PART III
The Technologies of Information Security

Part 3 takes us further into the technical details that SSCPs need in order to implement many of the risk mitigation controls and countermeasures we examined in Part 2, and to keep them running.

Chapter 5 shows us what we need to secure in our communications and computer networking systems and protocols and how to do it. It uses the concept of the endpoint as the boundary or demarcation between how our devices talk with each other, and how we (and our businesses, organizations, and society) get work done by talking with each other. Endpoints may be mobile or fixed, and may be “traditional” IT endpoints such as laptop computers, smartphones, or printers, as well as operational technology (OT) devices such as drones, SCADA systems, industrial and process control equipment, and sensors of many different types. You’ll use the Open Systems Interconnection (OSI) 7-layer network protocol stack, plus a few extras, to refresh your networking basics, see the threat landscape, and secure your networks from many different classes of threats.

Chapter 6 deals with two sides of the same coin: identity and access control. The essence of information risk mitigation is ensuring that only the right people and processes can read, view, use, change, or remove any of our sensitive information assets, or use any of our most important information-based business processes. Central to the identity and access control problem is that any given person or device (which we call an entity) may have many different legitimate identities which it uses, much as you have one identity for your online banking and another on your social networks. You’ll learn how to authenticate that a subject user (be that a person or a software process) is who they claim to be; use predetermined policies to decide if they are authorized to do what they are attempting to do; and build and maintain accounting or audit information that shows you who asked to do what, when, where, and how. Chapter 6 combines decades of theory-based models and ideas with cutting-edge how-to insight; both are vital to an SSCP on the job.

Chapter 7 dives deep into cryptography, the art and science of hiding plain meaning so that it is kept away from the wrong set of eyes or ears. Cryptographic techniques have become so commonplace in our modern world that we even have digital, virtual money—the cryptocurrencies—that theoretically make it all but impossible to counterfeit or fake a financial transaction. Chapter 7 will show us how to deploy and manage a variety of cryptographically powered processes, from secure email to trusted software update mechanisms.

Chapter 8 shows us how to protect and secure the hardware and software systems that provide the backbone of the infrastructures that modern organizations must have to survive and succeed. From computing hardware and operating systems to cloud-based infrastructures, SSCPs will learn important concepts and techniques pertaining to these core levels of our IT-enabled world. Building on concepts from the previous chapters, Chapter 8 will also look at endpoint security, a topic area which has taken on much greater significance in recent years.

Chapter 9 goes one technology layer further out and shows how we can ensure the confidentiality, integrity, and availability needs of the applications software systems, databases, and storage systems, as well as the “glueware” that binds them all together. It looks at securing the endpoints, whether the data, apps, and infrastructure that support them reach back into the clouds or just to a local area network. It also provides an end-to-end view of all of these technologies, and in doing so enables the SSCP to see that most (if not all) information security problems touch on every one of these technologies—so there’s a part of the solution you’ll need in each one of them as well.

Let’s get started!