Index

* (star) integrity property (Bell-LaPadula model), 301
* (star) security property (Bell-LaPadula model), 300

A
AAA (authentication, authorization, accounting), identity, 293–295
ABAC (attribute-based access control), 303
acceptance testing, 76, 128, 146, 148, 421, 422, 428
access control. See also NAC (network access control)
- ABAC (attribute-based access control), 303
- Active Directory and, 272
- answers to review questions, 586–589
- baselines and, 437–438
- Bell-LaPadula model, 299–302
- Biba model, 299–302
- Brewer and Nash model, 301
- centralized access control, 311–312
- CIANA+PS and, 286–287
- Clark-Wilson model, 301
- data classification, 297–299
- datacenter gatekeepers, 295
- decentralized access control, 312
- discretionary, 305, 312–313
- Gogun-Meseguer, 301
- Graham-Denning model, 301
- mandatory, 305, 312
- object-based, 304
- objects, 295
- protocols, 404
- RBAC (role-based access control), 302–303
- risk-based, 304
- RuBAC (rule-based access control), 304
- subject-based, 303
- subjects, 295

accountability, 204, 675–676
- due care, 18
- due diligence, 18
- due process, 18
- ethical, 19
- financial accounting, 18–19
- legal accountability, 19–20
- stewardship, 20

accounting. See financial accounting
- identity and, 294

ACL (access control list), 293, 294, 306–307
Active Directory, 269
- centralized access control and, 272
- identity and access, 373
- identity management and, 469
- single sign-on architecture, 283
- TACACS+ and, 270

address resolution, 209
addressing, 211–212
- link local address, 246
- loopback addresses, 246

administrative controls, 149, 158
administrative elements, 86
AES (Advanced Encryption Standard), 396
agents, NAC (network access control), 267
Agile, 493
AH (Authentication Header), 235
AI (artificial intelligence), 422–423, 667
ALE (annual loss expectancy), 100, 102–103
algorithms
- attacks, 412–413
- cryptographic, 354, 359–360
- encryption algorithm, 360
- hash algorithms, 363–364
- rounds, 360
- SHA (Secure Hashing Algorithms), 364

allowed listing, 502–503
analytics, 668
anonymization, 380
answers to review questions
- access control, 704–707
- application security, 712–715
- business continuity, 718–722
- cloud security, 712–715
- communications, 701–703
- cross-domain challenges, 722–725
- cryptography, 707–709
- data security, 712–715
- hardware, 709–711
- identity, 704–707
- incident recovery, 715–718
- incident response, 715–718
- information security, 718–722
- information security fundamentals, 693–695
- integrated information risk management, 695–698
- network security, 701–703
- operationalizing risk mitigation, 698–701
- people power, 718–722
- systems security, 709–711

API (application programming interface), 232
APIPA (Auto-IP Address), 246
appliances, 486
- software as, 487–490

Application Layer 7 (OSI), 232–233
- CIANA
  - countermeasures, 261–262
  - residual risk, 262
  - vulnerabilities, 261
applications
- answers to review questions, 594–597
- lifecycles, 490–491
  - SDLC (software development lifecycle), 491–493
- vulnerabilities, lifecycle, 504–506

apps, 488–489
APTs (advanced persistent threats), 484, 558–559
architecture
- asset management, 169–174
- change control, 169–174
- IT architecture
  - clouds, 140
  - external system providers, 140
  - information security baseline, 138
  - information technology baseline, 138
  - networks, 140
  - service bureaus, 140
  - software-defined service provision, 141–142
- zero-trust, 332–333

archives, disaster recovery, 618–620
ARO (annual rate of occurrence), 100, 102–103
ARP (Address Resolution Protocol), 233
- gratuitous ARP, 233
- Proxy ARP, 233

ARPANet (Advanced Research Projects Agency), 201, 219
assessment, continuous, 650–651
asset management, 151
- data security lifecycle, 172–173
- IT/OT (information technology/operational technology) lifecycle, 170–172
- risk register and, 173

asset-based risk, 79, 82
assets
- information assets, 79
- information technology, 79
- intangible, 79
- tangible, 79

assurance, 9
asymmetric encryption, trapdoor functions, 371
asymmetric key cryptography, 370–371
attack surface, 205
attacks
- computationally infeasible attacks, 363, 370, 386, 668
- cryptanalysis, quantum computing, 422
- cryptosystems, 408–418
  - algorithm, 412–413
  - brute force, 410–411
  - dictionary, 410–411
  - implementation, 410
  - key, 412–413
  - massively parallel computing, 414
  - numeric, 412–413
  - operational intelligence, 413–414
  - side channel, 411–412
  - social engineering, 413–414
  - supply chain vulnerabilities, 414–415
  - traffic analysis, 413–414
- living off the land, 393
- malformed, 521–522
- phishing, 629–630
- query injection, 521–522
- threat actors, 64

authentication, 203
- cryptography and, 376
- handshake, EAPOL, 307
- identity and, 293
- multifactor, 315–319

authorization, identity and
- assigning privileges, 294
- authorizing specific request, 294

availability, 14, 40
- cryptography and, 379

avoidance, 111–112

B
backplanes, bus topologies, 214
backups, disaster recovery, 618–620
bare iron cloud, 440
baselines, 437
- access control and, 437–438
- cloud services, 439–441
- controlled, auditing, 174
- supply chain security, 439
- uncontrolled, 173

bases, 77
basis of estimate, 66
BC/DR. See also restore
- archives, 618–620
- backups, 618–620
- C3I and, 631–632
- cloud do-over buttons
  - complex service do-over, 623
  - session do-over, 623
  - transaction do-over, 623
- compliance, 633–634
- cryptographic assets, 620
- golden images, 621–622
- historical zero-day attacks, 622
- image copies, 618–620
- planning, timelines, 615–617
- restart from baseline, 622–623
- social engineering attacks, 629
- timeline, 615–617
- virtual organization restoration, 625–626

BCP. See business continuity
behavior analysis, 668
Bell-LaPadula model, 299–302
- * (star) integrity property, 301
- * (star) security property, 300
- discretionary security property, 300
- simple integrity property, 261
- simple security (SS) property, 300

Berners-Lee, Tim, 212–213
best effort services, 217
BI (business intelligence), 668
BIA (business impact analysis), 105, 204, 310, 610
Biba model, 260–262, 299–302
- * (star) integrity property, 261, 301
- * (star) security property, 300
- discretionary security property, 261
- simple integrity property, 261, 301
- simple security (SS) property, 261

biometrics, 316
Bitcoin, 402
BITE (built-in test equipment), 175
BLOB (binary large objects), 385–386
blobs, 455
block ciphers, 359
blockchain, 401–402
blocked listing, 502–503
Bluetooth, 242
botnets, 237–238
Boyd, John, 131
Brewer and Nash model, 301
broadcast messages, 246
broadcast news, 46
browsing, secure, 466–468
brute force attacks, 410–411
budgets, 23
bump-in-the-stack, 344–345
bump-in-the-wire, 344–345
bus topologies, 214
business
- boards of directors, 20–21
- C-Suite, 21
- competitors, 12
- corporations, 11
- customers, 12
- employees, 12
- executive directors, 21
- investors, 11, 20
- managing directors, 21
- owners, 20
- partnerships, 11
- sole proprietorships, 11
- stakeholders, 12

business continuity, 88, 610. See also BC/DR
- answers to review questions, 601–604
- contingency operations planning, 612
- critical asset protection planning, 612
- physical security and safety planning, 613
- planning, 612–615

business continuity plan, 610–611, 638
business logic, 7, 14–15, 78
- patents, 15
- trade secrets, 15

business plan, 12–13
business process engineering, 137
business processes, 71–72, 78
BYOC (bring your own cloud), 460–461
BYOD (bring your own device), 459
BYOI (bring your own infrastructure), 460–461

C
C3 (command, control, communications), 75
C3I, BC/DR and, 631–632
CA (certificate authorities), 387–388, 389
CADAM (computer-aided design and manufacturing), 13
captive portals, 308
case studies, voter registration, 70–71, 80–83
catphishing, 630
causal agents, 503
CCITT (International Telegraph and Telephone Consultative Committee), 219
CCTV (closed-circuit television), 41
celebrities, 44
centralized access control, 311–312
CEO (chief executive officer), 21
CERT (computer emergency response team), 568
certificates, 388
- CSR (certificate signing request), 391
- leaf, 390
- revocation, 335
- root certificate, 389

CFO (chief financial officer), 21
chain of custody, evidence, 510
chain of trust, 389
character ciphers, 359
checksums, 362
CI/CD (continuous integrational/continuous delivery), 656
CIA (confidentiality, integrity, availability), 562
- real estate, 40–41

CIANA
- product development and, 13–14

CIANA (confidentiality, integrity, availability, nonrepudiation, authentication), 562
- e-voting and, 379
- Layer 1 - Physical
  - countermeasures, 253–254
  - residual risk, 254
  - tools, 252–253
  - vulnerabilities, 251–252
- Layer 2 - Data Link
  - countermeasures, 255
  - residual risk, 256
  - vulnerabilities, 254–255
- Layer 3 - Network
  - countermeasures, 256
  - residual risk, 257
  - vulnerabilities, 256
- Layer 4 - Transport
  - countermeasures, 257–258
  - residual risk, 258
  - vulnerabilities, 257
- Layer 5 - Session
  - countermeasures, 259
  - residual risk, 260
  - vulnerabilities, 258–259
- Layer 6 - Presentation
  - countermeasures, 260
  - residual risk, 260
  - vulnerabilities, 260
- Layer 7 - Application
  - countermeasures, 261–262
  - residual risk, 262
  - vulnerabilities, 261
CIANA+P
- government and, 45
- military and, 45
- nuclear medicine and, 49
- private business, 44–45
- society’s need for, 46–47
- training, 47
CIANA+PS, 203
- access and, 286–287
- applications software and, 498–503
- cryptography and, 375–381
- identity and, 286–287
- individual’s needs, 43–44
- layer 8, 627–628
- wireless security, 265
  - network monitoring, 266
  - WIDSs, 266–267
  - WIPSs, 266–267
CIDR (Classless Inter-Domain Routing), 220, 240
CIFS (Common Internet File System), 232
CIO (chief information officer), 21
ciphers, 352–357
- block ciphers, 359
- character ciphers, 359
- stream ciphers, 359
- symbol ciphers, 359
ciphertext, 353
circle of trust (public keys), 387
CISO (chief information security officer), 21
civil law, 19
CKO (chief knowledge officer), 21
Clark-Wilson model, 301
classical cryptography, 379–380
cleartext, 301–302, 322, 365
clients, star network, 215
cloud, 140
- answers to review questions, 594–597
- bare iron, 440
- blobs, 455
- community, 440
- continuity and, 528
- versus datacenter, 522–523
- deployment models, 524–525
- do-over buttons
  - complex service do-over, 623
  - session do-over, 623
  - transaction do-over, 623
- edge computing, 441
- fog computing, 441
- GovCloud, 440
- hybrid, 441
- IoT devices, 441
- object storage, 455
- penetration testing, 533
- private, 439–440
- public, 440
- resiliency and, 529
- SASE (secure access service edge), 667
- security methods, 531–532
- services
  - baseline management and, 439–441
  - IaaS (infrastructure as a service), 525
  - IDaaS (identity as a service), 526
  - PaaS (platform as a service), 525
  - SaaS (software as a service), 525
- SLAs (service-level agreements), 533
- threat modeling and, 529–530
- TORs (terms of reference), 533
- updates, 624
CMIP (Common Management Information Protocol), 234
CMIS (Common Management Information Service), 234
CMVP (Cryptographic Module Validation Program), 362
code, 352–357
- decoding, 352
- encoding, 352
- prisoner’s code, 352–353
- software security and, 494
Code of Ethics, 47–48
Code-First Design, 493
collaborative workspaces, 627
collision detection, 222
collision domain, 223
collisions, 360
- encryption, 363
common law, privacy and, 34–35
common sense, risk management and, 74–75
communications, 200
- answers to review questions, 583–586
- connectionless, 205, 211, 228
- intent, 202
- media, 202
- message content, 202
- parties, 202
- privileged, 38
- protocols, 202
- purpose, 202
- quantum communications, 669
- recipients, 202
- risk treatment and, 161–162
- senders, 202
- strategy, 204
- subtext, 202
- threat modeling, 205–206
community cloud, 440
community of practice, 48
company confidential information, 35
competitive advantage, 15
competitors, 12
complex service do-over button, 623
compliance, continuous, 650–651
computationally infeasible attacks, 363, 370, 386, 668
computing hygiene, 75
confidentiality, 14
- cryptography and, 351, 375–381
- privacy, 38
- privileged communications, 38
- requirements, 501
configuration control, 169
configuration management, 169
connectionless communications, 205, 211, 228
connections
- logical, 209
- NIC and transmission medium, 222
- physical, 209
containment, incident response, 502–503
contingency operations planning, 638
continuity, cloud and, 452
continuous follow-through, 112
control plane, 235
controlled paths, 205
controls
- risk treatment
  - administrative, 158
  - logical, 158
  - physical, 157–158
  - selecting, 159
  - technical, 158
- user engagement and, 165
convergence of communications, 200–203
COO (chief operations officer), 21
COPE (company-owned personally enabled), 459
core technologies, understanding, 672
corporate officers, 44
corporations, 11
counterattacks, 567
countermeasures
- applications, 535–536
- controls
  - administrative, 158
  - logical, 158
  - physical, 157–158
  - selecting, 159
  - technical, 158
- cryptosystems
  - administrative, 418
  - logical, 417
  - physical, 416–417
  - timing, 418
covert paths, 320, 390, 398, 405
CPTED (crime prevention through environmental design), 442–443
credential management, 326–328
criminal law, 19
critical path, 80
CRM (customer relationship management), 13, 78
cross MAC scheduling, 234
cryptanalysis, 357
- attacks, quantum computing, 422
- ethical, 372
- unethical, 371
CryptGenRandom function, 365
cryptocurrency, 401–402
cryptographic hygiene, 406
cryptographic module, 362
cryptographic systems, 356
- QKD (quantum key distribution), 422
cryptography, 350–351. See also encryption; quantum cryptography
- access control protocols, 404
- AI (artificial intelligence), 422–423
- algorithms, 354, 359–360
- answers to review questions, 589–591
- assets, 405–406
  - BC/DR, 620
- asymmetric key, 370–371
- blockchain and, 401–402
- certificate authorities, 387–388
- CIANA+PS and
  - authentication, 376
  - availability, 379
  - confidentiality, 376
  - integrity, 376–377
  - nonrepudiation, 377
  - privacy, 380–381
  - safety, 381
- ciphers, 352–357
- ciphertext, 353
- classical, 379–380
- classical versus modern, 379–380
- cleartext, 301–302, 365
- codes, 352–357
- computationally infeasible attacks, 363, 370, 386, 668
- confidentiality and, 351
- definition, 357
- digital certificates, 387–388
- digital cryptographic systems, 358
  - block ciphers, 359
  - character ciphers, 359
  - stream ciphers, 359
  - symbol ciphers, 359
- digital signatures, 387
- DKIM and, 400–401
- e-voting and, 358
- email and, 378
- engineers, 373
- entropy and, 365
- functions and, 356
- hashing and, 362
- hybrid cryptosystems, 371
- identity and, 351
- integrity and, 351
- IPSec and, 396–397
- Kerckhoff’s principle, 366
- keys, 360–361, 367
  - distribution and management, 361
  - keying management, 361
  - keying material, 361
  - management, 367
  - protection, 367
  - protocols, 361–362
  - pseudorandom numbers, 361
  - revocation, 368
  - space, 361
  - storage, 367
  - strength, 361
  - zeroization, 368–369
- legalities, 374
- lexical analysis, 350
- MCTL (Militarily Critical Technologies List), 374
- measuring merit, 407–408
- modern, 379–380
- nonrepudiation and, 351
- pervasive cryptography, 373
- PKI (public key infrastructure), 395
- plaintext, 309, 322, 353–354
- primitives, 373
- privacy and, 351
- protocols, 361–362
- public key, 370–371
- S/MIME and, 400
- sets and, 356
- Shannon’s maxim, 366
- strength, 374
- symmetric key, 370, 395
- systems management, 405–406
- uniqueness and, 351
- utility and, 351
- zero value, 365–366
cryptolinguistics, 357
cryptology, 357
cryptosystems
- attacks, 408–418
  - algorithm, 412–413
  - brute force, 410–411
  - dictionary, 410–411
  - implementation, 410
  - key, 412–413
  - massively parallel computing, 414
  - numeric, 412–413
  - operational intelligence, 413–414
  - side channel, 411–412
  - social engineering, 413–414
  - supply chain vulnerabilities, 414–415
  - traffic analysis, 413–414
- countermeasures
  - administrative, 418
  - logical, 417
  - physical, 416–417
  - timing, 418
- design, 371–372
- hybrid, 371
CSIRT (computer security incident response teams), 568
CSO (chief security officer), 21
CSR (certificate signing request), 391
CTO (chief technology officer), 21
customers, 12
CVE (Common Vulnerabilities and Exposures), 145–147, 251
CVSS (Common Vulnerability Scoring System), 145
cyber as prefix, 10
cybernetics, 71
cybersecurity, 10
CYOD (choose your own device), 460

D
DAD (duplicate address detection), 245
dark web, 663–665
data, 6
- acquisition, unauthorized, 518–519
- answers to review questions, 594–597
- cleaning, 7
- errors, 496
- exfiltration, 516–518, 533
- hypotheses, 6
- information and, 6
- insight, 6
- knowledge, 6
- knowledge pyramid and, 8
- loss, preventing, 519–521
- modeling, 496
- as procedural knowledge, 509–511
- processed, 6, 7
- processing, 7
- quality assurance, 144
- raw, 6
- recovery, 588–589
- semantics, 352, 670
- smoothing, 7
- typing, 496
- validation, 7
- verifiability, 7
- wisdom, 6
data classification
- access control and, 297–299
- privacy-related information, 298
- reading up, 299
- secret, 298
- suitable for public release, 297
- top secret, 298
- unclassified, 297
- writing down, 299
data encapsulation, 319
data in motion, 514–522
data in rest, 514–522
data in use, 514–522
Data Link Layer 2 (OSI), 223–225
- CIANA
  - countermeasures, 255
  - residual risk, 256
  - vulnerabilities, 254–255
data localization, 36
data plane, 235
data remanence, 317, 351, 356, 462
data residency, 36
data security lifecycle, 172–173
Data-Information-Knowledge-Wisdom pyramid, 484–485
datacenter keepers, 295
datacenters versus clouds, 522–523
datagrams, 207–208, 229
DDC (Dewey Decimal Classification), 362
decentralized access control, 312
decision assurance, 73–74
- zero trust architecture, 332–333
decision flow, airline flight purchase, 72–73
decision making, PDCA (Plan, Do, Check, Act), 93–95
decision work, 71–72
decoding, 352, 354
decryption, 353, 354
- collisions, 360
- substitution, 355
- transposition, 355
deep web, 663–665
deepfake phishing, 630
defense, 83–89
- due care, 87–88
- due diligence, 87–88
- layers, 83–89
- priority setting, 88–89
defense in depth, 64
Delta Airlines breach, 68
DES (Data Encryption Standard), 395–396
deserializing, 231
design pattern, 424, 461
design, software security and, 494
detection, 110
deterministic numbers, hashing and, 364–365
deterrence, 109–110
DevOps, 655
DevSecOps, 656
DHCP (Dynamic Host Configuration Protocol), 233
- IPv4, 243–245
- IPv6, 243–245
DHCPv4, 244–245
Diameter, 269
dictionary attacks, 410–411
Dierks, Tim, 388
Diffie, Whitfield, 382
digital certificates, 387–388
digital cryptographic systems, 358
- block ciphers, 359
- character ciphers, 359
- stream ciphers, 359
- symbol ciphers, 359
digital fingerprints, 362
digital identification, 365
digital nomads, 670
digital signatures, 386
- integrity and, 377
directives, 23
disaster, 608–609
disaster recovery, 609. See also BC/DR
- IS (information systems), 610–611
discretionary access control, 305, 312–313
discretionary security property (Bell-LaPadula model), 261
DKIM (Domain Keys Identified Mail), 400–401
DLP (data loss prevention), 520–521
DMZ (demilitarized zone), 237–238, 397, 405–406
DNS (Domain Name System), 212, 234
- attacks, 665–666
do-over buttons
- complex service do-over, 623
- session do-over, 623
- transaction do-over, 623
DoS (denial-of-service) attack, 584–585
Dragonfly 2.0, 559
DRM (digital rights management), 520
DSA (Digital Signature Algorithm), 385
DSS (Digital Signature Standard), 386
DTLS (Datagram Transport Layer Security), 239
due care, 74, 87–88
due diligence, 74, 87–88
due process, 17, 27

E
e-voting, cryptography and, 358, 375
EAPOL (Extensible Authentication Protocol), 307
- authentication handshake, 307
ECC (elliptical curve cryptography), 386, 669
ECC (error correction code), 376
edge computing, 441
electronic commerce, 387
ElGamal encryption, 385–386
email, cryptography and, 378
emergency zeroization, 316
employees, 12
encapsulation, 209–211, 229
- data encapsulation, 319
- key encapsulation, 319
encoding, 352, 354
encryption, 353, 354. See also cryptography
- AES (Advanced Encryption Standard), 396
- algorithm, 360
- collisions, 360, 363
- decryption, 353
- DES (Data Encryption Standard), 395–396
- ElGamal, 385–386
- homomorphic, 420–421
- HTTPS (Hypertext Transfer Protocol Secure), 394–395
- pervasive, 420–421
- PGP (Pretty Good Privacy), 392
  - GPG (GNU Privacy Guard), 393
  - OpenPGP, 393
- public key, 381
- RSA (Rivest-Shamir-Adleman), 385
- symmetric, forward secrecy, 367
- TLS (Transport Layer Security), 393–394
endpoints, 237, 484–486
- security, 457–458
entropy, cryptography and, 365
Equifax breach, 67–68
ESP (Encapsulating Security Payloads), 235
estimates, 77
Ether Type field, 224
ethical accountability, 19
ethical cryptanalysis, 372
ethical penetration testing, 167
European Union, 36
events versus incidents, 562–563
evidence, incident response and, 504
executing code, 297
exfiltration, data, 445–446
existential risk, 84
existential threats, 90
expected cost, 84
explicit information, 7
explicit knowledge, 137

F
facilities security, 442–443
fake news, 47
false acceptance rate (FAR), 317–319
false negative access control error, 275–276, 288, 393, 447, 514
false positive access control error, 275–276, 288, 393, 447
false rejection rate, 288
false rejection rate (FRR), 317–319
fault tree analysis, 17
FCS (Frame Check Sequence), 224
FDFI (fault detection and fault isolation), 175
federated IAM system, 322–323
federated system, 322–323
FERPA (Family Educational Rights and Privacy Act), 107
financial accounting, 18–19
- GAAP (Generally Accepted Accounting Principles), 18–19
fingerprinting, 381
firewalls, 111
firmware, vulnerabilities, threat modeling, 449–451
fishbone diagram, 16–17, 77
flexibility of vision, 675
fog computing, 441
forward secrecy, 367
four faces of risk, 75–83, 77
- asset-based, 79, 82
- outcomes-based, 77–78, 80–81
- process-based, 78, 81
- threat-based, 79–80, 82–83
frames, 223
freeware, 139
frequency of occurrence, 69
FTP (File Transfer Protocol), handshakes, 208–209
functional impact, 502
functional requirements, 500

G
GAAP (Generally Accepted Accounting Principles), 18–19
gap analysis, 150–151
GDPR (General Data Protection Regulation), 36
gemba, 21
- inverted pyramid chart, 22
GIS (geographical information system), 490
glueware, 121, 174
Gogun-Meseguer, 301
golden images, 621–622
GovCloud, 440
government
- CIANA+P and, 45
government officials, 44
GPG (GNU Privacy Guard), 393
graceful degradation, 124, 137, 452, 467
Graham-Denning model, 301

H
handshakes, 208–209
- EAPOL, 307
hardware, 497–498
- answers to review questions, 592–594
- vulnerabilities, threat modeling, 447–449
hashing, 362
- checksums, 362
- DDC (Dewey Decimal Classification), 362
- deterministic numbers, 364–365
- digital fingerprints, 362
- functions, 363
- hash algorithms, 363–364
- integrity and, 377
- mappings, 363
- pseudorandom numbers, 364–365
- SHA (Secure Hash Algorithms), 364
Hellman, Martin, 382
HIDS (host-based intrusion detection system), 387, 404, 457
hierarchies of trust, 389–390
historical zero-day attacks, 622
homomorphic encryption, 420–421
honeypot, 388, 405–406
hot-swap topologies, 214
HSM (hardware security module), 620
HTTP (Hypertext Transfer Protocol), 213
HTTPS (Hypertext Transfer Protocol Secure), 394–395
human security behaviors, 669
hybrid clouds, 441
hybrid cryptosystems, 371
- data (payload) encapsulation, 371
- ElGamal, 385–386
- key encapsulation, 371
hypervisor, 374–376, 385, 450, 463, 466
hypotheses, 6

I
IaaS (infrastructure as a service), 141, 525
IALs (identity assurance levels), 291–292
IAM (identity management and access control), 310
- authentication, multifactor, 315–319
- built-in solutions, 313–314
- centralized access control, 311–312
- credential management, 326–328
- decentralized access control, 312
- discretionary access control, 312–313
- false acceptance rate (FAR), 317–319
- false rejection rate (FRR), 317–319
- federated system, 322–323
- IDaaS (Identity as a Service), 322
- integrated systems, 320–321
- Kerberos, 325–326
- LDAP (Lightweight Directory Access Protocol), 314
- mandatory access control, 312
- OAuth (Open Authorization), 315
- OpenID Connect, 322
- policy objects, 313
- SAML (Security Assertions Markup Language), 314
- SCIM (system for cross-domain identity management), 315
- server-based, 319–320
- session management, 323–325
- SSO (single sign-on), 321
- trust frameworks, 328–329
- XACML (Extensible Access Control Markup Language), 314
IANA (Internet Assigned Numbers Authority), 211
ICANN (Internet Corporation for Assigned Names and Numbers), 213
ICFR (internal controls over financial reporting systems), 18–19
ICMP (Internet Control Message Protocol), 225
IDaaS (Identity as a Service), 141, 322, 526
- IAM systems, 320–321
identity
- accounting and, 294
- Active Directory and, 373
- answers to review questions, 586–589
- authentication and, multifactor, 293
- authorization
  - assigning privileges, 294
  - authorizing specific request, 294
- CIANA+PS and, 286–287
- cryptography and, 351
- deleting identities, 290
- IAL (identity assurance levels), 291–292
- JIT (just-in-time identity), 291–292
- sovereign identity, 292–293
identity management, 288
- Active Directory and, 469
- lifecycle, 289–291
- privilege creep, 290
- provisioning, 289
  - identity proofing, 289–290
  - manual, 291
  - proofing, 291
- review, 290
- revocation, 290–291
identity plane, 415
identity proofing, 289
identity provisioning, 289
- identity proofing, 289
identity theft, APTs and, 559
IDEs (integrated development environments), 461, 493
IDS (intrusion detection systems), 387–388, 457
- HIDS (host-based intrusion detection system), 387, 404
- NIDS (network-based intrusion detection system), 387, 404
IEEE 802.1X, 267–268
IETF (Internet Engineering Task Force), 388
IGRP (Interior Gateway Routing Protocol), 225
IKE (Internet Key Exchange), 235, 398
image copies, disaster recovery, 618–620
impact assessment, 129
implementation attacks, 410
InARP (Inverse ARP), 233
incident investigation, 181
incident response
- answers to review questions, 597–601
- appreciative inquiry, 590–591
- APTs (advanced persistent threats), 558–559
- causal agent, 584
- CERT (computer emergency response team), 568
- checklist, 576–577
- containment, 584–587
- counterattacks and, 567
- CSIRT (computer security incident response teams), 568
- detection
  - initial, 580–581
  - notification, 582–583
  - timeline, 581
  - warning signs, 578–580
- DoS attack, 584–585
- eradication, 585
- evidence, 585–586
- flow, 567
- framework, 566–571
  - ATT&CK, 564–565
- functional impact, 583
- information impact, 583
- kill chain, 560–562
- monitoring, 586
- point of contact, 568
- post-incident, 590–591
  - evidence chain of custody, 593
  - evidence retention, 593–594
  - forensics, ongoing, 592–593
  - information retention, 593–594
  - information sharing, 594
  - lessons learned, 591
- preparation
  - implementing plan, 574–575
  - planning, 572–574, 613
- priorities, 570–571
- process, 566
- quarantine, 585
- recoverability, 583
- recovery, 587–588
  - answers to review questions, 597–601
  - data recovery, 588–589
  - post-recovery, 589
- SOAR (security orchestration and automation for response), 592
- teams
  - roles, 565–567
  - structures, 568–570
- triage, 563
incidents
- versus events, 562–563
indicator of compromise, 499
individuals, CIANA+P and, 43–44
industrial automation, 488
infiltration of code, 505
information, 4–5, 34
- company confidential, 35
- data and, 6
- explicit, 7
- versus information technology, 8–10
- knowledge pyramid and, 8
- privileged, 38
- proprietary, 35
- tacit, 7
information architecture
- assessment, 136
  - cultural context, 136–137
  - organization culture, 136–137
- business processes, 137–138
- decision flow, 137–138
- IT architecture
  - information security baseline, 138
  - information technology baseline, 138
information assets, 79
information assurance, 10, 511–513
information classification system and categorization, 97
- security baseline, 98
- security categorization, 98
- security classification, 98
information classification system, qualitative risk, 90
information processing, 4, 7
information quality, 511–512
- garbage in, 513
- lifecycle, 512
information risk, 65
- financial data, 97
- internal business processes, 97
- PII (personally identifying information), 97
information risk management, 62
- consensus building, 95–96
- integrated information risk management, 64
- risk appetite, 96
- risk tolerance, 96
information security, 10. See also security
- answers to review questions, 576–578
- baseline, 138
- hygiene, 149, 168, 674
information systems
- kill chain, 561 (See also kill chain)
- protocols, 5
information technology, 8–10, 34
- assets, 79
- baseline, 138
infotainment, 46
infrastructure, 485
- baseline management, 437
  - access control and, 437–438
  - cloud services, 439–441
  - supply chain security, 439
- BYOC (bring your own cloud), 460–461
- BYOD (bring your own device), 459
- BYOI (bring your own infrastructure), 460–461
- COPE (company-owned personally enabled), 459
- CYOD (choose your own device), 460
- malware, 452
  - countermeasures, 465–466
  - procedural misuse of capabilities, 464
- MDM (mobile device management), 459
- NOS (network operating systems), 455–457
  - IDS (intrusion detection systems), 457
- public key, 381
- TCB (trusted computing base), 447
- threat modeling and, 444–447
  - firmware vulnerabilities, 449–451
  - hardware vulnerabilities, 447–449
  - operating systems vulnerabilities, 451–453
  - TPMs (trusted platform modules), 448–449
  - virtual machines vulnerabilities, 454–455
insight, 6
insure, 9
intangible assets, 79
integrated defense, 62
integrated IAM systems, 320–321
integrated information risk management, 64
- answers to review questions, 579–581
integrity, 14, 39
- cryptography and, 351, 376–377
Internet, traffic, 220
Internet backbone, 209
Internet point of presence, 209
Internet segments, 212
Internet systems, 206–207
- addressing, 211–212
- Berners-Lee, Tim, 212–213
- best effort systems, 217
- datagrams, 207–208
- encapsulation, 209–211
- handshakes, 208–209
- packets, 209–211
- PDUs (protocol data units), 207
- routing, 211–212
- segmentation, 212
- switching, 211–212
- topologies
  - bus, 214
  - mesh, 216
  - peer-to-peer, 213–214
  - point-to-point, 213–214
  - ring, 214–215
  - star, 215
investors, dividends, 11
IOC (indicator of compromise), 143, 263, 580, 649
IoT (Internet of Things), 489
- cloud computing devices, 441
IP (Internet Protocol), 234–235
IP addresses
- dynamic, 243
- link local addresses, 246
- loopback addresses, 246
- static, 243
IP masquerading, 234
IPS (intrusion prevention system), 388, 404, 457, 495
IPSec (Internet Protocol Security), 235, 396–397
- bump-in-the-stack, 344–345, 397
- bump-in-the-wire, 344–345, 397
- IP stack, 397
- transport mode, 397
- tunnel mode, 397
IPv4
- address exhaustion, 210, 220
- addressing, classes, 245–247
- versus IPv6, 248–250
- packet format, 226
- subnetting, 247–248
IPv6
- versus IPv4, 248–250
- packages, 249
IS DRP (IS disaster recovery plan), 611
ISAKMP (Internet Security Association and Key Management Protocol), 235, 398
Ishikawa diagram, 16, 77
ISO (International Organization for Standardization), 219
ISP (Internet service provider), 209
IT architecture
- clouds, 140
- external system providers, 140
- information security baseline, 138
- information technology baseline, 138
- networks, 140
- service bureaus, 140
- shadow IT, 139–140
- software-defined service provision, 141–142
- standalone systems, 139–140
IT/OT (information technology/operational technology) lifecycle, 170–172
ITU (International Telecommunications Union), 219

J
JIT (just-in-time)
- identity, 291–292
- task-based security, 657
- training, 656–657
journalists, 44

K
Kerberos, 325–326
Kerckhoff’s principle, 366
key attacks, 412–413
key encapsulation, 319
keys, cryptographic, 360–361
- distribution and management, 361
- exchange, 211, 215, 315
- keying material, 361
- protection, 367
- protocols, 361–362
- pseudorandom numbers, 361
- public key exchange protocols, 371
- revocation, 368
- space, 361
- storage, 367
- strength, 361
- zeroization, 368–369
kill chain, 133, 560–562
KINK (Kerberized Internet Negotiations of Keys), 235
knowledge, 6
knowledge discovery, 147
knowledge engineering, 147
knowledge management, 7
knowledge pyramid, 6
knowledge seeking workers, 614

L
LANs (local area networks), objects, 296–297
law of diminishing returns, 79
Layer 1 - Physical layer (OSI model and TCP/IP), 222–223
- countermeasures, 253–254
- residual risk, 254
- tools, 252–253
- vulnerabilities, 251–252
Layer 2 - Data Link layer (OSI model and TCP/IP), 223–225
- countermeasures, 255
- residual risk, 256
- vulnerabilities, 254–255
Layer 3 - Network layer (OSI model and TCP/IP), 225–226
- countermeasures, 256
- residual risk, 257
- vulnerabilities, 256
Layer 4 - Transport layer (OSI model and TCP/IP), 226–230
- countermeasures, 257–258
- residual risk, 258
- vulnerabilities, 257
Layer 5 - Session layer (OSI model and TCP/IP), 230–231
- countermeasures, 259
- residual risk, 260
- vulnerabilities, 258–259
Layer 6 - Presentation layer (OSI model and TCP/IP), 231–232
- countermeasures, 260
- residual risk, 260
- vulnerabilities, 260
Layer 7 - Application layer (OSI model and TCP/IP), 232–233
- countermeasures, 261–262
- residual risk, 262
- vulnerabilities, 261
layers of abstraction, 207
layers, calls, 220
LDAP (Lightweight Directory Access Protocol), 309
- IAM and, 314
leaf certificates, 390
legacy systems, 139
legal accountability, 19–20
legal issues
- privacy, 34–36
- public law, 35–36
- security, 533–535
legislation, 673
lessons learned, 672–677
lexical analysis
- cryptography, 350
- cryptography and, 350
Li-Fi, 240
licensed professionals, 44
link local address, 246
links, 212
living off the land attacks, 393
LLC (Logical Link Control), sublayer, 223
locators, 212
logical connections, 209, 223
logical controls, 158
logical elements, 86
loopback addresses, 246
loss prevention, 519–521
lunchtime attacks, 386

M
MAC (media access control) address, 211
- cross MAC scheduling, 234
- spoofing, 224
- sublayer, 223–224
malformed attacks, 521–522
malware, 216, 254, 262, 317, 391–393, 452
- countermeasures, 394–395
- definition file, 284
- procedural misuse of capabilities, 393
- quarantine and, 268
managed security services providers, 458–459
management plane, 235
mandatory access control, 305, 312
MAO (maximum acceptable outage), 100
mappings, hashing, 363
massively parallel computing attacks, 414
MCTL (Militarily Critical Technologies List), 374
MDM (mobile device management), 459
media control, transmission media, 222
medical informatics, 488
Merkle, Ralph, 384
mesh topologies, 216
messages, broadcast messages, 246
metadata, as procedural knowledge, 509–511
middleware, 485
military, CIANA+P and, 45
mitigation, 108
MITRE ATT&CK framework, 564–565
ML (machine learning), 423, 457, 668
modern cryptography, 379–380
monitoring
- alert team and, 177–178
- continuous, 174–182
- end users and, 179
- IT support staff, 179
- leadership and, 179–180
- management and, 179–180
MPLS (Multiprotocol Label Switching), 239
MTO (maximum tolerable outage), 100
MTPOD (maximum tolerable period of disruption), 100
MTTR (mean time to repair), 100
multicasting, 219
multifactor authentication, 315–319

N
NAC (network access control), 305–307
- agent, 307
- agentless, 307
- IEEE 802.1X, 307–308
- inline, 307–308
- out-of-band, 307–308
- postadmission, 307
- preadmission, 307
- RADIUS (Remote Authentication Dial-In Service), 308–309
- remediation
  - captive portals, 308
  - quarantine networks, 308
name resolution, 209
narrowcasting, 46, 668
NAT (Network Address Translation), 234
NBT (NetBIOS over TCP/IP), 232
NDP (neighbor discovery protocol), 245
need to know, RBAC (role-based access control) and, 302
negative security control, 431–432
NetBIOS (Network Basic Input/Output System), 232
Network Layer 3 (OSI), 225–226
- CIANA
  - countermeasures, 256
  - residual risk, 257
  - vulnerabilities, 256
network management, functions, 234
networks, 140
- answers to review questions, 583–586
- botnets, 237–238
- CANs (campus area networks), 236
- DMZ (demilitarized zone), 237
- extranets, 236
- intranets, 236
- LANs (local area networks), 236
- overlay, 663
- SDNs (software-defined networks), 238
- segments, 236
- WANs (wide area networks), 236
newspapers of record, 46
NFC (near-field communication), 242–243
NGFWs (next-generation firewalls), 263–264
NGOs (nongovernmental organizations), 328
NIC (network interface card), 209
NIDS (network-based intrusion detection system), 387, 404
NOC (network operations center), 269–271
- tools, 270–271
non-zero day exploit, 67
nonfunctional requirements, 425, 430–431
nonrepudiation, 203
- cryptography and, 351, 377
- requirements, 501
Norsk Hydro attack, 613–614
NOS (network operating systems), 455–457
- IDS (intrusion detection systems), 457
numeric attacks, 412–413

O
OAuth, 315
OAuth (Open Authorization), 315
object storage, 455
object-based access control, 304
objects, 205
- access control, 295
- LANs, 296–297
- policy objects, 313
one-time pads, cryptographic keys and, 360–361
one-way cryptography, hashing as, 362–365
one-way trust relationship, 328, 336, 388
OODA loop (observe, orient, decide, act), 131–133
Open Systems Interconnection Reference Model, 219
OpenID Connect, 322
OpenPGP, 393
operating systems, threat modeling, 451–453
operational intelligence attacks, 413–414
operational risk mitigation planning, 108
operationalizing risk, 66
operationalizing risk mitigation, 134–135
- answers to review questions, 581–583
- control implementation, 157–161
- control selection, 151–157
- information architecture and, 135–142
- information technology architecture and, 135–142
- senior leaders and, 162
- threat assessment, 142–150
- treatment selection, 151–157
- vulnerability assessment, 142–150
organization chart as pyramid, 22
- inverted, 23
organization culture, 120
orphaned technology, 453
orphans, 384
OSI (Open Systems Interconnection) network
- Layer 1 - Physical layer, 222–223
- Layer 2 - Data Link layer, 223–225
- Layer 3 - Network layer, 225–226
- Layer 4 - Transport layer, 226–230
- Layer 5 - Session layer, 230–231
- Layer 6 - Presentation layer, 231–232
- Layer 7 - Application layer, 232–233
- mnemonics for remembering, 232
- TCP/IP comparison, 207, 221
OT (operational technology), 162–163, 381
- security, 444
OT&E (operational test and evaluation), 148–150
OTV (Overlay Transport Virtualization), 233
outcomes-based risk, 77–78, 80–81
overlay networks, 663
OWASP (Open Web Application Security Project), 495

P
PaaS (platform as a service), 142, 525
packages, IPv6, 249
packets, 209–211, 225
- IPv4, 226
partnerships, 11
PAT (Port Address Translation), 234
patent infringement, 15
patents, 15
PCCIP (President’s Commission on Critical Infrastructure Protection), 163
PDCA (Plan, Do, Check, Act), 93–95
PDU (protocol data unit), 207
peer-to-peer topologies, 213–214
penetration testing, 533
- ethical, 167
perception management, 666, 671–672
personnel reliability program, 148–149
pervasive cryptography, 373
pervasive encryption, 420–421
PGP (Pretty Good Privacy), 392
- GPG (GNU Privacy Guard), 393
- OpenPGP, 393
phishing attacks, 506, 629–630
- catphishing, 630
- deepfake phishing, 630
- spear phishing, 629–630
- whaling attacks, 630
PHY scheduling, 234
physical connections, 209
physical controls, 157–158
Physical Layer 1 (OSI), 222–223
- CIANA
  - countermeasures, 253–254
  - residual risk, 254
  - tools, 252–253
  - vulnerabilities, 251–252
physical security
- CPTED (crime prevention through environmental design), 442–443
- facilities, 442–443
- OT context, 444
- POP (point of presence), 443
- service access, 443
- services, 443
physical security systems, 488
physical systems elements, 85
PI (predictive intelligence), 668
PII (personally identifiable information), 6, 30, 59–60, 86, 139, 313, 456
PKI (public key infrastructure), 381, 384, 395
- trust relationships, 389–390
plaintext, 353
planes
- control plane, 235
- data plane, 235
- management plane, 235
platforms, 139, 485
PLCs (programmable logic controllers), 163
point-to-point topologies, 213–214
policies, 23, 106
policy objects, 313
POP (point of presence), 443
portals, captive portals, 308
Porter, Michael, 15
ports, 226
- TCP/IP, 227–229
postadmission, NAC (network access control), 267
POTS (plain old telephone systems), 211, 635–636
preadmission, NAC (network access control), 267
Presentation Layer 6 (OSI), 231–232
- CIANA
  - countermeasures, 260
  - residual risk, 260
  - vulnerabilities, 260
prevention, 110–111
priorities, 88–89
prisoner’s code, 352–353
privacy
- common law and, 34–35
- confidentiality, 38
- cryptography and, 351, 380–381
- European Union, 36
- private places, 37
- public law and, 35–36
- security and, 41–43
private browsing, 466–468
private business, CIANA+P and, 44–45
private citizens, 44
private clouds, 439–440
private spaces, 35
privilege creep, 290
- RBAC and, 302
privileged communications, 38
privileged information, 38
proactive defense, 62
probability of occurrence, 69
procedures, 106
process-based risk, 78, 81
processed data, 6
processing, 7
product development, CIANA and, 13–14
proofing, 291
proprietary information, 35
protocol stacks, 206, 218
protocols, 5
- cryptographic, 361–362
- public key exchange protocols, 371
- TCP/IP, 227–229
proximate causes, 143
Proxy ARP, 233
pseudorandom numbers, 361
- hashing and, 364–365
PSTN (public switched telephone network), 635
PUAs (potentially unwanted applications), 502
public clouds, 440
public key cryptography, 370–371
- public key exchange protocols, 371
public key encryption, 381
public key exchange protocols, 371, 381
- Diffie-Hellman-Merkle, 382–384
public law, privacy and, 35–36
public places, 37
PUPs (potentially unwanted programs), 502
pyramid chart (org chart), 22
- inverted, 23

Q
QKD (quantum key distribution), 422
qualitative risk
- compartmentalization of information, 103
- existential threats, 103
- information classification system, 103
quality assurance
- data quality assurance, 144
- software quality assurance, 144
quantitative risk
- ALE (annual loss expectancy), 100
- ARO (annual rate of occurrence), 100
- calculating for small business, 102–103
- MAO (maximum acceptable outage), 100
- MTO (maximum tolerable outage), 100
- MTPOD (maximum tolerable period of disruption), 100
- MTTR (mean time to repair), 100
- pain points, 101
- RPO (recovery point objective), 101
- RTO (recovery time objective), 101
- safeguard value, 100
- SLE (single loss expectancy), 100
quantum communications, 669
quantum cryptography, 421–422
- attacks, 422
- QKD (quantum key distribution), 422
quantum mechanics, 421
quarantine networks, 308
query injection attacks, 521–522

R
RADIUS (Remote Authentication Dial-In Service), 308–309
- Diameter, 269
- roaming, 309
Rapid Prototyping, 493
RARP (Reverse ARP), 233
raw data, 6
RBAC (role-based access control), 302–303
real estate, CIA in, 40–41
regulatory issues, security, 533–535
remedial action, 154–155
remediation
- captive portals, 308
- quarantine networks, 308
remediation quarantine, 456
reporting, 182
repudiation, 203
residual risk, 156, 254, 256
resiliency, 452–453, 467
responder’s workbench, 492–493
restore, virtual organizations, 625–626
revocation, 243
- certificate revocation, 335
- key revocation, 315–316
RFID (radio frequency identification), 242
ring topologies, 214–215
risk, 65
- accepting, 112
- anticipating, 69
- ATM (automatic teller machine), 113
- expected cost, 84
- four faces, 75–83
  - asset-based, 79
  - outcomes-based, 77–78
  - process-based, 78
  - threat-based, 79–80
- ignoring, 112
- information risk, 65
- operationalizing, 66
- residual risk, 156
risk analysis
- proximate cause analysis, 99
- root cause analysis, 99
risk appetite, 96
risk assessment, 95
- impact assessment, 129
- information risk, consensus building, 95–96
- qualitative risk
  - compartmentalization of information, 103
  - existential threats, 103
  - information classification system, 103
- quantitative risk
  - ALE (annual loss expectancy), 100
  - ARO (annual rate of occurrence), 100
  - MAO (maximum acceptable outage), 100
  - MTO (maximum tolerable outage), 100
  - MTPOD (maximum tolerable period of disruption), 100
  - MTTR (mean time to repair), 100
  - pain points, 101
  - RPO (recovery point objective), 101
  - RTO (recovery time objective), 101
  - safeguard value, 100
  - SLE (single loss expectancy), 100
- risk appetite, 96
- risk register, 104
- risk tolerance, 96
- vulnerabilities, 104
risk management, 92–93, 128
- common sense, 74–75
- concepts, 89–92
- frameworks, 89–92
risk mitigation, 128, 129
- asset management, 169–170
- configuration control, 169
- operationalizing, 134–135
  - control implementation, 157–161
  - control selection, 151–157
  - information architecture and, 135–142
  - information technology architecture and, 135–142
  - senior leaders and, 162
  - threat assessment, 142–150
  - treatment selection, 151–157
  - vulnerability assessment, 142–150
- planning, 130–132
- security assessment participation, 166
  - assessment-driven training, 168–169
  - OT&E, 166–167
risk register, 104
- asset inventories and, 173
risk tolerance, 96
risk treatment
- command and control, 162–163
- communications, 161–162
- controls
  - administrative, 158
  - implementation, 159–162
  - logical, 158
  - physical, 157–158
  - selecting, 159
  - technical, 158
- countermeasures, 159–161
- self-insuring, 153
- strategies
  - accept, 152–153
  - avoidance, 155=156
  - elimination, 155–156
  - mitigation, 154–155
  - recasting, 156
  - remediation, 154–155
  - residual, 156–157
  - transfer, 153–154
risk-averse, 136
risk-based access control, 304
risk-tolerant, 136
RJ-11 connection, 206
RJ-45 connection, 198
RMF (Risk Management Framework), 62, 64–65, 89–90
- areas of concern, 90
- conceptual, 92
- phases, 91
robots, 249
root causes, 143
root certificate, 389
rootkits, 452
routers, 225
routing, 211–212
RPO (recovery point objective), 101, 616
RSA (Rivest-Shamir-Adleman) encryption, 385
RTO (recovery time objective), 101, 616
RTP (Real-Time Transport Protocol), 231
RuBAC (rule-based access control), 304

S
S/MIME (Secure Multipurpose Internet Mail Extensions), 400
SaaS (software as a service), 142, 525
safeguard value, 100
safety, cryptography and, 381
safety requirements, 500
SAML (Security Assertion Markup Language), 314
- IAM and, 314
sandboxes, 385, 397
SAs (security associations), 235
SASE (secure access service edge), 667
SCADA (Supervisory Control and Data Acquisition), 144, 163
SCIM (system for cross-domain identity management), 315
Scrum, 493
SDLC (software development lifecycle), 491
- development and test activities, 492
- IDEs (integrated development environments) and, 493
- operational deployment, 492
- performance requirements, 492
- systems analysis, 492
- systems design, 492
- systems replacement and retirement, 492
- validation or acceptance testing, 492
- waterfall software lifecycle model, 491
SDNs (software-defined networks), 238, 532, 651–652
SDP (Session Description Protocol), 231
SDS (software-defined security), 652–653
SDU (service data unit), 211
secure browsing, 466–468
security, 10. See also information security
- data security lifecycle, 172–173
- legal issues, 533–535
- privacy and, 41–43
- regulatory issues, 533–535
security baseline, 98
security categorization, 98
security classification, 98
security evangelist, 564
security hygiene, 149
segmentation, 212, 223
self-assessment answers, 570–576
SEM (security event management), 75
semantics of data, 352, 670
senior leadership, risk mitigation and, 163–164
separation of duties, RBAC (role-based access control) and, 302
serialization, 231
server-based IAM, 319–320
servers, star network, 215
service access, physical security, 443
service bureaus, 140
service fabric, 387
services security, 443
session do-over button, 623
Session Layer 5 (OSI), 230–231
- CIANA
  - countermeasures, 259
  - residual risk, 260
  - vulnerabilities, 258–259
session management, 323–325
sets, cryptography and, 356
SFD (Start Frame Delimiter), 224
SHA (Secure Hash Algorithms), 364
shadow IT, 139–140, 507–509
- procedural knowledge
  - data as, 509–511
  - metadata as, 509–511
Shannon’s maxim, 366
shared responsibility model, 524
shouldersurfing, 299
side channel attacks, 411–412
SIE (Search Improvement Engineering), 78
SIEM (security information and event management), 75
signal conditioning, ring networks, 214–215
signature recognition, 404, 432
SIM (security information management), 75
simple security (SS) property (Bell-LaPadula model), 261
SIP (Session Initiation Protocol), 231
SLAAC (stateless automatic address configuration), 245
SLAs (service-level agreements), 533
SLE (single loss expectancy), 100, 102–103
SMB (Server Message Block), 232
SMBs (small and medium businesses), 62
SMEs (small and medium enterprises), 62
SNMP (Simple Network Management Protocol), 234
SOAR (security orchestration and automation for response), 592, 653–655
- DevSecOps and, 656
SOC (security operations center), 269–271, 307
- fusion center approach, 661–662
- tools, 270–271
social engineering attacks, 413–414
- insider information and, 629
sockets, 198, 205, 333
soft targets, 62
software
- allowed listing, 502–503
- as appliance, 487–490
- baked in security, 495
- blocked listing, 502–503
- CIANA+PS and, 498–503
- confidentiality requirements, 501
- design
  - data modeling, 496
  - data quality, 497
  - data typing, 496
- functional requirements, 500
- insecurity, 494–497
- negative control, 503–504
- nonrepudiation requirements, 501
- positive control, 502–503
- quality assurance, 144
- safety requirements, 500
software-defined service provision, 141–142
SOHO (small office/home office), 80
- migrating from, 310–311
- objects, 296–297
- subjects, 296–297
sole proprietorships, 11
sovereign identity, 292–293
spaghetti code, 425
span of control, 21–22
spear phishing, 629–630
Spiral, 493
SSCPs (Systems Security Certified Professional)
- administrative controls, 149
- Code of Ethics, 47–48
- human components, 148–149
SSL (secure sockets layer), 333, 335, 338–340
SSO (single sign-on), 310, 321
- IAM systems, 321
stakeholders, 12
standalone systems, 139–140
star topologies, 215
stateful communications processes, 229
stateless communication processes, 229
steganography, 520
stewardship, 20
strategic plans, 204
strategic telescope, 675
stream ciphers, 359
subject-based access control, 303
subjects, 205
- access control, 295
subnets, 212, 223
- IPv4, 247–248
- IPv6, 240
substitution, cryptography, 355
SUNBURST, 658
supply chain
- attacks, 657
  - 2017 TRISIS attack, 658–660
  - SUNBURST, 658
- vulnerabilities, 414–415, 439
surface web, 662–663
switching, 211–212
symbol ciphers, 359
symmetric encryption, forward secrecy, 367
symmetric key algorithms, 395
symmetric key cryptography, 370
syntax, 300–301
system security, 262–265
- analysis, 267–269
- answers to review questions, 592–594
- data loss prevention, 264
- devices, 263
- DLP (data loss prevention), 264
- infrastructure, 436
- intrusion detection and prevention, 263–264
- log management, 268
- monitoring, 267–269
- NOC (network operations center), 269–271
  - tools, 270–271
- QoS (quality of service), 264
- services, 263
- SOC (security operations center), 269–271
  - tools, 270–271
- timeframes, 262
- traffic control, 264
- wireless networks, 264–265

T
TACACS (Terminal Access Controller Access Control System), 309–310
- Active Directory and, 270
- TACACS+, 310
- XTACACS (Extended TACACS), 270
tacit information, 7
tacit knowledge, 137
tactical choices, 108
tangible assets, 79
TCB (trusted computing base), 447
TCG (Trusted Computing Group), 448–449
TCP/IP (Transmission Control Protocol over Internet Protocol), 218
- Application layer, 208–209
- ARPANet and, 219
- Data Link layer, 223–225
- IP (Internet Protocol), 210–211
- Network layer, 201–202
- OSI and
  - cross-layer protocols, 233–234
  - cross-layer services, 233–234
- OSI comparison, 207, 221
- Physical layer, 222–223
- ports, 227–229
- Presentation layer, 207–208
- protocols, 227–229
- Session layer, 206–207
- Transport layer, 202–206, 230
technical controls, 158
technical elements, 86
telemetry data, 447
Test-First, 493
threat actors, 64, 79
threat modeling, 444–447
- administrative controls, 149
- administrative threat surface, 147–148
- clouds, 529–530
- communications systems, 205–206
- firmware vulnerabilities, 449–451
- hardware vulnerabilities, 447–449
- logical threat surface, 147
- operating systems vulnerabilities, 451–453
- physical threat surface, 147
- TPMs (trusted platform modules), 448–449
- updating model, 469–470
- virtual machines vulnerabilities, 454–455
threat surface, 205
- migrating to cloud, 530–531
threat typologies, 329
threat-based risk, 79–80, 82–83
threat-centric control, 503
threats, data exfiltration, 516–518
timeframes, 262
timeline analysis, 500
TLP (Traffic Light Protocol), 298
TLS (Transport Layer Security), 393–394
tokenization, 380
topologies
- bus, 214
- mesh, 216
- peer-to-peer, 213–214
- point-to-point, 213–214
- ring, 214–215
- star, 215
TORs (terms of reference), 533
tort law, 20
TPMs (trusted platform modules), 379–380, 448–449
trade secrets, 15
traffic analysis attacks, 413–414
training, CIANA+P and, 47
transaction do-over button, 623
transformational communication paradigms, 670
transitive trust relationships, 388
transmission media control, 222
Transport Layer 4 (OSI), 226–230
- CIANA
  - countermeasures, 257–258
  - residual risk, 258
  - vulnerabilities, 257
transposition, cryptography, 355
trapdoor functions, 371
Trojan horse malware, 452
trust anchors, 386
trust frameworks, 328–329
trust relationships, 388–392
- chain of trust, 389
- PKI and, 389–390
- web of trust, 389
trust-centric control, 503
trusted installer, 313
trusted supply chain, 374–375
TTL (Time To Live), 225

U
UAVs (uninhabited aerial vehicles), 490
UDP (User Datagram Protocol), 207
UEBA (user and entity behavioral analysis), 329–332
unauthorized disclosure, 67
unethical cryptanalysis, 371
unicasting, 246
uniqueness, cryptography and, 351
unwarranted actions, 35
updates, cloud, 624
URLs (Uniform Resource Locators), 213
US-CERT Traffic Light Protocol, 298–299
user as builder, 507–509
- data/metadata as procedural knowledge, 509–511
user identities, 297
utility, cryptography and, 351

V
value chain, 15–16, 560
verifiability, 7, 87
vision, flexibility, 675
virtual organizations, 625–626
viruses, 452
VMs (virtual machines), 532
- hypervisor, 454
- vulnerabilities, threat modeling, 454–455
VoIP (Voice over Internet Protocol), 231, 635–636
voter registration case study, 70–71, 80–83, 150–152
VPNs (virtual private networks), 236, 239
- downside, 468
vulnerabilities, 66–67, 79, 80
- applications, lifecycle, 504–506
- supply chain, 414–415, 439
vulnerability assessments, 142–143
- data quality assurance, 144
- IOCs (indicators of compromise), 143
- proximate causes, 143
- as quality assurance, 144–145
- root causes, 143
- software quality assurance, 144

W
walking the gemba, 22
watermarks, 520
Web browsers, 213
Web crawlers, 213
web of trust, 389
WEP (Wired Equivalency Protocol), 241
whaling attacks, 630
whistleblowers, 44
white hat hacking, 452
WIDSs (wireless intrusion detection systems), 266–267
WIPSs (wireless intrusion prevention systems), 266–267
wireless networks, 240
- data links
  - access points, 212
  - Bluetooth, 215–216
  - NFC (near-field communication), 216
  - Wi-Fi, 214–215
- security, 240–241
  - Bluetooth, 242
  - NFC (near-field communication), 242–243
  - WEP (Wired Equivalency Protocol), 215, 241
  - WPA (Wi-Fi Protected Access), 241
  - WPA2 (Wi-Fi Protected Access Version 2), 241
wisdom, 6
workbench, 504
World Wide Web, 213
WPA (Wi-Fi Protected Access), 241
WPA2 (Wi-Fi Protected Access Version 2), 241

X
XACML (Extensible Access Control Markup Language)
- IAM and, 314
XTACACS (Extended Terminal Access Controller Access Control System), 309–310

Z
zero day exploit, 446
- historical, blocking, 622
zero trust architectures, 332–333
zero value, 365–366
zero day exploits, 68
zeroization, 315–317
Zimmerman, Phil, 392