Chapter 1 Security Governance Through Principles and Policies Understand and Apply Concepts of Confidentiality, Integrity, and Availability Confidentiality Integrity Availability Other Security Concepts Protection Mechanisms Layering Abstraction Data Hiding Encryption Apply Security Governance Principles Alignment of Security Function to Strategy, Goals, Mission, and Objectives Organizational Processes Security Roles and Responsibilities Control Frameworks Due Care and Due Diligence Develop and Implement Documented Security Policy, Standards, Procedures, and Guidelines Security Policies Security Standards, Baselines, and Guidelines Security Procedures Understand and Apply Threat Modeling Identifying Threats Determining and Diagramming Potential Attacks Performing Reduction Analysis Prioritization and Response Integrate Security Risk Considerations into Acquisition Strategy and Practice
Chapter 2 Personnel Security and Risk Management Concepts Contribute to Personnel Security Policies Employment Candidate Screening Employment Agreements and Policies Employment Termination Processes Vendor, Consultant, and Contractor Controls Compliance Privacy Security Governance Understand and Apply Risk Management Concepts Risk Terminology Identify Threats and Vulnerabilities Risk Assessment/Analysis Risk Assignment/Acceptance Implementation Types of Controls Monitoring and Measurement Asset Valuation Continuous Improvement Risk Frameworks Establish and Manage Information Security Education, Training, and Awareness Manage the Security Function
Chapter 3 Business Continuity Planning Planning for Business Continuity Project Scope and Planning Business Organization Analysis BCP Team Selection Resource Requirements Legal and Regulatory Requirements Business Impact Assessment Identify Priorities Risk Identification Likelihood Assessment Impact Assessment Resource Prioritization Continuity Planning Strategy Development Provisions and Processes Plan Approval Plan Implementation Training and Education BCP Documentation Continuity Planning Goals Statement of Importance Statement of Priorities Statement of Organizational Responsibility Statement of Urgency and Timing Risk Assessment Risk Acceptance/Mitigation Vital Records Program Emergency-Response Guidelines Maintenance Testing and Exercises
Chapter 4 Laws, Regulations, and Compliance Categories of Laws Criminal Law Civil Law Administrative Law Laws Computer Crime Intellectual Property Licensing Import/Export Privacy Compliance Contracting and Procurement Summary Exam Essentials Written Lab Review Questions
Chapter 5 Protecting Security of Assets Classifying and Labeling Assets Defining Sensitive Data Defining Classifications Defining Data Security Requirements Understanding Data States Managing Sensitive Data Protecting Confidentiality with Cryptography Identifying Data Roles Data Owners System Owners Business/Mission Owners Data Processors Administrators Custodians Users Protecting Privacy Using Security Baselines Scoping and Tailoring Selecting Standards
Chapter 6 Cryptography and Symmetric Key Algorithms Historical Milestones in Cryptography Caesar Cipher American Civil War Ultra vs. Enigma Cryptographic Basics Goals of Cryptography Cryptography Concepts Cryptographic Mathematics Ciphers Modern Cryptography Cryptographic Keys Symmetric Key Algorithms Asymmetric Key Algorithms Hashing Algorithms Symmetric Cryptography Data Encryption Standard Triple DES International Data Encryption Algorithm Blowfish Skipjack Advanced Encryption Standard Symmetric Key Management Cryptographic Life Cycle
Chapter 7 PKI and Cryptographic Applications Asymmetric Cryptography Public and Private Keys RSA El Gamal Elliptic Curve Hash Functions SHA MD2 MD4 MD5 Digital Signatures HMAC Digital Signature Standard Public Key Infrastructure Certificates Certificate Authorities Certificate Generation and Destruction Asymmetric Key Management Applied Cryptography Portable Devices Email Web Applications Digital Rights Management Networking Cryptographic Attacks
Chapter 8 Principles of Security Models, Design, and Capabilities Implement and Manage Engineering Processes Using Secure Design Principles Objects and Subjects Closed and Open Systems Techniques for Ensuring Confidentiality, Integrity, and Availability Controls Trust and Assurance Understand the Fundamental Concepts of Security Models Trusted Computing Base State Machine Model Information Flow Model Noninterference Model Take-Grant Model Access Control Matrix Bell-LaPadula Model Biba Model Clark-Wilson Model Brewer and Nash Model (aka Chinese Wall) Goguen-Meseguer Model Sutherland Model Graham-Denning Model Select Controls and Countermeasures Based on Systems Security Evaluation Models Rainbow Series ITSEC Classes and Required Assurance and Functionality Common Criteria Industry and International Security Implementation Guidelines Certification and Accreditation Understand Security Capabilities of Information Systems Memory Protection Virtualization Trusted Platform Module Interfaces Fault Tolerance
Chapter 9 Security Vulnerabilities, Threats, and Countermeasures Assess and Mitigate Security Vulnerabilities Hardware Input/Output Structures Firmware Client-Based Applets Local Caches Server Based Database Security Aggregation Inference Data Mining and Data Warehousing Data Analytics Large-Scale Parallel Data Systems Distributed Systems Cloud Computing Grid Computing Peer to Peer Industrial Control Systems Assess and Mitigate Vulnerabilities in Web-Based Systems Assess and Mitigate Vulnerabilities in Mobile Systems Device Security Application Security BYOD Concerns Assess and Mitigate Vulnerabilities in Embedded Devices and Cyber-Physical Systems Examples of Embedded and Static Systems Methods of Securing Essential Security Protection Mechanisms Technical Mechanisms Security Policy and Computer Architecture Policy Mechanisms Common Architecture Flaws and Security Issues Covert Channels Attacks Based on Design or Coding Flaws and Security Issues Programming Timing, State Changes, and Communication Disconnects Technology and Process Integration Electromagnetic Radiation
Chapter 10 Physical Security Requirements Apply Secure Principles to Site and Facility Design Secure Facility Plan Site Selection Visibility Natural Disasters Facility Design Design and Implement Physical Security Equipment Failure Wiring Closets Server Rooms Media Storage Facilities Evidence Storage Restricted and Work Area Security (e.g., Operations Centers) Datacenter Security Utilities and HVAC Considerations Water Issues (e.g., Leakage, Flooding) Fire Prevention, Detection, and Suppression Implement and Manage Physical Security Perimeter (e.g., Access Control and Monitoring) Internal Security (e.g., Escort Requirements/Visitor Control, Keys, and Locks)
Chapter 11 Secure Network Architecture and Securing Network Components OSI Model History of the OSI Model OSI Functionality Encapsulation/Deencapsulation OSI Layers TCP/IP Model TCP/IP Protocol Suite Overview Converged Protocols Content Distribution Networks Wireless Networks Securing Wireless Access Points Securing the SSID Conducting a Site Survey Using Secure Encryption Protocols Determining Antenna Placement Antenna Types Adjusting Power Level Controls Using Captive Portals General Wi-Fi Security Procedure Secure Network Components Network Access Control Firewalls Endpoint Security Other Network Devices Cabling, Wireless, Topology, and Communications Technology Network Cabling Network Topologies Wireless Communications and Security LAN Technologies
Chapter 12 Secure Communications and Network Attacks Network and Protocol Security Mechanisms Secure Communications Protocols Authentication Protocols Secure Voice Communications Voice over Internet Protocol (VoIP) Social Engineering Fraud and Abuse Multimedia Collaboration Remote Meeting Instant Messaging Manage Email Security Email Security Goals Understand Email Security Issues Email Security Solutions Remote Access Security Management Plan Remote Access Security Dial-Up Protocols Centralized Remote Authentication Services Virtual Private Network Tunneling How VPNs Work Common VPN Protocols Virtual LAN Virtualization Virtual Software Virtual Networking Network Address Translation Private IP Addresses Stateful NAT Static and Dynamic NAT Automatic Private IP Addressing Switching Technologies Circuit Switching Packet Switching Virtual Circuits WAN Technologies WAN Connection Technologies Dial-Up Encapsulation Protocols Miscellaneous Security Control Characteristics Transparency Verify Integrity Transmission Mechanisms Security Boundaries Prevent or Mitigate Network Attacks DoS and DDoS Eavesdropping Impersonation/Masquerading Replay Attacks Modification Attacks Address Resolution Protocol Spoofing DNS Poisoning, Spoofing, and Hijacking Hyperlink Spoofing
Chapter 13 Managing Identity and Authentication Controlling Access to Assets Comparing Subjects and Objects Types of Access Control The CIA Triad Comparing Identification and Authentication Registration and Proofing of Identity Authorization and Accountability Authentication Factors Passwords Smartcards and Tokens Biometrics Multifactor Authentication Device Authentication Implementing Identity Management Single Sign-On Credential Management Systems Integrating Identity Services Managing Sessions AAA Protocols Managing the Identity and Access Provisioning Life Cycle Provisioning Account Review Account Revocation
Chapter 14 Controlling and Monitoring Access Comparing Access Control Models Comparing Permissions, Rights, and Privileges Understanding Authorization Mechanisms Defining Requirements with a Security Policy Implementing Defense in Depth Discretionary Access Controls Nondiscretionary Access Controls Understanding Access Control Attacks Risk Elements Identifying Assets Identifying Threats Identifying Vulnerabilities Common Access Control Attacks Summary of Protection Methods
Chapter 15 Security Assessment and Testing Building a Security Assessment and Testing Program Security Testing Security Assessments Security Audits Performing Vulnerability Assessments Vulnerability Scans Penetration Testing Testing Your Software Code Review and Testing Interface Testing Misuse Case Testing Test Coverage Analysis Implementing Security Management Processes Log Reviews Account Management Backup Verification Key Performance and Risk Indicators
Chapter 16 Managing Security Operations Applying Security Operations Concepts Need to Know and Least Privilege Separation of Duties and Responsibilities Job Rotation Mandatory Vacations Monitor Special Privileges Managing the Information Life Cycle Service Level Agreements Addressing Personnel Safety Provisioning and Managing Resources Managing Hardware and Software Assets Protecting Physical Assets Managing Virtual Assets Managing Cloud-based Assets Media Management Managing Configuration Baselining Using Images for Baselining Managing Change Security Impact Analysis Versioning Configuration Documentation Managing Patches and Reducing Vulnerabilities Patch Management Vulnerability Management Common Vulnerabilities and Exposures
Chapter 17 Preventing and Responding to Incidents Managing Incident Response Defining an Incident Incident Response Steps Implementing Preventive Measures Basic Preventive Measures Understanding Attacks Intrusion Detection and Prevention Systems Specific Preventive Measures Logging, Monitoring, and Auditing Logging and Monitoring Egress Monitoring Auditing to Assess Effectiveness Security Audits and Reviews Reporting Audit Results
Chapter 18 Disaster Recovery Planning The Nature of Disaster Natural Disasters Man-made Disasters Understand System Resilience and Fault Tolerance Protecting Hard Drives Protecting Servers Protecting Power Sources Trusted Recovery Quality of Service Recovery Strategy Business Unit and Functional Priorities Crisis Management Emergency Communications Workgroup Recovery Alternate Processing Sites Mutual Assistance Agreements Database Recovery Recovery Plan Development Emergency Response Personnel and Communications Assessment Backups and Offsite Storage Software Escrow Arrangements External Communications Utilities Logistics and Supplies Recovery vs. Restoration Training, Awareness, and Documentation Testing and Maintenance Read-Through Test Structured Walk-Through Simulation Test Parallel Test Full-Interruption Test Maintenance
Chapter 19 Incidents and Ethics Investigations Investigation Types Evidence Investigation Process Major Categories of Computer Crime Military and Intelligence Attacks Business Attacks Financial Attacks Terrorist Attacks Grudge Attacks Thrill Attacks Incident Handling Common Types of Incidents Response Teams Incident Response Process Interviewing Individuals Incident Data Integrity and Retention Reporting and Documenting Incidents Ethics (ISC)2 Code of Ethics Ethics and the Internet
Chapter 20 Software Development Security Introducing Systems Development Controls Software Development Systems Development Life Cycle Life Cycle Models Gantt Charts and PERT Change and Configuration Management The DevOps Approach Application Programming Interfaces Software Testing Code Repositories Service-Level Agreements Software Acquisition Establishing Databases and Data Warehousing Database Management System Architecture Database Transactions Security for Multilevel Databases ODBC Storing Data and Information Types of Storage Storage Threats Understanding Knowledge-based Systems Expert Systems Neural Networks Decision Support Systems Security Applications
Chapter 21 Malicious Code and Application Attacks Malicious Code Sources of Malicious Code Viruses Logic Bombs Trojan Horses Worms Spyware and Adware Countermeasures Password Attacks Password Guessing Dictionary Attacks Social Engineering Countermeasures Application Attacks Buffer Overflows Time of Check to Time of Use Back Doors Escalation of Privilege and Rootkits Web Application Security Cross-Site Scripting (XSS) SQL Injection Reconnaissance Attacks IP Probes Port Scans Vulnerability Scans Dumpster Diving Masquerading Attacks IP Spoofing Session Hijacking