, disaster recovery, incident response, access control concepts, network security, and security operations.

You'll also find:

* Efficient and lean content, ensuring you get up to speed as quickly as possible
* Bite-sized chapters that break down essential topics into manageable and accessible lessons
* Complimentary online access to Sybex's celebrated online learning environment, which comes with practice questions, a complete glossary of common industry terminology, and more

A clear and effective pathway to the Certified in Cybersecurity credential, as well as a fresh career in cybersecurity, the Certified in Cybersecurity Study Guide offers the foundational knowledge, skills, and abilities you need to get started in an exciting and rewarding career.


Page count: 311

Publication year: 2023




Table of Contents

COVER

TABLE OF CONTENTS

TITLE PAGE

COPYRIGHT

ACKNOWLEDGMENTS

ABOUT THE AUTHOR

ABOUT THE TECHNICAL EDITOR

INTRODUCTION

CC CERTIFICATION

TAKING THE CC EXAM

COMPUTER-BASED TESTING ENVIRONMENT

EXAM RETAKE POLICY

RECERTIFICATION REQUIREMENTS

USING THE ONLINE PRACTICE TEST

HOW TO CONTACT THE PUBLISHER

PART I: Domain 1: Security Principles

CHAPTER 1: Confidentiality, Integrity, Availability, and Non-repudiation

THE CIA TRIAD

NON-REPUDIATION

CHAPTER 2: Authentication and Authorization

ACCESS CONTROL PROCESS

PASSWORD POLICIES

AUTHENTICATION FACTORS

CHAPTER 3: Privacy

PRIVACY

PRIVACY MANAGEMENT FRAMEWORK

CHAPTER 4: Risk Management

RISK TYPES

RISK IDENTIFICATION AND ASSESSMENT

RISK TREATMENT STRATEGIES

RISK PROFILE AND TOLERANCE

CHAPTER 5: Security Controls

WHAT ARE SECURITY CONTROLS?

CATEGORIZING SECURITY CONTROLS

CHAPTER 6: Ethics

CORPORATE ETHICS CODES

ISC2 CODE OF ETHICS

ETHICS COMPLAINT PROCEDURE

CHAPTER 7: Security Governance Processes

SECURITY POLICIES AND PROCEDURES

LAWS AND REGULATIONS

PART II: Domain 2: Business Continuity (BC), Disaster Recovery (DR) & Incident Response (IR) Concepts

CHAPTER 8: Business Continuity

BUSINESS CONTINUITY PLANNING

BUSINESS CONTINUITY CONTROLS

HIGH AVAILABILITY AND FAULT TOLERANCE

CHAPTER 9: Disaster Recovery

DISASTER RECOVERY PLANNING

BACKUPS

DISASTER RECOVERY SITES

TESTING DISASTER RECOVERY PLANS

CHAPTER 10: Incident Response

CREATING AN INCIDENT RESPONSE PROGRAM

BUILDING AN INCIDENT RESPONSE TEAM

INCIDENT COMMUNICATIONS PLAN

INCIDENT IDENTIFICATION AND RESPONSE

PART III: Domain 3: Access Controls Concepts

CHAPTER 11: Physical Access Controls

PHYSICAL FACILITIES

DESIGNING FOR SECURITY

VISITOR MANAGEMENT

PHYSICAL SECURITY PERSONNEL

CHAPTER 12: Logical Access Controls

AUTHORIZATION

ACCOUNT TYPES

NON-REPUDIATION

PART IV: Domain 4: Network Security

CHAPTER 13: Computer Networking

NETWORK TYPES

TCP/IP NETWORKING

IP ADDRESSING

NETWORK PORTS AND APPLICATIONS

SECURING WI-FI NETWORKS

CHAPTER 14: Network Threats and Attacks

MALWARE

EAVESDROPPING ATTACKS

DENIAL-OF-SERVICE ATTACKS

SIDE-CHANNEL ATTACKS

CHAPTER 15: Threat Identification and Prevention

ANTIVIRUS SOFTWARE

INTRUSION DETECTION AND PREVENTION

FIREWALLS

VULNERABILITY SCANNING

CHAPTER 16: Network Security Infrastructure

DATA CENTER PROTECTION

NETWORK SECURITY ZONES

SWITCHES, WAPs, AND ROUTERS

NETWORK SEGMENTATION

VIRTUAL PRIVATE NETWORKS

NETWORK ACCESS CONTROL

INTERNET OF THINGS

CHAPTER 17: Cloud Computing

CLOUD COMPUTING

CLOUD DEPLOYMENT MODELS

CLOUD SERVICE CATEGORIES

SECURITY AND THE SHARED RESPONSIBILITY MODEL

AUTOMATION AND ORCHESTRATION

VENDOR RELATIONSHIPS

PART V: Domain 5: Security Operations

CHAPTER 18: Encryption

CRYPTOGRAPHY

ENCRYPTION ALGORITHMS

USES OF ENCRYPTION

HASH FUNCTIONS

CHAPTER 19: Data Handling

DATA LIFE CYCLE

DATA CLASSIFICATION

CHAPTER 20: Logging and Monitoring

LOGGING

LOG MONITORING

CHAPTER 21: Configuration Management

CONFIGURATION MANAGEMENT

CONFIGURATION VULNERABILITIES

CHAPTER 22: Best Practice Security Policies

ACCEPTABLE USE POLICY

DATA HANDLING POLICY

PASSWORD POLICY

BRING YOUR OWN DEVICE POLICY

PRIVACY POLICY

CHANGE MANAGEMENT POLICY

CHAPTER 23: Security Awareness Training

SOCIAL ENGINEERING

SECURITY EDUCATION

INDEX

END USER LICENSE AGREEMENT

List of Tables

Chapter 8

TABLE 8.1 Example of prioritized risks and potential impacts

Chapter 13

TABLE 13.1 Common TCP Ports

List of Illustrations

Chapter 1

FIGURE 1.1 The CIA triad summarizes the three main goals of information secu...

Chapter 2

FIGURE 2.1 The physical access control process

FIGURE 2.2 The digital access control process

FIGURE 2.3 Creating a password in LastPass

FIGURE 2.4 Fingerprint authentication on a smartphone

FIGURE 2.5 Eye scan authentication for entering a facility

Chapter 3

FIGURE 3.1 Do you have a reasonable expectation of privacy?

Chapter 4

FIGURE 4.1 Risks are the combination of a threat and a corresponding vulnera...

FIGURE 4.2 Qualitative risk assessment

FIGURE 4.3 Applying controls reduces the inherent risk down to the residual ...

Chapter 6

FIGURE 6.1 AT&T's Code of Business Conduct

Chapter 8

FIGURE 8.1 Web-based application

FIGURE 8.2 Adding clustered web servers

FIGURE 8.3 Adding high availability firewalls

FIGURE 8.4 Adding redundant network links

FIGURE 8.5 Server with dual power supplies

FIGURE 8.6 Uninterruptible power supply (UPS)

FIGURE 8.7 RAID 1 disk mirroring

FIGURE 8.8 RAID 5 disk striping with parity

Chapter 9

FIGURE 9.1 LTO backup tapes (Source: bigmagic/Adobe Stock Photos)

Chapter 10

FIGURE 10.1 NIST incident response life cycle

Chapter 11

FIGURE 11.1 A typical data center facility

FIGURE 11.2 A wiring closet

FIGURE 11.3 Cable distribution runs

FIGURE 11.4 Bollards used to block vehicle access

Chapter 12

FIGURE 12.1 A Microsoft Windows access control list

Chapter 13

FIGURE 13.1 The Open Systems Interconnection (OSI) network model

FIGURE 13.2 Communication from a user to a web server

FIGURE 13.3 Communication from a web server to a user

FIGURE 13.4 SSIDs appearing on a macOS system

FIGURE 13.5 A captive portal used for wireless authentication

FIGURE 13.6 Wireless encryption summary

Chapter 14

FIGURE 14.1 The common perception of web communication

FIGURE 14.2 The actual network path for web communication

FIGURE 14.3 A man-in-the-middle (MitM) attack

FIGURE 14.4 A denial-of-service (DoS) attack

FIGURE 14.5 A distributed denial-of-service (DDoS) attack

Chapter 15

FIGURE 15.1 Network firewalls divide networks into three zones

Chapter 16

FIGURE 16.1 HVAC systems on a data center roof

FIGURE 16.2 The fire triangle

FIGURE 16.3 A network border firewall with three interfaces

FIGURE 16.4 A 48-port network switch

FIGURE 16.5 A network connection in a wall

FIGURE 16.6 A wireless access point (WAP)

FIGURE 16.7 A typical network diagram

FIGURE 16.8 A typical VLAN layout

FIGURE 16.9 IoT network segmentation

Chapter 18

FIGURE 18.1 A plaintext message

FIGURE 18.2 The ciphertext message obtained by encrypting the plain text in ...

FIGURE 18.3 Examples of symmetric shapes

FIGURE 18.4 Symmetric encryption with two individuals

FIGURE 18.5 Symmetric encryption with three individuals

FIGURE 18.6 Symmetric encryption with larger groups

Chapter 19

FIGURE 19.1 Data life cycle

FIGURE 19.2 A data destruction flowchart

Chapter 23

FIGURE 23.1 A security awareness poster



CC℠ Certified in Cybersecurity Study Guide

Mike Chapple, CISSP, CCSP

Copyright © 2024 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada and the United Kingdom.

ISBNs: 9781394213832 (paperback), 9781394213863 (ePDF), 9781394213849 (ePub)

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permission.

Trademarks: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. CC is a service mark of ISC2, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Control Number: 2023948599

Cover image: © Jeremy Woodhouse/Getty Images. Cover design: Wiley

ACKNOWLEDGMENTS

Books like this involve work from many people, and as an author, I truly appreciate the hard work and dedication that the team at Wiley shows. I would especially like to thank my acquisitions editor, Jim Minatel. I've worked with Jim for too many years to count, and it's always an absolute pleasure working with a true industry pro.

I also greatly appreciate the editing and production team for the book, including Kelly Talbot, the project editor, who brought years of experience and great talent to the project; and Shahla Pirnia, the technical editor, who provided insightful advice and gave wonderful feedback throughout the book. I would also like to thank the many behind-the-scenes contributors, including the graphics, production, and technical teams who make the book and companion materials into a finished product.

My agent, Carole Jelen of Waterside Productions, continues to provide me with wonderful opportunities, advice, and assistance throughout my writing career.

Finally, I would like to thank my family, who supported me through the late evenings, busy weekends, and long hours that a book like this requires to write, edit, and get to press.

ABOUT THE AUTHOR

Mike Chapple, CISSP, CCSP, is an author of the best-selling CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide (Sybex, 2021), now in its ninth edition. He is an information security professional with 25 years of experience in higher education, the private sector, and government.

Mike currently serves as Teaching Professor of IT, Analytics, and Operations at the University of Notre Dame's Mendoza College of Business. He previously served as Senior Director for IT Service Delivery at Notre Dame, where he oversaw the information security, data governance, IT architecture, project management, strategic planning, and product management functions for the university.

Before returning to Notre Dame, Mike served as Executive Vice President and Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. Mike also spent four years in the information security research group at the National Security Agency and served as an active-duty intelligence officer in the U.S. Air Force.

He is a technical editor for Information Security Magazine and has written more than 30 books, including Cyberwarfare: Information Operations in a Connected World (Jones & Bartlett, 2022), ISC2 CISSP Official Study Guide (Wiley, 2021), and CompTIA Cybersecurity Analyst+ (CySA+) Study Guide (Wiley, 2023) and Practice Tests (Wiley, 2023).

Mike earned both his BS and PhD degrees from Notre Dame in computer science and engineering. He also holds an MS in computer science from the University of Idaho and an MBA from Auburn University. His IT certifications include the CC, CISSP, Security+, CySA+, CISA, PenTest+, CIPP/US, CISM, CCSP, and PMP credentials.

Mike provides books, video-based training, and free study groups for a wide variety of IT certifications at his website, CertMike.com.

ABOUT THE TECHNICAL EDITOR

Shahla Pirnia is a freelance technical editor and proofreader with a focus on cybersecurity and certification topics.

Starting her career at Montgomery College's computer labs, Shahla quickly acquired a foundational grasp of technology in her role as a Student Aide. This foundational experience set the stage for subsequent roles: She managed a childcare provider database for a referral agency for 5 years, and then spent 9 years with a document conversion bureau. Shahla later ventured into clerical temp roles via a staffing agency and freelance writing for a digital content company.

Shahla currently serves as a technical editor for CertMike.com, where she works on projects including books, video courses, and practice tests.

Shahla earned BS degrees in computer and information science and psychology from the University of Maryland Global Campus, coupled with an AA degree in information systems from Montgomery College, Maryland. Shahla's IT certifications include the ISC2 Certified in Cybersecurity and the CompTIA Security+, Network+, and A+ credentials.

INTRODUCTION

If you're preparing to take the Certified in Cybersecurity (CC) exam, you'll undoubtedly want to find as much information as you can about information security. The more information you have at your disposal, the better off you'll be when attempting the exam. This study guide was written with that in mind. The goal is to provide enough information to prepare you for the test, but not so much that you'll be overloaded with information that's outside the scope of the exam.

This book presents the material at an entry level. You don't need any prior experience with cybersecurity to read this book or take the exam. The CC certification is designed for newcomers to the field, and this book will give you all the information you need to know to pass it.

I've included review questions at the end of each chapter to give you a taste of what it's like to take the exam. I recommend that you check out these questions first to gauge your level of expertise. You can then use the book mainly to fill in the gaps in your current knowledge. This study guide will help you round out your knowledge base before tackling the exam.

If you can answer the review questions correctly for a given chapter, you can feel safe moving on to the next chapter. If you're unable to answer them correctly, reread the chapter and try the questions again. Your score should improve.

NOTE

Don't just study the questions and answers! The questions on the actual exam will be different from the practice questions included in this book. The exam is designed to test your knowledge of a concept or objective, so use this book to learn the objectives behind the questions.

CC CERTIFICATION

The CC certification is offered by the International Information System Security Certification Consortium, or ISC2, a global nonprofit organization. The mission of ISC2 is to support and provide members and constituents with credentials, resources, and leadership to address cyber, information, software, and infrastructure security to deliver value to society. ISC2 achieves this mission by delivering the world's leading information security certification program. The CC is the entry-level credential in this series and is accompanied by several other ISC2 programs:

Certified Information Systems Security Professional (CISSP)

Systems Security Certified Practitioner (SSCP)

Certified Secure Software Lifecycle Professional (CSSLP)

Certified Cloud Security Professional (CCSP)

Certified in Governance, Risk, and Compliance (CGRC)

The CC certification covers five domains of information security knowledge. These domains are meant to serve as the broad knowledge foundation required to succeed in the information security profession:

Security Principles (26% of exam questions)

Business Continuity (BC), Disaster Recovery (DR) & Incident Response (IR) Concepts (10% of exam questions)

Access Control Concepts (22% of exam questions)

Network Security (24% of exam questions)

Security Operations (18% of exam questions)

Complete details about the CC exam objectives are contained in the Exam Outline. It includes a full outline of exam topics and can be found on the ISC2 website at www.isc2.org/Certifications/cc/cc-certification-exam-outline.

TAKING THE CC EXAM

The CC exam includes only standard multiple-choice questions. Each question has four possible answers, and only one of the answers is correct. When taking the test, you'll likely find some questions where you think multiple answers might be correct. In those cases, remember that you're looking for the best possible answer to the question!

The CC exam is currently available for free to the first one million candidates through an ISC2 initiative called One Million Certified in Cybersecurity. You can find more details about the CC exam and how to take it at www.isc2.org/Certifications/CC.

You'll have 2 hours to take the exam and will be asked to answer 100 questions. Your exam will be scored on a scale of 1,000 possible points, with a passing score of 700.

NOTE

The CC exam includes 25 unscored questions, meaning that only 75 of the questions actually count toward your score. ISC2 does this to gather research data, which it then uses when developing new versions of the exam. So, if you come across a question that does not appear to map to any of the exam objectives—or, for that matter, does not appear to belong in the exam—it is likely a seeded question. You never really know whether or not a question is seeded, however, so always make your best effort to answer every question.

COMPUTER-BASED TESTING ENVIRONMENT

The CC exam is administered in a computer-based testing (CBT) format. You can register for the exam through the ISC2 and Pearson VUE websites.

You take the exam in a Pearson VUE testing center located near your home or office. The centers administer many different exams, so you may find yourself sitting in the same room as a student taking a school entrance examination and a health care professional earning a medical certification. If you'd like to become more familiar with the testing environment, the Pearson VUE website offers a virtual tour of a testing center at home.pearsonvue.com/test-taker/Pearson-Professional-Center-Tour.aspx.

When you take the exam, you'll be seated at a computer that has the exam software already loaded and running. It's a pretty straightforward interface that allows you to navigate through the exam. You can download a practice exam and tutorial from the Pearson VUE website at www.vue.com/athena/athena.asp.

EXAM TIP

At the beginning of the exam, you'll be asked to agree to the terms. This section of the exam has its own 5-minute timer. If you don't agree within 5 minutes, your exam will automatically end and you will not be able to restart it!

EXAM RETAKE POLICY

If you don't pass the CC exam, you shouldn't panic. Many individuals don't reach the bar on their first attempt but gain valuable experience that helps them succeed the second time around. When retaking the exam, you'll have the benefit of familiarity with the CBT environment and CC exam format. You'll also have time to study the areas where you felt less confident.

After your first exam attempt, you must wait 30 days before retaking it. If you're not successful on that attempt, you must then wait 60 days before your third attempt and 90 days before your fourth attempt. You cannot take the exam more than three times in a single calendar year.

RECERTIFICATION REQUIREMENTS

Once you've earned your CC credential, you'll need to maintain your certification by paying maintenance fees and participating in continuing professional education (CPE). As long as you maintain your certification in good standing, you will not need to retake the CC exam.

Currently, the annual maintenance fee for the CC credential is $50 for those who do not hold another ISC2 certification. Members who hold another credential pay a $125 maintenance fee each year. This fee covers the renewal for all ISC2 certifications held by an individual.

The CC CPE requirement mandates earning at least 45 CPE credits during each three-year renewal cycle. ISC2 provides an online portal where certificate holders can submit CPE completion for review and approval. The portal also tracks annual maintenance fee payments and progress toward recertification.

USING THE ONLINE PRACTICE TEST

All the questions in this book are also available in Sybex's online practice test tool, along with a full-length 100-question CC practice test. To get access to this online format, go to www.wiley.com/go/sybextestprep and start by registering your book. You'll receive a PIN code and instructions on where to create an online test bank account. Once you have access, you can use the online version to create your own sets of practice tests from the book questions and practice in a timed and graded setting.

In addition to the questions and practice test, the Sybex online learning environment includes an extensive set of electronic flashcards to improve your exam preparation. Each flashcard has one question and one correct answer. These are great as last-minute drills. There is also an online glossary, a searchable list of key terms introduced in this study guide that you should know for the CC certification exam.

HOW TO CONTACT THE PUBLISHER

If you believe you have found a mistake in this book, please bring it to our attention. At John Wiley & Sons, we understand how important it is to provide our customers with accurate content, but even with our best efforts an error may occur.

In order to submit your possible errata, please email it to our Customer Service Team at [email protected] with the subject line “Possible Book Errata Submission.”

PART I: Domain 1: Security Principles

Chapter 1

Confidentiality, Integrity, Availability, and Non-repudiation

Chapter 2

Authentication and Authorization

Chapter 3

Privacy

Chapter 4

Risk Management

Chapter 5

Security Controls

Chapter 6

Ethics

Chapter 7

Security Governance Processes

Security Principles is the first domain of ISC2's Certified in Cybersecurity exam. It provides the foundational knowledge that anyone in information technology needs to understand as they begin their careers. The domain includes the following five objectives:

1.1 Understand the security concepts of information assurance

1.2 Understand the risk management process

1.3 Understand security controls

1.4 Understand the ISC2 Code of Ethics

1.5 Understand governance processes

Questions from this domain make up 26 percent of the questions on the CC exam, so you should expect to see 26 questions on your test covering the material in this part.

CHAPTER 1: Confidentiality, Integrity, Availability, and Non-repudiation

Objective 1.1 Understand the Security Concepts of Information Assurance

Information plays a vital role in the operations of modern business, and we find ourselves entrusted with sensitive information about our customers, employees, internal operations, and other critical matters. As information technology professionals, we must work with information security teams, other technology professionals, and business leaders to protect the security of that information.

In this chapter, you'll learn about four of the subobjectives of CC objective 1.1. The remaining material for this objective is covered in Chapter 2, “Authentication and Authorization,” and Chapter 3, “Privacy.” The following subobjectives are covered in this chapter:

Confidentiality

Integrity

Availability

Non-repudiation

THE CIA TRIAD

Cybersecurity professionals have three primary objectives when it comes to protecting information and systems. They want to ensure that private data remains secret (confidentiality), that information isn't altered without permission (integrity), and that information is available to authorized users when they need it (availability). You can remember these three main goals by thinking of the CIA triad, as shown in Figure 1.1. Each side of this triangle covers one of the three main goals.

FIGURE 1.1 The CIA triad summarizes the three main goals of information security: confidentiality, integrity, and availability.

Confidentiality

Confidentiality ensures that only authorized individuals have access to information and resources. This is what most people think of when they think about information security—keeping secrets away from prying eyes. And it is, in fact, how security professionals spend the majority of their time.

Confidentiality Risks

As you prepare for the exam, you'll need to understand the main threats against each of the cybersecurity objectives. I'll talk about many different kinds of threats in this book, but I'll begin with the following: snooping, dumpster diving, eavesdropping, wiretapping, and social engineering.

Snooping Snooping is exactly what the name implies. The individual engaging in snooping wanders around your office or other facility and simply looks to see what information they can gather. When people leave sensitive papers on their desks or in a public area, it creates an opportunity for snooping.

Organizations can protect against snooping by enforcing a clean desk policy. Employees should maintain a clean workspace and put away any sensitive materials whenever they step away, even if it's just for a moment.

Dumpster Diving Dumpster diving attacks also look for sensitive materials, but the attacker doesn't walk around the office; instead, they look through the trash, trying to find sensitive documents that an employee threw in the garbage or recycling bin.

You can protect your organization against dumpster diving attacks using a simple piece of technology: a paper shredder! If you destroy documents before discarding them, you'll protect against a dumpster diver pulling them out of the trash.

Eavesdropping Eavesdropping attacks come in both physical and electronic types. In a physical eavesdropping attack, the attacker simply positions themselves where they can overhear conversations, such as in a cafeteria or hallway, and then listens for sensitive information.

You can protect against eavesdropping attacks by putting rules in place limiting where sensitive conversations may take place. For example, sensitive conversations should generally take place in a closed office or conference room.

Electronic eavesdropping attacks are also known as wiretapping. They occur when an attacker gains access to a network and monitors the data being sent electronically within an office.

The best way to protect against electronic eavesdropping attacks is to use encryption to protect information being sent over the network. If data is encrypted, an attacker who intercepts that data won't be able to make any sense of it. I'll talk more about how encryption works later in this book.

Social Engineering The last type of confidentiality attack I'll talk about is social engineering. In a social engineering attack, the attacker uses psychological tricks to persuade an employee to give them sensitive information or access to internal systems. They might pretend that they're on an urgent assignment from a senior leader, impersonate an IT technician, or send a phishing email.

It's difficult to protect against social engineering attacks. The best defense against these attacks is educating users to recognize the dangers of social engineering and empower them to intervene when they suspect an attack is taking place.

Integrity

Security professionals are also responsible for protecting the integrity of an organization's information. This means that there aren't any unauthorized changes to information. Unauthorized changes may come in the form of a hacker seeking to intentionally alter information or a service disruption accidentally affecting data stored in a system. In either case, it's the information security professional's responsibility to prevent these lapses in integrity.

Integrity Risks

This section covers four types of integrity attacks: the unauthorized modification of information, impersonation attacks, man-in-the-middle (MitM) attacks, and replay attacks.

Unauthorized Modification of Information The unauthorized modification of information occurs when an attacker gains access to a system and makes changes that violate a security policy. This might be an external attack, such as an intruder breaking into a financial system and issuing themselves checks, or it might be an internal attack, such as an employee increasing their own salary in the payroll system.

Following the principle of least privilege is the best way to protect against integrity attacks. Organizations should carefully consider the permissions that each employee needs to perform their job and then limit employees to the smallest set of permissions possible.

Impersonation In an impersonation attack, the attacker pretends to be someone other than who they actually are. They might impersonate a manager, executive, or IT technician in order to convince someone to change data in a system. This is an extension of the social engineering attacks mentioned earlier, and the best defense against these attacks is strong user education.

Man-in-the-Middle Attacks Sometimes impersonation attacks are electronic. In a man-in-the-middle (MitM) attack, the attacker intercepts network traffic as a user is logging into a system and pretends to be that system. They then sit in the middle of the communication, relaying information between the user and the system while they monitor everything that is occurring. In this type of attack, the attacker might be able to steal a user's password and use it later to log in to the system themselves.

Replay Attacks In a replay attack, the attacker doesn't get in the middle of the communication but finds a way to observe a legitimate user logging into a system. They then capture the information used to log in to the system and later replay it on the network to gain access themselves.

The best defense against both replay and MitM attacks is the use of encryption to protect communications. For example, web traffic might use the Transport Layer Security (TLS) protocol to prevent an eavesdropper from observing network traffic. You'll learn more about this technology in Chapter 18, “Encryption.”
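The replay attack described above can be illustrated in code. The following is an added example, not from the book: instead of relying only on TLS, the server side also checks a per-login nonce and timestamp under an HMAC, so that a captured login message cannot be reused. The shared key and the login messages are constructed sample values.

```python
import hashlib
import hmac
import json
import os
import time
from typing import Optional, Tuple

SHARED_KEY = b"constructed-demo-key"   # constructed sample; provision a real key securely
WINDOW_SECONDS = 30                    # how long a timestamp stays acceptable


def build_login(username: str, key: bytes = SHARED_KEY, now: Optional[float] = None) -> dict:
    """Client side: attach a fresh random nonce and a timestamp, then MAC the whole message."""
    msg = {"user": username,
           "nonce": os.urandom(16).hex(),
           "ts": int(now if now is not None else time.time())}
    body = json.dumps(msg, sort_keys=True).encode()
    msg["mac"] = hmac.new(key, body, hashlib.sha256).hexdigest()
    return msg


class ReplayGuard:
    """Server side: accept each (authentic, fresh) login message exactly once."""

    def __init__(self, key: bytes = SHARED_KEY, window: int = WINDOW_SECONDS):
        self.key = key
        self.window = window
        self.seen = {}   # nonce -> timestamp, only kept for the freshness window

    def verify(self, msg: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        now = int(now if now is not None else time.time())
        body = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(self.key, json.dumps(body, sort_keys=True).encode(),
                            hashlib.sha256).hexdigest()
        # Constant-time compare: a tampered message (MitM editing fields) fails here.
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            return False, "bad mac"
        # A message older than the window is rejected even if it was never seen.
        if abs(now - msg["ts"]) > self.window:
            return False, "stale timestamp"
        # Drop nonces that have aged out, then reject any nonce already accepted.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if msg["nonce"] in self.seen:
            return False, "replayed nonce"
        self.seen[msg["nonce"]] = msg["ts"]
        return True, "ok"
```

The same message verifies once and is refused on the second attempt, which is exactly the capture-and-resend pattern the text describes.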

Availability

As a security professional, you must also understand how to apply security controls that protect the availability of information and systems. As the third leg of the CIA triad, availability controls ensure that information and systems remain available to authorized users when needed. They protect against disruptions to normal system operation or data availability.

Availability Risks

This chapter covers five different types of events that can disrupt the availability of systems: denial-of-service attacks, power outages, hardware failures, destruction of equipment, and service outages.

Denial-of-Service Attacks Denial-of-service (DoS) attacks occur when a malicious individual bombards a system with an overwhelming amount of network traffic. The idea is to simply send so many requests to a server that it is unable to answer any requests from legitimate users.

You can protect your systems against DoS attacks by using firewalls that block illegitimate requests and by partnering with your Internet service provider to block DoS attacks before they reach your network.

Power Outages Power outages can occur on a local or regional level for many different reasons. Increased demand can overwhelm the power grid; natural disasters can disrupt service; and other factors can cause power outages that disrupt access to systems.

You can protect against power outages by having redundant power sources and backup generators that supply power to your system when commercial power is not available.

Hardware Failures Hardware failures can and do occur. Servers, hard drives, network gear, and other equipment all fail occasionally and can disrupt access to information. That's an availability problem.

You can protect against hardware failures by building a system that has built-in redundancy so that if one component fails, another is ready to pick up the slack.

Destruction of Equipment Sometimes equipment is just outright destroyed. This might be the result of intentional or accidental physical damage, or it may be the result of a larger disaster, such as a fire or a hurricane.

You can protect against small-scale destruction with redundant systems. If you want to protect against larger-scale disasters, you may need to have backup data centers in remote locations or in the cloud that can keep running when your primary data center is disrupted.

Service Outages Finally, sometimes service outages occur. This might be due to programming errors, the failure of underlying equipment, or many other reasons. These outages disrupt user access to systems and information and are, therefore, an availability concern.

You can protect against service outages by building systems that are resilient in the face of errors and hardware failures.

NON-REPUDIATION

Another important focus of some security controls is providing non-repudiation. Repudiation is a term that means denying that something is true. Non-repudiation is a security goal that prevents someone from falsely denying that something is true.

For example, you might agree to pay someone $10,000 in exchange for a car. If you just had a handshake agreement, it might be possible for you to later repudiate your actions. You might claim that you never agreed to purchase the car or that you agreed to pay a lower price.

To solve this issue, a signed contract is used when a car is sold. Your signature on the document is the proof that you agreed to the terms, and if you later go to court, the person selling you the car can prove that you agreed by showing the judge the signed document. Physical signatures provide non-repudiation on contracts, receipts, and other paper documents.

There's also an electronic form of the physical signature. Digital signatures use encryption technology to provide non-repudiation for electronic documents. You'll learn more about that technology in Chapter 18.

There are other ways that you can provide non-repudiation as well. You might use biometric security controls, such as a fingerprint or facial recognition, to prove that someone was in a facility or performed an action. You might also use video surveillance for that same purpose. All of these controls enable you to prove that someone was in a particular location or performed an action, offering some degree of non-repudiation.

EXAM ESSENTIALS

The CIA triad references the three main goals of information security: confidentiality, integrity, and availability.

Confidentiality protects sensitive information from unauthorized access. The major threats to confidentiality include snooping, dumpster diving, eavesdropping, wiretapping, and social engineering.

Integrity protects information and systems from unauthorized modification. The major threats to integrity include the unauthorized modification of information, impersonation attacks, man-in-the-middle attacks, and replay attacks.

Availability ensures that authorized users have access to information when they need it. The major threats to availability include denial-of-service attacks, power outages, hardware failures, destruction of equipment, and service outages.

Non-repudiation uses technical measures to ensure that a user is not able to later deny that they took some action.

Practice Question 1

Which one of the following security risks would most likely be considered an availability issue?

Replay attack

Power outage

Social engineering

Snooping

Practice Question 2

What are the three major objectives of cybersecurity programs?

Confidentiality, integrity, and availability

Confidentiality, integrity, and authorization

Confidentiality, infrastructure, and authorization

Communications, infrastructure, and authorization

Practice Question 1 Explanation