The Official (ISC)2 SSCP CBK Reference - Mike Wills - E-Book

The Official (ISC)2 SSCP CBK Reference E-Book

Mike Wills

Description

The only official body of knowledge for SSCP, (ISC)²'s popular credential for hands-on security professionals, fully revised and updated. Systems Security Certified Practitioner (SSCP) is an elite, hands-on cybersecurity certification that validates the technical skills to implement, monitor, and administer IT infrastructure using information security policies and procedures. SSCP certification, fully compliant with U.S. Department of Defense Directive 8140 and 8570 requirements, is valued throughout the IT security industry. The Official (ISC)² SSCP CBK Reference is the only official Common Body of Knowledge (CBK) available for SSCP-level practitioners, exclusively from (ISC)², the global leader in cybersecurity certification and training. This authoritative volume contains essential knowledge practitioners require on a regular basis. Accurate, up-to-date chapters provide in-depth coverage of the seven SSCP domains: Access Controls; Security Operations and Administration; Risk Identification, Monitoring and Analysis; Incident Response and Recovery; Cryptography; Network and Communications Security; and Systems and Application Security. Designed to serve as a reference for information security professionals throughout their careers, this indispensable (ISC)² guide:

* Provides comprehensive coverage of the latest domains and objectives of the SSCP
* Helps better secure critical assets in their organizations
* Serves as a complement to the SSCP Study Guide for certification candidates

The Official (ISC)² SSCP CBK Reference is an essential resource for SSCP-level professionals, SSCP candidates and other practitioners involved in cybersecurity.


Page count: 1633

Year of publication: 2019




The Official (ISC)2® SSCP® CBK® Reference

Fifth Edition

MIKE WILLS

Copyright © 2020 by (ISC)2

Portions of this Work are reused from (ISC)2 SSCP Systems Security Certified Practitioner Official Study Guide, 2nd Edition by Mike Wills copyright 2019 John Wiley & Sons, Inc.

Portions of this Work are reused from The Official (ISC)2 Guide to the CISSP CBK Reference, 5th Edition by John Warsinske with Mark Graff, Kevin Henry, Christopher Hoover, Ben Malisow, Sean Murphy, C. Paul Oakes, George Pajari, Jeff T. Parker, David Seidl, Mike Vasquez copyright 2019 (ISC)2

Published by John Wiley & Sons, Inc. Indianapolis, Indiana

Published simultaneously in Canada

ISBN: 978-1-119-60194-4; ISBN: 978-1-119-60196-8 (ebk.); ISBN: 978-1-119-60200-2 (ebk.)

Manufactured in the United States of America

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2019952065

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. (ISC)2, SSCP, and CBK are registered trademarks or certification marks of International Information Systems Certification Consortium, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Acknowledgments

“It's like writing two books at once, only harder,” Jim said to me when he asked me to take on writing this Common Book of Knowledge book while I was still writing the SSCP Study Guide. More like taking one subject, turning it sideways, and shaking hard, perhaps! Unlike the Study Guide, writing this book felt more like writing several hundred short white papers on closely related subjects.

Since this book needed to speak to troubleshooters, I drew on decades of teaching I'd received from many professionals in the military, in government, and in the private sector about the fine art and brute-force cybernetics of debugging networks, systems, highly secure communications systems, and all of the arcana of controlling space-based systems working many different missions. I've also drawn on years of working with small and medium but otherwise rather down-to-earth business IT systems and what it took to get them back into operations. Where that problem-solving focus comes through clearly and helps you shoot the troubles you have to deal with, I owe a great debt of thanks to those who let me learn how in real time.

Without the tireless support of the editorial team at Wiley/Sybex—Jim Minatel and Kelly Talbot—I think I'd still be struggling with unflowing the lessons and reflowing them into reference and troubleshooting memory-joggers. And as with producing the Study Guide, the technical review by Jacob Penovich, as well as by Tara Zeiler and Charles Gaughf at (ISC)2, have all helped make what you have in your hands right now deliver the right content in the best way possible. Christine O'Connor, Kim Wimpsett and the rest of her team of proofreaders and copyeditors made it all look great too! Any remaining mistakes, omissions, or confusing passages that remain are mine, not theirs; let me know please when you find one!

Finally, I wish to thank my wife Nancy. She saved my life and brought me peace. Her strength inspired me to say “yes” one more time when Jim called me, again, about doing this book, and she has kept both of us healthy and happy throughout. We go together, on adventures like writing, and on ones for which we do need to pack a pocket handkerchief.

About the Author

Mike Wills, SSCP, CISSP, CAMS, has spent more than 40 years as a computer systems architect, programmer, security specialist, database designer, consultant, and teacher (among other duties). Starting out as a bit of a phone phreak in his college days, he sharpened his skills on the 1960s generation of mainframes and minicomputers, just in time for the first 8080 and Z80 microprocessors to fuel the home computer revolution. Learning about the ARPANET just added spice to that mix. Since then, he's had ones, zeros, and now qubits under his fingernails too many times to count, whether as part of his jobs, his teaching, or his hobbies.

Mike earned his BS and MS degrees in computer science, both with minors in electrical engineering, from the Illinois Institute of Technology; and his MA in defence studies from King's College, London. He is a graduate of the Federal Chief Information Officer program at National Defense University and the Program Manager's Course at Defense Systems Management College.

As an Air Force officer, Mike served in the National Reconnaissance Office, building and flying some of the most complex, cutting-edge space-based missions large and small. As a “ground control” guy, he specialized in the design, operation, and support of highly secure, globe-spanning command, control, communications and intelligence systems that support U.S. and Coalition missions around the world. These duties often required Mike to “optimize” his way around the official configuration management and security safeguards—all on official business, of course.

Because no good deed goes unpunished, he then spent two years on the Joint Staff as a policy and budget broker for all command, control, and communications systems, and then taught in the School of Information Warfare and Strategy at National Defense University. He's taught at senior leader colleges in both the United States and United Kingdom and has been a continuing guest lecturer at the UK's Defence Academy. He served as advisor to the United Kingdom's Joint Intelligence Committee, Ministry of Justice, and Defence Science and Technology Laboratories on the national and personal security implications of science and technology policy; this led to him sometimes being known as the United Kingdom's nonresident expert on outer space law.

Mike is the author of the SSCP Official Study Guide 2nd Edition. Along with his SSCP and CISSP, Mike is also a Certified Anti-Money Laundering Specialist.

Currently he is an assistant professor of applied information technologies in the College of Business at Embry-Riddle Aeronautical University, Worldwide Campus, where he is the change leader and academic visionary behind bringing the Microsoft Software and Systems Academy program into ERAU's classrooms at 13 locations around the United States. Prior to this, Mike helped create two new master of science degrees—information security and assurance, and management of information systems—and was program chair of both during their launch and first year of teaching. He also taught in Worldwide's Security and Intelligence Studies program during its 2005 launch in ERAU's European Division.

Mike and his wife Nancy currently call Montevideo, Uruguay, their home. Living abroad since the end of the last century, they find new perspectives, shared values, and wonderful people wherever they go. As true digital nomads, it's getting time to move again. Where to? They'll find out when they get there.

About the Technical Editor

Jacob Penovich is an experienced information security practitioner who has worked in a variety of roles from systems administration to ethical hacking and penetration testing. Jacob is driven by a strong belief in the practice of empowering team members, colleagues, and the local InfoSec community while striving to help cultivate an environment of knowledge exchange and growth.

Holder of numerous industry certifications including the CISSP, GPEN, GWAPT, and more, he considers himself a lifelong learner who is always on the lookout for unique challenges, upcoming threats, and new ways to approach InfoSec issues. He loves to volunteer and give back whenever possible and enjoys working with local high schools and colleges to help inspire the next generation of InfoSec pros. When not absorbed in a computer screen, he can be found in the company of his amazing wife Jessica and their grumble of pugs.

List of Tables

Introduction

Table 1

Chapter 2

Table 2.1

Chapter 4

Table 4.1

Table 4.2

Chapter 5

Table 5.1

Table 5.2

Chapter 6

Table 6.1

Table 6.2

Table 6.3

Table 6.4

Table 6.5

Table 6.6

Table 6.7

Table 6.8

Table 6.9

Table 6.10

Table 6.11

Table 6.12

List of Illustrations

Introduction

Figure 1 MITRE’s ATT&CK cybersecurity kill chain model

Chapter 1

Figure 1.1 Subjects and objects

Figure 1.2 US-CERT Traffic Light Protocol for information classification and handling

Figure 1.3 Bell–LaPadula (a) versus Biba access control models (b)

Figure 1.4 Crossover error rate

Chapter 2

Figure 2.1 The DIKW knowledge pyramid

Figure 2.2 ISO 27002 phases

Figure 2.3 AWS dashboard

Chapter 3

Figure 3.1 Kill chain conceptual model

Figure 3.2 Target 2013 data breach kill chain

Figure 3.3 Four bases of risk, viewed together

Figure 3.4 Risk timeline

Figure 3.5 ISO 31000 RMF

Figure 3.6 PCI-DSS goals and requirements

Chapter 4

Figure 4.1 Triage: from precursors to incident response

Figure 4.2 Incident response lifecycle

Figure 4.3 NIST incident handling checklist

Figure 4.4 Indicators of a kill chain in action

Figure 4.5 The descent from anomaly to organizational death

Figure 4.6 Continuity of operations planning and supporting planning processes

Figure 4.7 Beyond the seventh layer

Chapter 5

Figure 5.1 Crypto family tree

Figure 5.2 Comparing hashing and encryption as functions

Figure 5.3 Notional S-box

Figure 5.4 Notional P-box

Figure 5.5 Feistel encryption and decryption (notional)

Figure 5.6 CBC mode

Figure 5.7 CFB mode

Figure 5.8 CTR mode

Figure 5.9 ECB with small block size weaknesses showing

Figure 5.10 RC4 stream cipher

Figure 5.11 Diffie-Hellman-Merkle shared key generation (conceptual)

Figure 5.12 TLS handshake

Figure 5.13 The blockchain concept

Figure 5.14 Chains of trust

Figure 5.15 Certification path validation algorithm

Chapter 6

Figure 6.1 Wrapping: layer-by-layer encapsulation

Figure 6.2 DNS resolver in action

Figure 6.3 DNS caching

Figure 6.4 Dynamic routing protocols family tree

Figure 6.5 OSI Seven-Layer Reference Model

Figure 6.6 IPv4 packet format

Figure 6.7 TCP three-way handshake

Figure 6.8 OSI and TCP/IP side-by-side comparison

Figure 6.9 TCP flag fields

Figure 6.10 Changes to packet header from IPv4 to IPv6

Figure 6.11 A ring topography

Figure 6.12 A star topography

Figure 6.13 A mesh topography

Figure 6.14 Man-in-the-middle attack

Figure 6.15 Smurfing attack

Figure 6.16 Network access control in context

Figure 6.17 Remote access in context

Figure 6.18 Common areas of increased risk in remote access

Figure 6.19 Extranet advantages and disadvantages

Figure 6.20 Perimeter net and screened hosts

Figure 6.21 The geographies of TOR usage

Chapter 7

Figure 7.1 Cloud service models


Foreword

Welcome to The Official (ISC)2 Guide to the SSCP CBK! By picking up this book, you’ve made the decision to take the next step in your career and have demonstrated your commitment to continuing your professional education.

The recognition that comes with an (ISC)2 Systems Security Certified Practitioner (SSCP) credential next to your name shows your understanding of and proficiency with the hands-on technical work that is needed in the information security field. It demonstrates that you closely follow best practices, policies and procedures in accordance with the SSCP Common Body of Knowledge. Whether you are using this guide to supplement your preparation to sit for the exam or you are an existing SSCP using this as a reference, this book helps to facilitate the practical knowledge you need to assure strong information security for your organization’s daily operations.

The recognized leader in the field of information security education and certification, (ISC)2 promotes the development of information security professionals throughout the world. As an SSCP with all the benefits of (ISC)2 membership, you will become part of a global network of more than 140,000 certified professionals who are working to inspire a safe and secure cyber world. By becoming a member of (ISC)2 you will have also officially committed to ethical conduct commensurate to your position of trust as a cybersecurity professional.

Reflecting the most pertinent issues that security practitioners currently face, along with the best practices for mitigating those issues, The Official (ISC)2 Guide to the SSCP CBK offers step-by-step guidance through the seven different domains included in the exam, which are:

Access Controls

Security Operations and Administration

Risk Identification, Monitoring and Analysis

Incident Response and Recovery

Cryptography

Networks and Communications Security

Systems and Application Security

Drawing from a comprehensive, up-to-date global body of knowledge, this book prepares you to join thousands of practitioners worldwide who have obtained the SSCP. For those with proven technical skills and practical security knowledge, the SSCP certification is the ideal credential. The SSCP confirms the breadth and depth of practical security knowledge expected of those in hands-on operational IT roles. The certification provides industry-leading confirmation of a practitioner’s ability to implement, monitor and administer information security policies and procedures that ensure data confidentiality, integrity and availability (CIA).

The goal for SSCP credential holders is to achieve the highest standard for cybersecurity expertise – managing multi-platform IT systems while keeping sensitive data secure. This becomes especially crucial in the era of digital transformation, where cybersecurity permeates virtually every value stream imaginable. Organizations that can demonstrate world-class cybersecurity capabilities and trusted transaction methods enable customer loyalty and fuel success.

The opportunity has never been greater for dedicated men and women to carve out a meaningful career and make a difference in their organizations. The Official (ISC)2 Guide to the SSCP CBK will be your constant companion in protecting and securing the critical data assets of your organization that will serve you for years to come.

Thank you for reading and good luck in this next step along your career path.

Regards,

David P. Shearer, CISSP

CEO, (ISC)2

Introduction

Congratulations on choosing to become a Systems Security Certified Practitioner (SSCP)! In making this choice, you’re signing up to join the “white hats,” the professionals who strive to keep our information-based modern world safe, secure, and reliable. SSCPs and other information security professionals help businesses and organizations keep private data private and help to ensure that published and public-facing information stays unchanged and unhacked.

Whether you are new to the fields of information security, information assurance, or cybersecurity, or you’ve been working with these concepts, tools, and ideas for some time now, this book is here to help you grow your knowledge, skills, and abilities as a systems security professional.

Let’s see how!

About This Book

You’re here because you need a ready reference source of ideas, information, knowledge, and experience about information systems security. Users of earlier editions of the CBK describe it as the place to go when you need to look up something about bringing your systems or networks back up and online—when you can’t exactly Google or Bing it. As a first responder in an information security incident, you may need to rely on what you know and what you’ve got at hand as you characterize, isolate, and contain an intruder and their malware or other causal agents. This book cannot answer all of the questions you’ll have in real time, but it may just remind you of important concepts as well as critical details when you need them. As with any reference work, it can help you think your way through to a solution. By taking key definitions and concepts and operationalizing them, showing how they work in practice, this book can enrich the checklists, troubleshooting guides, and task-focused procedures that you may already be using in your work.

Why This CBK as Well as a Study Guide?

Good question! This Common Body of Knowledge (CBK) provides you the data, information, knowledge, and in some cases some bits of wisdom, that have been hard-won by the experience of many SSCPs and other information security professionals. This CBK is structured around the SSCP domains of knowledge; as such, it’s not a cover-to-cover learning journey but more of an atlas for such a journey.

The SSCP Official Study Guide exists because (ISC)2 wanted a book that would teach as well as guide, explain as well as capture the common knowledge about keeping information systems secure, protecting information assets, and information assurance that all SSCPs should have at their mental fingertips. As creators of the SSCP program, (ISC)2 defines that common body of knowledge, in continuous consultation with system security experts and practitioners from business, industry, government, and academia from around the world. This book is its natural companion.

The SSCP Seven Domains

This book directly reflects the SSCP Common Body of Knowledge, which is the comprehensive framework that (ISC)2 has developed to express what security professionals should have working knowledge of. These domains include theoretical knowledge, industry best practices, and applied skills and techniques. Chapter by chapter, this book takes you through these domains, with major headings within each chapter being your key to finding what you need when you need it. Topics that are covered in more than one domain will be found within sections or subsections in each chapter as appropriate.

(ISC)² is committed to helping members learn, grow, and thrive. The Common Body of Knowledge (CBK) is the comprehensive framework that helps (ISC)² fulfill this commitment. The CBK includes all the relevant subjects a security professional should be familiar with, including skills, techniques, and best practices. (ISC)2 uses the various domains of the CBK to test a certificate candidate’s levels of expertise in the most critical aspects of information security. You can see this framework in the SSCP Exam Outline at www.isc2.org/-/media/ISC2/Certifications/Exam-Outlines/SSCP-Exam-Outline-Nov-1-2018.ashx.

Chapter by chapter, domain by domain, these domains are as follows:

Chapter 1: Access Controls

Policies, standards, and procedures that define who users are, what they can do, which resources and information they can access, and what operations they can perform on a system, such as:

1.1 Implement and maintain authentication methods

1.2 Support internetwork trust architectures

1.3 Participate in the identity management life cycle

1.4 Implement access controls

Chapter 2: Security Operations and Administration

Identification of information assets and documentation of policies, standards, procedures, and guidelines that ensure confidentiality, integrity, and availability, such as:

2.1 Comply with codes of ethics

2.2 Understand security concepts

2.3 Document, implement, and maintain functional security controls

2.4 Participate in asset management

2.5 Implement security controls and assess compliance

2.6 Participate in change management

2.7 Participate in security awareness and training

2.8 Participate in physical security operations

Chapter 3: Risk Identification, Monitoring, and Analysis

Risk identification is the review, analysis, and implementation of processes essential to the identification, measurement, and control of loss associated with unplanned adverse events. Monitoring and analysis consists of determining system implementation and access in accordance with defined IT criteria, and collecting information for identification of, and response to, security breaches or events, such as the following:

3.1 Understand the risk management process

3.2 Perform security assessment activities

3.3 Operate and maintain monitoring systems

3.4 Analyze monitoring results

Chapter 4: Incident Response and Recovery

“The show must go on” is a well-known saying that means, even if there are problems or difficulties, an event or activity must continue. Incident response and recovery ensures the work of the organization will continue. In this domain the SSCP gains an understanding of how to handle incidents using consistent, applied approaches like business continuity planning (BCP) and disaster recovery planning (DRP). These approaches are utilized to mitigate damages, recover business operations, and avoid critical business interruption.

4.1 Support incident life cycle

4.2 Understand and support forensic investigations

4.3 Understand and support Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) activities

Chapter 5: Cryptography

The protection of information using techniques that ensure its integrity, confidentiality, authenticity, and nonrepudiation, and the recovery of encrypted information in its original form.

5.1 Understand fundamental concepts of cryptography

5.2 Understand reasons and requirements for cryptography

5.3 Understand and support secure protocols

5.4 Understand Public Key Infrastructure (PKI) systems

Chapter 6: Network and Communications Security

The network structure, transmission methods and techniques, transport formats, and security measures used to operate both private and public communication networks.

6.1 Understand and apply fundamental concepts of networking

6.2 Understand network attacks and countermeasures

6.3 Manage network access controls

6.4 Manage network security

6.5 Operate and configure network-based security devices

6.6 Operate and configure wireless technologies

Chapter 7: Systems and Application Security

Countermeasures and prevention techniques for dealing with viruses, worms, logic bombs, Trojan horses, and other related forms of intentionally created damaging code.

7.1 Identify and analyze malicious code and activity

7.2 Implement and operate endpoint device security

7.3 Operate and configure cloud security

7.4 Operate and secure virtual environments

Using This Book to Defeat the Cybersecurity Kill Chain

Your employers or clients have entrusted the safety and security of their information systems to you, as one of their on-site information security professionals. Those systems are under constant attack—not just the threat of attack. Each day, the odds are great that somebody is knocking at your electronic front doors, trying the e-window latches on your organization’s web pages, and learning about your information systems and how you use them. That’s reconnaissance in action, the first step in the cybersecurity kill chain.

As an SSCP you’re no doubt aware of the cybersecurity kill chain, as a summary of how advanced persistent threat (APT) actors plan and conduct their attacks against many private and public organizations, their IT infrastructures, and their information assets and systems. Originally developed during the 1990s by applying military planning doctrines of effects-based targeting, this kill chain is similar to the value chain concept used by businesses and public-sector organizations around the world. Both value chains and kill chains start with the objective (the desired end state or result) and work backward, all the way back to choosing the right targets to attack in the first place.1 Lockheed Martin first published its cybersecurity kill chain in 2011; the MITRE Corporation, a federally funded research and development corporation (FFRDC), expanded on this in 2018 with its threat-based Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework. ATT&CK takes the kill chain concept down into the tactics, techniques, and procedures used by squad-level and individual soldiers in the field. (Note that in military parlance, planning flows from strategic, through operational, to tactical; but common business-speak usage flips the names of the last two steps, looking at business operations as being the point-of-contact steps with customers, and the tactical layer of planning translating strategic objectives into manageable, measurable, value-producing packages of work.) ATT&CK as a framework is shown in Figure 1, highlighting the two major phases that defenders need to be aware of and engaged with: prestrike planning and the enterprise-level targeted strikes at your systems, your data, and your mission.

FIGURE 1 MITRE’s ATT&CK cybersecurity kill chain model

© 2018 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

MITRE, Lockheed Martin, and others may give slightly different names to the different phases of their kill chain models. For example, MITRE’s model combines exploitation with installation, while emphasizing the persistent presence of the adversary inside your systems as they maintain their capabilities to quietly wreak havoc and achieve their objectives. The names of the phases aren’t important; their underlying flow of ideas is what matters. To date, there does not seem to be any evidence that any given attacker has used exactly one planning model or another. There is abundant evidence, however, that defenders who do not understand these models pay for their ignorance—or, more precisely, their employers and clients do.

Combining these two models gives us eight phases of the life of an APT’s kill chain and suggests which domains of knowledge (and therefore which chapters) may be your first ports of call as you plan to detect, prevent, degrade, or defeat the individual tasks that might make up each step in such a kill chain’s operation. These are shown in Table 1.

TABLE 1 Kill Chain Phases Mapped to Chapters

Kill Chain Phase          | Attack Operations                                                                                   | Defensive Options
Reconnaissance            | All-source intelligence gathering to inform the attack: OSINT, scanning, early intrusion, social engineering | All chapters: enhance overall risk/security posture, awareness, vigilance
Weaponization             | Select and prepare access techniques and pathways                                                   | Chapters 1, 7
Delivery                  | Email, USBs, URLs, access control gaps, etc.                                                        | Chapters 1, 2, 5, 6, 7
Exploitation              | Malware, rootkit exploits, live off the land                                                        | Chapters 1, 4, 6, 7
Installation              | Backdoors, false or subverted user IDs                                                              | Chapters 1, 7
Command & Control         | Privilege escalation, credential access; lateral movement; find, fix, select in-system targets      | Chapters 1, 2, 4, 6
Execute the Attack        | Exfiltrate; corrupt; encrypt for ransom; springboard to other targets                               | Chapters 4, 5
Maintain Hostile Presence | Continue to exploit target’s systems and data; continue hiding one’s tracks                         | Chapters 1, 4, 6, 7

You might be wondering why all chapters seem to apply to the Reconnaissance phase. The key to this is to recognize that the attacker will seek to find all possible sources of information about your organization, its business associates and relationships, its communications patterns, and its IT systems. APTs seek understanding of their targets’ business and social networks, the “watering holes” where their people gather to collaborate with others in their trade or market. They’ll try to suck up every unencrypted, unprotected, unsecured bit of anything that might be of use to them, as they determine your value to them as a set of exploitable opportunities. As the defender, this is your first clear opportunity to practice what insurance companies call “all-risks coverage” by exerting all possible efforts to identify, prioritize, and control all hazards that your systems and your organization might be exposed to.

The attack execution phase, by contrast, must rely heavily on your organization’s ability to detect and respond in real time, or as close to real time as you can manage. Industry-wide, we’re not doing too well on this front. It takes businesses and organizations an average of 197 days to detect an intrusion into their IT systems, according to research for IBM Security done by the Ponemon Institute in 2018.2 On average, worldwide, any given business may suffer as much as $3.86 million USD in losses due to a data breach attack. A ransom attack, however, can demand $50 million USD or more in payouts. Those firms that have chosen not to pay off their attackers have reportedly suffered even greater losses. The same research conducted by Ponemon, by the way, demonstrates that having an effective security incident response plan in place, with first responders properly trained and equipped, can save at least $340,000 per incident.

As an SSCP, you’ve got your work cut out for you. Let this book be one of the many sources of knowledge, experience, and information you can count on, before, during, and after intruders start to target your organization’s information, its systems, and its very existence.

Where Do You Go from Here?

The world of information systems security is constantly changing. You need to continually grow your skills and keep up with the latest changes in the ways that businesses and organizations use the Internet and information technologies, as well as how the threat actors continually evolve to find new and different ways to exploit our systems against us. As a digital citizen of the 21st century, staying current—staying on the cutting edge of change, if not sometimes on the bleeding edge of it—is part of how you meet your due care and due diligence responsibilities to your clients, to your employers, and to the larger society around you. As a recognized member of that profession, the world expects you to stay sharp, stay focused, and stay informed.

That journey begins with this book, which provides you with a tangible foundation for your learning, exploration, and discovery. As a resource, this book provides the following strengths:

It provides context. The domain-based structure maps concepts, ideas, problems, and solutions into a comfortable, straightforward framework that should make it easier to find what you need when you need it, and to find it positioned in a proper context. This book grounds you in the fundamental concepts, principles, design standards, and practices that are an invaluable resource.

It extends your memory, as all reference works can do, as it shows you best practices in action, focused on the essentials and, again, in context.

It provides clarity that can help you quickly orient to an issue or situation, while establishing links in your mind’s eye to other related or important information.

The SSCP CBK and Your Professional Growth Path

Possibly one of the best ways to see your SSCP in the context of your professional growth and development can be found on the CyberSeek website. CyberSeek is a partnership sponsored by NIST that brings together the current state of the job market in cybersecurity, information security, or information risk management. It combines data on job market demand for such skills, current average salaries, and even insight on the numbers of professionals holding various certifications. The real gem, however, for the new cybersecurity or information security pro is its Career Mapping tool. See this at www.cyberseek.org and use it to help navigate the options to consider and the opportunities that an earned SSCP after your name might open up.

As an international, nonprofit membership association with more than 140,000 members, (ISC)2 has worked since its inception in 1989 to serve the needs for standardization and certification in the cybersecurity workplaces around the world. Since then, (ISC)2’s founders and members have been shaping the information security profession and have developed the following information security certifications:

Certified Information Systems Security Professional (CISSP):

The CISSP is an experienced professional who holds the most globally recognized standard of achievement in the industry and is the first information security credential to meet the strict conditions of ISO/IEC Standard 17024. The CISSP certification has three concentrations:

Certified Information Systems Security Professional: Information Systems Security Architecture Professional (CISSP: ISSAP):

The CISSP-ISSAP is a chief security architect, analyst, or other professional who designs, builds, and oversees the implementation of network and computer security for an organization. The CISSP-ISSAP may work as an independent consultant or other professional who provides operational guidance and direction to support business strategies.

Certified Information Systems Security Professional: Information Systems Security Engineering Professional (CISSP-ISSEP):

The CISSP-ISSEP can effectively incorporate security into all facets of business operations.

Certified Information Systems Security Professional: Information Systems Security Management Professional (CISSP-ISSMP):

The CISSP-ISSMP is a cybersecurity manager who demonstrates deep management and leadership skills and excels at establishing, presenting, and governing information security programs.

Systems Security Certified Practitioner (SSCP):

The SSCP is a high-value practitioner who demonstrates technical skills in implementing, monitoring, and administering IT infrastructure using information security policies and procedures. The SSCP’s commitment to continuous learning and practice ensures consistent information assurance.

Certified Cloud Security Professional (CCSP):

The CCSP is a globally recognized professional who demonstrates expertise and implements the highest standards in cloud security. The certification was co-created by (ISC)2 and the Cloud Security Alliance—the leading stewards for information security and cloud computing security.

Certified Authorization Professional (CAP):

The CAP is a leader in information security and aligns information systems with the risk management framework (RMF). The CAP certification covers the RMF at an extensive level, and it’s the only certification under the DoD 8570/DoD 8140 Approved Baseline Certifications that aligns to each of the RMF steps.

Certified Secure Software Lifecycle Professional (CSSLP):

The CSSLP is an internationally recognized professional with the ability to incorporate security practices—authentication, authorization, and auditing—into each phase of the software development lifecycle (SDLC).

HealthCare Information Security and Privacy Practitioner (HCISPP):

The HCISPP is a skilled practitioner who combines information security with healthcare security and privacy best practices and techniques.

Each of these certifications has its own requirements for documented full-time experience in its requisite topic areas.

Newcomers to information security who have not yet had supervised work experience in the topic areas can take and pass the SSCP exam and then become recognized as Associates of (ISC)2. Associates then have two years to attain the required experience to become full members of (ISC)2.

Maintaining the SSCP Certification

SSCP credentials are maintained in good standing by participating in various activities and gaining continuing professional education credits (CPEs). CPEs are obtained through numerous methods such as reading books, attending seminars, writing papers or articles, teaching classes, attending security conventions, and participating in many other qualifying activities. Visit the (ISC)2 website for additional information concerning the definition of CPEs.

Individuals are required to post a minimum of 20 CPE credits each year on the (ISC)2 member website. Generally, the CPE credit post will be recognized immediately by the system, but it’s also subject to random audit. Please note that any CPEs accomplished prior to being awarded the (ISC)2 certification may not be claimed. If an individual accomplishes more than 20 CPEs for one year, the remainder may be carried forward to the following year. The (ISC)2 website describes CPEs as items gained external to your current employment duties.

Join a Local Chapter

As an SSCP, you’ve become one of more than 140,000 members worldwide. They, like you, are there to share in the knowledge, experience, and opportunity to help accomplish the goals and objectives of being an information security professional. Nearly 12,500 of your fellow members participate in local area chapters, and (ISC)2 has over 140 local chapters around the world. You can find one in your area by visiting www.isc2.org/Chapters.

Being an active part of a local chapter helps you network with your peers as you share knowledge, exchange information about resources, and work on projects together. You can engage in leadership roles and participate in co-sponsored local events with other industry associations. You might write for or speak at (ISC)2 events and help support other (ISC)2 initiatives. You can also be a better part of your local community by participating in local chapter community service outreach projects.

Chapter membership earns you CPE credits and can make you eligible for special discounts on (ISC)2 products and programs.

Let’s Get Started!

This book is for you. This is your journey map, your road atlas, and your handbook. Make it work for you.

Choose your own course through it, based on what you need on the job today and every day.

Go for it.

Notes

1

I had the privilege of developing and teaching some of these evolving concepts at the U.S. National Defense University’s School of Information Warfare and Strategy, 1998-2000. At the School, we made extensive use of the “Strategic Information Warfare” series of publications by Roger C. Molander and others at the RAND Corporation, which were exploring this backward chain from desired strategic effect to the “kill effect” required of attacks on information and information systems.

2

Ponemon Institute LLC, for IBM Security. “2018 Cost of a Data Breach Study: Global Overview.” Other sources, particularly business news media in India and Asia, have claimed as high as 220 days for this average, but there is little hard data to support this larger claim. Either way, this is seriously bad news.

CHAPTER 1 Access Controls

Identity management and access control are two sides of the same coin. Attacks on your systems happen because there are exploitable vulnerabilities in your systems that allow the attacker to bypass your identity authentication and access control processes. Once inside your systems, other access control failures (be they physical, logical, or administrative) allow the attacker to exfiltrate data, corrupt your systems, or use your systems as the launching pad for attacks on other parties’ systems.

But what if the initial intrusion is not detected in a timely way and the copies of your data have already left your systems? If you’ve kept good records of every login, every connection, and every access attempt, then you have a chance to identify what data was lost, figure out when it was lost, and get some idea where it might have gone. Without this, you’ll probably not find out about the data breach until your customers and their attorneys are informing you about the impacts your carelessness has caused them.
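The paragraph above makes an operational claim: if every login, connection, and access attempt was recorded with the identity that made it, you can scope a breach after the fact. The following is an added example, not code from the book, showing that scoping step over a constructed access log. It assumes a simple one-JSON-record-per-line format with fields ts (ISO 8601, UTC), subject (a unique account ID, never a human name), action, object, result, and an optional src address; real systems emit many other formats, and only the parsing step would change. The account ID u-1042, the file paths, and the addresses are invented.

```python
"""Scope a suspected breach from access-control and connection logs.

Added example; the log format, identifiers and sample records below are
constructed for illustration and are not from the book or any real system.
"""
import json
from datetime import datetime

# Constructed sample records: one compromised account (u-1042), one other
# user, and one legitimate pre-compromise access by u-1042 the day before.
SAMPLE_LOG = """\
{"ts":"2023-04-02T08:59:10Z","subject":"u-1042","action":"login","object":"vpn-gw1","result":"success","src":"203.0.113.7"}
{"ts":"2023-04-02T09:01:33Z","subject":"u-1042","action":"read","object":"/finance/q1-forecast.xlsx","result":"success"}
{"ts":"2023-04-02T09:02:01Z","subject":"u-1042","action":"read","object":"/hr/salaries.csv","result":"denied"}
{"ts":"2023-04-02T09:03:45Z","subject":"u-1042","action":"connect","object":"198.51.100.23:443","result":"success"}
{"ts":"2023-04-02T09:04:12Z","subject":"u-1042","action":"read","object":"/finance/bank-accounts.csv","result":"success"}
{"ts":"2023-04-02T09:30:00Z","subject":"u-2207","action":"read","object":"/finance/q1-forecast.xlsx","result":"success"}
{"ts":"2023-04-01T17:00:00Z","subject":"u-1042","action":"read","object":"/finance/q1-forecast.xlsx","result":"success"}
"""


def parse_ts(s):
    """ISO 8601 with a trailing Z -> aware datetime (fromisoformat only
    accepts 'Z' from Python 3.11 on, so normalise it first)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_log(text):
    """One JSON object per non-empty line; 'ts' becomes a datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = parse_ts(rec["ts"])
        events.append(rec)
    return events


def scope_breach(events, subject, since):
    """Given the compromised subject ID and the earliest moment the credential
    is believed to have been in the attacker's hands, report what that
    identity touched afterwards: what was read (possibly lost), what was
    attempted and blocked, where connections went, where they came from,
    and the time window involved."""
    if isinstance(since, str):
        since = parse_ts(since)
    window = [e for e in events if e["subject"] == subject and e["ts"] >= since]
    times = [e["ts"] for e in window]
    return {
        "objects_read": sorted({e["object"] for e in window
                                if e["action"] == "read" and e["result"] == "success"}),
        "denied": sorted({e["object"] for e in window if e["result"] == "denied"}),
        "outbound": sorted({e["object"] for e in window if e["action"] == "connect"}),
        "sources": sorted({e["src"] for e in window if "src" in e}),
        "first_seen": min(times) if times else None,
        "last_seen": max(times) if times else None,
        "event_count": len(window),
    }


if __name__ == "__main__":
    report = scope_breach(parse_log(SAMPLE_LOG), "u-1042", "2023-04-02T08:00:00Z")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Two details matter in practice. The window filter is what separates the attacker's activity from the same account's legitimate history (the 1 April read is excluded), so the estimate of when the credential was compromised drives everything else; err early. And the report is only as trustworthy as the log: a subject who can write to the log, or a logging pipeline that drops records, leaves you guessing again, which is why log integrity and forwarding to a system the attacker cannot reach belong in the same design.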

This chapter provides you a detailed, operationalized guide to implementing and benefiting from an integrated identity management and access control system and process. In doing so, it makes extensive use of confidentiality, integrity, availability, nonrepudiation, and authorization (CIANA) as a way to capture the essence of any organization’s information security needs. This is an expanded version of the confidentiality, integrity, and availability (known as the CIA) triad. Both CIANA and the CIA triad have been in use for a number of years in the worldwide information security community, and both provide a starting point on our quest to assure systems’ safety, reliability, and resilience. CIANA, however, places greater emphasis on the vital importance to business (and in law) of having highly reliable, auditable, verifiable confirmation of which messages were received, which connections were established, and which assets were accessed; of which device, function, or process attempted or did those things; and of at whose request it was done.

The CIANA set of needs illustrates why information security and assurance is much more than just cybersecurity. Cybersecurity focuses intently upon the information technology aspects of keeping computers, networks, data centers, and endpoints safe, secure, and reliable. That focus on the technologies of the information infrastructure is important; it does not, however, provide much assistance in designing business processes for cross-organization collaboration that provide the appropriate assurance to each party that their knowledge, information, and data are safe and secure. Information assurance is about information risk management, which Chapter 3, “Risk Identification, Monitoring, and Analysis,” will address in more detail. Chapter 3 will also emphasize the use of physical, logical, and administrative means by which vulnerabilities are mitigated. Maintaining and operating those information assurance processes almost invariably requires a significant degree of attention to the human-facing procedural details, many of which are involved in how information systems and the IT they rely upon are managed; this will be addressed in Chapter 2, “Security Operations and Administration,” as well as in Chapter 7, “Systems and Application Security.”

This chapter, however, deals almost exclusively with the logical means of implementing identity management and access control. These logical means will involve management making decisions that establish organizational and local policies and procedures, which will be addressed here in context, but I’ll leave the physical restriction of access to computing and communications hardware to Chapter 7.

Access Control Concepts

Access control is all about subjects and objects (see Figure 1.1). Simply put, subjects try to perform an action upon an object; that action can be reading it, changing it, executing it (if the object is a software program), or doing anything else to the object. Subjects can be anything that is requesting access to or attempting to access anything in a system, whether data, metadata, or another process, for whatever purpose. Subjects can be people, software processes, devices, or services being provided by other web-based systems. Subjects are trying to do something to or with the object of their desire. Objects can be collections of information, or the processes, devices, or people who have that information and act as gatekeepers to it. This subject-object relationship is fundamental to your understanding of access control. It is a one-way relationship: objects do not “do anything” to a subject. Don’t be fooled into thinking that two subjects interacting with each other is a special case of a bidirectional access control relationship. It is simpler, more accurate, and much more useful to see this as two one-way subject-object relationships, each of which is also a one-way trust relationship. It’s also critical to see that every task is a chain of these one-way access control relationships, and that the same entity can be the subject in one link of the chain and the object in the next.

FIGURE 1.1 Subjects and objects

As an example, consider the access control system itself as an object. It is a lucrative target for attackers who want to get past its protections and into the soft underbellies of the information assets, networks, and people behind its protective moat. In that light, hearing these functions referred to as data center gatekeepers makes a lot of sense. Yet the access control system is a subject that makes use of its own access control tables and of the information provided to it by requesting subjects. (You, at sign-on, are a subject providing a bundle of credential information as an object to that access control process.)

Subjects and Objects

The first notion you have to come to grips with is just how many millions of objects can exist within even a small office/home office (SOHO) local area network (LAN) environment; scale this up to a large cloud-hosted data center operation and you could be dealing with billions and billions of objects. Even at the small end of this scale, the sheer number of objects involved dictates the need for efficient processes and effective, automated solutions to carry out most of the work that an access control system has to perform. For example, a typical SOHO LAN environment with an ISP-provided modem, a Wi-Fi router, and peer-to-peer file and resource sharing across a half-dozen devices on that LAN might have the following types of objects as part of that LAN system:

Each hardware device; its onboard firmware, configuration parameters, or device settings; and its external physical connections to other devices

Power conditioning and distribution equipment and cabling, such as a UPS

The file systems on each storage device, on each computer, and on each subtree and each file within each subtree

All of the removable storage devices and media, such as USB drives, DVDs, or CDs used for backup or working storage

Each installed application on each device

Each defined user identity on each device and the authentication information that goes with that user identity, such as username and password

Each person who is a user or is attempting to be a user (whether as guest or otherwise)

Accounts at all online resources used by people in this organization and the access information associated with those accounts

The random access memory (RAM) in each computer, as free memory

The RAM in each computer allocated to each running application, process, process thread, or other software element

The communications interfaces to the ISP, plain old telephone service, or other media

Wi-Fi is a registered trademark of the Wi-Fi Alliance, the nonprofit organization that promotes wireless connectivity and certifies products as conforming to its standards for interoperability. The name does not stand for anything; in particular, it does not mean “wireless fidelity,” even though a number of websites say that it does.

Note that third item: on a typical Windows 10 laptop with 330GB of files and installed software on a 500GB drive, that’s only half a million files—and each of those, as well as each of the 100,000 or so folders in that directory space, is an object. Those USB drives, and any cloud-based file storage, could add similar amounts of objects for each computer; mobile phones using the Wi-Fi might not have quite so many objects on them to worry about. A conservative upper bound might be 10 million objects.

What might the population of subjects be, in this same SOHO office?

Each human, including visitors, clients, family, or even the janitorial crew

Each user ID for each human

Each hardware device, including each removable disk

Each mobile device each human might bring into the SOHO physical location with them

Each executing application, process, process thread, or other software element that the operating system (of the device it’s on) can grant CPU time to

Any software processes running elsewhere on the Internet, which establish or can establish connections to objects on any of the SOHO LAN systems

That same Windows 10 laptop, by the way, shows 8 apps, 107 background processes, 101 Windows processes, and 305 services currently able to run—loaded in memory, available to Windows to dispatch to execute, and almost every one of them connected by Windows to events so that hardware actions (such as moving a mouse) or software actions (such as an Internet Control Message Protocol packet) hitting a system’s network interface card will wake them up and let them run. That’s 521 pieces of executing code. And as if to add insult to injury, the one live human who is using that laptop has caused 90 user identities to be currently active. Many of these are associated with installed services, but each is yet another subject in its own right.

Subjects and objects have identities by which they are known to the systems that they participate in. For identity management and access control to work effectively, these identities need to be unique: there must be a one-to-one correspondence between a subject and its identity (or identifying information). Human names fail this uniqueness test more often than not; thus, we end up assigning some kind of identification key or value to each new human entity that comes into our identity management system’s purview. Hardware identities, such as media access control (MAC) addresses, are reasonably unique, but they can be locally altered and spoofed, so on their own they are not proof of identity. You’ll look at this identity proofing problem in more detail later in the “Proofing” section.
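To make the subject-object model concrete, here is an added example, not code from the book, of a minimal reference monitor: every access is a (subject, privilege, object) triple checked against an explicit policy, subjects are known only by a unique ID (two people who share a human name get different IDs), the relation is one-way (a grant from A to B says nothing about B to A), and a task is a chain of such one-way links that fails at the first denied link. The identifiers (u-1042, u-3377, proc-report, proc-dbengine, db-finance), the privilege names, and the policy table are invented for illustration.

```python
"""Subjects, objects and privileges as a minimal reference monitor.

Added example; identifiers, privilege names and the policy below are
constructed for illustration and do not come from the book or any product.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    sid: str           # unique key issued by the identity system
    display_name: str  # human-readable, NOT unique, never used in decisions


class ReferenceMonitor:
    """Mediates every access as a (subject, privilege, object) triple.

    The policy maps (sid, oid) to a set of privilege names. A grant from
    subject A on object B implies nothing about B acting on A: one-way only.
    """

    def __init__(self):
        self._subjects = {}   # sid -> Subject
        self._policy = {}     # (sid, oid) -> frozenset of privilege names
        self.audit = []       # every decision, allow or deny

    def register(self, subject):
        # Identity must be unique; a second "Alex Chen" needs a different sid.
        if subject.sid in self._subjects:
            raise ValueError(f"duplicate subject identity {subject.sid!r}")
        self._subjects[subject.sid] = subject

    def grant(self, sid, oid, *privileges):
        if sid not in self._subjects:
            raise KeyError(f"unknown subject {sid!r}")
        have = self._policy.get((sid, oid), frozenset())
        self._policy[(sid, oid)] = have | frozenset(privileges)

    def check(self, sid, privilege, oid):
        """Default deny: anything not explicitly granted is refused."""
        allowed = privilege in self._policy.get((sid, oid), frozenset())
        self.audit.append((sid, privilege, oid, "allow" if allowed else "deny"))
        return allowed

    def run_task(self, steps):
        """A task is a chain of one-way subject->object accesses, checked in
        order; the first denial stops the task.
        Returns (completed, index_of_failed_step_or_None)."""
        for i, (sid, priv, oid) in enumerate(steps):
            if not self.check(sid, priv, oid):
                return False, i
        return True, None


def build_demo():
    """Constructed policy: two humans with the same name, a reporting
    service, a database engine, a database and an output file."""
    rm = ReferenceMonitor()
    rm.register(Subject("u-1042", "Alex Chen"))   # finance analyst
    rm.register(Subject("u-3377", "Alex Chen"))   # a different person, same name
    rm.register(Subject("proc-report", "report generator service"))
    rm.register(Subject("proc-dbengine", "database engine"))

    rm.grant("u-1042", "proc-report", "execute")         # analyst may run the tool
    rm.grant("proc-report", "db-finance", "read")         # tool may read the DB
    rm.grant("proc-report", "/reports/q1.pdf", "write")   # tool writes its output
    rm.grant("u-1042", "/reports/q1.pdf", "read")         # analyst reads the result
    # proc-report appears above as an object (something u-1042 executes) and
    # as a subject (something that reads db-finance): same entity, two links.
    # The database engine is a subject over its own files, and nothing here
    # gives it any right over the analyst's report: grants do not reverse.
    rm.grant("proc-dbengine", "/var/lib/db/finance.dat", "read", "write")
    return rm


if __name__ == "__main__":
    rm = build_demo()
    task = [("u-1042", "execute", "proc-report"),
            ("proc-report", "read", "db-finance"),
            ("proc-report", "write", "/reports/q1.pdf"),
            ("u-1042", "read", "/reports/q1.pdf")]
    print("u-1042 runs the report:", rm.run_task(task))
    # Same human name, different identity, no grants: denied at the first link.
    print("u-3377 runs the report:", rm.run_task([("u-3377", "execute", "proc-report")]))
    # One-way: db-finance being readable by proc-report says nothing about
    # proc-dbengine reading the analyst's report, or the analyst reading the DB.
    print("dbengine reads report:", rm.check("proc-dbengine", "read", "/reports/q1.pdf"))
    print("analyst reads DB directly:", rm.check("u-1042", "read", "db-finance"))
    for entry in rm.audit:
        print(entry)
```

Note what the policy does and does not say: the analyst can obtain finance data only by executing the reporting service, which is the only subject with read on db-finance, and the display name never participates in any decision. The audit list is the raw material for the kind of breach scoping that depends on having recorded every access attempt, denials included.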

Privileges: What Subjects Can Do with Objects

The next key ingredient to access control is to define the privileges that subjects can have with respect to objects. A privilege is a type of action that the subject can perform upon the object, such as:

Read data from the object.

Write data into the object.

Delete the object.

Read or inspect metadata associated with the object.

Modify the metadata associated with the object.

Load the object into memory and execute it as a program.

Extend or alter the system resources (such as storage space) allocated to the object.

Copy the object from one location to another.

Move the object from one location to another.