ISC2 SSCP Systems Security Certified Practitioner Official Study Guide E-Book

Table of Contents

Cover

Title Page

Copyright

Acknowledgments

About the Author

About the Technical Editor

Introduction

About This Book

What Is an SSCP?

Using This Book

Major Changes in This Edition

Objective Map

Earning Your Certification

Congratulations! You're Now an SSCP. Now What?

Let's Get Started!

Assessment  Test

Answers to Assessment  Test

PART I: Getting Started as an SSCP

Chapter 1: The Business Case for Decision Assurance and Information Security

Information: The Lifeblood of Business

Policy, Procedure, and Process: How Business Gets Business Done

Who Runs the Business?

Summary

Exam Essentials

Review Questions

Chapter 2: Information Security Fundamentals

The Common Needs for Privacy, Confidentiality, Integrity, and Availability

Training and Educating Everybody

SSCPs and Professional Ethics

Summary

Exam Essentials

Review Questions

PART II: Integrated Risk Management and Mitigation

Chapter 3: Integrated Information Risk Management

It’s a Dangerous World

The Four Faces of Risk

Getting Integrated and Proactive with Information Defense

Risk Management: Concepts and Frameworks

Risk Assessment

Four Choices for Limiting or Containing Damage

Summary

Exam Essentials

Review Questions

Chapter 4: Operationalizing Risk Mitigation

From Tactical Planning to Information Security Operations

Operationalizing Risk Mitigation: Step by Step

The Ongoing Job of Keeping Your Baseline Secure

Ongoing, Continuous Monitoring

Reporting to and Engaging with Management

Summary

Exam Essentials

Review Questions

PART III: The Technologies of Information Security

Chapter 5: Communications and Network Security

Trusting Our Communications in a Converged World

Internet Systems Concepts

Two Protocol Stacks, One Internet

Wireless Network Technologies

IP Addresses, DHCP, and Subnets

IPv4 vs. IPv6: Important Differences and Options

CIANA Layer by Layer

Securing Networks as Systems

Summary

Exam Essentials

Review Questions

Chapter 6: Identity and Access Control

Identity and Access: Two Sides of the Same CIANA+PS Coin

Identity Management Concepts

Access Control Concepts

Network Access Control

Implementing and Scaling IAM

User and Entity Behavior Analytics (UEBA)

Zero Trust Architectures

Summary

Exam Essentials

Review Questions

Chapter 7: Cryptography

Cryptography: What and Why

Building Blocks of Digital Cryptographic Systems

Keys and Key Management

Modern Cryptography: Beyond the “Secret Decoder Ring”

“Why Isn't All of This Stuff Secret?”

Cryptography and CIANA+PS

Public Key Infrastructures

Applying Cryptography to Meet Different Needs

Managing Cryptographic Assets and Systems

Measures of Merit for Cryptographic Solutions

Attacks and Countermeasures

PKI and Trust: A Recap

On the Near Horizon

Summary

Exam Essentials

Review Questions

Chapter 8: Hardware and Systems Security

Infrastructure Security Is Baseline Management

Securing the Physical Context

Infrastructures 101 and Threat Modeling

Endpoint Security

Malware: Exploiting the Infrastructure's Vulnerabilities

Privacy and Secure Browsing

“The Sin of Aggregation”

Updating the Threat Model

Managing Your Systems' Security

Summary

Exam Essentials

Review Questions

Chapter 9: Applications, Data, and Cloud Security

It's a Data-Driven World…At the Endpoint

Software as Appliances

Applications Lifecycles and Security

CIANA+PS and Applications Software Requirements

Application Vulnerabilities

“Shadow IT:” The Dilemma of the User as Builder

Information Quality and Information Assurance

Protecting Data in Motion, in Use, and at Rest

Into the Clouds: Endpoint App and Data Security Considerations

Legal and Regulatory Issues

Countermeasures: Keeping Your Apps and Data Safe and Secure

Summary

Exam Essentials

Review Questions

PART IV: People Power: What Makes or Breaks Information Security

Chapter 10: Incident Response and Recovery

Defeating the Kill Chain One Skirmish at a Time

Harsh Realities of Real Incidents

Incident Response Framework

Preparation

Detection and Analysis

Containment and Eradication

Recovery: Getting Back to Business

Post-Incident Activities

Summary

Exam Essentials

Review Questions

Note

Chapter 11: Business Continuity via Information Security and People Power

What Is a Disaster?

Surviving to Operate: Plan for It!

Timelines for BC/DR Planning and Action

Options for Recovery

Cloud-Based “Do-Over” Buttons for Continuity, Security, and Resilience

People Power for BC/DR

Security Assessment: For BC/DR and Compliance

Converged Communications: Keeping Them Secure During BC/DR Actions

Summary

Exam Essentials

Review Questions

Chapter 12: Cross-Domain Challenges

Operationalizing Security Across the Immediate and Longer Term

Supply Chains, Security, and the SSCP

Other Dangers on the Web and Net

On Our Way to the Future

Enduring Lessons

Your Next Steps

At the Close

Exam Essentials

Review Questions

Appendix: Answers to Review Questions

Chapter 1: The Business Case for Decision Assurance and Information Security

Chapter 2: Information Security Fundamentals

Chapter 3: Integrated Information Risk Management

Chapter 4: Operationalizing Risk Mitigation

Chapter 5: Communications and Network Security

Chapter 6: Identity and Access Control

Chapter 7: Cryptography

Chapter 8: Hardware and Systems Security

Chapter 9: Applications, Data, and Cloud Security

Chapter 10: Incident Response and Recovery

Chapter 11: Business Continuity via Information Security and People Power

Chapter 12: Cross-Domain Challenges

Index

End User License Agreement

List of Tables

Introduction

TABLE I.1 Objective Map

Chapter 5

TABLE 5.1 OSI and TCP/IP side by side

TABLE 5.2 OSI 7-layer model and TCP/IP 4-layer model in context

TABLE 5.3 Common TCP/IP ports and protocols

TABLE 5.4 IPv4 address classes

TABLE 5.5 Address classes and CIDR

List of Illustrations

Chapter 1

FIGURE 1.1 The knowledge pyramid

FIGURE 1.2 Messaging at passenger screening (notional)

FIGURE 1.3 The value chain

FIGURE 1.4 Ishikawa (or “fishbone”) diagram for a value process

FIGURE 1.5 The organization chart as pyramid (traditional view)

FIGURE 1.6 The inverted pyramid supports work at the gemba

Chapter 3

FIGURE 3.1 Vulnerability leads to failure, which leads to impact

FIGURE 3.2 Four faces of risk, viewed together

FIGURE 3.3 The layered view

FIGURE 3.4 NIST RMF areas of concern

FIGURE 3.5 NIST RMF phased approach

FIGURE 3.6 ISO 31000:2018 Conceptual RMF

FIGURE 3.7 PDCA cycle diagram (simple), with subcycles

Chapter 4

FIGURE 4.1 John Boyd’s OODA loop

FIGURE 4.2 Risk mitigation major steps

Chapter 5

FIGURE 5.1 Wrapping: layer-by-layer encapsulation

FIGURE 5.2 Bus topology

FIGURE 5.3 Ring network topology

FIGURE 5.4 Star (or tree) network topology

FIGURE 5.5 Mesh network topology (

fully connected

)

FIGURE 5.6 Data Link layer frame format

FIGURE 5.7 IPv4 packet format

FIGURE 5.8 Easy OSI mnemonics

FIGURE 5.9 Changes to the packet header from IPv4 to IPv6

Chapter 6

FIGURE 6.1 Subjects and objects

FIGURE 6.2 US-CERT Traffic Light Protocol for information classification and...

FIGURE 6.3 Bell-LaPadula (a) vs. Biba access control models (b)

FIGURE 6.4 Crossover error rate (where FAR equals FRR)

FIGURE 6.5 Overall access control system error rates trade space

FIGURE 6.6 Digital identity and credentials process model (from NIST SP 800-...

FIGURE 6.7 UEBA security in operation (conceptual)

Chapter 7

FIGURE 7.1 The basics of encoding, encrypting, decrypting, and decoding

FIGURE 7.2 Substitution and transposition

FIGURE 7.3 Comparing hashing and encryption as functions

FIGURE 7.4 Chains of trust

FIGURE 7.5 Certification path validation algorithm

FIGURE 7.6 The blockchain concept

FIGURE 7.7 Crypto family tree

Chapter 8

FIGURE 8.1 Notional datacenter design

FIGURE 8.2 Is this firmware update good news?

Chapter 9

FIGURE 9.1 Waterfall software development lifecycle model

Chapter 10

FIGURE 10.1 Incident triage and response process

FIGURE 10.2 ATT&CK enterprise framework (partial)

FIGURE 10.3 Incident response process

FIGURE 10.4 NIST 800-61 incident response flow

FIGURE 10.5 Incident Handling Checklist

Chapter 11

FIGURE 11.1 Continuity of operations planning and supporting planning proces...

FIGURE 11.2 Timelines for incident response, recovery, and continuity

FIGURE 11.3 Beyond the seventh layer

Guide

Cover Page

Title Page

Copyright

Acknowledgments

About the Author

About the Technical Editor

Introduction

TABLE of Contents

Begin Reading

Appendix: Answers to Review Questions

Index

WILEY END USER LICENSE AGREEMENT

Pages

iii

iv

v

vii

ix

xxv

xxvi

xxvii

xxviii

xxix

xxx

xxxi

xxxii

xxxiii

xxxiv

xxxv

xxxvi

xxxvii

xxxviii

xxxix

xl

xli

xlii

xliii

xliv

xlv

xlvi

xlvii

xlviii

xlix

l

li

lii

liii

liv

lv

lvi

lvii

lviii

lix

lx

lxi

lxii

lxiii

lxiv

lxv

lxvi

lxvii

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

384

385

386

387

388

389

390

391

392

393

394

395

396

397

398

399

400

401

402

403

404

405

406

407

408

409

410

411

412

413

414

415

416

417

418

419

420

421

422

423

424

425

426

427

428

429

430

431

432

433

434

435

436

437

438

439

440

441

442

443

444

445

446

447

448

449

450

451

452

453

454

455

456

457

458

459

460

461

462

463

464

465

466

467

468

469

470

471

472

473

474

475

476

477

478

479

480

481

482

483

484

485

486

487

488

489

490

491

492

493

494

495

496

497

498

499

500

501

502

503

504

505

506

507

508

509

510

511

512

513

514

515

516

517

518

519

520

521

522

523

524

525

526

527

528

529

530

531

532

533

534

535

536

537

538

539

540

541

542

543

544

545

546

547

548

549

550

551

552

553

554

555

556

557

558

559

560

561

562

563

564

565

566

567

568

569

570

571

572

573

574

575

576

577

578

579

580

581

582

583

584

585

586

587

588

589

590

591

592

593

594

595

596

597

598

599

600

601

602

603

604

605

606

607

608

609

610

611

612

613

614

615

616

617

618

619

620

621

622

623

624

625

626

627

628

629

630

631

632

633

634

635

636

637

638

639

640

641

642

643

644

645

646

647

648

649

650

651

652

653

654

655

656

657

658

659

660

661

662

663

664

665

666

667

668

669

670

671

672

673

674

675

676

677

678

679

680

681

682

683

684

685

686

687

688

689

690

691

692

693

694

695

696

697

698

699

700

701

702

703

704

705

706

707

708

709

710

711

712

713

714

715

716

717

718

719

720

721

722

723

724

725

727

728

729

730

731

732

733

734

735

736

737

738

739

740

741

742

743

744

745

746

747

748

(ISC)2®SSCP® Systems Security Certified Practitioner

Official Study Guide

Third Edition

Michael S. Wills, SSCP, CISSP, CAMS

Copyright © 2022 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada.

978-1-119-85498-2978-1-119-85500-2 (ebk.)978-1-119-85499-9 (ebk.)

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permission.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Website is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Website may provide or recommendations it may make. Further, readers should be aware the Internet Websites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Control Number: 2021948848

Trademarks: WILEY, the Wiley logo, Sybex and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. (ISC)2 and SSCP are trademarks or registered trademarks of International Information Systems Security Certification Consortium, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Cover image: © Jeremy Woodhouse/Getty ImagesCover design: Wiley

Acknowledgments

This book owes a great deal to the many teachers, co-workers, teammates, and friends who've worked so hard for so long to teach me what I know about information security and insecurity and about risk management and mismanagement. Where this book works well in conveying that body of knowledge, skills, and attitudes to you is a testament to their generosity in sharing their insights with me. (And where it fails to work well, or doesn't work at all, it's my own darned fault.) In particular I'd like to thank the team at (ISC)2 with whom I worked these past 18 months on updates to and then complete revisions of their SSCP and CISSP courses to meet 2021's newly updated exam outlines and content expectations. Countless hours on Zoom and Webex with Graham Thornburrow-Dobson, John Warsinske, Maytal Brooks-Kempler, Laural Hargadon, and Fabio Cerullo sharpened my thinking and focused my writing more toward the operational aspects of cybersecurity and less on the theoretical. A special thank-you too goes out to Kaitlyn Langenbacher, the project owner for these updates at (ISC)2, and to all of the editors and proofreaders working with her. Throughout all of that, the support, questions, and co-creativity they brought made that work a truly joint, collaborative one; their work and care color and shape this revision of this Study Guide as well. I would also like to acknowledge my faculty teammates here at Embry-Riddle Aeronautical University for sharing their frank and candid views throughout many conversations on making this body of knowledge accessible and engaging in the classroom. The ideas and experiences of Drs. Aaron Glassman and Jason Clark have profoundly affected my approach to what you see before you here in this book.

The combined team at Wiley/Sybex and at (ISC)2 worked tirelessly to focus, strengthen, and clarify what I wanted to say here in this book and how I said it, all while keeping my voice and my teaching ideas authentic and on point. My thanks go out to the editorial team at Wiley/Sybex: Jim Minatel, Tracy Brown, Pete Gaughan, Nancy Carrasco, Barath Kumar Rajasekaran, Kim Wimpsett, and their technical reviewer Graham Thornburrow-Dobson, as well as to Tara Zeiler and Fabio Cerullo, our reviewers at (ISC)2. Johnna VanHoose Dinse, Wiley's indexer, has also made the art of finding what you want in this book when you need it more of a science (and I've always had a soft spot for a great index!). Where this book works well for you, it works because of the efforts of all of those people to make this book the best it can be. What errors, omissions, misspeaks, and confusions that remain are mine, not theirs.

Finally, I wish to thank my wife Nancy. She saved my life and brought me peace. Her strength inspired me to say “yes” the first time when Jim called me about doing this book the first time, and her patience has kept both of us healthy and happy throughout everything. Even these updates.

About the Author

Michael S. Wills, CAMS, CISSP, SSCP, is Assistant Professor of Applied and Innovative Information Technologies at the College of Business, Embry-Riddle Aeronautical University – Worldwide, where he continues his graduate and undergraduate teaching and research in cybersecurity and information assurance.

Mike has also been an advisor on science and technology policy to the UK's Joint Intelligence Committee, Ministry of Justice, and Defense Science and Technology Laboratories, helping them to evolve an operational and policy consensus relating topics from cryptography and virtual worlds, through the burgeoning surveillance society, to the proliferation of weapons of mass disruption (not just “destruction”) and their effects on global, regional, national, and personal security. For a time, this had him sometimes known as the UK's nonresident expert on outer space law.

Mike has been supporting the work of (ISC)2 by writing, editing, and updating books, study guides, and course materials for both its SSCP and CISSP programs. He wrote SSCP Official Study Guide 2nd Edition in 2019, followed quickly by SSCP Official CBK Reference 5th Edition. He was lead author for the 2021 update of (ISC)2's official CISSP and SSCP training materials, and the 2021 revisions for the SSCP Official Study Guide and to its companion Official CBK 6th Edition reference book. Mike has also contributed to several industry roundtables and white papers on digital identity and cyber fraud detection and prevention and has been a panelist and webinar presenter on these and related topics for ACAMS.

Mike earned his BS and MS degrees in computer science, both with minors in electrical engineering, from Illinois Institute of Technology, and his MA in Defence Studies from King's College, London. He is a graduate of the Federal Chief Information Officer program at National Defense University and the Program Manager's Course at Defense Systems Management College.

Mike and his wife Nancy currently call Wexford, Ireland, their home. Living abroad since the end of the last century, they find new perspectives, shared values, and wonderful people wherever they go. As true digital nomads, it's getting time to move again. Where to? They'll find out when they get there.

If you've got comments, questions, errata, or ideas about this book that you'd like to share, find Mike on LinkedIn and send him a comment. Or, send those to Wiley's Customer Service team at [email protected] with the subject line “Possible Book Errata Submission.”

About the Technical Editor

Graham Thornburrow-Dobson, CISSP, SSCP, is a security consultant and instructor with more than 30 years of experience in IT, with 20 years focused on IT security and related training.

Graham is an authorized (ISC)2 instructor who has delivered security training to a wide range of security professionals globally via both classroom-based and online training.

Graham has also been supporting the efforts of (ISC)2 in the continued development of their CISSP, SSCP, and ISSAP programs as both a writer and a technical editor.

Graham currently resides in Lincolnshire, United Kingdom. Graham would add more, but this would conflict with security policies.

Introduction

Congratulations on choosing to become a Systems Security Certified Practitioner (SSCP)! In making this choice, you're signing up to join the professionals who strive to keep our information-based modern world safe, secure, and reliable. SSCPs and other information security professionals help businesses and organizations keep private data private and help to ensure that published and public-facing information stays unchanged and unhacked. They help ensure the safe, secure, reliable, and trustworthy operation of our financial, energy, communications, transportation, and many other critical infrastructure systems we all rely upon.

Whether you are new to the fields of information security, information assurance, or cybersecurity, or you've been working with these concepts, tools, and ideas for some time now, this book is here to help you grow your knowledge, skills, and abilities as a systems security professional.

Let's see how!

About This Book

You're here because you want to learn what it takes to be an SSCP. You know this will demand that you build a solid understanding of many different concepts, not only as theories but also as practical tasks you can do to help make information systems more secure. You know you'll need to master a number of key definitions and be able to apply those definitions to real-world situations—you'll need to operationalize those definitions and concepts by turning them into the step-by-step operations that make security become real.

This book is your study guide. It guides you along your personal journey as you learn and master these ideas and technologies. It takes you on that journey concept by concept, starting with simple, fundamental ideas and growing them to the level of power and complexity you will need, on the job, as an SSCP. That is this book's focus, its purpose, and design.

(ISC)2 periodically updates the technical scope—the breadth and depth—of their various certifications to keep them more closely aligned with the needs of the security profession and to better focus them on the current tactics, techniques, and strategies that those professionals are using, day after day. This new edition of the Study Guide has also been updated to reflect and support readers like you as you work to strengthen your own knowledge of information systems security, and the proficiency of your skills with those concepts.

That means this book is also a valuable reference to have with you on the job, or as you continue to learn more about information security, information risk management, or any of a number of other related subject areas. You'll find it more than covers the topic domains that (ISC)2 requires you to demonstrate competency in, should you want to earn your Systems Security Certified Practitioner credential.

Go to https://www.wiley.com/go/sybextestprep to register and gain access to the Sybex interactive online learning environment and test bank with study tools.

What Makes This the “Official” Study Guide for the SSCP?

Good question! This book exists because (ISC)2 wanted a book that would teach as well as guide and explain as well as capture the common knowledge about information assurance—keeping information systems safe and secure by protecting their information assets that all SSCPs should have at their mental fingertips. As creators of the SSCP program, (ISC)2 defines that common body of knowledge, in continuous consultation with system security experts and practitioners from business, industry, government, and academia from around the world.

What Is an SSCP?

The SSCP is actually three things in one: a standard of excellence, a credential that attests to demonstrated excellence, and a person who has earned that credential. Perhaps instead of asking “what” is an SSCP, we should also ask why, who, and how:

SSCP as standard of excellence

. The International Information System Security Certification Consortium, or (ISC)

2

, created this standard to reflect the continually evolving needs for people who can help all sorts of organizations around the world keep their information systems safe, secure, confidential, private, reliable, and trustworthy. Working with businesses, nonprofits, academic researchers, and the thought leaders of the cybersecurity and information assurance communities of practice, they developed the list of subject areas, or

domains

, that are the SSCP as a standard. That standard is set as the starting point for your professional journey as an information security specialist. Its focus is on hands-on technical knowledge combined with procedural and administrative awareness. The knowledge, skills, and abilities that make up the SSCP domains become the foundation for other, more advanced certifications (and hence standards).

SSCP as a credential

. Earning an SSCP certification attests to the fact that you have solid working knowledge of the topic domains that are the SSCP. As a published standard of excellence, this certification or credential is portable—people in the information system business, or who know the needs of their own organizations for information security, recognize and respect this credential. People can easily consult (ISC)

2

's published standards for the SSCP and understand what it means. It is a portable, stackable credential, meaning that it can clearly pave the way for you to take on job responsibilities that need the knowledge and skills it attests to, and demonstrates you have the foundational knowledge to earn other credentials that can build on it.

SSCP as a goal or objective

. The SSCP as a standard answers the needs of hiring managers when they seek the right kind of people to help protect their organization's information, their information systems and processes, their IT infrastructure, and their ability to make informed decisions in reliable, timely ways. Training managers or functional department leaders in various organizations can design their own internal training and skills development programs around the SSCP, knowing that it is a reliable standard for information system security knowledge and experience. They can look at job descriptions or task designs and use the SSCP as a standard to identify whether the job and the SSCP are a good fit with each other or if other significant knowledge and skills will be needed by people filling that position.

SSCP as a person

. By choosing to earn an SSCP credential, you're declaring to yourself and to others that you're willing to hold yourself to a respected and recognized standard of excellence. You're willing to master what that standard asks of you, not only on the technical, physical, and administrative aspects of information security and assurance, but also on its legal and ethical requirements.

The Systems Security Certified Practitioner is thus a person who does the job of systems security to a level of competency that meets or exceeds that standard and who has earned a credential as testament to their knowledge and skills. It is a foundational certification, based on the knowledge and skills that people should already have when they first start out as an information security professional.

Let's operationalize that set of words by showing them in action:

Systems

—Generally, a

system

is a collection or set of elements that interconnect and interact with each other to fulfill or achieve a larger purpose or objective. In this context, we mean information systems.

Information systems

are the collected sets of hardware, software, databases, and data sets; the communications, networking, and other technologies that connect all of those elements together into a cohesive, working whole; and the people who use them and depend on them to achieve their goals and objectives.

Security

—Again, generally speaking, security is the set of plans, procedures, and actions that keep something safe from harm, damage, or loss, through accident, acts of nature, or deliberate actions taken by people. Applying that to information systems, we see that

information systems security

is everything we need to do during design, implementation, operational use, and maintenance to keep all aspects of an information system protected against accidental or deliberate damage; it includes keeping its information free from unauthorized changes or viewing; and it keeps those systems up and running so that the information is there when people need it to get their jobs done.

Certified

—The person holding this credential (or certification) has earned the right to do so by means of having demonstrated their mastery of the knowledge, skills, and attitudes that are defined to be the subject area or domain of the certification. Specifically, an SSCP has passed the certification exam and demonstrated the required work experience in the field of information security, as specified by the SSCP subject area domains.

Practitioner

—A person whose professional or workplace duties, responsibilities, and tasks has them using the knowledge, skills, and abilities required by the standard to have earned the certification. There's a degree of

practice

in the definition of

practitioner

, of course; as a practitioner, you are continually

doing

the stuff of your profession, and in doing so you continue to

learn it better

as well as refine, polish, and enrich the ways in which you do those tasks and fulfill those responsibilities. Practitioners get better with practice! (After all, if you've been “practicing medicine” for 20 years, we expect you are a much better medical doctor now than you were when you started.)

What Can We Expect of Our SSCPs?

The world of commerce, industry, and governance expects you, as an SSCP, to be a hands-on practitioner of information systems security, someone who continuously monitors information systems to safeguard against security threats, vulnerabilities, and risks while having the knowledge to apply security concepts, tools, and procedures to react to security incidents. As an SSCP, you demonstrate certain knowledge and skills, in areas such as:

Information technology and cybersecurity theory and hands-on/technical practice

Cybersecurity policy, procedures, standards, and guidelines

Using simple coding or programming language techniques, in languages such as command-line interface, PowerShell, Java, HTML, CSS, Python, and C#

You'll also need more than just technical skills and knowledge. As an SSCP, you'll be working with people constantly as you assist them in securing their organization's information security needs. This takes adaptability on your part, plus strong interpersonal skills. You'll need to be a critical thinker and to make sound judgments; you'll have to communicate in person and in writing as you build and manage professional relationships within your organization and the larger information security community of practice. You'll build this social capital both through your problem-solving skills and by applying your emotional intelligence.

Soft Skills: Very Strong Tickets to Success

Employers, clients, and others you'll work with value your technical knowledge and skills, but they desperately need to be able to work with and communicate with you as you bring that knowledge and skills to bear on their problems. The irony of calling these skills “soft” is that for some of us, it can be very hard work to improve on them. Investing in improving these skills will more than pay off for you in terms of salary and opportunities.

It's also natural to expect that as an SSCP, you will be continually learning about your craft. You'll keep current about the ways that threats evolve and stay informed about known vulnerabilities as they might be exploited against the systems under your care. You'll know how to apply analytical and research skills to dig deeper into what you're seeing in the way those systems are behaving, with an eye to identifying problems, recognizing that an information security incident might be under way, and responding to such incidents. This also means that you will periodically reflect on what you've been doing, how you've been doing it, and what you've been learning, and consider where improvement and growth are required to ensure continued effectiveness.

Who Should Take the SSCP Certification Exam?

The SSCP designation is designed for individuals who desire to learn hands-on, technical, cybersecurity fundamentals. While any individual who desires to practice cybersecurity can learn the material, there are certain requirements before sitting for the exam. SSCP candidates must have at least one year of cumulative work experience in one or more of the seven domains of the (ISC)2 SSCP Common Body of Knowledge (CBK). A one-year prerequisite pathway will be granted for candidates who received an accredited university degree (bachelor's or master's) in a cybersecurity program. Candidates without the required experience can take and pass the SSCP exam to earn an Associate of (ISC)2 designation and will have up to two years to gain the work experience needed for the SSCP.

Certificate vs. Certification vs. “Being Certified”

If you're new to formal certifications, these terms may seem interchangeable—but they are not!

A certificate is an official document or proof that displays or attests to your completion of a formal program, school, or training course. Earning a certificate may require passing a formal exam, hands-on practice, or just remaining in the course until the end. Certificate courses are designed to teach a skill and/or influence knowledge and understanding of a topic.

A certification goes several steps further than a certificate. Typically, certifications require a minimum period of professional experience, which may include supervision by someone who also holds those same certifications.

Certifications are established by professional organizations that serve a particular industry, and thus earning that certification means you've demonstrated what that industry needs. Certificates are defined and issued by the schools or training programs that teach them.

Typically, certifications have requirements for ongoing learning, experience, and skills development; certificates usually do not.

Finally, consider who awards you that credential. If it's the school or the training organization, it's a certificate. If it's that standards-setting body, it's a certification.

As a result, you are entitled—you have earned the right—to put the official, accepted designation of that certification after your name, when used as a part of your professional correspondence, marketing, or other communications. John Doe, SSCP, or Jayne Smith, MD, are ways that these individuals rightfully declare their earned certifications.

Academic programs increasingly offer sets of accredited university courses bundled as certificate programs; instead of completing 120 semester hours for a bachelor's degree, for example, a certificate program might require only 15 to 30 semester hours of study.

Thus, we see that “being certified” means that you've met the standards required by the professional organization that defines and controls that certification as a process and as a standard; you've earned the right to declare yourself “certified” in the domain of that standard.

The Global Need

Cyberattacks have become tremendously big business worldwide. Attackers have proven that exploiting the security weaknesses of critical infrastructures, businesses across every industry, and government agency systems around the globe can bring the attackers tremendous profit. Critical infrastructure attacks have crippled hospital and public health systems, energy distribution, and water supply treatment systems. Misdirection, distortion, and malformed data attacks on news and information media as well as databases that support clinical trials of new medicines, or control the operation of manufacturing systems, provide further profit opportunities for those who carry out these attacks. The cybercrime business model does not just begin and end with the attacker, however; it includes those who perform targeting intelligence-gathering operations, resell stolen data and intellectual property, and a hundred other logistics and support tasks that sophisticated cyber attackers benefit from.

Governments cannot protect all of the information systems that our modern digital age depends upon—nearly all of them are owned and operated by private businesses. Each of these owner-operators has the responsibility and the opportunity to do a far, far better job of securing their systems to protect the safety, reliability, and trustworthiness of their data, their organizations, and their people.

National and international standards do exist to help guide the information security profession in accomplishing this task. From a global perspective, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have jointly issued their own family of standards designed to help private and public organizations worldwide attain minimum acceptable standards in achieving information security, information assurance, and cybersecurity. The ISO/IEC 27000 family of standards provides best-practice recommendations on information security management and the management of information risks through information security controls, within the context of an overall information security management system (ISMS). ISO/IEC 27001 is the best-known standard in the family providing requirements for an ISMS. The European Union has issued a series of regulations and policy documents that help refine and implement these ISO/IEC standards.

In the United States, the National Institute of Standards and Technology (NIST) has the lead in defining standards-based frameworks and approaches for identifying, managing, and controlling risks to information systems and infrastructures. As a part of this effort, NIST established the National Initiative for Cybersecurity Education (NICE). This partnership between government, academia, and the private sector works to continually define the standards and best practices that cybersecurity professional educators and trainers need to fulfill to produce a qualified cybersecurity workforce. The US Department of Defense (DoD) has continued its efforts to professionalize its workforce (both the uniformed and civilian members) and, in a series of regulations and directives, has defined its baseline set of approved certifications in various fields. One of these, DoD Directive 8140, defines the minimum acceptable certifications someone must demonstrate to hold jobs in the information assurance technical, managerial, and systems architecture job series. DoD 8140 also defines the certifications necessary to hold jobs as a cybersecurity service provider at various levels.

(ISC)2 plays a part in helping all of these standards bodies and regulatory agencies assess the current needs of the information security community of practitioners and works to update its set of certifications to support these national, international, and global needs. As a result, the SSCP certification is recognized around the world.

The SSCP and Your Professional Growth Path

Possibly one of the best ways to see your SSCP in the context of your professional growth and development can be seen at the CyberSeek website. CyberSeek is a partnership sponsored by NIST that brings together the current state of the job market in cybersecurity, information security, and information risk management. It combines data on job market demand for such skills, current average salaries, and even insight on the numbers of professionals holding various certifications. The real gem, however, for the new cybersecurity or information security pro is its Career Mapping tool. See this at www.cyberseek.org and use it to help navigate the options to consider and the opportunities that an earned “SSCP” after your name might open up. It's true that CyberSeek focuses on the US job market and job descriptions as it maps those against different certifications; but a few minute's perusal of its data, when compared with the job market in any other country, will show very similar job titles and functions. Let's face it: a cybersecurity intelligence analyst, or a network security administrator, has much the same job functions to perform no matter where in the world their employer happens to be located.

As an international, nonprofit membership association with more than 160,000 members, (ISC)2 has worked since its inception in 1989 to serve the needs for standardization and certification in cybersecurity workplaces around the world. Since then, (ISC)2's founders and members have been shaping the information security profession and have developed the following information security certifications:

Certified Information Systems Security Professional (CISSP)

: The CISSP is an experienced professional who holds the most globally recognized standard of achievement in the industry; it was the first information security credential to meet the strict conditions of ISO/IEC Standard 17024. The CISSP certification has three concentrations:

Certified Information Systems Security Professional: Information Systems Security Architecture Professional (CISSP-ISSAP)

: The CISSP-ISSAP is a chief security architect, analyst, or other professional who designs, builds, and oversees the implementation of network and computer security for an organization. The CISSP-ISSAP may work as an independent consultant or other professional who provides operational guidance and direction to support business strategies.

Certified Information Systems Security Professional: Information Systems Security Engineering Professional (CISSP-ISSEP)

: The CISSP-ISSEP can effectively incorporate security into all facets of business operations.

Certified Information Systems Security Professional: Information Systems Security Management Professional (CISSP-ISSMP)

: The CISSP-ISSMP is a cybersecurity manager who demonstrates deep management and leadership skills and excels at establishing, presenting, and governing information security programs.

Systems Security Certified Practitioner (SSCP)

: The SSCP is a high-value practitioner who demonstrates technical skills in implementing, monitoring, and administering IT infrastructure using information security policies and procedures. The SSCP's commitment to continuous learning and practice ensures consistent information assurance.

Certified Cloud Security Professional (CCSP)

: The CCSP is a globally recognized professional who demonstrates expertise and implements the highest standards in cloud security. The certification was co-created by (ISC)

2

and Cloud Security Alliance—the leading stewards for information security and cloud computing security.

Certified Authorization Professional (CAP)

: The CAP is a leader in information security and aligns information systems with the risk management framework (RMF). The CAP certification covers the RMF at an extensive level, and it's the only certification under the DoD 8570/DoD 8140 Approved Baseline Certifications that aligns to each of the RMF steps.

Certified Secure Software Lifecycle Professional (CSSLP)

: The CSSLP is an internationally recognized professional with the ability to incorporate security practices—authentication, authorization, and auditing—into each phase of the software development lifecycle (SDLC).

HealthCare Information Security and Privacy Practitioner (HCISPP)

: The HCISSP is a skilled practitioner who combines information security with healthcare security and privacy best practices and techniques.

Each of these certifications has its own requirements for documented full-time experience in its requisite topic areas.

Newcomers to information security who have not yet had supervised work experience in the topic areas can take and pass the SSCP exam and then become recognized as Associates of (ISC)2. Associates then have two years to attain the required experience to become full members of (ISC)2.

The SSCP Seven Domains

(ISC)2 is committed to helping members learn, grow, and thrive. The Common Body of Knowledge (CBK) is the comprehensive framework that helps it fulfill this commitment. The CBK includes all the relevant subjects a security professional should be familiar with, including skills, techniques, and best practices. (ISC)2 uses the various domains of the CBK to test a certificate candidate's levels of expertise in the most critical aspects of information security. You can see this framework in the SSCP Exam Outline here:

https://www.isc2.org/-/media/ISC2/Certifications/Exam-Outlines/2021/SSCP-Exam-Outline-English-Nov-2021.ashx?la=en&hash=ABCB9E34548D2E8170ADA04EAAD3003F5577D3F5

Successful candidates are competent in the following seven domains:

Domain 1 Security Operations and Administration

 Identification of information assets and documentation of policies, standards, procedures, and guidelines that ensure confidentiality, integrity, and availability, such as:

1.1

Comply with codes of ethics

1.2

Understand security concepts

1.3

Identify and implement security controls

1.4

Document and maintain functional security controls

1.5

Participate in asset management lifecycle (hardware, software, and data)

1.6

Participate in change management lifecycle

1.7

Participate in implementing security awareness and training (e.g., social engineering/phishing)

1.8

Collaborate with physical security operations (e.g., data center assessment, badging)

Domain 2 Access Controls

 Policies, standards, and procedures that define users (human and nonhuman) as entities with identities that are approved to use an organization's systems and information assets, what they can do, which resources and information they can access, and what operations they can perform on a system, such as:

2.1

Implement and maintain authentication methods

2.2

Support internetwork trust architectures

2.3

Participate in the identity management lifecycle

2.4

Understand and apply access controls

Domain 3 Risk Identification, Monitoring, and Analysis

 Risk identification is the review, analysis, and implementation of processes essential to the identification, measurement, and control of loss associated with unplanned adverse events. Monitoring and analysis are determining system implementation and access in accordance with defined IT criteria. This involves collecting information for identification of, and response to, security breaches or events, such as:

3.1

Understand the risk management process

3.2

Understand legal and regulatory concerns (e.g., jurisdiction, limitations, privacy)

3.3

Participate in security assessment and vulnerability management activities

3.4

Operate and monitor security platforms (e.g., continuous monitoring)

3.5

Analyze monitoring results

Domain 4 Incident Response and Recovery

 Prevent. Detect. Respond. Recover. Incident response and recovery focus on the near real time actions that must take place if the organization is to survive a cyberattack or other information security incident, get back into operation, and continue as a viable entity. In this domain, the SSCP gains an understanding of how to handle incidents using consistent, applied approaches within a framework of business continuity planning (BCP) and disaster recovery planning (DRP). These approaches are utilized to mitigate damages, recover business operations, and avoid critical business interruption:

4.1

Support incident lifecycle e.g., National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO)

4.2

Understand and support forensic investigations

4.3

Understand and support business continuity plan (BCP) and disaster recovery plan (DRP) activities

Domain 5 Cryptography

 The protection of information using techniques that ensure its integrity, confidentiality, authenticity, and nonrepudiation, and the recovery of encrypted information in its original form:

5.1

Understand reasons and requirements for cryptography

5.2

Apply cryptography concepts

5.3

Understand and implement secure protocols

5.4

Understand and support public key infrastructure (PKI) systems

Domain 6 Network and Communications Security

 The network structure, transmission methods and techniques, transport formats, and security measures used to operate both private and public communication networks:

6.1

Understand and apply fundamental concepts of networking

6.2

Understand network attacks e.g., distributed denial of service (DDoS), man-in-the-middle (MITM), Domain Name System (DNS) poisoning) and countermeasures (e.g., content delivery networks (CDN)

6.3

Manage network access controls

6.4

Manage network security

6.5

Operate and configure network-based security devices

6.6

Secure wireless communications

Domain 7 Systems and Application Security

 Countermeasures and prevention techniques for dealing with viruses, worms, logic bombs, Trojan horses, and other related forms of intentionally created damaging code:

7.1

Identify and analyze malicious code and activity

7.2

Implement and operate endpoint device security

7.3

Administer Mobile Device Management (MDM)

7.4

Understand and configure cloud security

7.5

Operate and maintain secure virtual environments

Using This Book

This book is structured to take you on your learning journey through all seven subject area domains that the SSCP requires. It does this one building block at a time, starting with the fundamentals involved in a particular topic or subject and building on those to guide you toward the degree of knowledge you'll need as an SSCP. This journey does not assume you already have broad or deep knowledge or experience in any one domain—or, for that matter, in information security at all. Instead, it starts with broad concepts that are then broken down into successively finer-grain details, which are then placed into an operational context. This journey is structured in four major parts:

Part 1

provides a solid foundation of how organizations use information to drive decision making, and the role of information systems and information technologies in making that information available, reliable, and useful. It then looks to the fundamental concepts of information security and assurance, using operational definitions and examples to help you apply these concepts to real-world situations you may find around you today:

Business and the private sector speak their own language, and organize, direct, manage, and lead their people in different ways than do governments or military services. If you haven't had experience in the private sector or have no business background, start with

Chapter 1

.

Using the Language of Business

Chapter 1 has been extensively revised in this edition to place security fundamental concepts into the context of business logic and organizational management processes. Even if you've had private sector work experience, you'll find Chapter 1 will strengthen your understanding of why business finds information security and assurance so important. With that as foundation, you can go on and learn how to make that security happen.

Chapter 2

provides a deep look at the fundamentals of information security and assurance. It also establishes the ethical and operational framework that forms the foundation of the rest of book.

Part 2

takes you deep into the practice of information risk management as part of building and maintaining a proactive information systems defensive posture:

Chapter 3

defines the basic concepts of risk management and risk mitigation and familiarizes you with the processes all organizations can use to understand risks, characterize their impact on organizational objectives, and prioritize how to deal with information risks specifically.

Chapter 4

dives into risk mitigation. Here's where we make decisions about specific risks (or, rather, about the vulnerabilities we've discovered that could lead to such a risk becoming reality). We'll look at choices you can make, or advise your company's management to make, and how you can estimate the value of your mitigation choices as compared to the possible impacts if nothing is done.

Part 3

gets down into the technologies of information security; we'll start each major subject area in

Part 3

first by reviewing the fundamentals of various information systems technologies and how they are used, and then look to their vulnerabilities and what choices we might have to help mitigate their associated risks. One important point that is emphasized throughout Part 3 is the need to own and manage the baseline architectures of our information systems—for without effective management of our systems, we have little hope of being able to keep them secure, much less operating correctly!

Chapter 5

is all about communications as a people-to-people and systems-to-systems set of processes and

protocols

. Two

protocol stacks

—the Open Systems Interconnection (OSI) 7-layer reference model and the Transmission Control Protocol over Internet Protocol (TCP/IP)—will become your highway to understanding and appreciating the different perspectives you'll need as you seek to secure networks and systems.

Chapter 6

considers identity management and access control, which are two sides of the same process: how do we know that users or processes asking to use our systems and our information are who they claim they are, and how do we control, limit, or deny their access to or use of any of our information, our systems, our knowledge, or our people?

Chapter 7

demystifies cryptography and cryptographic systems, with special emphasis on the use of symmetric and asymmetric encryption algorithms as part of our digital certificates, signatures, and public infrastructure for security. It also explores the management of cryptologic systems and assets.

Chapter 8

considers the security aspects of computing and communications hardware, and the systems software, utilities, firmware, and connections that bring that all together.

Chapter 9

continues on the foundation laid in

Chapter 8

by investigating how we secure applications software, data, and endpoint devices. It also looks at the specific issues involved when organizations migrate their information systems to the cloud (or have developed them in the cloud from the beginning).

Part 4

shifts the emphasis back onto the real driving, integrative force that we need to apply to our information security problems: the people power inherent in our workforce, their managers and leaders, and even our customers, clients, and those we partner with or share federated systems with:

Chapter 10

takes us through the information security incident response process, from planning and preparation through the real-time challenges of detection, identification, and response. It then takes us through the post-response tasks and shows how attention to these can increase our organization's chances of never having to cope with making the same mistakes twice by learning from the experiences of an incident response while they're still fresh in our response team members' minds.

Chapter 11

addresses business continuity and disaster recovery, which are both the overriding purpose of information security and assurance and the worst-case scenario for why we need to plan and prepare if we want our organization to survive a major incident and carry on with business as usual.

Chapter 12

takes a look back across all chapters and then goes further into some of the more challenging concepts and ideas, applying them to different settings. It then highlights important issues and trends that you as an SSCP may have to deal with in the very near future. It also offers some last-minute practical advice on getting ready to take your SSCP exam and ideas for what you can do after that.

As you look at the chapters and the domains, you should quickly see that some domains fit neatly into a chapter all by themselves; other domains share the limelight with each other in the particular chapters that address their subject areas. You'll also see that some chapters focus on building foundational knowledge and skills; others build applied problem-solving skills and approaches; and some provide a holistic, integrated treatment spanning CBK domains. This is intentional—the design of this book takes you on a journey of learning and mastery of those seven CBK domains.

Risk identification, monitoring, and analysis as a domain is a fundamental element of two chapters (Chapters 3 and 4) almost by itself. This important topic deserves this level of attention; you might even say that the very reason we do information security at all is because we're trying to manage and mitigate risks to our information! Similarly, we see that Chapter 11, which focuses on the people power aspects of achieving business continuity in the face of information security incidents and disasters, must make significant use of the domains of access control, security operations and administration, and risk identification, monitoring, and analysis. Finally, the growing emphasis in the marketplace on data security, cloud security, endpoint security, and software lifecycle security dictates that we first build a strong foundation on hardware and systems security (Chapter 8), on which we build our knowledge and skills for applications, data, cloud, and mobile endpoint security.

Major Changes in This Edition

In putting together both the 2021 SSCP Exam Outline and its official SSCP training materials, (ISC)2