(ISC)2 SSCP Systems Security Certified Practitioner Official Study Guide - Mike Wills - E-Book

Mike Wills

Description

The only SSCP study guide officially approved by (ISC)². The (ISC)² Systems Security Certified Practitioner (SSCP) certification is a well-known vendor-neutral global IT security certification. The SSCP is designed to show that holders have the technical skills to implement, monitor, and administer IT infrastructure using information security policies and procedures. This comprehensive Official Study Guide--the only study guide officially approved by (ISC)²--covers all objectives of the seven SSCP domains:

* Access Controls
* Security Operations and Administration
* Risk Identification, Monitoring, and Analysis
* Incident Response and Recovery
* Cryptography
* Network and Communications Security
* Systems and Application Security

If you're an information security professional or student of cybersecurity looking to tackle one or more of the seven domains of the SSCP, this guide gets you prepared to pass the exam and enter the information security workforce with confidence.

Page count: 1480

Publication year: 2019



(ISC)2® SSCP® Systems Security Certified Practitioner Official Study Guide

Second Edition

Mike Wills

Development Editor: Kim Wimpsett

Technical Editor: Scott Pike

Production Editor: Lauren Freestone

Copy Editor: Elizabeth Welch

Editorial Manager: Pete Gaughan

Production Manager: Kathleen Wisor

Associate Publisher: Jim Minatel

Proofreader: Tiffany Taylor

Indexer: Johnna VanHoose Dinse

Project Coordinator, Cover: Brent Savage

Cover Designer: Wiley

Cover Image: © Getty Images Inc./Jeremy Woodhouse

Copyright © 2019 by John Wiley & Sons, Inc., Indianapolis, Indiana

Published simultaneously in Canada

ISBN: 978-1-119-54294-0

ISBN: 978-1-119-54295-7 (ebk.)

ISBN: 978-1-119-54292-6 (ebk.)

Manufactured in the United States of America

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2019936132

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. (ISC)2, SSCP, and the SSCP logo are registered trademarks or certification marks of (ISC)2, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Acknowledgments

This book owes a great deal to the many teachers, coworkers, teammates, and friends who've worked so hard for so long to teach me what I know about information security and insecurity, and about risk management and mismanagement. Where this book works well in conveying that body of knowledge, skills, and attitudes to you is a testament to their generosity in sharing their insights with me. I would also like to acknowledge my faculty teammates here at Embry-Riddle Aeronautical University for sharing their frank and candid views throughout many conversations on making this body of knowledge accessible and engaging in the classroom. The ideas and experiences of Dr. Aaron Glassman, Dr. Wesley Phillips, Dr. Robert “Trez” Jones, and Mr. Hamid Ait Kaci Azzou have profoundly affected my approach to what you see before you here in this book.

The combined team at Wiley/Sybex and at (ISC)2 worked tirelessly to focus, strengthen, and clarify what I wanted to say and how I said it, all while keeping my voice and my teaching ideas authentic and on point. My thanks go out to the editorial team at Wiley/Sybex: Jim Minatel, Kim Wimpsett, Pete Gaughan, Lauren Freestone, Elizabeth Welch, Tiffany Taylor, and their technical reviewers Jacob Penovich, Scott Pike, and Raven Sims, as well as to Tara Zeiler and Charles Gaughf, our reviewers at (ISC)2. Johnna VanHoose Dinse, Wiley's indexer, has also made the art of finding what you want in this book when you need it more of a science (and I've always had a soft spot for a great index!). Where this book works well for you, it works because of the efforts of all of those people to make this book the best it can be. What errors, omissions, misspeaks, and confusions that remain are mine, not theirs.

Finally, I wish to thank my wife Nancy. She saved my life and brought me peace. Her strength inspired me to say “yes” when Jim first called me about doing this book and has kept both of us healthy and happy throughout.

About the Author

Mike Wills, SSCP, CISSP has spent more than 40 years as a computer systems architect, programmer, security specialist, database designer, consultant, and teacher (among other duties). Starting out as a bit of a phone phreak in his college days, he sharpened his skills on the 1960s generation of mainframes and minicomputers, just in time for the first 8080 and Z80 microprocessors to fuel the home computer revolution. Learning about the ARPANET just added spice to that mix. Since then, he's had ones, zeros, and now qubits under his fingernails too many times to count, whether as part of his jobs, his teaching, or his hobbies.

Mike earned his BS and MS degrees in computer science, both with minors in electrical engineering, from Illinois Institute of Technology, and his MA in Defence Studies from King's College, London. He is a graduate of the Federal Chief Information Officer program at National Defense University and the Program Manager's Course at Defense Systems Management College.

As an Air Force officer, Mike served in the National Reconnaissance Office, building and flying some of the most complex, cutting-edge space-based missions, large and small. As a “ground control” guy, he specialized in the design, operation, and support of highly secure, globe-spanning command, control, communications, and intelligence systems that support US and Coalition missions around the world. These duties often required Mike to “optimize” his way around the official configuration management and security safeguards—all on official business, of course.

No good deed going unpunished, he then spent two years on the Joint Staff as a policy and budget broker for all command, control, and communications systems, and then taught in the School of Information Warfare and Strategy at National Defense University. He's taught at senior leader colleges in both the United States and United Kingdom, and has been a continuing guest lecturer at the UK's Defence Academy. He served as adviser to the UK's Joint Intelligence Committee, Ministry of Justice, and Defence Science and Technology Laboratories on the national and personal security implications of science and technology policy; this led to him sometimes being known as the UK's nonresident expert on outer space law.

Currently he is an assistant professor of Applied Information Technologies in the College of Business at Embry-Riddle Aeronautical University – Worldwide, where he is the change leader and academic visionary behind bringing the Microsoft Software and Systems Academy program into ERAU's classrooms at 13 locations around the United States. Prior to this, Mike helped create two new MS degrees—Information Security and Assurance, and Management of Information Systems—and was program chair of both during their launch and first year of teaching. He also taught in Worldwide's Security and Intelligence Studies program during its 2005 launch in ERAU's European Division.

Mike and his wife Nancy currently call Montevideo, Uruguay, their home. Living abroad since the end of the last century, they find new perspectives, shared values, and wonderful people wherever they go. As true digital nomads, it's getting time to move again. Where to? They'll find out when they get there.

CONTENTS

Cover

Acknowledgments

About the Author

Foreword

Introduction

Part I Getting Started as an SSCP

Chapter 1 The Business Case for Decision Assurance and Information Security

Information: The Lifeblood of Business

Policy, Procedure, and Process: How Business Gets Business Done

Who Runs the Business?

Summary

Chapter 2 Information Security Fundamentals

The Common Needs for Privacy, Confidentiality, Integrity, and Availability

Training and Educating Everybody

SSCPs and Professional Ethics

Summary

Exam Essentials

Review Questions

Part II Integrated Risk Management and Mitigation

Chapter 3 Integrated Risk Management and Mitigation

It’s a Dangerous World

The Four Faces of Risk

Getting Integrated and Proactive with Information Defense

Risk Management: Concepts and Frameworks

Risk Assessment

Four Choices for Limiting or Containing Damage

Summary

Exam Essentials

Review Questions

Chapter 4 Operationalizing Risk Mitigation

From Tactical Planning to Information Security Operations

Operationalizing Risk Mitigation: Step by Step

The Ongoing Job of Keeping Your Baseline Secure

Ongoing, Continuous Monitoring

Reporting to and Engaging with Management

Summary

Exam Essentials

Review Questions

Part III The Technologies of Information Security

Chapter 5 Communications and Network Security

Trusting Our Communications in a Converged World

Internet Systems Concepts

Two Protocol Stacks, One Internet

IP Addresses, DHCP, and Subnets

IPv4 vs. IPv6: Key Differences and Options

CIANA Layer by Layer

Securing Networks as Systems

Summary

Exam Essentials

Review Questions

Chapter 6 Identity and Access Control

Identity and Access: Two Sides of the Same CIANA Coin

Identity Management Concepts

Access Control Concepts

Network Access Control

Implementing and Scaling IAM

Zero Trust Architectures

Summary

Exam Essentials

Review Questions

Chapter 7 Cryptography

Cryptography: What and Why

Building Blocks of Digital Cryptographic Systems

Keys and Key Management

Modern Cryptography: Beyond the “Secret Decoder Ring”

“Why Isn’t All of This Stuff Secret?”

Cryptography and CIANA

Public Key Infrastructures

Other Protocols: Applying Cryptography to Meet Different Needs

Measures of Merit for Cryptographic Solutions

Attacks and Countermeasures

On the Near Horizon

Summary

Exam Essentials

Review Questions

Chapter 8 Hardware and Systems Security

Infrastructure Security Is Baseline Management

Infrastructures 101 and Threat Modeling

Malware: Exploiting the Infrastructure’s Vulnerabilities

Privacy and Secure Browsing

“The Sin of Aggregation”

Updating the Threat Model

Managing Your Systems’ Security

Summary

Exam Essentials

Review Questions

Chapter 9 Applications, Data, and Cloud Security

It’s a Data-Driven World…At the Endpoint

Software as Appliances

Applications Lifecycles and Security

CIANA and Applications Software Requirements

Application Vulnerabilities

“Shadow IT:” The Dilemma of the User as Builder

Information Quality and Information Assurance

Protecting Data in Motion, in Use, and at Rest

Into the Clouds: Endpoint App and Data Security Considerations

Legal and Regulatory Issues

Countermeasures: Keeping Your Apps and Data Safe and Secure

Summary

Exam Essentials

Review Questions

Part IV People Power: What Makes or Breaks Information Security

Chapter 10 Incident Response and Recovery

Defeating the Kill Chain One Skirmish at a Time

Incident Response Framework

Preparation

Detection and Analysis

Containment and Eradication

Recovery: Getting Back to Business

Post-Incident Activities

Summary

Exam Essentials

Review Questions

Chapter 11 Business Continuity via Information Security and People Power

A Spectrum of Disruption

Surviving to Operate: Plan for It!

Cloud-Based “Do-Over” Buttons for Continuity, Security, and Resilience

CIANA at Layer 8 and Above

Summary

Exam Essentials

Review Questions

Note

Chapter 12 Risks, Issues, and Opportunities, Starting Tomorrow

On Our Way to the Future

CIA, CIANA, or CIANAPS?

Enduring Lessons

Your Next Steps

At the Close

Appendix Answers to Review Questions

Self-Assessment

Chapter 2: Information Security Fundamentals

Chapter 3: Integrated Information Risk Management

Chapter 4: Operationalizing Risk Mitigation

Chapter 5: Communications and Network Security

Chapter 6: Identity and Access Control

Chapter 7: Cryptography

Chapter 8: Hardware and Systems Security

Chapter 9: Applications, Data, and Cloud Security

Chapter 10: Incident Response and Recovery

Chapter 11: Business Continuity via Information Security and People Power

Index

Advertisement

Register and Access the Online Test Bank

End User License Agreement

List of Tables

Introduction

Table I.1

Chapter 5

Table 5.1

Table 5.2

Table 5.3

Table 5.4

Table 5.5

List of Illustrations

Chapter 1

Figure 1.1 The knowledge pyramid

Figure 1.2 Messaging at passenger screening (notional)

Figure 1.3 The value chain

Figure 1.4 Ishikawa (or “fishbone”) diagram for a value process

Figure 1.5 The organization chart as pyramid (traditional view)

Figure 1.6 The inverted pyramid supports work at the gemba

Chapter 3

Figure 3.1 Vulnerability leads to failure, which leads to impact

Figure 3.2 Four faces of risk, viewed together

Figure 3.3 The layered view

Figure 3.4 NIST RMF areas of concern

Figure 3.5 NIST RMF phased approach

Figure 3.6 ISO 31000:2018 Conceptual RMF

Figure 3.7 PDCA cycle diagram (simple), with subcycles

Chapter 4

Figure 4.1 John Boyd’s OODA loop

Figure 4.2 Risk mitigation major steps

Chapter 5

Figure 5.1 Wrapping: layer-by-layer encapsulation

Figure 5.2 Bus topology

Figure 5.3 Ring network topology

Figure 5.4 Star (or tree) network topology

Figure 5.5 Mesh network topology (fully connected)

Figure 5.6 Data Link layer frame format

Figure 5.7 IPv4 packet format

Figure 5.8 Easy OSI mnemonics

Figure 5.9 Changes to the packet header from IPv4 to IPv6

Chapter 6

Figure 6.1 Subjects and objects

Figure 6.2 US-CERT Traffic Light Protocol for information classification and handling

Figure 6.3 Bell-LaPadula (a) vs. Biba access control models (b)

Chapter 7

Figure 7.1 The basics of encoding, encrypting, decrypting, and decoding

Figure 7.2 Substitution and transposition

Figure 7.3 Comparing hashing and encryption as functions

Figure 7.4 Chains of trust

Figure 7.5 Certification path validation algorithm

Figure 7.6 TLS handshake

Figure 7.7 Crypto family tree

Figure 7.8 The blockchain concept

Chapter 8

Figure 8.1 Notional datacenter design

Figure 8.2 Is this firmware update good news?

Chapter 9

Figure 9.1 Waterfall software development lifecycle model

Chapter 10

Figure 10.1 Incident triage and response process

Figure 10.2 Incident response process

Figure 10.3 NIST 800-61 incident response flow

Figure 10.4 Incident Handling Checklist

Chapter 11

Figure 11.1 The descent from anomaly to organizational death

Figure 11.2 Continuity of operations planning and supporting planning processes

Figure 11.3 Beyond the seventh layer

Foreword

Welcome to the (ISC)2 SSCP Systems Security Certified Practitioner Official Study Guide, Second Edition! The global cybersecurity talent gap represents a huge opportunity for you to leverage your information technology skills to help protect your organization’s infrastructure, information, systems, and processes and to improve and grow in your professional journey.

The Systems Security Certified Practitioner is a foundational certification that demonstrates you have the advanced technical skills and knowledge to implement, monitor, and administer IT infrastructure using security best practices, policies, and procedures established by the cybersecurity experts at (ISC)² for protecting critical assets. This book will guide you through the seven subject area domains on which the SSCP exam will test your knowledge. Step by step, it will cover the fundamentals involved in each topic and will gradually build toward more focused areas of learning in order to prepare you.

The SSCP is a mark of distinction that hiring managers look for when recruiting for roles that include cybersecurity responsibilities. Your pursuit and maintenance of this credential demonstrates that you have the knowledge and the drive to meet a recognized standard of excellence.

Whether you are brand new to the field or just want a refresher on the core tenets of cybersecurity, this guide will help you build a solid understanding of the technical, physical, administrative and legal aspects of the information security and assurance profession, as well as the ethical fidelity required of the SSCP.

I hope that you will find the (ISC)2 SSCP Systems Security Certified Practitioner Official Study Guide, Second Edition to be an informative and helpful tool and wish you great success in your preparation and your professional growth.

Sincerely,

David P. Shearer, CISSP

CEO, (ISC)2

Introduction

Congratulations on choosing to become a Systems Security Certified Practitioner (SSCP)! In making this choice, you’re signing up to join the “white hats,” the professionals who strive to keep our information-based modern world safe, secure, and reliable. SSCPs and other information security professionals help businesses and organizations keep private data private and help to ensure that published and public-facing information stays unchanged and unhacked.

Whether you are new to the fields of information security, information assurance, or cybersecurity, or you’ve been working with these concepts, tools, and ideas for some time now, this book is here to help you grow your knowledge, skills, and abilities as a systems security professional.

Let’s see how!

About This Book

You’re here because you want to learn what it takes to be an SSCP. You know this will demand that you build a solid understanding of many different concepts, not only as theories but also as practical tasks you can do to help make information systems more secure. You know you’ll need to master a number of key definitions and be able to apply those definitions to real-world situations—you’ll need to operationalize those definitions and concepts by turning them into the step-by-step operations that make security become real.

This book is your study guide. It guides you along your personal journey as you learn and master these ideas and technologies. It takes you on that journey concept by concept, starting with simple, fundamental ideas and growing them to the level of power and complexity you will need, on the job, as an SSCP. That is this book’s focus, its purpose, and design.

In doing so, it’s also a valuable reference to have with you on the job, or as you continue to learn more about information security, information risk management, or any of a number of other related subject areas. You’ll find it more than covers the topic domains that (ISC)2 requires you to demonstrate competency in, should you wish to earn their Systems Security Certified Practitioner credential.

What Makes This the “Official” Study Guide for the SSCP?

Good question! This book exists because (ISC)2 wanted a book that would teach as well as guide, explain as well as capture the common knowledge about keeping information systems secure, protecting information assets, and information assurance that all SSCPs should have at their mental fingertips. As creators of the SSCP program, (ISC)2 defines that common body of knowledge, in continuous consultation with system security experts and practitioners from business, industry, government, and academia from around the world.

Using this official study guide, individuals can prepare for the SSCP exam with confidence. Businesses and other organizations can build their own in-house staff development and training programs around this book and have the same confidence that what they’ll be training their people on aligns with (ISC)2’s structure and definition of the SSCP as a body of knowledge.

What Is an SSCP?

The SSCP is actually three things in one: a standard of excellence, a credential that attests to demonstrated excellence, and a person who has earned that credential. Perhaps instead of asking “what” is an SSCP, we should also ask why, who, and how:

SSCP as standard of excellence.

The International Information System Security Certification Consortium, or (ISC)2, created this standard to reflect the continually evolving needs for people who can help all sorts of organizations around the world keep their information systems safe, secure, confidential, private, reliable, and trustworthy. Working with businesses, nonprofits, academic researchers, and the thought leaders of the cybersecurity and information assurance communities of practice, they developed the list of subject areas, or domains, that are the SSCP as a standard. That standard is set as the starting point for your professional journey as an information security specialist. Its focus is on hands-on technical knowledge combined with procedural and administrative awareness. The knowledge, skills, and abilities that make up the SSCP domains become the foundation for other, more advanced certifications (and hence standards).

SSCP as a credential.

Earning an SSCP certification attests to the fact that you have solid working knowledge of the topic domains that are the SSCP. As a published standard of excellence, this certification or credential is portable—people in the information system business, or who know the needs of their own organizations for information security, recognize and respect this credential. People can easily consult (ISC)2’s published standards for the SSCP and understand what it means. It is a portable, stackable credential, meaning that it can clearly pave the way for you to take on job responsibilities that need the knowledge and skills it attests to, and demonstrates you have the foundational knowledge to earn other credentials that can build on it.

SSCP as a goal or objective.

The SSCP as a standard answers the needs of hiring managers when they seek the right kind of people to help protect their organization’s information, their information systems and processes, their IT infrastructure, and their ability to make informed decisions in reliable, timely ways. Training managers or functional department leaders in various organizations can design their own internal training and skills development programs around the SSCP, knowing that it is a reliable standard for information system security knowledge and experience. They can look at job descriptions or task designs, and use the SSCP as a standard to identify whether the job and the SSCP are a good fit with each other, or if other significant knowledge and skills will be needed by people filling that position.

SSCP as a person.

By choosing to earn an SSCP credential, you’re declaring to yourself and to others that you’re willing to hold yourself to a respected and recognized standard of excellence. You’re willing to master what that standard asks of you, not only on the technical, physical, and administrative aspects of information security and assurance, but also on its legal and ethical requirements.

The Systems Security Certified Practitioner is thus a person who does the job of systems security to a level of competency that meets or exceeds that standard and who has earned a credential as testament to their knowledge and skills. It is a foundational certification, based on the knowledge and skills that people should already have when they first start out as an information security professional.

Let’s operationalize that set of words by showing them in action:

Systems—Generally, a system is a collection or set of elements that interconnect and interact with each other to fulfill or achieve a larger purpose or objective. In this context, we mean information systems. Information systems are the collected sets of hardware, software, databases, and data sets; the communications, networking, and other technologies that connect all of those elements together into a cohesive, working whole; and the people who use them and depend on them to achieve their goals and objectives.

Security—Again, generally speaking, security is the set of plans, procedures, and actions that keep something safe from harm, damage, or loss, through accident, acts of nature, or deliberate actions taken by people. Applying that to information systems, we see that information systems security is everything we need to do during design, implementation, operational use, and maintenance to keep all aspects of an information system protected against accidental or deliberate damage; it includes keeping its information free from unauthorized changes or viewing; and it keeps those systems up and running so that the information is there when people need it to get their jobs done.

Certified—The person holding this credential (or certification) has earned the right to do so by means of having demonstrated their mastery of the knowledge, skills, and attitudes that are defined to be the subject area or domain of the certification. Specifically, an SSCP has passed the certification exam and demonstrated the required work experience in the field of information security, as specified by the SSCP subject area domains.

Practitioner—A person whose professional or workplace duties, responsibilities, and tasks have them using the knowledge, skills, and abilities required by the standard to have earned the certification. There’s a degree of practice in the definition of practitioner, of course; as a practitioner, you are continually doing the stuff of your profession, and in doing so you continue to learn it better as well as refine, polish, and enrich the ways in which you do those tasks and fulfill those responsibilities. Practitioners get better with practice! (After all, if you’ve been “practicing medicine” for 20 years, we expect you are a much better medical doctor now than you were when you started.)

Note that a practitioner may be a specialist or a generalist; this is usually defined by the standards issued by the credentialing organization and reflects accepted and valued practice in the profession or industry as a whole.

What Can We Expect of Our SSCPs?

The world of commerce, industry, and governance expects you, as an SSCP, to be a hands-on practitioner of information systems security, someone who continuously monitors information systems to safeguard against security threats, vulnerabilities, and risks while having the knowledge to apply security concepts, tools, and procedures to react to security incidents. As an SSCP, you demonstrate certain knowledge and skills, in areas such as:

Information technology and cybersecurity theory and hands-on/technical practice

Cybersecurity policy, procedures, standards, and guidelines

Using simple coding or programming language techniques, in languages such as command line interface, PowerShell, Java, HTML, CSS, Python, and C#

You’ll also need more than just technical skills and knowledge. As an SSCP, you’ll be working with people constantly, as you assist them in securing their organization’s information security needs. This takes adaptability on your part, plus strong interpersonal skills. You’ll need to be a critical thinker, and to make sound judgments; you’ll have to communicate in person and in writing as you build and manage professional relationships within your organization and the larger information security community of practice. You’ll build this social capital both through your problem-solving skills and by applying your emotional intelligence.

Soft Skills: Very Strong Tickets to Success

Employers, clients, and others you’ll work with value your technical knowledge and skills, but they desperately need to be able to work with and communicate with you as you bring that knowledge and those skills to bear on their problems. The irony of calling these skills “soft” is that for some of us, it can be very hard work to improve on them. Investing in improving these skills will more than pay off for you in terms of salary and opportunities.

It’s also natural to expect that as an SSCP, you will be continually learning about your craft. You’ll keep current about the ways that threats evolve and stay informed about known vulnerabilities as they might be exploited against the systems under your care. You’ll know how to apply analytical and research skills to dig deeper into what you’re seeing in the way those systems are behaving, with an eye to identifying problems, recognizing that an information security incident might be under way, and responding to such incidents. This also means that you will periodically reflect on what you’ve been doing, how you’ve been doing it, and what you’ve been learning, and consider where improvement and growth are required to ensure continued effectiveness.

Who Should Take the SSCP Certification Exam?

The SSCP designation is designed for individuals who desire to learn hands-on, technical, cybersecurity fundamentals. While any individual who desires to practice cybersecurity can learn the material, there are certain requirements before sitting for the exam. SSCP candidates must have at least one year of cumulative work experience in one or more of the seven domains of the (ISC)2 SSCP Common Body of Knowledge (CBK). A one-year prerequisite pathway will be granted for candidates who received an accredited university degree (bachelor’s or master’s) in a cybersecurity program. Candidates without the required experience can take and pass the SSCP exam to earn an Associate of (ISC)2 designation and will have up to two years to gain the work experience needed for the SSCP.

Certificate vs. Certification vs. “Being Certified”

If you’re new to formal certifications, these terms may seem interchangeable—but they are not!

A certificate is an official document or proof that displays or attests to your completion of a formal program, school, or training course. Earning a certificate may require passing a formal exam, hands-on practice, or just remaining in the course until the end. Certificate courses are designed to teach a skill and/or influence knowledge and understanding of a topic.

A certification goes several steps further than a certificate. Typically, certifications require a minimum period of professional experience, which may include supervision by someone who also holds that same certification.

Certifications are established by professional organizations that serve a particular industry, and thus earning that certification means you’ve demonstrated what that industry needs. Certificates are defined and issued by the schools or training programs that teach them.

Typically, certifications have requirements for ongoing learning, experience, and skills development; certificates usually do not.

Finally, consider who awards you that credential. If it’s the school or the training organization, it’s a certificate. If it’s that standards-setting body, it’s a certification.

As a result, you are entitled—you have earned the right—to put the official, accepted designation of that certification after your name, when used as a part of your professional correspondence, marketing, or other communications. John Doe, SSCP, or Jayne Smith, MD, are ways that these individuals rightfully declare their earned certifications.

Academic programs increasingly offer sets of accredited university courses bundled as certificate programs; instead of completing 120 semester hours for a bachelor’s degree, for example, a certificate program might only require 15 to 30 semester hours of study.

Thus, we see that “being certified” means that you’ve met the standards required by the professional organization that defines and controls that certification as a process and as a standard; you’ve earned the right to declare yourself “certified” in the domain of that standard.

The National and International Need

We’ve certainly needed people who understood information security as a systems discipline since the dawn of the computer age, but it wasn’t until the early 1990s that we saw national and global awareness of this need start to attract headlines and influence the ways people prepared for careers in cybersecurity. One of the results of the President’s Commission on Critical Infrastructure Protection (PCCIP), created by Bill Clinton, was the recognition that the nation needed a far larger and more sustained effort focused on securing the Internet-based backbones and systems on which our society and much of the world depended for day-to-day business, commerce, public services, hygiene, transportation, medicine—in short, for everything! Virtually all of that infrastructure was owned and operated by private business; this was not something governments could mandate, direct, or perform.

The National Institute of Standards and Technology (NIST) took the lead in defining standards-based frameworks and approaches for identifying, managing, and controlling risks to information systems and infrastructures. As a part of this effort, NIST established the National Initiative for Cybersecurity Education (NICE). This partnership between government, academia, and the private sector works to continually define the standards and best practices that cybersecurity professional educators and trainers need to fulfill in order to produce a qualified cybersecurity workforce.

In the meantime, the Department of Defense (DoD) has continued its efforts to professionalize its workforce (both the uniformed and civilian members) and, in a series of regulations and directives, has defined its baseline set of approved certifications in various fields. One of these, DoD Directive 8140, defines the minimum acceptable certifications someone must demonstrate to hold jobs in the information assurance technical, managerial, and systems architecture job series. DoD 8140 also defines the certifications necessary to hold jobs as a cybersecurity service provider at various levels.

Internationally, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have jointly issued their own family of standards designed to help private and public organizations worldwide attain minimum acceptable standards in achieving information security, information assurance, and cybersecurity. The ISO/IEC 27000 family of standards provides best practice recommendations on information security management and the management of information risks through information security controls, within the context of an overall information security management system (ISMS). ISO/IEC 27001 is the best-known standard in the family providing requirements for an ISMS. The European Union has issued a series of regulations and policy documents that help refine and implement these ISO/IEC standards.

(ISC)2 plays a part in helping all of these standards bodies and regulatory agencies assess the current needs of the information security community of practitioners and works to update its set of certifications to support these national, international, and global needs. As a result, the SSCP certification is recognized around the world.

The SSCP and Your Professional Growth Path

Possibly one of the best ways to see your SSCP in the context of your professional growth and development is the CyberSeek website. CyberSeek is a partnership sponsored by NIST that brings together the current state of the job market in cybersecurity, information security, and information risk management. It combines data on job market demand for such skills, current average salaries, and even insight on the numbers of professionals holding various certifications. The real gem, however, for the new cybersecurity or information security pro is its Career Mapping tool. See this at www.cyberseek.org and use it to help navigate the options to consider and the opportunities that an earned SSCP after your name might open up.

As an international, nonprofit membership association with more than 140,000 members, (ISC)2 has worked since its inception in 1989 to serve the needs for standardization and certification in cybersecurity workplaces around the world. Since then, (ISC)2’s founders and members have been shaping the information security profession and have developed the following information security certifications:

Certified Information Systems Security Professional (CISSP): The CISSP is an experienced professional who holds the most globally recognized standard of achievement in the industry, and the first information security credential to meet the strict conditions of ISO/IEC Standard 17024. The CISSP certification has three concentrations:

Certified Information Systems Security Professional: Information Systems Security Architecture Professional (CISSP-ISSAP): The CISSP-ISSAP is a chief security architect, analyst, or other professional who designs, builds, and oversees the implementation of network and computer security for an organization. The CISSP-ISSAP may work as an independent consultant or other professional who provides operational guidance and direction to support business strategies.

Certified Information Systems Security Professional: Information Systems Security Engineering Professional (CISSP-ISSEP): The CISSP-ISSEP can effectively incorporate security into all facets of business operations.

Certified Information Systems Security Professional: Information Systems Security Management Professional (CISSP-ISSMP): The CISSP-ISSMP is a cybersecurity manager who demonstrates deep management and leadership skills and excels at establishing, presenting, and governing information security programs.

Systems Security Certified Practitioner (SSCP): The SSCP is a high-value practitioner who demonstrates technical skills in implementing, monitoring, and administering IT infrastructure using information security policies and procedures. The SSCP’s commitment to continuous learning and practice ensures consistent information assurance.

Certified Cloud Security Professional (CCSP): The CCSP is a globally recognized professional who demonstrates expertise and implements the highest standards in cloud security. The certification was co-created by (ISC)² and Cloud Security Alliance—the leading stewards for information security and cloud computing security.

Certified Authorization Professional (CAP): The CAP is a leader in information security and aligns information systems with the risk management framework (RMF). The CAP certification covers the RMF at an extensive level, and it’s the only certification under the DoD 8570/DoD 8140 Approved Baseline Certifications that aligns to each of the RMF steps.

Certified Secure Software Lifecycle Professional (CSSLP): The CSSLP is an internationally recognized professional with the ability to incorporate security practices— authentication, authorization, and auditing—into each phase of the software development lifecycle (SDLC).

HealthCare Information Security and Privacy Practitioner (HCISPP): The HCISPP is a skilled practitioner who combines information security with healthcare security and privacy best practices and techniques.

Each of these certifications has its own requirements for documented full-time experience in its requisite topic areas.

Newcomers to information security who have not yet had supervised work experience in the topic areas can take and pass the SSCP exam and then become recognized as Associates of (ISC)2. Associates then have two years to attain the required experience to become full members of (ISC)2.

The SSCP Seven Domains

(ISC)² is committed to helping members learn, grow, and thrive. The Common Body of Knowledge (CBK) is the comprehensive framework that helps it fulfill this commitment. The CBK includes all the relevant subjects a security professional should be familiar with, including skills, techniques, and best practices. (ISC)2 uses the various domains of the CBK to test a certificate candidate’s levels of expertise in the most critical aspects of information security. You can see this framework in the SSCP Exam Outline at www.isc2.org/-/media/ISC2/Certifications/Exam-Outlines/SSCP-Exam-Outline-Nov-1-2018.ashx.

Successful candidates are competent in the following seven domains:

Domain 1: Access Controls Policies, standards, and procedures that define who users are, what they can do, which resources and information they can access, and what operations they can perform on a system, such as:

1.1 Implement and maintain authentication methods

1.2 Support internetwork trust architectures

1.3 Participate in the identity management lifecycle

1.4 Implement access controls

Domain 2: Security Operations and Administration Identification of information assets and documentation of policies, standards, procedures, and guidelines that ensure confidentiality, integrity, and availability, such as:

2.1 Comply with codes of ethics

2.2 Understand security concepts

2.3 Document, implement, and maintain functional security controls

2.4 Participate in asset management

2.5 Implement security controls and assess compliance

2.6 Participate in change management

2.7 Participate in security awareness and training

2.8 Participate in physical security operations (e.g., data center assessment, badging)

Domain 3: Risk Identification, Monitoring, and Analysis Risk identification is the review, analysis, and implementation of processes essential to the identification, measurement, and control of loss associated with unplanned adverse events. Monitoring and analysis are determining system implementation and access in accordance with defined IT criteria. This involves collecting information for identification of, and response to, security breaches or events, such as:

3.1 Understand the risk management process

3.2 Perform security assessment activities

3.3 Operate and maintain monitoring systems (e.g., continuous monitoring)

3.4 Analyze monitoring results

Domain 4: Incident Response and Recovery “The show must go on” is a well-known saying that means even if there are problems or difficulties, an event or activity must continue. Incident response and recovery ensures the work of the organization will continue. In this domain, the SSCP gains an understanding of how to handle incidents using consistent, applied approaches like business continuity planning (BCP) and disaster recovery planning (DRP). These approaches are utilized to mitigate damages, recover business operations, and avoid critical business interruption:

4.1 Support incident lifecycle

4.2 Understand and support forensic investigations

4.3 Understand and support business continuity plan (BCP) and disaster recovery plan (DRP) activities

Domain 5: Cryptography The protection of information using techniques that ensure its integrity, confidentiality, authenticity, and nonrepudiation, and the recovery of encrypted information in its original form:

5.1 Understand fundamental concepts of cryptography

5.2 Understand reasons and requirements for cryptography

5.3 Understand and support secure protocols

5.4 Understand public key infrastructure (PKI) systems

Domain 6: Network and Communications Security The network structure, transmission methods and techniques, transport formats, and security measures used to operate both private and public communication networks:

6.1 Understand and apply fundamental concepts of networking

6.2 Understand network attacks and countermeasures (e.g., DDoS, man-in-the-middle, DNS poisoning)

6.3 Manage network access controls

6.4 Manage network security

6.5 Operate and configure network-based security devices

6.6 Operate and configure wireless technologies (e.g., Bluetooth, NFC, Wi-Fi)

Domain 7: Systems and Application Security Countermeasures and prevention techniques for dealing with viruses, worms, logic bombs, Trojan horses, and other related forms of intentionally created damaging code:

7.1 Identify and analyze malicious code and activity

7.2 Implement and operate endpoint device security

7.3 Operate and configure cloud security

7.4 Operate and secure virtual environments

Using This Book

This book is structured to take you on your learning journey through all seven subject area domains that the SSCP requires. It does this one building block at a time, starting with the fundamentals involved in a particular topic or subject, and building on those to guide you toward the degree of knowledge you’ll need as an SSCP. This book is structured in four major parts:

Part 1 provides a solid foundation of how organizations use information to drive decision making, and the role of information systems and information technologies in making that information available, reliable, and useful. It then looks to the fundamental concepts of information security and assurance, using operational definitions and examples to help you apply these concepts to real-world situations you may find around you today:

Business and the private sector speak their own language, and organize, direct, manage, and lead their people in different ways than do governments or military services. If you haven’t had experience in the private sector or have no business background, start with Chapter 1, “Using the Language of Business.”

Chapter 1’s content is valuable to every SSCP, but it is not officially a part of the SSCP domains, and is outside the scope of the SSCP certification exam. Even if you’ve had private sector work experience, you’ll find Chapter 1 will strengthen your understanding of why business finds information security and assurance so important. With that as foundation, you can go on and learn how to make that security happen.

Chapter 2 provides a deep look at the fundamentals of information security and assurance.

Part 2 takes you deep into the practice of risk management, with great emphasis on information risk management:

Chapter 3 defines the basic concepts of risk management and risk mitigation and familiarizes you with the processes all organizations can use to understand risks, characterize their impact on organizational objectives, and prioritize how to deal with information risks specifically.

Chapter 4 dives into risk mitigation. Here’s where we make decisions about specific risks (or, rather, about the vulnerabilities we’ve discovered that could lead to such a risk becoming reality). We’ll look at choices you can make, or advise your company’s management to make, and how you can estimate the value of your mitigation choices as compared to the possible impacts if nothing is done.

Part 3 gets down into the technologies of information security; we’ll start each major subject area in Part 3 first by reviewing the fundamentals of various information systems technologies and how they are used, and then look to their vulnerabilities and what choices we might have to help mitigate their associated risks. Key throughout Part 3 is the need to own and manage the baseline architectures of our information systems—for without effective management of our systems, we have little hope of being able to keep them secure, much less operating correctly!

Chapter 5 is all about communications as a people-to-people and systems-to-systems set of processes and protocols. Two protocol stacks—the Open Systems Interconnection (OSI) 7-layer reference model and the Transmission Control Protocol over Internet Protocol (TCP/IP)—will become your highway to understanding and appreciating the different perspectives you’ll need as you seek to secure networks and systems.

Chapter 6 considers identity management and access control, which are two sides of the same process: how do we know that users or processes asking to use our systems and our information are who they claim they are, and how do we control, limit, or deny their access to or use of any of our information, our systems, our knowledge, or our people?

Chapter 7 demystifies cryptography and cryptographic systems, with special emphasis on the use of symmetric and asymmetric encryption algorithms as part of our digital certificates, signatures, and public infrastructure for security.

Chapter 8 considers the security aspects of computing and communications hardware, and the systems software, utilities, firmware, and connections that bring that all together.

Chapter 9 continues on the foundation laid in Chapter 8 by investigating how we secure applications software, data, and endpoint devices. It also looks at the specific issues involved when organizations migrate their information systems to the cloud (or have developed them in the cloud from the beginning).

Part 4 shifts the emphasis back onto the real driving, integrative force that we need to apply to our information security problems: the people power inherent in our workforce, their managers and leaders, even our customers, clients, and those we partner with or share federated systems with:

Chapter 10 takes us through the information security incident response process, from planning and preparation through the real-time challenges of detection, identification, and response. It then takes us through the post-response tasks and shows how attention to these can increase our organization’s chances of never having to cope with making the same mistakes twice by learning from the experiences of an incident response while they’re still fresh in our response team members’ minds.

Chapter 11 addresses business continuity and disaster recovery, which are both the overriding purpose of information security and assurance and the worst-case scenario for why we need to plan and prepare if we want our organization to survive a major incident and carry on with business as usual.

Chapter 12 takes a look back across all chapters and highlights important issues and trends which you as an SSCP may have to deal with in the very near future. It also offers some last-minute practical advice on getting ready to take your SSCP exam and ideas for what you can do after that.

As you look at the chapters and the domains, you should quickly see that some domains fit neatly into a chapter all by themselves; other domains share the limelight with each other in the particular chapters that address their subject areas. You’ll also see that some chapters focus on building foundational knowledge and skills; others build applied problem-solving skills and approaches; and some provide a holistic, integrated treatment spanning CBK domains. This is intentional—the design of this book takes you on a journey of learning and mastery of those seven CBK domains.

Risk identification, monitoring, and analysis as a domain is a fundamental element of two chapters (Chapters 3 and 4) almost by itself. This important topic deserves this level of attention; you might even say that the very reason we do information security at all is because we’re trying to manage and mitigate risks to our information! Similarly, we see that Chapter 11, which focuses on the people power aspects of achieving business continuity in the face of information security incidents and disasters, must make significant use of the domains of access control, security operations and administration, and risk identification, monitoring, and analysis. Finally, the growing emphasis in the marketplace on data security, cloud security, endpoint security, and software lifecycle security dictates that we first build a strong foundation on hardware and systems security (Chapter 8), on which we build our knowledge and skills for applications, data, cloud, and mobile endpoint security.

Objective Map

Table I.1 contains an objective map to show you at-a-glance where you can find each objective covered. Note that all chapters except Chapters 1 and 12 cover objectives from the SSCP exam.

TABLE I.1 Objective Map

Objective | Chapter

Domain 1: Access Controls
1.1 Implement and maintain authentication methods | 6
1.2 Support internetwork trust architectures | 6
1.3 Participate in the identity management lifecycle | 6, 11
1.4 Implement access controls | 6

Domain 2: Security Operations and Administration
2.1 Comply with codes of ethics | 2, 11
2.2 Understand security concepts | 2, 11
2.3 Document, implement, and maintain functional security controls | 11
2.4 Participate in asset management | 11
2.5 Implement security controls and assess compliance | 3, 4
2.6 Participate in change management | 3, 4
2.7 Participate in security awareness and training | 3, 4, 11
2.8 Participate in physical security operations (e.g., data center assessment, badging) | 3, 4

Domain 3: Risk Identification, Monitoring, and Analysis
3.1 Understand the risk management process | 3, 4
3.2 Perform security assessment activities | 4
3.3 Operate and maintain monitoring systems (e.g., continuous monitoring) | 4, 10
3.4 Analyze monitoring results | 4

Domain 4: Incident Response and Recovery
4.1 Support incident lifecycle | 10
4.2 Understand and support forensic investigations | 10
4.3 Understand and support business continuity plan (BCP) and disaster recovery plan (DRP) activities | 10

Domain 5: Cryptography
5.1 Understand fundamental concepts of cryptography | 7
5.2 Understand reasons and requirements for cryptography | 7
5.3 Understand and support secure protocols | 7
5.4 Understand public key infrastructure (PKI) systems | 7

Domain 6: Network and Communications Security
6.1 Understand and apply fundamental concepts of networking | 5
6.2 Understand network attacks and countermeasures (e.g., DDoS, man-in-the-middle, DNS poisoning) | 5
6.3 Manage network access controls | 6
6.4 Manage network security | 5
6.5 Operate and configure network-based security devices | 5
6.6 Operate and configure wireless technologies (e.g., Bluetooth, NFC, Wi-Fi) | 5

Domain 7: Systems and Application Security
7.1 Identify and analyze malicious code and activity | 8
7.2 Implement and operate endpoint device security | 8, 9
7.3 Operate and configure cloud security | 8, 9
7.4 Operate and secure virtual environments | 8, 9

Earning Your Certification

Earning your SSCP requires that you take and pass the SSCP exam, of course; it also requires that you have at least one year of full-time work experience, in at least one of the seven domains of knowledge of the SSCP. A one-year prerequisite waiver will be granted by (ISC)2 if you have earned a bachelor’s degree or higher in a recognized cybersecurity-related discipline. The website www.isc2.org/Certifications/SSCP/Prerequisite-Pathway explains this and should be your guide. Note the requirements to be able to document your work experience.

No matter where you are on that pathway right now, put this book to work! Use it as a ready reference, as a roadmap, and as a learning tool. Let it help you broaden and deepen your knowledge base, while you sharpen your skills on the job or in your classes—or both!

Before the Exam: Grow Your Knowledge, Skills, and Experience

The key to this or any personal and professional development you wish to achieve is to first set your goals. SMART goals can help you plan and achieve most anything you set your body, mind, heart and spirit to:

Specific—What is it, exactly, that you want to achieve?

Measurable—How will you know that you’ve achieved that specific goal?

Achievable—Is it really within your power and ability to achieve it? Or do you need to first build other strengths, develop other talents, or align other resources to help you take this goal on?

Realistic—Can you actually do this? Are there practical ways to go about accomplishing this goal?

Timely—When, exactly, do you want or need to accomplish this goal by?

Having set SMART goals, set a plan; lay out the tasks you’ll need to accomplish, and break those down, week by week, perhaps even day by day, to get to the goals of taking and passing the exam, and having the prerequisite experience or earned degree.

Start by thoroughly reading, and rereading, this study guide. Work through its review questions, not only to focus on why the right answers are in fact correct, but to identify and understand what’s wrong with the wrong answers. Work through the case studies, and let them suggest other real-world issues to you as you do.

Other options to consider include: