Shon Harris Audio Book

CISSP ALL-IN-ONE EXAM GUIDE,
NINTH EDITION
BY FERNANDO MAYMÍ, PHD, CISSP AND
SHON HARRIS, CISSP
Contents
Table 1 11
Table 2 14
Figure 1-1 16
Table 1-1 17
Figure 1-2 18
Table 1-2 19
Figure 1-3 20
Table 1-3 21
Figure 2-1 22
Figure 2-2 23
Table 2-1 24
Table 2-2 25
Figure 2-3 26
Table 2-3 27
Figure 2-4 28
Table 2-4 29
Table 2-5 30
Figure 2-5 31
Figure 2-6 32
Table 2-6 33
Table 2-7 34
Figure 2-7 35
Table 2-8 36
Figure 2-8 37
Figure 2-9 38
Figure 2-10 39
Figure 3-1 40
Figure 3-2 41
Figure 3-3 42
Figure 3-4 43
Figure 3-5 44
Figure 4-1 45
Figure 4-2 46
Figure 4-3 47
Table 4-1 48
Table 4-2 49
Figure 4-4 50
Table 4-3 51
Figure 4-5 52
Figure 4-6 53
Table 4-4 54
Figure 4-7 55
Figure 4-8 56
Figure 4-9 57
Table 5-1 58
Figure 5-1 59
Figure 5-2 60
Table 5-2 61
Electronic Discovery Reference Model 62
Figure 5-3 63
Figure 5-4 64
Figure 5-5 65
Figure 6-1 66
Figure 6-2 67
Figure 6-3 68
Figure 6-4 69
Figure 6-5 70
Figure 6-6 71
Figure 6-7 72
Figure 7-1 73
Figure 7-2 74
Figure 7-3 75
Figure 7-4 76
Figure 7-5 77
Figure 7-6 78
Figure 7-7 79
Figure 8-1 80
Figure 8-2 81
Figure 8-3 82
Figure 8-4 83
Figure 8-5 84
Figure 8-6 85
Figure 8-7 86
Figure 8-8 87
Figure 8-9 88
Figure 8-10 89
Table 8-1 90
Figure 8-11 91
Figure 8-12 92
Figure 8-13 93
Figure 8-14 94
Figure 8-15 95
Table 8-2 96
Figure 8-16 97
Figure 8-17 98
Figure 8-18 99
Figure 8-19 100
Figure 8-20 101
Figure 8-21 102
Figure 8-22 103
Figure 8-23 104
Figure 9-1 105
Table 9-1 106
Figure 9-2 107
Figure 9-3 108
Figure 9-4 109
Figure 9-5 110
Figure 10-1 111
Figure 10-2 112
Figure 10-3 113
Figure 10-4 114
Figure 10-5 115
Figure 10-6 116
Figure 10-7 117
Figure 10-8 118
Figure 10-9 119
Table 10-1 120
Figure 10-10 121
Figure 10-11 122
Figure 10-12 123
Table 10-2 124
Table 10-3 125
Figure 10-13 126
Figure 11-1 127
Figure 11-2 128
Figure 11-3 129
Figure 11-4 130
Figure 11-5 131
Figure 11-6 132
Figure 11-7 133
Figure 11-8 134
Figure 11-9 135
Figure 11-10 136
Figure 11-11 137
Table 11-1 138
Figure 11-12 139
Table 11-2 140
Figure 11-13 141
Figure 11-14 142
Figure 11-15 143
Table 11-3 144
Figure 11-16 145
Figure 11-17 146
Figure 11-18 147
Figure 11-19 148
Figure 11-20 149
Table 11-4 150
Figure 11-21 151
Figure 11-22 152
Table 11-5 153
Figure 11-23 154
Figure 11-24 155
Figure 11-25 156
Figure 11-26 157
Figure 11-27 158
Table 11-6 159
Figure 11-28 160
Figure 11-29 161
DNS Resolution Components 162
Figure 11-30 163
Figure 11-31 164
Figure 11-32 165
Figure 11-33 166
Figure 11-34 167
Table 11-7 168
Table 11-8 169
Table 11-9 170
Frequency-division multiplexing (FDM) 171
Figure 11-35 172
Figure 11-36 173
Figure 11-37 174
Table 11-10 175
Figure 12-1 176
Figure 12-2 177
Table 12-1 178
Figure 12-3 179
Figure 12-4 180
Figure 12-5 181
Table 12-2 182
Figure 12-6 183
Figure 13-1 184
Figure 13-2 185
Figure 13-3 186
Figure 13-4 187
Figure 13-5 188
Figure 13-6 189
Figure 13-7 190
Figure 13-8 191
Figure 13-9 192
Figure 13-10 193
Figure 13-11 194
Figure 14-1 195
Table 14-1 196
Figure 14-2 197
Figure 14-3 198
Table 14-2 199
Figure 14-4 200
Figure 14-5 201
Figure 14-6 202
Table 14-3 203
Figure 14-7 204
Figure 14-8 205
Figure 14-9 206
Table 14-4 207
Figure 14-10 208
Figure 15-1 209
Figure 15-2 210
Figure 15-3 211
Figure 15-4 212
Figure 15-5 213
Table 15-1 214
Figure 15-6 215
Figure 15-7 216
Figure 16-1 217
Figure 16-2 218
RSA SecureID Time-Synchronous Two-Factor Authentication 219
Figure 16-3 220
Figure 16-4 221
Directory Schema 222
Figure 16-5 223
Chapter 16 Review Question 9 Graphic 224
Chapter 16 Review Question 10 Diagram 225
Chapter 16 Review Question 11 Graphic 226
Table 17-1 227
Figure 17-1 228
Figure 17-2 229
Figure 17-3 230
Figure 17-4 231
Figure 17-5 232
Figure 17-6 233
Figure 17-7 234
Figure 17-8 235
Figure 17-9 236
Figure 17-10 237
Table 17-2 238
Figure 17-11 239
Table 18-1 240
Figure 18-1 241
Figure 18-2 242
Figure 18-3 243
Figure 18-4 244
Figure 19-1 245
Figure 19-2 246
Figure 19-3 247
Table 19-1 248
Figure 19-4 249
Table 20-1 250
Figure 20-1 251
Figure 20-2 252
Figure 20-3 253
Figure 20-4 254
Figure 20-5 255
Figure 20-6 256
Figure 20-7 257
Figure 20-8 258
Figure 20-9 259
Figure 20-10 260
Figure 21-1 261
Figure 21-2 262
Figure 21-3 263
Figure 21-4 264
Figure 21-5 265
Figure 21-6 266
Figure 21-7 267
Table 21-1 268
Figure 21-8 269
Figure 21-9 270
Figure 21-10 271
Figure 21-11 272
Figure 21-12 273
Figure 21-13 274
Figure 21-14 275
The Cyber Kill Chain 276
Table 22-1 277
Table 22-2 278
Table 22-3 279
Table 22-4 280
Figure 22-1 281
Figure 22-2 282
Figure 22-3 283
Figure 23-1 284
Figure 23-2 285
Table 23-1 286
Figure 23-3 287
Figure 23-4 288
Figure 23-5 289
Figure 23-6 290
Figure 23-7 291
Figure 24-1 292
Figure 24-2 293
Figure 24-3 294
Figure 24-4 295
Table 24-1 296
Figure 24-5 297
Figure 24-6 298
Figure 24-7 299
Figure 24-8 300
Figure 24-9 301
Figure 24-10 302
Figure 24-11 303
Figure 25-1 304
Figure 25-2 305
Figure 25-3 306
Figure 25-4 307
Figure 25-5 308
Figure 25-6 309
Figure 25-7 310
Figure 25-8 311
Figure 25-9 312
Appendix A 313
Appendix B 367
All-In-One / CISSP® All-in-One Exam Guide, Ninth Edition / Maymí / 737-6 / Front Matter
Domain 2: Asset Security

2.4 Manage data lifecycle
2.4.1 Data roles (i.e., owners, controllers, custodians, processors, users/subjects)
2.4.3 Data location
2.4.4 Data maintenance
2.5 Ensure appropriate asset retention (e.g., End-of-Life (EOL), End-of-Support (EOS))
Domain 3: Security Architecture and Engineering
(Under 3.7 Understand methods of cryptanalytic attacks)
3.7.1 Brute force
3.7.4 Frequency analysis
3.7.6 Implementation attacks
3.7.8 Fault injection
3.7.9 Timing
3.7.10 Man-in-the-Middle (MITM)
3.7.11 Pass the hash
3.7.12 Kerberos exploitation
3.7.13 Ransomware
(Under 3.9 Design site and facility security controls)
3.9.9 Power (e.g., redundant, backup)
Domain 4: Communication and Network Security
(Under 4.1 Assess and implement secure design principles in network architectures)
4.1.3 Secure protocols
4.1.6 Micro-segmentation (e.g., Software Defined Networks (SDN), Virtual eXtensible Local
Area Network (VXLAN), Encapsulation, Software-Defined Wide Area Network (SD-WAN))
4.1.8 Cellular networks (e.g., 4G, 5G)
(Under 4.3 Implement secure communication channels according to design)
4.3.6 Third-party connectivity
Domain 5: Identity and Access Management (IAM)
(Under 5.1 Control physical and logical access to assets)
5.1.5 Applications
(Under 5.2 Manage identification and authentication of people, devices, and services)
5.2.8 Single Sign On (SSO)
5.2.9 Just-In-Time (JIT)
(Under 5.4 Implement and manage authorization mechanisms)
5.4.6 Risk based access control
(Under 5.5 Manage the identity and access provisioning lifecycle)
5.5.3 Role definition (e.g., people assigned to new roles)
5.5.4 Privilege escalation (e.g., managed service accounts, use of sudo, minimizing its use)
Table 1 CBK 2021: New Objectives (continued)
11
00-FM.indd 30 11/09/21 12:40 PM


5.6 Implement authentication systems
5.6.1 OpenID Connect (OIDC)/Open Authorization (OAuth)
5.6.2 Security Assertion Markup Language (SAML)
5.6.3 Kerberos
5.6.4 Remote Authentication Dial-In User Service (RADIUS)/Terminal Access Controller
Access Control System Plus (TACACS+)
Domain 6: Security Assessment and Testing
(Under 6.2 Conduct security control testing)
6.2.9 Breach attack simulations
6.2.10 Compliance checks
(Under 6.3 Collect security process data (e.g., technical and administrative))
6.3.6 Disaster Recovery (DR) and Business Continuity (BC)
(Under 6.4 Analyze test output and generate report)
6.4.1 Remediation
6.4.2 Exception handling
6.4.3 Ethical disclosure
Domain 7: Security Operations
(Under 7.1 Understand and comply with investigations)
7.1.5 Artifacts (e.g., computer, network, mobile device)
(Under 7.2 Conduct logging and monitoring activities)
7.2.5 Log management
7.2.6 Threat intelligence (e.g., threat feeds, threat hunting)
7.2.7 User and Entity Behavior Analytics (UEBA)
(Under 7.7 Operate and maintain detective and preventative measures)
7.7.8 Machine learning and Artificial Intelligence (AI) based tools
(Under 7.11 Implement Disaster Recovery (DR) processes)
7.11.7 Lessons learned
Domain 8: Software Development Security
(Under 8.2 Identify and apply security controls in software development ecosystems)
8.2.1 Programming languages
8.2.2 Libraries
8.2.3 Tool sets
8.2.5 Runtime
8.2.6 Continuous Integration and Continuous Delivery (CI/CD)
8.2.7 Security Orchestration, Automation, and Response (SOAR)
Table 1 CBK 2021: New Objectives
12
00-FM.indd 30 11/09/21 12:40 PM


8.2.10 Application security testing (e.g., Static Application Security Testing (SAST), Dynamic
Application Security Testing (DAST))
(Under 8.4 Assess security impact of acquired software)
8.4.1 Commercial-off-the-shelf (COTS)
8.4.2 Open source
8.4.3 Third-party
8.4.4 Managed services (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS),
Platform as a Service (PaaS))
(Under 8.5 Define and apply secure coding guidelines and standards)
8.5.4 Software-defined security
Table 1 CBK 2021: New Objectives (continued)
13
00-FM.indd 31 11/09/21 12:40 PM

Domain Description
Security and Risk This domain covers many of the foundational concepts of information
Management systems security. Some of the topics covered include
•• Professional ethics
•• Security governance and compliance
•• Legal and regulatory issues
•• Personnel security policies
•• Risk management
Asset Security This domain examines the protection of assets throughout their life cycle.
Some of the topics covered include
•• Identifying and classifying information and assets
•• Establishing information and asset handling requirements
•• Provisioning resources securely
•• Managing the data life cycle
•• Determining data security controls and compliance requirements
Security This domain examines the development of information systems that remain
Architecture and secure in the face of a myriad of threats. Some of the topics covered include
Engineering • Secure design principles
• Security models
• Selection of effective controls
• Cryptography
• Physical security
Communication This domain examines network architectures, communications
and Network technologies, and network protocols with the goal of understanding how to
Security secure them. Some of the topics covered include
• Secure network architectures
• Secure network components
• Secure communications channels
Identity and Access Identity and access management is one of the most important topics in
Management (IAM) information security. This domain covers the interactions between users
and systems as well as between systems and other systems. Some of the
topics covered include
• Controlling physical and logical access to assets
• Identification and authentication
• Authorization mechanisms
• Identity and access provisioning life cycle
• Implementing authentication systems
Security This domain examines ways to verify the security of our information
Assessment systems. Some of the topics covered include
and Testing • Assessment and testing strategies
• Testing security controls
• Collecting security process data
• Analyzing and reporting results
• Conducting and facilitating audits
Table 2 Security Domains that Make Up the CISSP CBK (continued)
14
00-FM.indd 37 11/09/21 12:40 PM

Domain Description
Security This domain covers the many activities involved in the daily business of
Operations maintaining the security of our networks. Some of the topics covered
include
•• Investigations
•• Logging and monitoring
•• Change and configuration management
•• Incident management
•• Disaster recovery
Software This domain examines the application of security principles to the
Development acquisition and development of software systems. Some of the topics
Security covered include
•• The software development life cycle
•• Security controls in software development
•• Assessing software security
•• Assessing the security implications of acquired software
•• Secure coding guidelines and standards
Table 2 Security Domains that Make Up the CISSP CBK (continued)
15
00-FM.indd 38 11/09/21 12:40 PM

All-In-One / CISSP® All-in-One Exam Guide, Ninth Edition / Maymí / 737-6 / Chapter 1
Gives rise to
Figure 1-1
The relationships Exploits
Threat
among the agent Leads to
different security Threat
concepts
Vulnerability
Risk
Directly affects
Asset Can damage
Exposure And causes an
Safeguard
Can be
countermeasured by a
16
01-ch01.indd 10 15/09/21 12:31 PM

Company A Company B
Board members understand that information Board members do not understand that
security is critical to the company and information security is in their realm of
demand to be updated quarterly on security responsibility and focus solely on corporate
performance and breaches. governance and profits.
The chief executive officer (CEO), chief The CEO, CFO, and business unit managers
financial officer (CFO), chief information officer feel as though information security is
(CIO), chief information security officer (CISO), the responsibility of the CIO, CISO, and IT
and business unit managers participate in a department and do not get involved.
risk management committee that meets each
month, and information security is always one
topic on the agenda to review.
Executive management sets an acceptable The CISO copied some boilerplate security
risk level that is the basis for the company’s policies, inserted his company’s name, and
security policies and all security activities. had the CEO sign them.
Executive management holds business unit All security activity takes place within the
managers responsible for carrying out risk security department; thus, security works
management activities for their specific within a silo and is not integrated throughout
business units. the organization.
Critical business processes are documented Business processes are not documented and
along with the risks that are inherent at the not analyzed for potential risks that can affect
different steps within the business processes. operations, productivity, and profitability.
Employees are held accountable for any Policies and standards are developed, but no
security breaches they participate in, either enforcement or accountability practices have
maliciously or accidentally. been envisioned or deployed.
Security products, managed services, and Security products, managed services, and
consulting services are purchased and consulting services are purchased and
deployed in an informed manner. They are deployed without any real research or
also constantly reviewed to ensure they are performance metrics to determine the return
cost-effective. on investment or effectiveness.
The organization is continuing to review its The organization does not analyze its
processes, including security, with the goal of performance for improvement, but continually
continued improvement. marches forward and makes similar mistakes
over and over again.
Table 1-1 Security Governance Program: A Comparison of Two Companies
17
01-ch01.indd 11 15/09/21 12:31 PM

Governance Regulations
model
Development
of metrics
Vulnerability
Common
and threat Vulnerability threats
management and threat Laws
Policy management
development System
Policy life cycle
compliance security
Process
Auditing management
Common
threats
Company Incident
assets response
Security
Physical
program Data
security
Use of classification
metrics
Personnel
security Network Business
Communication continuity
security
security
Risk analysis Process

and management Operational development
management and
monitoring
Risk analysis Tactical management Organizational

and management security
Strategic management
Figure 1-2 A complete security program contains many items.
18
01-ch01.indd 12 15/09/21 12:31 PM

Assets Motivation Process People Location Time

(What) (Why) (How) (Who) (Where) (When)
Contextual The Business risk Business Business Business Business time

business model process organization geography dependencies
model and
relationships
Conceptual Business Control Security Security Security Security-
attributes objectives strategies and entity model domain related
profile architectural and trust model lifetimes and
layering framework deadlines
Logical Business Security Security Entity schema Security Security
information policies services and privilege domain processing
model profiles definitions and cycle
associations
Physical Business Security rules, Security Users, Platform Control
data model practices, and mechanisms applications, and network structure
procedures and user infrastructure execution
interface
Component Detailed Security Security Identities, Processes, Security step
data standards products and functions, nodes, timing and
structures tools actions, and addresses, sequencing
ACLs and protocols
Operational Assurance Operation risk Security Application Security Security
of operation management service and user of sites, operations
continuity management management networks, and schedule
and support and support platforms
Table 1-2 SABSA Architecture Framework
19
01-ch01.indd 14 15/09/21 12:31 PM

Figure 1-3 Policy

Policies are
implemented
through
standards,
Standards Mandatory
procedures, and
guidelines.
Procedures
Guidelines Recommended but optional
20
01-ch01.indd 31 15/09/21 12:31 PM

Awareness Training Education

Attribute “What” “How” “Why”
Level Information Knowledge Insight
Learning Recognition and Skill Understanding
objective retention
Example Media: Practical Instruction: Theoretical Instruction:
teaching Videos Lecture and/or demo Seminar and discussion
method Newsletters Case study Reading and study
Posters Hands-on practice Research
CBT
Social engineering
testing
Test True/False, multiple Problem solving—i.e., Essay (interpret learning)
measure choice (identify recognition and resolution
learning) (apply learning)
Impact Short-term Intermediate Long-term
timeframe
Table 1-3 Aspects of Awareness, Training, and Education
21
01-ch01.indd 41 15/09/21 12:31 PM

Figure 2-1 The three tiers of risk management (Source: NIST SP 800-39)
22
02-ch02.indd 55 15/09/21 12:35 PM

Figure 2-2
The components Assess
of the risk
management
process
Frame
Monitor Respond
23
02-ch02.indd 58 15/09/21 12:35 PM

Threat Actor Can Exploit This Vulnerability To Cause This Effect

Cybercriminal Lack of antimalware software Ransomed data
Nation-state actor Password reuse in privileged Unauthorized access to
accounts confidential information
Negligent user Misconfigured parameter in the Loss of availability due to a system
operating system malfunction
Fire Lack of fire extinguishers Facility and computer loss or
damage, and possibly loss of life
Malicious insider Poor termination procedures Deletion of business-critical
information
Hacktivist Poorly written web application Website defacement
Burglar Lack of security guard Breaking windows and stealing
computers and devices
Table 2-1 Relationship of Threats and Vulnerabilities
24
02-ch02.indd 62 15/09/21 12:35 PM

02-ch02.indd 70
Prepared by:
Approved by:
Date:
Revision:
Failure Effect on . . .
Component Failure
Failure Failure or Functional Next Higher Detection
Item Identification Function Mode Cause Assembly Assembly System Method
IPS application Inline Fails to Traffic Single point of IPS blocks IPS is Health check
content filter perimeter close overload failure Denial of ingress traffic brought status sent
protection service stream down to console
and e-mail
to security
administrator
25
Central antivirus Push updated Fails to Central Individual Network is Central Heartbeat
signature update signatures to provide server node’s antivirus infected with server can status check
engine all servers and adequate, goes software is not malware be infected sent to central
workstations timely down updated and/or console,
protection infect other and e-mail
against systems to network
malware administrator
Fire suppression Suppress fire Fails to Water None Building 1 Fire Suppression
water pipes in building close in pipes has no suppression sensors tied
1 in 5 zones freezes suppression system pipes directly into
agent break fire system
available central console
Etc.
Table 2-2 How an FMEA Can Be Carried Out and Documented
15/09/21 12:35 PM
Top-level failure event is

broken down into possible Failure Event A
contributory failure events. OR symbol means that event
A happens when one or more
of events B, C, or D happen.
Failure Event B Failure Event C Failure Event D
AND symbol means that

event D happens only when
both events E and F happen.
Failure Event E Failure Event F
Figure 2-3 Fault tree and logic components
26
02-ch02.indd 71 15/09/21 12:35 PM

Single Loss Annualized Rate of Annualized Loss

Asset Threat Expectancy (SLE) Occurrence (ARO) Expectancy (ALE)
Facility Fire $230,000 0.1 $23,000
Trade secret Stolen $40,000 0.01 $400
File server Failed $11,500 0.1 $1,150
Business data Ransomware $283,000 0.1 $28,300
Customer Stolen $300,000 3.0 $900,000
credit card info
Table 2-3 Breaking Down How SLE and ALE Values Are Used
27
02-ch02.indd 75 15/09/21 12:35 PM

Consequences
Likelihood
Insignificant Minor Moderate Major Severe
Almost certain M H H E E
Likely M M H H E
Possible L M M H E
Unlikely L M M M H
Rare L L M M H
Figure 2-4 Qualitative risk matrix: likelihood vs. consequences (impact)
28
02-ch02.indd 76 15/09/21 12:35 PM

Threat = Hacker Effectiveness

Accessing Probability Potential of Intrusion
Confidential Severity of Threat Loss to the Effectiveness Detection Effectiveness
Information of Threat Taking Place Organization of Firewall System of Honeypot
IT manager 4 2 4 4 3 2
Database 4 4 4 3 4 1
administrator
Application 2 3 3 4 2 1
programmer
System 3 4 3 4 2 1
operator
Operational 5 4 4 4 4 2
manager
Results 3.6 3.4 3.6 3.8 3 1.4
Table 2-4 Example of a Qualitative Analysis
29
02-ch02.indd 77 15/09/21 12:35 PM

Attribute Quantitative Qualitative

Requires no calculations X
Requires more complex calculations X
Involves high degree of guesswork X
Provides general areas and indications of risk X
Is easier to automate and evaluate X
Used in risk management performance tracking X
Allows for cost/benefit analysis X
Uses independently verifiable and objective metrics X
Provides the opinions of the individuals who know the X
processes best
Shows clear-cut losses that can be accrued within one X
year’s time
Table 2-5 Quantitative vs. Qualitative Characteristics
30
02-ch02.indd 78 15/09/21 12:35 PM

PLAN COLLECT INFORMATION DEFINE

1. Identify team 1. Identify assets RECOMMENDATIONS
2. Identify scope 2. Assign value to assets 1. Risk mitigation
3. Identify method 3. Identify vulnerabilities and threats 2. Risk transference
4. Identify tools 4. Calculate risks 3. Risk acceptance
5. Understand acceptable 5. Cost/benefit analysis 4. Risk avoidance
risk level 6. Uncertainty analysis
MANAGEMENT
RISK MITIGATION RISK AVOIDANCE

Control selection Discontinue activity
Implementation
Monitoring
RISK TRANSFERENCE RISK ACCEPTANCE

Purchase insurance Do nothing
Figure 2-5 How a risk management program can be set up
31
02-ch02.indd 80 15/09/21 12:35 PM

Potential threat Virus scanners
Patch management
Rule-based access control
Account management
Secure architecture
Asset
Demilitarized zones (DMZs)
Firewalls
Virtual private networks (VPNs)
Policies and procedures
Physical security
Figure 2-6 Defense-in-depth
32
02-ch02.indd 84 15/09/21 12:35 PM

Control Type: Preventive Detective Corrective Deterrent Recovery Compensating

Controls by
Category:
Physical
Fences X
Locks X
Badge system X
Security guard X X X X
Mantrap doors X
Lighting X
Motion
X
detectors
Closed-circuit
X
TVs
Offsite facility X X
Administrative
Security policy X X
Monitoring
and X X
supervising
Separation
of X
duties
Job rotation X X
Information
X
classification
Investigations X
Security
X
awareness
training
Technical
ACLs X
Encryption X
Audit logs X
IDS X
Antimalware
X X
software
Workstation
X
images
Smart cards X
Data backup X
Table 2-6 Control Categories and Types
33
02-ch02.indd 87 15/09/21 12:35 PM

Characteristic Description
Modular The control can be installed or removed from an environment
without adversely affecting other mechanisms.
Provides uniform protection A security level is applied in a standardized method to all
mechanisms the control is designed to protect.
Provides override functionality An administrator can override the restriction if necessary.
Defaults to least privilege When installed, the control defaults to a lack of
permissions and rights instead of installing with everyone
having full control.
Independence of control and the The given control can protect multiple assets, and a given
asset it is protecting asset can be protected by multiple controls.
Flexibility and security The more security the control provides, the better. This
functionality should come with flexibility, which enables
you to choose different functions instead of all or none.
Usability The control does not needlessly interfere with users’ work.
Asset protection The asset is still protected even if the countermeasure
needs to be reset.
Easily upgraded Software continues to evolve, and updates should be able
to happen painlessly.
Auditing functionality The control includes a mechanism that provides auditing
at various levels of verbosity.
Minimizes dependence on other The control should be flexible and not have strict requirements
components about the environment into which it will be installed.
Must produce output in usable The control should present important information in a format
and understandable format easy for humans to understand and use for trend analysis.
Testable The control should be able to be tested in different
environments under different situations.
Does not introduce other The control should not provide any covert channels or
compromises back doors.
System and user performance System and user performance should not be greatly
affected by the control.
Proper alerting The control should have the capability for thresholds to be
set as to when to alert personnel of a security breach, and
this type of alert should be acceptable.
Does not affect assets The assets in the environment should not be adversely
affected by the control.
Table 2-7 Characteristics to Consider When Assessing Security Controls
34
02-ch02.indd 89 15/09/21 12:35 PM

Figure 2-7 Risk

Sample risk
Very High 1
heat map
2
3 7
High 5
4 6
Impact
8 10
Medium
9
12
Low 11
13
Very Low 15
14
Very Low Medium High Very

Low high
35
02-ch02.indd 94 15/09/21 12:35 PM

Level Maturity Characteristics

1 Initial Risk activities are ad hoc, reactive, and poorly controlled.
2 Repeatable Procedures are documented and (mostly) followed.
3 Defined Standard procedures, tools, and methods are applied consistently.
4 Managed Quantitative methods are applied both to risk management and to
the program.
5 Optimizing Data-driven innovation occurs across the entire organization.
Table 2-8 Typical Maturity Model
36
02-ch02.indd 96 15/09/21 12:35 PM

Figure 2-8
Simplified supply
chain
Materials Components
Supplier Manufacturer
10
10101
010
Software Distributor Customers

Developer Your Company
Security
Provider
37
02-ch02.indd 97 15/09/21 12:35 PM

Figure 2-9
Risk assessment
Establish the content
process
Communication and consultation

Risk identification
Monitor and review

Risk management
Risk analysis
(including business
impact analysis)
Risk evaluation
Risk treatment
38
02-ch02.indd 110 15/09/21 12:35 PM

Figure 2-10
Maximum Irreparable
tolerable losses
downtime
Point at which the impact
becomes unacceptable
Serious but
survivable
losses
No loss
Time
MTD
39
02-ch02.indd 113 15/09/21 12:35 PM

Attack Attack Attack
Trust Relationship Trust Relationship
Small Business Regional Supplier Multinational

Corporation
Figure 3-1 A typical island-hopping attack
40
03-ch03.indd 133 15/09/21 12:36 PM

Phishing Site Spam Zombie

Malware Download Site DDoS Extortion Zombie
Web Server Bot Activity
Warez/Piracy Server Click Fraud Zombie
Child Pornography Server Anonymization Proxy
Spam Site CAPTCHA Solving Zombie
HACKED PC
Webmail Spam eBay/Paypal Fake Auctions
Stranded Abroad Advance Scams Account Online Gaming Credentials
E-mail Attacks Credentials
Harvesting E-mail Contacts Website FTP Credentials
Harvesting Associated Accounts Skype/VoIP Credentials
Access to Corporate E-mail Client-Side Encryption Certificates
Online Gaming Characters Bank Account Data

Financial
Online Gaming Goods/Currency Credit Card Data
Virtual Goods Credentials
PC Game License Keys Stock Trading Account
Operating System License Key Mutual Fund/401(k) Account
Facebook Fake Antivirus

Twitter Ransomware
Reputation Hijacking Hostage Attacks
Linkedln E-mail Account Ransom
Google+ Webcam Image Extortion
Figure 3-2 Malicious uses for a compromised computer (Source: www.krebsonsecurity.com)
41
03-ch03.indd 135 15/09/21 12:36 PM

Figure 3-3 Gaining access into an environment and extracting sensitive data
42
03-ch03.indd 137 15/09/21 12:36 PM

Figure 3-4 Defendants added to litigation campaigns by year (Data provided by RPX Corporation
on 12/14/20. © 2020 RPX Corporation)
43
03-ch03.indd 152 15/09/21 12:36 PM

6,061 6,025
30% 4,826 30%

1,833 4,587 4,557
1,845
34% 3,608 3,603

37% 42%
1,621 3,375
1,703 1,926
40% 39%
1,430 47% 1,396
1,599 21%
65% 65%
981
3,936 61% 3,924
57%
2,928 54% 54%
2,610 48% 36%
1,957 1,961
1,608 1,636
2013 2014 2015 2016 2017 2018 2019 2020 YTD

NPE Operating Company Pure Design Patent Litigation
Figure 3-5 Data breach costs (Source: Ponemon Institute and IBM Security)
44
03-ch03.indd 160 15/09/21 12:36 PM

Figure 4-1
The NIST Risk CATEGORIZE
Management
Framework
process
MONITOR SELECT
PREPARE
Process initiation
AUTHORIZE IMPLEMENT
ASSESS
45
04-ch04.indd 174 15/09/21 3:55 PM

Figure 4-2
ISO/IEC 27005
risk management
process CONTEXT ESTABLISHMENT
RISK ASSESSMENT
RISK ANALYSIS
RISK IDENTIFICATION
RISK MONITORING AND REVIEW

RISK COMMUNICATION RISK ESTIMATION
RISK EVALUATION
RISK DECISION POINT 1 No

Assessment satisfactory
Yes
RISK TREATMENT
RISK DECISION POINT 2 No

Treatment satisfactory
Yes
RISK ACCEPTANCE
END OF FIRST OR SUBSEQUENT ITERATIONS
46
04-ch04.indd 177 15/09/21 3:55 PM

Figure 4-3 27001 General Requirements

How ISO/IEC ISMS Requirements
27000 standards
relate to each What is an ISMS?
other What must it do?
27002 General Guidelines

Code of Practice
How should an ISMS

provide information
security?
27011 Sector- 27799

ISMS Guidelines for Specific
Health Informatics -
Telecommunications Guidelines
ISMS in Health
Organizations
How should an ISMS How should an ISMS
provide information security provide information
in a telecommunications security in a health
sector organization? services organization?
47
04-ch04.indd 181 15/09/21 3:55 PM

ID Family ID Family
AC Access Control PE Physical and Environmental
Protection
AT Awareness and Training PL Planning
AU Audit and Accountability PM Program Management
CA Assessment, Authorization, and PS Personnel Security
Monitoring
CM Configuration Management PT PII Processing and Transparency
CP Contingency Planning RA Risk Assessment
IA Identification and Authentication SA System and Services Acquisition
IR Incident Response SC System and Communications
Protection
MA Maintenance SI System and Information Integrity
MP Media Protection SR Supply Chain Risk Management
Table 4-1 NIST SP 800-53 Control Categories
48
04-ch04.indd 184 15/09/21 3:55 PM

Control Baselines
Control Name
Control No. CONTROL ENHANCEMENT NAME Low Mod. High
IR-1 Policy and Procedures X X X
IR-2 Incident Response Training X X X
IR-2(1) Simulated Events X
IR-2(2) Automated Training Environments X
IR-2(3) Breach
IR-3 Incident Response Testing X X
IR-3(1) Automated Testing
IR-3(2) Coordination with Related Plans X X
Table 4-2 Sample Mapping of Security Controls to the Three Security Categories in SP 800-53
49
Basic Foundational Organizational

1. Inventory and Control of 7. Email and Web Browser 12. Boundary Defense 17. Implement Security
Hardware Assets Protections Awareness and Training
2. Inventory and Control of 8. Malware Defenses 13. Data Protection 18. Application Software
Software Assets Security
3. Continuous Vulnerability 9. Limit and Control Network 14. Control Access Based on 19. Incident Response and
Management Ports, Protocols, Services Need to Know Management
4. Controlled Use of 10. Data Recovery Capabilities 15. Wireless Access Control 20. Penetration Tests and Red
Administrative Privileges Team Exercises
5. Secure Configuration of 11. Secure Configuration of 16. Account Monitoring and

Hardware and Software Network Devices Control
6. Maintenance, Monitoring
and Analysis of Audit Logs
Figure 4-4 CIS Controls
50
04-ch04.indd 186 15/09/21 3:55 PM

Subcontrol Title IG1 IG2 IG3
13.1 Maintain an Inventory of Sensitive Information X X X
13.2 Remove Sensitive Data or Systems Not Regularly X X X
Accessed by Organization
13.3 Monitor and Block Unauthorized Network Traffic X
13.4 Only Allow Access to Authorized Cloud Storage or X X
Email Providers
13.5 Monitor and Detect Any Unauthorized Use of X
Encryption
13.6 Encrypt Mobile Device Data X X X
13.7 Manage USB Devices X X
13.8 Manage System’s External Removable Media’s X
Read/Write Configurations
13.9 Encrypt Data on USB Storage Devices X
Table 4-3 Data Protection Subcontrols Mapped to Implementation Groups
51
Business
Goals
Requirements Information
IT Goals
IT Processes
to
in
wn
Audited with
do Co
by
en nt
ro
ok
d
lle
re
Br d
su
by
ea
M
Derived
from
Control
Key Control Im
by Activities ce Fo Outcome
Objectives
ple
ed an rm Tests me
rm mr at nte
fo fo u d
Pe
r er For outcome rity Audited with wi
rp th
Fo Based on
Responsibility Control
Performance Outcome Maturity Control
Accountability Design
Indicators Measures Models Practices
Chart Tests
Figure 4-5 COBIT framework
52
04-ch04.indd 188 15/09/21 3:55 PM

External discretionary
Figure 4-6
and nondiscretionary
NIST enterprise standard/requirements
architecture
framework
Business
architecture
Drives
Enterprise
Information discretionary and
architecture non-discretionary
Feedback standards/
Prescribes regulations
Information systems
architecture
Identifies
Data architecture
Supported by
Delivery systems architecture

hardware, software, communications
53
04-ch04.indd 191 15/09/21 3:55 PM

04-ch04.indd 193
Interrogatives
What How Where Who When Why
Contextual Assets and Business Lines Business Locales Partners, Clients, Milestones and Business Strategy
(Executives) Liabilities and Employees Major Events
Conceptual Products Business Logistics and Workflows Master Calendar Business Plan
(Business Mgrs.) Processes Communications
Architectural Data Models Systems Distributed Use Cases Project Schedules Business Rule
(System Architectures Systems Models
54
Architects) Architectures
Technological Data Systems Designs System Interfaces Human Interfaces Process Controls Process Outputs
Perspective
(Audience)
(Engineers) Management
Implementation Data Stores Programs Network Nodes Access Controls Network/ Security Performance
(Technicians) and Links Operations Metrics
Enterprise Information Functions Networks Organizations Schedules Strategies
Table 4-4 Zachman Framework for Enterprise Architecture
15/09/21 3:55 PM
Figure 4-7
ITIL
Political Economical
Organizations Information
and people and technology
du
Pro cts
Environmental Social
Value
an
d s e r vice
s
Partners Value streams
and suppliers and processes
Legal Technological
55
04-ch04.indd 197 15/09/21 3:55 PM

Figure 4-8 Capability Maturity Model for a security program
56
04-ch04.indd 198 15/09/21 3:55 PM

STRATEGIC ALIGNMENT SECURITY EFFECTIVENESS
Strategic PERFORMANCE DASHBOARD

IT
Business
Strategies
Drivers
BUSINESS ENABLEMENT PROCESS ENHANCEMENT
Legal/Regulatory
Specialized Architecture
Architecture Standards
Requirements
Systems Development
Production Readiness
Project Management
Perimeter Network
Incident Response
Internal Network
Change Control
Applications
Compliance
Help Desk
Life Cycle
Facilities
Desired Risk Profile
Security Strategy
and
Policy
Privacy Blueprint
Identity Management Blueprint
Application Integrity Blueprint
Logging, Monitoring, and Reporting
Industry Systems and Network Infrastructure

TAILORED
and ISO/IEC
BEST
Business 17799 Physical and Environmental
PRACTICES
Standards
Information and Asset Baseline
Infrastructure Blueprint
Business Continuity Blueprint
Management Blueprint
SECURITY FOUNDATION
Figure 4-9 Blueprints must map the security and business requirements.
57
04-ch04.indd 202 15/09/21 3:55 PM

Organizations That
Classification Definition Example Would Use This
Public • Disclosure is not welcome, • How many people are Commercial
but it would not cause an working on a specific business
adverse impact to company project
or personnel. • Upcoming projects
Sensitive • Requires special precautions • Financial information Commercial
to ensure the integrity • Details of projects business
and confidentiality of the
• Profit earnings and
data by protecting it from forecasts
unauthorized modification
or deletion.
• Requires higher-than-
normal assurance of
accuracy and completeness.
Private • Personal information for • Work history Commercial
use within a company. • Human resources business
• Unauthorized disclosure information
could adversely affect • Medical information
personnel or the company.
Confidential • For use within the • Trade secrets Commercial
company only. • Healthcare information business
• Data exempt from disclosure Programming code Military
•
under the Freedom of Information that
•
Information Act or other keeps the company
laws and regulations. competitive
• Unauthorized disclosure
could seriously affect a
company.
Unclassified • Data is not sensitive or • Computer manual and Military
classified. warranty information
• Recruiting information
Controlled • Sensitive, but not secret. • Health records Military
unclassified • Information that cannot • Answers to test scores
information legally be made public.
(CUI)
Secret • If disclosed, it could cause • Deployment plans for Military
serious damage to national troops
security. • Unit readiness
information
Top secret • If disclosed, it could cause • Blueprints of new Military
grave damage to national weapons
security. • Spy satellite
information
• Espionage data
Table 5-1 Commercial Business and Military Data Classifications
58
05-ch05.indd 217 15/09/21 12:42 PM

Figure 5-1
The IT asset Replace or
life cycle Dispose
Business
Case
Operate &
Maintain
Create or
Acquire
59
05-ch05.indd 222 15/09/21 12:42 PM

Figure 5-2
The data
life cycle
Acquisition
Storage
Destruction
Use
Archival
Sharing
60
05-ch05.indd 231 15/09/21 12:43 PM

Type of Data General Period of Retention

Business documents (e.g., meeting minutes) 7 years
Invoices 5 years
Accounts payable and receivable 7 years
Human resource files 7 years (for employees who leave) or 3 years (for
candidates who were not hired)
Tax records 3 years after taxes were paid
Legal correspondence Permanently
Table 5-2 Typical Retention Periods for Different Types of Data
61
05-ch05.indd 236 15/09/21 12:43 PM

Electronic Discovery Reference Model
Processing
Preservation
Information
Identification Review Production Presentation
Governance
Collection
Analysis
Volume Relevance
(Source: EDRM; www.edrm.net)
62
05-ch05.indd 237 15/09/21 12:43 PM

15/09/21 12:43 PM
. . . . . . .
. . . . . . .
163
The Lion an
0.663
from sleep b
803
714
Rising up an
kill him, who
166
0
“If you woul

sure to repo
It happend
cought by so
165
0
to the groun
the ropic wit
161
163
222
164
“You ridicul
EOF
164
to help you,
of your favo
a Mouse to
Root Directory
. . . . . . . .
164
163
. . . . . . . .
63
. . . . . . . .
Story1.txt
Story2.txt
Ricin.txt
. . . . . . . .
EOF
. . . . . . . .
162
. . . . . . . .
. . . . . . . .
165
. . . . . . . .
Disk
162
161
160
0
FAT
Writing a text
Figure 5-3
file to disk
05-ch05.indd 241
15/09/21 12:43 PM
. . . . . . .
. . . . . . .
163
The Lion an
0.663
from sleep b
803
714
Rising up an
kill him, who
166
0
“If you woul

sure to repo
It happend
cought by so
165
0
to the groun
the ropic wit
161
163
222
164
“You ridicul
164
0
to help you,
of your favo
a Mouse to
Root Directory
. . . . . . . .
163
0
. . . . . . . .
64
. . . . . . . .
Story1.txt
?tory2.txt
Ricin.txt
. . . . . . . .
EOF
. . . . . . . .
162
. . . . . . . .
. . . . . . . .
165
. . . . . . . .
Disk
162
161
160
0
FAT
Deleting a file
Figure 5-4
05-ch05.indd 242
15/09/21 12:43 PM
. . . . . . .
. . . . . . .
163
Hello World
. . . . . . . .
805
12
. . . . . . . .
. . . . . . . .
166
0
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . .
165
0
. . . . . . . .
. . . . . . . .
163
163
164
“You ridicul
164
0
to help you,
of your favo
a Mouse to
Root Directory
EOF
. . . . . . . .
163
. . . . . . . .
65
. . . . . . . .
?tory2.txt
hello.txt
. . . . . . . .
EOF
. . . . . . . .
162
. . . . . . . .
. . . . . . . .
165
Disk
. . . . . . . .
162
161
160
0
FAT
overwriting
Figure 5-5
Partially
a file
05-ch05.indd 243
Figure 6-1
The states of data Data in Data in
motion use
Data at
rest
66
06-ch06.indd 254 15/09/21 12:45 PM

Figure 6-2 Overwriting storage media to protect sensitive data
67
06-ch06.indd 260 15/09/21 12:45 PM

Figure 6-3
Main components Select carrier
of steganography file.
Choose a medium to Choose a method

transfer the file of steganography.
(e-mail, website).
Sending a
steganographic
message
Embed message
Choose a program
in carrier file, and
to hide message in
if possible,
carrier file.
encrypt it.
Communicate the
chosen method to
receiver via a different
channel.
68
06-ch06.indd 264 15/09/21 12:45 PM

Mobile
device
Internet
DLP appliance
Workstation Perimeter
firewall
Data DLP policy Mobile

server server device
Figure 6-4 Network DLP
69
06-ch06.indd 272 15/09/21 12:45 PM

DLP
agent
Mobile
device
DLP
agent
Internet
firewall
DLP DLP
agent agent

Figure 6-5 Endpoint DLP
70
06-ch06.indd 273 15/09/21 12:45 PM

DLP
agent
Mobile
device
DLP
agent
Internet
DLP appliance
firewall
DLP DLP
agent agent

Figure 6-6 Hybrid NDLP/EDLP
71
06-ch06.indd 274 15/09/21 12:45 PM

Figure 6-7
Two common CASB
Cloud
approaches to Service
implementing
CASBs: proxy
and API
API
CASB Cloud
Proxy Service
CASB in Proxy Mode CASB in API Mode
72
06-ch06.indd 275 15/09/21 12:45 PM

Tier 1 Tier 2 Tier 3 Tier 4

Figure 7-1
Client Web Application Database
A typical four-tier
server-based
system 10
10101
010
Firefox Apache PHP PostgreSQL
73
07-ch07.indd 285 15/09/21 5:09 PM

Component A Component B Component C Component D
The chicken wore funny
red culottes
Component E Component F
Figure 7-2 Because Emily has access to components A, C, and F, she can figure out the secret
sentence through aggregation.
74
07-ch07.indd 286 15/09/21 5:09 PM

Figure 7-3
OT
Relationship
between
OT terms
ICS
DCS PLC SCADA
75
07-ch07.indd 290 15/09/21 5:09 PM

Tank 1 Tank 2 Tank 3

10 % 85 % 40 %
Valve 1 Valve 2 Valve 2 Delivery

Closed Closed Closed
Pump 1 Pump 2
o˜ o˜
Figure 7-4 A simplified HMI screen
76
07-ch07.indd 292 15/09/21 5:09 PM

IT DMZ IT network OT DMZ OT network
Enterprise
Public server
OT data
server historian
PLC
Internet
Work
station
HMI
Figure 7-5 A simplified IT/OT environment
77
07-ch07.indd 295 15/09/21 5:09 PM

Figure 7-6 Virtual Machine 1 Virtual Machine 2

The hypervisor
controls virtual Application Application
machine
instances. Operating system Operating system
Hypervisor
Hardware
CPU Memory Disk

NIC
78
07-ch07.indd 297 15/09/21 5:09 PM

Global
cloud
services
Data center - West Data center - East
Edge Edge
device device
Door Fire Thermal Door Fire Thermal

sensors alarms sensors sensors alarms sensors
Figure 7-7 A sample edge computing architecture for facility management
79
07-ch07.indd 309 15/09/21 5:09 PM

Figure 8-1
The scytale
was used by
the Spartans
to decipher
encrypted
messages.
80
08-ch08.indd 318 15/09/21 5:10 PM

Repeated
key
Vigenére Table
SECURITY
SYSTEMSE
SECURITY
CURITYAN
SECURITY
DCONTROL
KCUNVULCUYTCKGTLVGQHKZHJ
Key: SECURITY
Original message:
SYSTEM SECURITY AND CONTROL
Encrypted message:
KCUNVULCUYTCKGTLVGQHKZHJ
Figure 8-2 Polyalphabetic algorithms were developed to increase encryption complexity.
81
08-ch08.indd 320 15/09/21 5:10 PM

Keys
Keyspace
0 0 0 0 0 0000 0 0 0 0 0 0 000000 0
Keyspace
Keys
Figure 8-3 Larger keyspaces permit a greater number of possible key values.
82
Encrypted message
askfjaoiwenh220va8fjsdnv jaksfue92v8ssk
Intruder obtains the

message but its encryption
makes it useless to her.
Intruder
askfjaoiwenh220va8fjsdnv jaksfue92v8ssk
Figure 8-4 Without the right key, the captured message is useless to an attacker.
83
08-ch08.indd 323 15/09/21 5:10 PM

Hello Mom,
I’ve dropped out of

school and decided
to travel. Please
send money.
One-time pad Ciphertext

Message
Hello Mom,
I’ve dropped out of

school and decided
to travel. Please
send money.
Ciphertext One-time pad Message
Figure 8-5 A one-time pad
84
08-ch08.indd 326 15/09/21 5:10 PM

Symmetric encryption uses the same keys.

Figure 8-6
When using
symmetric
algorithms,
the sender and
receiver use
the same key
for encryption
and decryption
functions.
Encrypt Decrypt
message message
Message Message Message
85
08-ch08.indd 329 15/09/21 5:10 PM

Message (plaintext)—YX
1 0 1 1 1 0 0 1 1 0 1 1 0 0 0 1 Lookup table
1. XOR bit with

Key determines 1 then 0
which S-boxes S-box S-box S-box S-box 2. XOR result
are used with 0,1,1
and how. 3. XOR result
with 1,0
4. XOR result
with 0,0
S-box S-box S-box S-box
0 0 0 1 0 1 1 1 0 0 0 1 1 1 0 0
Encrypted message (ciphertext)—B9
Figure 8-7 A message is divided into blocks of bits, and substitution and transposition functions
are performed on those blocks.
86
08-ch08.indd 332 15/09/21 5:10 PM

Figure 8-8
With stream Keystream
ciphers, the bits generator
generated by
the keystream
generator are
XORed with 1
0
the bits of
1
the plaintext 1
message. 0
1
0 XOR
0
Plaintext message Ciphertext message
87
08-ch08.indd 333 15/09/21 5:10 PM

Keystream Keystream
generator generator
Key Key
Keystream Keystream
Plaintext Ciphertext Plaintext
Encrypt Decrypt
Figure 8-9 The sender and receiver must have the same key to generate the same keystream.
88
08-ch08.indd 334 15/09/21 5:10 PM

Asymmetric systems use two different keys

Figure 8-10
for encryption and decryption purposes.
An asymmetric
cryptosystem
Public Private
key key
Encrypt Decrypt message
message with different key
Message Message
89
08-ch08.indd 335 15/09/21 5:10 PM

Attribute Symmetric Asymmetric

Keys One key is shared between two or One entity has a public key, and the
more entities. other entity has the corresponding
private key.
Key Out-of-band through secure A public key is made available to
exchange mechanisms. everyone, and a private key is kept
secret by the owner.
Speed The algorithm is less complex and faster. The algorithm is more complex
and slower.
Use Bulk encryption, which means encrypting Key distribution and digital signatures.
files and communication paths.
Security Confidentiality. Confidentiality, authentication, and
service nonrepudiation.
provided
Table 8-1 Differences Between Symmetric and Asymmetric Systems
90
08-ch08.indd 338 15/09/21 5:10 PM

Figure 8-11 S1 S2
A man-in-the-
middle attack
against a
Diffie-Hellman
key agreement
Tanya
Lance
S1 S2
91
08-ch08.indd 339 15/09/21 5:10 PM

Figure 8-12
Elliptic curve
R=P+Q
92
08-ch08.indd 343 15/09/21 5:10 PM

Figure 8-13 Alice’s bit 0 1 1 0 1 0 0 1

Key distillation
Alice’s basis + + × + × × × +
between Alice
and Bob Alice’s polarization
Bob’s filter + × × × + × + +
Bob’s measurement
Shared secret key 0 1 0 1
93
08-ch08.indd 345 15/09/21 5:11 PM

Message and key will be sent to receiver.
Receiver decrypts
and retrieves the
symmetric key,
then uses this
Symmetric key symmetric key to
encrypted with an decrypt the
asymmetric key message.
Message encrypted
with symmetric key
Figure 8-14 In a hybrid system, the asymmetric key is used to encrypt the symmetric key, and the
symmetric key is used to encrypt the message
94
08-ch08.indd 347 15/09/21 5:11 PM

1.
2.
3.
Session key
Encrypted with
Tanya’s public
key
Lance
Tanya
5.
4.
Session key
1) Tanya sends Lance her public key.

2) Lance generates a random session key and encrypts it using Tanya’s public key.
3) Lance sends the session key, encrypted with Tanya’s public key, to Tanya.
4) Tanya decrypts Lance’s message with her private key and now has a copy of the session key.
5) Tanya and Lance use this session key to encrypt and decrypt messages to each other.
Figure 8-15 A session key is generated so all messages can be encrypted during one particular
session between users.
95
08-ch08.indd 349 15/09/21 5:11 PM

Algorithm Description
Message Digest 5 (MD5) algorithm Produces a 128-bit hash value. More complex
than MD4.
Secure Hash Algorithm (SHA) Produces a 160-bit hash value. Used with Digital
Signature Algorithm (DSA).
SHA-1, SHA-256, SHA-384, SHA-512 Updated versions of SHA. SHA-1 produces a
160-bit hash value, SHA-256 creates a 256-bit
value, and so on.
Table 8-2 Various Hashing Algorithms Available
96
08-ch08.indd 352 15/09/21 5:11 PM

1
Message
3
Hashing
function
10110
00101
Message
2 ? 4
10110 10110 10110
digest 00101 00101 = 00101
5
Sender Receiver
Figure 8-16 Verifying message integrity with a message digest
97
08-ch08.indd 355 15/09/21 5:11 PM

Secret key Message

1
10110
00101
Message 2 ? 4
10110 10110 10110
authentication
code (MAC)
00101 00101 = 00101
5
Sender Receiver
Figure 8-17 Verifying message integrity with a message digest
98
08-ch08.indd 356 15/09/21 5:11 PM

Message
Calculated hash
value of ABC
Encrypted with
the private key
Message ABC
Encrypted
message
digest Message ABC User reads message.
Calculates hash value

on received message = Both the calculated
ABC and sent hash
values are the
same, thus the
message was not
Decrypts sent hash
modified during
value with public key =
transmission.
ABC
Figure 8-18 Creating a digital signature for a message
99
08-ch08.indd 357 15/09/21 5:11 PM

Subject
Serial Issuer Subject
Version Signature Issuer Validity Subject public Extensions
number unique ID unique ID
key info
Identifies
the version Public key Optional
Name of
of the of owner extensions
certificate
certificate issuer
ID of
Unique Name of subject
number owner
for the
certificate ID of
issuing CA
Validity
Algorithm ID dates
used to
sign the
certificate
Figure 8-19 Each certificate has a structure with all the necessary identifying information in it.
100
08-ch08.indd 360 15/09/21 5:11 PM

Directory CA
Figure 8-20
CA and user
relationships
John requests Diane validates

Diane’s public key. John’s public key.
Diane’s public
key is sent.
Session key is encrypted

with Diane’s public key.
John Diane
101
08-ch08.indd 363 15/09/21 5:11 PM

1. Login
1. Auth
LSASS Memory:
2. List files
Username: user1
User1 (local admin) DC
NTLM: a3d747dhdh…
Remote Username: IT_Admin 2. Auth

login NTLM: b7ars7r9773…
File server
IT_Admin (domain admin)
Figure 8-21 Single sign-on in Microsoft Windows Active Directory
102
08-ch08.indd 373 15/09/21 5:11 PM

LSASS Memory:
1. Auth
Username: user1
NTLM: a3d747dhdh…
User1 (local admin) DC
Username: IT_Admin
NTLM: b7ars7r9773…
Remote 2. Auth
login
File server
IT_Admin (domain admin)
Figure 8-22 Pass-the-hash attack
103
Apparent connection
1. TLS Hello 2. TLS Hello

4. Cert: g00dsite.com 3. Cert: goodsite.com
Figure 8-23 A web-based man-in-the-middle attack
104
08-ch08.indd 374 15/09/21 5:11 PM

Steal
president’s
mailbox
Access mail Use mailbox Steal

server credentials smartphone
Use server Use social Steal access

Hack into mail Brute-force
admin engineering token from
server attack
credentials on user network
Use social Steal access A given technique can be used by a

Brute-force
engineering token from threat source in multiple attacks.
attack
on admin user the network
Figure 9-1 A simplified attack tree
105
09-ch09.indd 386 15/09/21 3:57 PM

Property
Threat Affected Definition Example
Spoofing Authentication Impersonating someone or An outside sender
something else pretending to be an HR
employee in an e-mail
Tampering Integrity Modifying data on disk, in A program modifying
memory, or elsewhere the contents of a critical
system file
Repudiation Nonrepudiation Claiming to have not A user claiming that she did
performed an action or not receive a request
to have no knowledge of
who performed it
Information Confidentiality Exposing information to An analyst accidentally
disclosure parties not authorized to revealing the inner details
see it of the network to outside
parties
Denial of Availability Denying or degrading A botnet flooding a website
service service to legitimate users by with thousands of requests a
exhausting resources needed second, causing it to crash
for a service
Elevation of Authorization Gaining capabilities without A user bypassing local
privilege the proper authorization to restrictions to gain
do so administrative access
to a workstation
Table 9-1 STRIDE Threat Categories
106
09-ch09.indd 388 15/09/21 3:57 PM

Firewall
Network segmentation
Access controls
Network detection and response (NDR)
Asset Endpoint detection and response (EDR)
Threat
Hardened host
actor
Encryption
Figure 9-2 Defense in depth
107
09-ch09.indd 391 15/09/21 3:57 PM

You manage
User Data User Data User Data
Applications Applications Applications
Services Services Services
Operating System Operating System Operating System
Hypervisor Hypervisor Hypervisor
Storage Storage Storage
Networking Networking Networking
Hardware Hardware Hardware
Facilities Facilities Facilities
SaaS PaaS IaaS
Figure 9-3 Shared responsibility in different cloud computing services
108
09-ch09.indd 393 15/09/21 3:57 PM

Figure 9-4
Functional Cryptographic Persistent memory
components processor
of a Trusted Random number
Platform Module Endorsement Key (EK)
generator
Storage Root
Secured input/output
Key (SRK)
RSA key generator
Versatile memory
Platform Configuration
Registers (PCR)
SHA-1 hash generator
Attestation Identity
Key (AIK)
Encryption-decryption-
Storage keys
signature engine
109
09-ch09.indd 406 15/09/21 3:57 PM

Figure 9-5 Rich execution Trusted execution

environment environment
A typical TEE and
its related REE
Trusted Trusted
App App
app app
TEE external API
Trust boundary
OS Trusted OS
Bootloader Trusted bootloader
Firmware
110
09-ch09.indd 409 15/09/21 3:57 PM

Helps to define… Broken down into… Used to evalute…
Risk Acceptable Baselines of Implemented

analysis risk level performance countermeasures
1. Identify: • Level of risk the • Minimum levels of • Construction

• Vulnerabilities organization is security are materials
• Threats willing to accept defined
• Security guards
2. Calculate business • Guides the team • Quantitative
impact of each to know what metrics defined • Intrusion
“enough security” detection systems
means
• Fire protection
• Emergency
training
To ensure compliance with…
Figure 10-1 Relationships of risk, baselines, and countermeasures
111
10-ch10.indd 425 15/09/21 12:50 PM

Figure 10-2 Sidewalks, lights, and landscaping can be used for protection.
112
10-ch10.indd 429 15/09/21 12:50 PM

Figure 10-3 Open areas reduce the likelihood of criminal activity.
113
10-ch10.indd 432 15/09/21 12:50 PM

Ceiling panels
Server room Computer room
Partition
Figure 10-4 An intruder can lift ceiling panels and enter a secured area with little effort.
114
10-ch10.indd 442 15/09/21 12:50 PM

Biometric access
and exit sensors
Seismically braced
server racks
Continuous
video
surveillance
Electronic
motion UPS and backup
sensors generators
Redundant
HVAC
Security controlled
breach environments
alarm
Data
Center
Gas-based fire
24 7
suppression
system
On-premises 365 Server
security operations
officers monitoring
Figure 10-5 A data center should have many physical security controls.
115
10-ch10.indd 444 15/09/21 12:50 PM

Figure 10-6
Water, steam, and
gas lines should
have emergency
shutoff valves.
116
10-ch10.indd 449 15/09/21 12:50 PM

Figure 10-7 Fluorescent light

RFI and EMI can
cause line noise
on power lines.
RFI
Power source
Electrical current
being affected
Motor
EMI
117
10-ch10.indd 450 15/09/21 12:50 PM

Figure 10-8 This configuration can cause a lot of line noise and poses a fire hazard.
118
10-ch10.indd 452 15/09/21 12:50 PM

Online UPS
DC AC
Inverter
Figure 10-9 A UPS device converts DC current from its internal or external batteries to usable AC
by using an inverter.
119
Table 10-1 Material or Component Damaging Temperature

Components Computer systems and peripheral devices 175°F
Affected
by Specific Magnetic storage devices 100°F
Temperatures Paper products 350°F
120
10-ch10.indd 454 15/09/21 12:50 PM

Figure 10-10 Portable extinguishers are marked to indicate what type of fire they should be
used on.
121
10-ch10.indd 455 15/09/21 12:50 PM

Receiver
Beam of light
Photoelectric
light emitter
Smoke particles
Figure 10-11 A photoelectric device uses a light emitter and a receiver.
122
10-ch10.indd 456 15/09/21 12:50 PM

Figure 10-12
Smoke detectors
should be
located above
suspended
Suspended
ceilings, below ceiling
raised floors, and
in air vents.
Air vent
Raised
floor
Smoke
detector
123
10-ch10.indd 457 15/09/21 12:50 PM

EU Fire Class Type of Fire Elements of Fire Suppression Agent

A Common Wood products, paper, and Water, foam, dry
combustibles laminates powders, wet chemicals
B Liquid Petroleum products and coolants CO2, foam, dry powders
C Gases Butane, propane, or methane Dry powders
D Combustible Aluminum, lithium, or magnesium Dry powders
metals
E Electrical Electrical equipment and wires CO2, dry powders
F Cooking oils Typically found in food Wet chemicals
and fats preparation and storage areas
Table 10-2 Six EU Types of Fires and Their Suppression Methods
124
10-ch10.indd 458 15/09/21 12:50 PM

Combustion Element Suppression Agent How Suppression Works

Fuel Soda acid Removes fuel
Oxygen Carbon dioxide Displaces oxygen
Temperature Water Reduces temperature
Chemical reaction FM-200 (Halon substitute) Interferes with the chemical reactions
between elements
Table 10-3 How Different Substances Interfere with Elements of Fire
125
10-ch10.indd 459 15/09/21 12:50 PM

Figure 10-13
Dry pipe
systems do not Water
supply
hold water in
the pipes.
When temperature
meets a predefined value,
the valve opens.
Water valve
opened
Water sprinklers
126
10-ch10.indd 460 15/09/21 12:50 PM

OSI model TCP/IP model

Figure 11-1
The OSI and TCP/
Application
IP networking
models
Presentation Application
Session
Transport Host-to-host
Network Internet
Data link Network access
Physical
127
11-ch11.indd 471 15/09/21 12:51 PM

Data encapsulation
Application Data
Presentation Data
Session Data
Transport Data
Network Data
Data link Data
Physical Data
Figure 11-2 Each OSI layer protocol adds its own information to the data packet.
128
11-ch11.indd 473 15/09/21 12:51 PM

Outlook Firefox Word
API API API
SMTP
HTTP
LPD
Figure 11-3 Applications send requests to an API, which is the interface to the supporting protocol.
129
11-ch11.indd 475 15/09/21 12:51 PM

Figure 11-4 Application layer

The presentation
layer receives
data from the Presentation layer
application layer
and puts it into a
standard format.
Compression Encryption TIFF JPEG
130
11-ch11.indd 476 15/09/21 12:51 PM

Session layer
Figure 11-5
The session
layer sets up
the connection,
maintains it,
and tears it Connection establishment
down once
communication
is completed.
Data transfer
Connection release
131
11-ch11.indd 477 15/09/21 12:51 PM

Firefox Outlook Zoom
Data Data Data Data Data Data
Transport layer
Data Data Data Data Data Data Data Data Data Data
Assemble data into a stream
Figure 11-6 TCP formats data from applications into a stream to be prepared for transmission.
132
11-ch11.indd 480 15/09/21 12:51 PM

Network layer
Figure 11-7 The network layer determines the most efficient path for each packet to take.
133
11-ch11.indd 481 15/09/21 12:51 PM

OSI layers
Figure 11-8
The data link
layer is made up Upper layers IEEE 802 layers
of two sublayers.
LLC
Logical Link Control
Data link
MAC
Media Access Control
Physical
Physical
134
11-ch11.indd 482 15/09/21 12:51 PM

Message
Application Application
Encryption, compression,
standard formatting Presentation
Presentation
Session maintenance
Session Session
End-to-end
connection
Transport Transport
Datagram Datagram
Network Network Network
Frame Frame Frame

Data link Data link Data link Data link
Bits Bits Bits Bits

Physical Physical Physical Physical Physical
Bridge Computer Router Computer Repeater
Figure 11-9 Each device works at a particular layer within the OSI model.
135
11-ch11.indd 486 15/09/21 12:51 PM

Figure 11-10
In a mesh
topology,
each node is
connected to
all other nodes,
which provides
for redundant
paths.
136
11-ch11.indd 488 15/09/21 12:51 PM

Figure 11-11
A ring topology
forms a closed-
loop connection.
137
11-ch11.indd 489 15/09/21 12:51 PM

Topology Characteristics Problems

Bus Uses a linear, single cable for all If one station experiences a problem,
computers attached. All traffic travels it can negatively affect surrounding
the full cable and can be viewed by all computers on the same cable.
other computers.
Ring All computers are connected by a If one station experiences a problem,
unidirectional transmission link, and it can negatively affect surrounding
the cable is in a closed loop. computers on the same ring.
Star All computers are connected to a The central device is a single point of
central device, which provides more failure.
resilience for the network.
Tree A bus topology with branches off of Multiple single points of failure.
the main cable.
Mesh Computers are connected to each Requires more expense in cabling and
other, which provides redundancy. extra effort to track down cable faults.
Table 11-1 Summary of Network Topologies
138
11-ch11.indd 490 15/09/21 12:51 PM

Figure 11-12 Router

Collision domains
within one Broadcast domain
broadcast domain
Collision domain Collision domain
Switch
Collision domain
Wireless
access point
139
11-ch11.indd 493 15/09/21 12:51 PM

Table 11-2 Cable Type

Ethernet Ethernet Type IEEE Standard (minimum) Speed
Implementation 10Base-T 802.3i-1990 Cat3 UTP 10 Mbps
Types
100Base-TX, 802.3u-1995 Cat5 UTP 100 Mbps
Fast Ethernet
1000Base-T, 802.3ab-1999 Cat5 UTP 1,000 Mbps
Gigabit Ethernet
10GBase-T 802.3an-2006 Cat6a UTP 10,000 Mbps
140
11-ch11.indd 495 15/09/21 12:51 PM

Frame
Figure 11-13
A Token Ring
network
Logical ring
MAU
Physical star
141
11-ch11.indd 496 15/09/21 12:51 PM

Devices are connected

to both rings in case
the primary ring fails.
Connecting
to another
network Concentrating hub Concentrating hub
Patch panel
Primary ring Secondary ring
Figure 11-14 FDDI rings can be used as backbones to connect different LANs.
142
11-ch11.indd 497 15/09/21 12:51 PM

Figure 11-15
FDDI device SAS SAC
SAS
types
Primary ring
DAC
SAS
Secondary ring
DAS
DAS
143
11-ch11.indd 498 15/09/21 12:51 PM

LAN Implementation Standard Characteristics

Ethernet IEEE 802.3 Uses broadcast and collision domains.
Uses CSMA medium access control method.
Can use coaxial, twisted-pair, or fiber-optic
media.
Transmission speeds of 10 Mbps to 10 Gbps.
Token Ring IEEE 802.5 Token-passing media access method.
Transmission speeds of 4 to 16 Mbps.
Uses an active monitor and beaconing.
Effectively defunct.
FDDI ANSI standard Dual counter-rotating rings for fault tolerance.
Based on IEEE 802.4 Transmission speeds of 100 Mbps.
Operates over long distances at high speeds
and is therefore used as a backbone.
CDDI works over UTP.
Very rarely seen in the enterprise.
Table 11-3 LAN Media Access Methods
144
11-ch11.indd 499 15/09/21 12:51 PM

Encrypted Encrypted Encrypted Encrypted
Switch Switch Switch
Server Workstation
Figure 11-16 MACSec provides layer 2 frame protection.
145
11-ch11.indd 500 15/09/21 12:51 PM

IEEE
802.1AF
IEEE
Internal
802.1AR
network
Authentication
server
Certificate
authority
IETF
Key mgt
framework
Upstream
device
0. New device is physically installed.
1. An 802.1X conversation starts.
2. EAP-TLS messages are forwarded.
3. Key material is returned and stored.
New 4. Session keys are generated.
infrastructure IEEE 5. MACSec encryption is enabled.
device 802.1AE
Figure 11-17 Layer 2 security protocols
146
11-ch11.indd 502 15/09/21 12:52 PM

Connection-oriented communication
performs handshaking, sets up a virtual
circuit, and verifies that each packet
reaches its destination.
Host A Host B
Connectionless communication
just puts the packets
on the wire.
Figure 11-18 Connection-oriented protocol vs. connectionless protocol functionality
147
11-ch11.indd 504 15/09/21 12:52 PM

Web browser E-mail client Ping utility SSH client
Telnet SMTP DNS HTTP POP ECHO FTP SSH DNS SNMP
Application
23 25 53 80 110 7 21 22 53 161
TCP UDP
Transport
Network
Data link
Physical
Figure 11-19 The packet can communicate with upper-layer protocols and services through a port.
148
11-ch11.indd 505 15/09/21 12:52 PM

Source port Destination port Source port Destination port
Sequence number Length Checksum
Acknowledgment number Data
Offset Reserved Flags Window

UDP format
Checksum Urgent pointer
Options Padding
Data
TCP format
Figure 11-20 TCP carries a lot more information within its segment because it offers more
services than UDP.
149
11-ch11.indd 506 15/09/21 12:52 PM

Property TCP UDP
Reliability Ensures that packets reach their Does not return ACKs and does not
destinations, returns ACKs when guarantee that a packet will reach its
packets are received, and is a reliable destination. Is an unreliable protocol.
protocol.
Connection Connection-oriented. It performs Connectionless. It does no
handshaking and develops a virtual handshaking and does not set up a
connection with the destination virtual connection.
computer.
Packet Uses sequence numbers within Does not use sequence numbers.
sequencing headers to make sure each packet
within a transmission is received.
Congestion The destination computer can tell the The destination computer does not
controls source if it is overwhelmed and thus communicate back to the source
slow the transmission rate. computer about flow control.
Usage Used when reliable delivery is Used when reliable delivery is not
required. Intended for relatively small required and high volumes of data
amounts of data transmission. need to be transmitted, such as in
streaming video and status broadcasts.
Speed and Uses a considerable amount of Uses fewer resources and is faster
overhead resources and is slower than UDP. than TCP.
Table 11-4 Major Differences Between TCP and UDP
150
1. SYN
Figure 11-21
The TCP three-
2. SYN/ACK
way handshake
3. ACK
Host A Host B
151
11-ch11.indd 508 15/09/21 12:52 PM

Figure 11-22 Decapsulation Protocol data units (PDUs)

Data goes
through its own Data Application: Data
evolutionary
stages as it
Transport Transport: Segments
passes through header
Data
the layers within
the network Network Transport
stack. Data Network: Packets
header header
Frame Network Transport Frame Data link:

Data
header header header trailer Frames
1 0 1 0 0 1 0 0 0 1 0 1 0 1 0 0 0 1 1 1 0 1 0 1 0 1 0 0 0 0 1 0 0 Bits
152
11-ch11.indd 509 15/09/21 12:52 PM

Class Address Range Description

A 0.0.0.0 to 127.255.255.255 The first byte is the network portion, and the
remaining 3 bytes are the host portion.
B 128.0.0.0 to 191.255.255.255 The first 2 bytes are the network portion, and the
remaining 2 bytes are the host portion.
C 192.0.0.0 to 223.255.255.255 The first 3 bytes are the network portion, and the
remaining 1 byte is the host portion.
D 224.0.0.0 to 239.255.255.255 Used for multicast addresses.
E 240.0.0.0 to 255.255.255.255 Reserved for research.
Table 11-5 IPv4 Addressing
153
11-ch11.indd 510 15/09/21 12:52 PM

Router
Figure 11-23
Subnets create
logical partitions.
Subnet 1 Subnet 2 Subnet 3

132.201.1.x 132.201.2.x 132.201.3.x
154
11-ch11.indd 511 15/09/21 12:52 PM

IPv4 header
0 4 8 12 16 20 24 28 31
Version IHL Type of service Total length
Identification Flags Fragment offset
Time to live Protocol Header checksum
Source address
Destination address
IPv6 header
0 4 8 12 16 20 24 28 32 36 40 44 48 52 56 60 63
Version Traffic class Flow label Payload length Next header Hop limit
Source address
Destination address
Figure 11-24 IPv4 vs. IPv6 headers
155
11-ch11.indd 513 15/09/21 12:52 PM

Client connecting from

globally routable IPv6 External CRL
Domain controllers NAP servers Certification
address distribution authority
IPv6
6to4
public IPv4 address
Network Internal CRL
DNS servers
location server distribution point
Teredo
ISATAP tu
nneled IPV IPv6
Client connecting from IPv4 6 traffic
private (NAT) IPv4 address
IP-HTTPS

behind a firewall, or unable Application servers Application servers Application servers
to connect via other running IPv4 running ISATAP running native IPv6
methods Internet Intranet
Figure 11-25 Various IPv4 to IPv6 tunneling techniques
156
11-ch11.indd 515 15/09/21 12:52 PM

IP: 10.0.0.7
MAC: aa:aa:aa:aa:aa:aa
Alice
Who has
10.0.0.7?
10.0.0.7 is at
aa: aa:aa:aa:aa:aa
Bob
10.0.0.7 is at
cc:cc:cc:cc:cc:cc:
IP: 10.0.0.1 10.0.0.7 is at
MAC: bb:bb:bb:bb:bb:bb cc:cc:cc:cc:cc:cc:
10.0.0.7 is at
cc:cc:cc:cc:cc:cc: Attacker
10.0.0.7 is at
cc:cc:cc:cc:cc:cc:
IP: 10.0.0.3
MAC: cc:cc:cc:cc:cc:cc
Figure 11-26 ARP poisoning attack
157
11-ch11.indd 517 15/09/21 12:52 PM

• DHCPDISCOVER—Client searches for the presence of DHCP servers.

Client
DHCP • DHCPOFFER—DHCP server offers the client an available IP address and service settings.
server
• DHCPREQUEST—Client confirms accepting the allocated

Client settings.
• DHCPACK—DHCP server acknowledges that the particular IP address has now been
DHCP allocated to the client system for a specific lease period.
server
Figure 11-27 The four stages of the Discover, Offer, Request, and Acknowledgment (D-O-R-A)
process
158
11-ch11.indd 519 15/09/21 12:52 PM

Table 11-6 Type Name

ICMP Message 0 Echo Reply
Types
1 Unassigned
2 Unassigned
3 Destination Unreachable
4 Source Quench
5 Redirect
6 Alternate Host Address
7 Unassigned
8 Echo Request
9 Router Advertisement
10 Router Solicitation
11 Time Exceeded
12 Parameter Problem
13 Timestamp
14 Timestamp Reply
15 Information Request
16 Information Reply
17 Address Mask Request
18 Address Mask Reply
19 Reserved (for Security)
20–29 Reserved (for Robustness Experiment)
30 Traceroute
31 Datagram Conversion Error
32 Mobile Host Redirect
33 IPv6 Where-Are-You
34 IPv6 I-Am-Here
35 Mobile Registration Request
36 Mobile Registration Reply
37 Domain Name Request
38 Domain Name Reply
39 SKIP
40 Photuris (Disambiguation)
41 ICMP messages utilized by experimental mobility protocols
such as Seamoby
159
11-ch11.indd 521 15/09/21 12:52 PM

SNMP agent
MIB SNMP agent
SNMP agent MIB
SNMP agent MIB
MIB
WAN
SNMP agent SNMP agent

MIB MIB
SNMP agent
MIB
Statistics
Alerts
SNMP manager
Events
Figure 11-28 Agents provide the manager with SNMP data.
160
11-ch11.indd 523 15/09/21 12:52 PM

Root-level
domain
Top-level domain
COM EDU ORG
Second-level domain
mheducation usma ieee
Figure 11-29 The DNS naming hierarchy is similar to the routing hierarchy on the Internet.
161
11-ch11.indd 526 15/09/21 12:52 PM

DNS Resolution Components
Server-to-server
DNS client (resolver) Client-to-server query
query (recursion)
Zones
Other DNS servers

Q3 A3
DNS DNS
resolver server
cache
Q1 Q2 Q5
A1 A2 A5
Web browser Q4
A4
URL: www.google.com
DNS server
HOSTS file cache
162
11-ch11.indd 528 15/09/21 12:52 PM

Border
routers
Interior
routing
ols
protocols
rotoc
p
Autonomous ng
routi Interior
system
erior routing
Ext protocols
Autonomous
system
Figure 11-30 Autonomous systems
163
11-ch11.indd 534 15/09/21 12:52 PM

Business 1 Business 2
Local Local
loop loop
Sonet
LAN Routers CSU/DSU Switch Switch CSU/DSU Routers LAN

Telco central office
Figure 11-31 A MAN covers a large area and enables businesses to connect to each other, to the
Internet, or to other WAN connections.
164
11-ch11.indd 538 15/09/21 12:52 PM

Nearby Nearby
city city
Regional Long-haul
SONET ring network
DSL DSL Local

SONET
POP ring
TI TI
POP Business Business POP
loop loop
TI TI
Campus
Private
loop
DSL DSL
Figure 11-32 Smaller SONET rings connect to larger SONET rings to construct individual MANs.
165
11-ch11.indd 539 15/09/21 12:52 PM

Customer Aggregation Core Aggregation Customer
Government Government
GigE GigE
VCG 1
10 GigE 10 GigE
VCG 1
VCG 1
Layer 2/3 Layer 2/3
Enterprise Enterprise
switches Standards- Standards-
based, based,
intelligent intelligent
packet-to- packet-to-
Content hosting circuit circuit Content hosting
mapping mapping
Figure 11-33 MAN architecture
166
11-ch11.indd 540 15/09/21 12:52 PM

Channel slots
(8 bits each)
… 22 23 24 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 1 2 3 …
Previous TI frame Next

frame frame
Figure 11-34 Multiplexing puts several phone calls, or data transmissions, on the same wire.
167
11-ch11.indd 541 15/09/21 12:52 PM

Table 11-7 Carrier # of T1s # of Channels Speed (Mbps)

A T-Carrier Fractional 1/24 1 0.064
Hierarchy
Summary Chart T1 1 24 1.544
T2 4 96 6.312
T3 28 672 44.736
T4 168 4,032 274.760
168
11-ch11.indd 542 15/09/21 12:52 PM

Table 11-8 Signal Rate
E-Carrier E0 64 Kbps
Characteristics
E1 2.048 Mbps
E2 8.448 Mbps
E3 34.368 Mbps
E4 139.264 Mbps
E5 565.148 Mbps
169
Table 11-9 Optical Carrier Speed

OC Transmission OC-1 51.84 Mbps
Rates
OC-3 155.52 Mbps
OC-9 466.56 Mbps
OC-12 622.08 Mbps
OC-19 933.12 Mbps
OC-24 1.244 Gbps
OC-36 1.866 Gbps
OC-48 2.488 Gbps
OC-96 4.977 Gbps
OC-192 9.953 Gbps
OC-768 40 Gbps
OC-3072 160 Gbps
170
11-ch11.indd 543 15/09/21 12:52 PM

Amplitude
modulation
with carrier f1
Amplitude
modulation
with carrier f2
Amplitude
Filter
demodulation
Amplitude
Filter
demodulation
Frequency-division multiplexing (FDM)
171
11-ch11.indd 544 15/09/21 12:52 PM

Florida Washington
Switch Switch
Router WAN Router
CSU/DSU CSU/DSU
Figure 11-35 A CSU/DSU is required for digital equipment to communicate with

telecommunications lines.
172
11-ch11.indd 545 15/09/21 12:52 PM

Figure 11-36 Packet switching

Circuit switching
provides one
road for a
communication
path, whereas
packet switching
provides many
different possible Circuit switches
roads.
Circuit switching
173
11-ch11.indd 546 15/09/21 12:52 PM

Site Site
B B
Site Site Site Site

A C A C
Frame relay
Dedicated network
lines
Site Site Site Site

E D E D
Private network method Frame relay method

(public method)
Figure 11-37 A private network connection requires several expensive dedicated links. Frame
relay enables users to share a public network.
174
11-ch11.indd 549 15/09/21 12:52 PM

WAN Technology Characteristics

Dedicated line Dedicated, leased line that connects two locations
Expensive compared to other WAN options
Secure because only two locations are using the same medium
Frame relay High-performance WAN protocol that uses packet-switching technology,
which works over public networks
Shared media among organizations
Uses SVCs and PVCs
Fee based on bandwidth used
X.25 First packet-switching technology developed to work over public
networks
Lower speed than frame relay because of its extra overhead
Uses SVCs and PVCs
Basically obsolete and replaced with other WAN protocols
ATM High-speed bandwidth switching and multiplexing technology that has
a low delay
Uses 53-byte fixed-size cells
Very fast because of the low overhead
HSSI DTE/DCE interface to enable high-speed communication over WAN links
Table 11-10 Characteristics of WAN Technologies
175
11-ch11.indd 552 15/09/21 12:52 PM

Figure 12-1
Various wireless Satellite network
networks
Wireless wide area

networks
4G/LTE
Wireless metropolitan
area networks
WiMAX
Wi-Fi AP
Wireless local area
networks
ZigBee
Wireless personal area
networks
Bluetooth
176
12-ch12.indd 560 15/09/21 12:54 PM

Figure 12-2
Access points
allow wireless
devices to
participate in
wired LANs.
Station
Access point
177
12-ch12.indd 564 15/09/21 12:54 PM

Table 12-1 Technology Supported Wi-Fi Generation

Generational 802.11b Wi-Fi 1
Wi-Fi
802.11a Wi-Fi 2
802.11g Wi-Fi 3
802.11n Wi-Fi 4
802.11ac Wi-Fi 5
802.11ax Wi-Fi 6
178
12-ch12.indd 566 15/09/21 12:54 PM

1 A subscriber sends 2 The base station recevies

wireless traffic at speeds transmissions from multiple sites
ranging from 2 Mbps to 155 Mbps and sends traffic over wireless or
from a fixed antennna on a building. wired links to a switching center
using 802.16 protocol.
Switching center
Wireless or wired link

using 802.16 protocol
Residential 3 The switching center

subscriber sends traffic to an ISP
or the public-switched
Base station telephone network. ISP
Office building
subscribers
Figure 12-3 Broadband wireless in MAN
179
12-ch12.indd 569 15/09/21 12:54 PM

Figure 12-4 Smart

ZigBee in a light bulb
smart home
ZigBee Serial link

mesh
links
ZigBee Smartphone app
bridge (coordinator)
Smart
dimmer
switch
180
12-ch12.indd 571 15/09/21 12:54 PM

F0 F1 F0
F2 F3 F2
F0 F4
Figure 12-5 Nonadjacent cells can use the same frequency ranges.
181
12-ch12.indd 583 15/09/21 12:54 PM

2G 3G 4G 5G
Spectrum 1,800 MHz 2 GHz Various Various
3–86 GHz
Bandwidth 25 MHz 25 MHz 100 MHz 30–300 MHz
Multiplexing Type TDMA CDMA OFDMA OFDMA
New Features Digital voice, Mobile Internet Mobile broadband, Ultra-HD and
Introduced SMS, MMS access, video HD video 3D video
Data Rate 115–128 Kbps 384 kbps 100 Mbps (moving) Up to 10 Gbps
1 Gbps (stationary)
Introduction 1993 2001 2009 2018
Table 12-2 The Different Characteristics of Mobile Technology
182
12-ch12.indd 587 15/09/21 12:54 PM

Satellite
Satellite link
Earth station (HUB) VSAT

Fiber optics
Internet backbone
LAN
Figure 12-6 Satellite broadband
183
12-ch12.indd 589 15/09/21 12:54 PM

End-to-end encryption happens at higher

layers and does not encrypt headers and trailers.
1010 Encrypted message 1011
Encrypted message
Link encryption happens at lower layers

and encrypts headers and trailers
of the packet.
Figure 13-1 Link and end-to-end encryption happen at different OSI layers.
184
13-ch13.indd 601 15/09/21 12:55 PM

Private link provided by VPN
Remote user Server
Figure 13-2 A VPN provides a virtual dedicated link between two entities across a public network.
185
13-ch13.indd 605 15/09/21 12:55 PM

Enterprise Enterprise
ISP local POP ISP core network
remote office headquarters
Enterprise
intranet
LNS
Client LAC
IP PPP L2TP PPP IP
IPSec
Figure 13-3 IP, PPP, L2TP, and IPSec can work together.
186
13-ch13.indd 607 15/09/21 12:55 PM

Outbound SA Outbound SA
To Protocol Authentication Encryption To Protocol Authentication Encryption
Joe ESP SHA- 1 , x AES, y Mary AH MD 5, z
Inbound SA Inbound SA
From Protocol Authentication Encryption From Protocol Authentication Encryption
Joe AH MD 5, z Mary ESP SHA- 1 , x AES, y
Authenticate Verify
and encrypt and decrypt
IPSec packet
Verify Authenticate
IPSec packet
Figure 13-4 IPSec uses security associations to store VPN parameters.
187
13-ch13.indd 608 15/09/21 12:55 PM

Figure 13-5 Organizational

environment Inventory
Example just-in-
time logistics B2B
web service
s
te
da
Sh
Up
ipm
en
ts
Updates
Orders
Customers Point of ers Suppliers

sale Ord
Forecasting
188
13-ch13.indd 612 15/09/21 12:55 PM

Response:
.com? “Ask com”
n net
.iro
w ww DNS root server
know
Query for Is this host in you
Do
www.ironnet.com my cache?
Response:
Do you know www.ironnet.com?
“Ask ironnet.com”
Do y
ou k
now .com DNS server
www
.iron
net.c
Client Local DNS om? Response:
server A 10.0.0.7
ironnet.com
DNS server
Figure 13-6 A recursive DNS query
189
13-ch13.indd 616 15/09/21 12:55 PM

Compromised system DNS server

7lybodzg6ka5w3qc1.com
NXDOMAIN
gln35e9s82.info
NXDOMAIN
x5bnb2gxs.org
10.0.0.6
Checking in…
Sleep for 7 hours
x5bnb2gxs.org
10.0.0.6
Figure 13-7 DGA in use by a compromised system
190
13-ch13.indd 618 15/09/21 12:55 PM

Attacker’s Response
C2 server “Ask com”
DNS root server

Query for
SUQ6MTIzNEBhY21l . g00dsite.com Is this host in
my cache? Response:
“Ask g00dsite.com”
.com DNS server
Compromised system Local DNS Response:

Base64 encoded payload: server
TXT V2lwZSB0YXJnZXQh
ID:1234@acme
g00dsite.com
Base64 encoded payload:

Wipe target!
Figure 13-8 Covert communication over a DNS tunnel
191
13-ch13.indd 619 15/09/21 12:55 PM

Mail server Mail server
E-mail E-mail
client client
SMTP SMTP
Mail server
Sender Receiver
Mail server Mail server
Figure 13-9 SMTP works as a transfer agent for e-mail messages.
192
13-ch13.indd 622 15/09/21 12:55 PM

Figure 13-10 Floor 2 Floor 1

VLANs enable
administrators to
manage logical
networks.
Floor 3 Floor 4
193
13-ch13.indd 630 15/09/21 12:55 PM

Figure 13-11
VLANs exist on D1 D2 Development D3 D4 D5
Virtual netwrok
a higher level VLAN
than the physical
network and are
not bound to it. P1 P2 P3
Payroll
P4 P5
VLAN
P1 D1 P2 P3 D2 P4 D3 D4 P5 D5
Physical netwrok
Switch Switch
Enterprise switch
194
13-ch13.indd 631 15/09/21 12:55 PM

Digital signal
Analog signal
Amplitude Frequency
Figure 14-1 Analog signals are measured in amplitude and frequency, whereas digital signals
represent binary digits as electrical pulses.
195
14-ch14.indd 644 15/09/21 8:05 PM

Asynchronous Synchronous
Simpler, less costly implementation More complex, costly implementation
No timing component Timing component for data transmission
synchronization
Parity bits used for error control Robust error checking, commonly through cyclic
redundancy checking (CRC)
Used for irregular transmission patterns Used for high-speed, high-volume transmissions
Each byte requires three bits of instruction Minimal protocol overhead compared to
(start, stop, parity) asynchronous communication
Table 14-1 Main Differences Between Asynchronous and Synchronous Transmissions
196
14-ch14.indd 647 15/09/21 8:05 PM

Figure 14-2 Sheath Insulation (PVC, Teflon)

Coaxial cable
Braided shielding Conducting core
197
14-ch14.indd 649 15/09/21 8:05 PM

Figure 14-3
Twisted-pair
cabling uses
copper wires.
Outer Insulated Copper wire

jacket wires conductor
198
UTP Category Characteristics Usage

Category 1 Voice-grade telephone cable for up No longer in use for data or phones.
to 1 Mbps transmission rate
Category 2 Data transmission up to 4 Mbps Historically used in mainframe and
minicomputer terminal connections,
but no longer in common use.
Category 3 10 Mbps for Ethernet Used in older 10Base-T network
installations and legacy phone lines.
Category 4 16 Mbps Normally used in Token Ring
networks.
Category 5 100 Mbps; two twisted pairs Sometimes used in legacy 100Base-
TX; deprecated in 2001 for data but
still used for telephone and video.
Category 5e 1 Gbps; four twisted pairs, providing Widely used in modern networks.
reduced crosstalk
Category 6 1 Gbps, but can support 10 Gbps up Used in newer network installations
to 55 meters requiring high-speed transmission.
Standard for Gigabit Ethernet.
Table 14-2 UTP Cable Ratings
199
14-ch14.indd 650 15/09/21 8:05 PM

Original digital signal Transmission
Destination
Attenuation
Background
noise
Figure 14-4 Background noise can merge with an electronic signal and alter the signal’s integrity.
200
14-ch14.indd 652 15/09/21 8:05 PM

Core
Distribution
Access
Figure 14-5 Hierarchical model of a switched network
201
14-ch14.indd 658 15/09/21 8:05 PM

In Address Out Out In In Address Out Out In In Address Out Out

Tag Prefix I/F Tag Tag I/F Prefix I/F Tag Tag I/F Prefix I/F Tag
128.89 1 128.89 0 128.89 1
171.69 1 171.69 1
Tag request
for 128.89 2
1 0
1
0
3
Tag request Tag request Tag request
for 171.69 1 for 128.89 for 128.89
Tag request
for 171.69
Tag request
for 128.89
Figure 14-6 MPLS uses tags and tables for routing functions.
202
14-ch14.indd 659 15/09/21 8:05 PM

Bridge/Switch Router
Reads header information but does not alter it Creates a new header for each packet
Builds forwarding tables based on MAC Builds routing tables based on IP addresses
addresses
Has no concept of network addresses Assigns a different network address per port
Filters traffic based on MAC addresses Filters traffic based on IP addresses
Forwards broadcast traffic Does not forward broadcast traffic
Forwards traffic if a destination address is Does not forward traffic that contains a
unknown to the bridge destination address unknown to the router
Table 14-3 Main Differences Between Bridges/Switches and Routers
203
14-ch14.indd 661 15/09/21 8:05 PM

NAS
Figure 14-7 Several types of gateways can be used in a network. A NAS is one example.
204
14-ch14.indd 662 15/09/21 8:05 PM

Figure 14-8
Proxy servers
control traffic
between clients
and servers. Computer A
Computer B
Proxy Web
server server
Computer C
205
14-ch14.indd 663 15/09/21 8:05 PM

Figure 14-9
Forward vs.
reverse proxy
services
User Proxy Internet

Internal network
Internet Proxy Web server

Internal network
206
14-ch14.indd 664 15/09/21 8:05 PM

Device OSI Layer Functionality

Repeater Physical Amplifies the signal and extends networks
Bridge Data link Forwards packets and filters based on MAC addresses;
forwards broadcast traffic, but not collision traffic
Switch Data link Provides a private virtual link between communicating
devices; allows for VLANs; reduces collisions; impedes
network sniffing
Router Network Separates and connects LANs creating internetworks; filters
based on IP addresses
Gateway Application Connects different types of networks; performs protocol
and format translations
Web proxy Application Acts as an intermediary between clients and servers,
typically to improve security and/or performance
Table 14-4 Main Differences Between Network Devices
207
14-ch14.indd 665 15/09/21 8:05 PM

Analog
voice
interface
Digital
Digital
voice
switch TI
interface
Data
interface
Figure 14-10 A PBX combines different types of data on the same lines.
208
14-ch14.indd 666 15/09/21 8:05 PM

Nancy
Signal
Service transfer
control point
PSTN
point
Signal Signal
transfer transfer
point point
Signal Signal Base station
switching switching
point point
Meeta Carlos
Figure 15-1 Major components of a public switched telephone network
209
15-ch15.indd 682 15/09/21 12:58 PM

Telecommunications
Subscriber’s home office central office
Voice
Computer switch
PSTN
DSL modem
Internet
Telephone DSL
DSLAM IP router
splitter
Other
subscribers
Figure 15-2 DSL network
210
15-ch15.indd 683 15/09/21 12:58 PM

Figure 15-3
SIP handshake
User User
Agent A Agent B
1. INVITE
2. Trying
3. Ringing
Ringing
User B answers
4. OK
5. ACK
6. RTP voice call
User A hangs up
7. BYE
8. OK
211
15-ch15.indd 690 15/09/21 12:58 PM

Figure 15-4
Unified
communications
components Voice Messaging Video
@
E-mail User Conferencing
Files Presence Directory
212
15-ch15.indd 696 15/09/21 12:58 PM

Logon request
Figure 15-5 1
CHAP uses 2
lenge
a challenge/ Chal
response
mechanism 3 Encrypts value
instead of having
the user send the Encrypts value Decrypts value
password over Response
the wire. 4 5
Client Server
Authorize or fail
6
Compares values
213
15-ch15.indd 698 15/09/21 12:58 PM

Protocol Description
EAP-TLS Digital certificate–based authentication, considered one of the most
secure EAP standards
EAP-PSK Provides mutual authentication and session key derivation using a
preshared key
EAP-TTLS Tunneled TLS, which requires the server to have a CA-issued certificate,
but makes this optional for the client
EAP-IKE2 Internet Key Exchange version 2 (IKE2), which provides mutual
authentication and session key establishment using asymmetric or
symmetric keys or passwords
PEAPv0/EAP- Similar in design to EAP-TTLS but only requires a server-side digital
MSCHAPv2 certificate
PEAPv1/EAP-GTC Cisco variant based on Generic Token Card (GTC) authentication
EAP-FAST Cisco-proprietary replacement for Lightweight EAP (LEAP) based on
Flexible Authentication via Secure Tunneling (FAST)
EAP-SIM For Global System for Mobile Communications (GSM), based on
Subscriber Identity Module (SIM), a variant of PEAP for GSM
EAP-AKA For Universal Mobile Telecommunication System (UMTS) Subscriber
Identity Module (USIM) and provides Authentication and Key
Agreement (AKA)
EAP-GSS Based on Generic Security Service (GSS), uses Kerberos
Table 15-1 EAP Variants
214
15-ch15.indd 699 15/09/21 12:58 PM

SSH steps to establish a

secure connection:
1. Client requests SSH connection
2. Handshake to ÿnd out protocol version
3. Alogrithm negotiation and key exchange
4. Secure session setup
5. Client runs remote application
Figure 15-6 SSH is used for remote terminal-like functionality.
215
15-ch15.indd 702 15/09/21 12:58 PM

Hypervisor
Figure 15-7
Virtualized
networks VM-1 VM-2 VM-3
vNIC vNIC vNIC vNIC
vSwitch-1 vSwitch-2
Virtual interfaces
NIC
Physical interface
216
15-ch15.indd 704 15/09/21 12:58 PM

1. Identification
2. Authentication
3. Authorization
Resource
4. Accountability
Figure 16-1 Four steps must happen for a subject to access an object: identification,
authentication, authorization, and accountability.
217
16-ch16.indd 716 15/09/21 12:59 PM

Figure 16-2
10110011
Biometric data 01011000
is turned into Biometric Image 11001011
binary data capture processing 01101101
and compared 01011000
for identity
validation.
10110011
01011000
Template Biometric
11001011
extraction matching
01101101
01011000
95%
218
16-ch16.indd 726 15/09/21 12:59 PM

RSA SecureID Time-Synchronous Two-Factor Authentication
UserID: asmith UserID: asmith

PIN:kzw08 PIN:kzw08
Token code: 345734 RSA Token code: 345734
authentication
agent
RSA
authentication
manager
345734
RAS, VPN,
SSL-VPN, WLAN,
Web, and more
Algorithm Same algorithm
Time Seed Same time Same seed
Used by permission of RSA Security, Inc., © Copyright RSA Security, Inc. 2012
219
16-ch16.indd 730 15/09/21 12:59 PM

6.
5.
1.
Authentication
4. server
2.
3.
1. Challenge value displayed on workstation.

2. User enters challenge value and PIN into token device.
3. Token device presents a different value to the user.
4. User enters new value into the workstation.
5. Value sent to authentication service on server.
6. AS sends an “allow access” response.
Figure 16-3 Authentication using an asynchronous token device includes a workstation, token
device, and authentication service.
220
16-ch16.indd 731 15/09/21 12:59 PM

Sales
employees Data center
Executives
ERP
Customers
Human
resources
Temporary system
employees
Contractors Network
Distribution
partners CRM
Former
employees
Cloud
IT services
employees
Figure 16-4 Most environments are complex in terms of access.
221
16-ch16.indd 746 15/09/21 12:59 PM

Directory C=US
Schema
ou=U.S. Government
ou=DoD
Service/agency subtrees Special subtrees
ou=Air Force ou=Army ou=Navy ou=DISA ou=PLAs
ou=locations ou=mail lists ou=ships ou=tactical ou=organizations
OUs
OUs
ou=pentagon ou=WNY ou=reston
Loc
OUs
ou=NCTSW
OUs
OUs
ou=General
cn=Kathy Conlon
222
16-ch16.indd 749 15/09/21 12:59 PM

LDAP-
Non-LDAP
enabled
applications
application
Access management
Access management Central Non-LDAP

LDAP directory
Access management directory server server
Meta-directory App-specific
LDAP
directories
Figure 16-5 Meta-directories pull data from other sources to populate the IdM directory.
223
16-ch16.indd 750 15/09/21 12:59 PM

9. This graphic covers which of the following?
10110011
01011000
Biometric Image 11001011
capture processing 01101101
01011000
10110011
01011000
Template Biometric
11001011
extraction matching
01101101
01011000
95%
A. Crossover error rate

B. Identity verification
C. Authorization rates
D. Authentication error rates
224
16-ch16.indd 760 15/09/21 12:59 PM

10. The diagram shown here explains which of the following concepts?
Error rate
FRR FAR
Biometric Biometric
characteristic characteristic
features rejected features accepted
EER Equal error rate (EER)

False False
acceptance rejection
Decision threshold
A. Crossover error rate.

B. Type III errors.
C. FAR equals FRR in systems that have a high crossover error rate.
D. Biometrics is a high acceptance technology.
225
16-ch16.indd 761 15/09/21 12:59 PM

11. The graphic shown here illustrates how which of the following works?
Firewall
Internet
Server
284836 284836
Algorithm Algorithm
Time Seed Time Seed
A. Rainbow tables
B. Dictionary attack
C. One-time password
D. Strong authentication
226
16-ch16.indd 762 15/09/21 12:59 PM

Table 17-1 User File1

The ACL for a Diane Full control
Notional File1
Object Katie Read and execute
Chrissy Read, write, and execute
John Read and execute
227
17-ch17.indd 767 15/09/21 1:00 PM

Security label
Name: Roster.xlsx
Classification: Top secret
Categories: Threatcasting
Security label
Name: Judy
Clearance: Top secret
Categories: Operations
Jack Voltaic Security label
Cyber Guard
Name: Planning Docs
Classification: Secret
Categories: Jack Voltaic
Figure 17-1 A security label is made up of a classification and categories.
228
17-ch17.indd 769 15/09/21 1:00 PM

Figure 17-2 User Action Resource

Components of a context severity sensitivity
risk-based access
control model
Request Reference ?
monitor
Subject
Object
Risk
history
229
17-ch17.indd 775 15/09/21 1:00 PM

Figure 17-3 Target systems

SPML Provisioning
provisioning Service Target 1
steps
SPML client SPML server
Requesting Provisioning Provisioning

Authority Service Point 1 Service Target 2
Provisioning
Service Target 3
Provisioning
Service Target 4
Provisioning Provisioning
Service Point 2 Service Target 5
Provisioning
Service Target 6
230
17-ch17.indd 778 15/09/21 1:00 PM

Google User Acme Corp.

(service provider) (identity provider)
User tries to reach

hosted Google
application START
1
HERE
2 Google
generates Browser
Google redirects
SAML
request 3 browser to SSO URL
Browser redirects
3 to SSO URL
Acme parses
4 SAML request,
authenticates
user
5 Acme
generates
SAML
Acme returns encoded response
SAML response to
Browser sends browser 6
SAML response to
Google Google 6
verifies
7
SAML
response
User is logged in to
Google application
8
Figure 17-4 SAML authentication
231
17-ch17.indd 779 15/09/21 1:00 PM

Figure 17-5
SAML material HTTP header
embedded
within an HTTP
message
HTTP body
SOAP header
SOAP body
SAML request
or response
232
17-ch17.indd 780 15/09/21 1:00 PM

Figure 17-6 7. Access token

OAuth 8. Resource
st Resource
authorization e ect
qu dir server
steps Re Re
1. 2.
Client
4. Redirect w/auth 5. Auth 6. Access

code code token
Resource
owner
3.
Co
n se
nt
Authorization
server
233
17-ch17.indd 782 15/09/21 1:00 PM

Relying Relying
s t t party s t t party
ue ec ue ec
q dir q dir
Re Re Re Re
1. 2. 1. 2.
5. Redirect w/auth 6. Auth 7. User info 5. Redirect w/user

code code info
User User
3. 3.
Au Au
th t he
4. en 4. nt
Co tic Co ica
ns ate n te
en se
t OpenID nt OpenID
provider provider
Authorization code flow Implicit flow
Figure 17-7 Two common OpenID Connect process flows
234
17-ch17.indd 783 15/09/21 1:00 PM

Initial ticket
1.
AS
2. 3.
TGS
4.
User 5.
principal KDC
Ticket
Session Session
key key
1. User authenticates to AS.

File server 2. AS sends initial ticket to user.
principal 3. User requests to access file server.
4. TGS creates new ticket with session keys.
5. User extracts one session key and sends ticket to file server.
Figure 17-8 The user must receive a ticket from the KDC before being able to use the requested
resource.
235
17-ch17.indd 787 15/09/21 1:00 PM

RADIUS RADIUS RADIUS

client client client
Wireless AP
Dial-in VPN
server server
RADIUS
server
Figure 17-9 Environments can implement different RADIUS infrastructures.
236
17-ch17.indd 790 15/09/21 1:00 PM

TACACS+ client
VPN
server
TACACS+
server
Figure 17-10 TACACS+ works in a client/server model.
237
17-ch17.indd 792 15/09/21 1:00 PM

RADIUS TACACS+
Packet delivery UDP TCP
Packet Encrypts only the password from Encrypts all traffic between the
encryption the RADIUS client to the server. client and server.
AAA support Combines authentication and Uses the AAA architecture,
authorization services. separating authentication,
authorization, and auditing.
Multiprotocol Works over PPP connections. Supports other protocols, such as
support AppleTalk, NetBIOS, and IPX.
Responses Uses single-challenge response Uses multiple-challenge response
when authenticating a user, which for each of the AAA processes. Each
is used for all AAA activities. AAA activity must be authenticated.
Table 17-2 Specific Differences Between These Two AAA Protocols
238
17-ch17.indd 793 15/09/21 1:00 PM

Figure 17-11
The identity
and access
management
life cycle
Access
Provisioning control Compliance
Configuration
Deprovisioning
management
239
17-ch17.indd 795 15/09/21 1:00 PM

Test Type Frequency Benefits

Network Continuously to quarterly •• Enumerates the network structure and
scanning determines the set of active hosts and
associated software
•• Identifies unauthorized hosts connected
to a network
•• Identifies open ports
•• Identifies unauthorized services
Log reviews Daily for critical systems •• Validates that the system is operating
according to policy
Password Continuously to same •• Verifies the policy is effective in producing
cracking frequency as expiration policy passwords that are difficult to break
•• Verifies that users select passwords
compliant with the organization’s security
policy
Vulnerability Quarterly or bimonthly (more •• Enumerates the network structure and
scanning often for high-risk systems), determines the set of active hosts and
or whenever the vulnerability associated software
database is updated •• Identifies a target set of computers to
focus vulnerability analysis
•• Identifies potential vulnerabilities on the
target set
•• Validates operating systems and major
applications are up to date with security
patches and software versions
Penetration Annually •• Determines how vulnerable an
testing organization’s network is to penetration
and the level of damage that can be
incurred
•• Tests the IT staff’s response to perceived
security incidents and their knowledge
and implementation of the organization’s
security policy and the system’s security
requirements
Integrity Monthly and in case of a •• Detects unauthorized file modifications
checkers suspicious event
Table 18-1 Example Testing Schedules for Each Operations and Security Department
240
18-ch18.indd 816 15/09/21 1:01 PM

18-ch18.indd 820
• Unencrypted protocols
• Ineffective with encrypted traffic • Unauthorized WAPs
• Full data capture not performed • Terminates on • Unpatched and vulnerable services
• Default installations internal network • Default SNMP RW strings
3. • Network not segmented
7.
9. • Access lists not applied
• Unencrypted management protocols
• Excessive rules
(in/out) See 9.
2. 5.
8. 10.
1. 6. See 9.
• OS not patched and vulnerable
• Access lists not applied • Excessive rules (in/out) • Applications not patched and vulnerable
• Unencrypted management protocols • Unpatched and vulnerable
241
• Unnecessary and vulnerable services
FW and OS • Users running as local admin
• Personal firewalls not used
4. 11.
• OS, DBMS, and application servers not • OS and DBMS not patched and vulnerable
patched and vulnerable • Unnecessary and vulnerable services
• Unnecessary and vulnerable services • Poorly configured services
• Weak certificate management • Outdated and vulnerable applications
• Weak session management • Default and easily guessed passwords
• Cleartext passwords • Excessive directory and file permissions
• Application input not effectively validated • Unencrypted or weak protocols
• Logging and monitoring ineffective
Figure 18-1 Vulnerabilities in heterogeneous networks

15/09/21 1:01 PM
Database Database
Web Data Data

server
cluster
Server Server Server Server
Web
server
Firewalls
Router Firewalls
Server farm Penetration

testing
Host
Internal network
Figure 18-2 Penetration testing is used to prove an attacker can actually compromise systems.
242
18-ch18.indd 823 15/09/21 1:01 PM

Figure 18-3
Log in
UML use case
diagram
>
tend>
<<ex
Customer Place an order
<<
in
clu
de
>>
Provide credit
card info
243
18-ch18.indd 835 15/09/21 1:01 PM

tend>> Use 2-factor <<

<<ex authentication mi
tig
ate
>>
Log in
<<threaten
>>
Guess password
>
tend>
Customer <<ex Encrypt credit
Place an order <<
card info mi
tig
ate
>>
Attacker
<<
>>
in
e
ud
clu
Steal credit card
cl
in
de
>> info
<< eaten
>>
<<thr
Provide credit
card info
Figure 18-4 UML misuse case diagram
244
18-ch18.indd 836 15/09/21 1:01 PM

Figure 19-1
KPI
Relationship
between factors,
measurements,
Metric Metric
baselines,
A1:B1 B1:Baseline
metrics, and KPIs
Measurement Measurement Baseline

A1 B1
Factor A Factor B
ISMS processes
245
19-ch19.indd 853 15/09/21 1:02 PM

E-mail server Hacked site

Figure 19-2
Typical phishing
@
attack 4. Captured user credentials
it
5. Fetch ingk 3. Click link
captured ish
ph
credentials ad
Uplo
1.
2. Send phishing e-mail
Phisher Victim
246
19-ch19.indd 864 15/09/21 1:02 PM

1. Attacker modifies 3. Victim is secretly

2. Victim visits
vulnerable website. redirected to
tampered good
malware server.
website.
4. Malware server gets

browser specs, finds the
right exploit for it.
6. Malware phones
home to attacker,
ready to send data 5. Malware gets
or be used in other installed without
attacks. the victim noticing.
Figure 19-3 Drive-by downloads
247
19-ch19.indd 865 15/09/21 1:02 PM

Names of Staff
Procedure: Personnel Trained to Carry Date Last
Evacuation Description Location Out Procedure Carried Out
Each floor within the building must have West wing David Miller Drills were
two individuals who will ensure that all parking lot Michelle Lester carried out on
personnel have been evacuated from the May 4, 2021.
building after a disaster. These individuals
are responsible for performing employee
head count, communicating with the
business continuity plan (BCP) coordinator,
and assessing emergency response needs
for their employees.
Comments:
These individuals are responsible for
maintaining an up-to-date listing of
employees on their specific floor. These
individuals must have a company-issued
walkie-talkie and proper training for this
function.
Table 19-1 Sample Emergency Response Procedure
248
19-ch19.indd 868 15/09/21 1:02 PM

Figure 19-4
The Plan-Do-
Plan Do
Check-Act loop
Act Check
249
19-ch19.indd 875 15/09/21 1:02 PM

Organizational Role Core Responsibilities

Cybersecurity Analyst Monitors the organization’s IT infrastructure and identifies and
evaluates threats that could result in security incidents
Help Desk/Support Resolves end-user and system technical or operations problems
Incident Responder Investigates, analyzes, and responds to cyber incidents within the
organization
IT Engineer Performs the day-to-day operational duties on systems and
applications
Network Administrator Installs and maintains the local area network/wide area network
(LAN/WAN) environment
Security Architect Assesses security controls and recommends and implements
enhancements
Security Director Develops and enforces security policies and processes to maintain
the security and safety of all organizational assets
Security Manager Implements security policies and monitors security operations
Software Developer Develops and maintains production software
System Administrator Installs and maintains specific systems (e.g., database, e-mail)
Threat Hunter Proactively finds cybersecurity threats and mitigates them before they
compromise the organization
Table 20-1 Roles and Associated Tasks
250
20-ch20.indd 886 15/09/21 5:12 PM

Drive Drive Drive

A B C
Optical
Secondary
stage
Tape
Tertiary
stage
Figure 20-1 HSM provides an economical and efficient way of storing data.
251
20-ch20.indd 899 15/09/21 5:12 PM

ZONE 1
NEIGHBORHOOD
ZONE 2
STANDOFF PERIMETER
BLDG
ZONE 3
SITE ACCESS AND
PARKING
ZONE 4
SITE
ZONE 5
BUILDING ENVELOPE
ZONE 6
MANAGEMENT AND BUILDING OPERATIONS
Figure 20-2 Security zones around a facility (Source: https://www.wbdg.org/FFC/GSA/

site_security_dg.pdf )
252
20-ch20.indd 907 15/09/21 5:12 PM

Figure 20-3 Controller/

Cameras Monitor
Several cameras DVR
can be connected
to a DVR that can
provide remote
storage and Control room
access.
Remote
Internet
client
Remote
storage
253
20-ch20.indd 914 15/09/21 5:12 PM

Delivery
Figure 20-4
(external
Access control entry)
points should
be identified,
marked, and
monitored Secured
area
properly.
Main Secondary
entry entry
254
20-ch20.indd 917 15/09/21 5:12 PM

Figure 20-5
A warded lock
255
20-ch20.indd 918 15/09/21 5:12 PM

Figure 20-6
A key fits into a
notch to turn the
bolt to unlock
the lock.
Locking
bolt
Wards
256
20-ch20.indd 919 15/09/21 5:12 PM

Spring
Figure 20-7
Tumbler lock
Driver
Pin
Cylinder
Key
257
Figure 20-8
An electronic
combination lock
258
20-ch20.indd 920 15/09/21 5:12 PM

Figure 20-9
Laptop security
cable kits secure
a computer by
enabling the
user to attach
the device to
a stationary
component
within an area.
259
20-ch20.indd 922 15/09/21 5:12 PM

Figure 20-10
Different
perimeter
scanning devices
work by covering
a specific area.
260
20-ch20.indd 926 15/09/21 5:12 PM

Technology People Process

Endpoint
detection and Tier 1 Intelligence
Policies
response analyst analyst
Procedures
Business
Security Partners
information
and event
Network management Government
Tier 2 Incident
detection and analyst responder
response
Figure 21-1 Core elements of a mature SOC
261
21-ch21.indd 940 15/09/21 1:03 PM

Requirements
Figure 21-2
The intelligence
cycle
Dissemination Collection
Analysis
262
21-ch21.indd 941 15/09/21 1:03 PM

DMZ Internal LAN
Enterprise
Public servers
servers
Internet
Work
stations
Figure 21-3 At least two firewalls, or firewall interfaces, are generally used to construct a DMZ.
263
21-ch21.indd 946 15/09/21 1:03 PM

Figure 21-4
ACLs are Router D
enforced at
the network 10.10.13.2
f0/0
interface level.
10.10.13.1
f2/0
Router C
f0/0 f1/0
10.10.10.2 10.10.12.2
10.10.10.1 10.10.12.1
f0/0 f0/0
f1/0 f1/0
10.10.11.1 10.10.11.2
Router A Router B
264
21-ch21.indd 947 15/09/21 1:03 PM

Byte
Offset 0 1 2 3
0 Source Port Destination Port
4 Sequence Number
20
8 Acknowledgment Number Bytes
Offset
Offset Reserved TCP Flags Window
12 CEUA PRSF
16 Checksum Urgent Pointer
20 TCP Options (variable length, optional)
1 2 3
Bit 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 89 0 1
Nibble Byte Word
TCP Flags Congestion Notification TCP Options Offset
CEUAPRSF ECN (Explicit Congestion 0 End of Options List Number of 32-bit words
Congestion Window Notification). See RFC 1 No Operation (NOP, Pad) in TCP header, minimum
2 Maximum segment size
3168 for full details, valid value of 5. Multiply by 4
C 0x80 Reduced (CWR)
states below. 3 Window Scale to get byte count.
E 0x40 ECN Echo (ECE)
Packet State DSB ECN bits 4 Selective ACK ok
U 0x20 Urgent Syn 00 11 8 Timestamp
A 0x10 Ack Syn-Ack 00 01
P 0x08 Push Ack 01 00 Checksum
R 0x04 Reset No Congestion 01 00
S 0x02 Syn Checksum of entire TCP
No Congestion 10 00
F 0x01 Fin segment and pseudo
Congestion 11 00 header (parts of IP
Receiver Response 11 01 header)
Sender Response 11 11
Figure 21-5 TCP header
265
21-ch21.indd 950 15/09/21 1:03 PM

User with web

Firewall\HTTP Once page is browser configured
proxy requests cached, proxy server to use firewall proxy
web page on sends the user the server requests web page
behalf of end user. requested web page. from Internet website.
3 5 1
Internet
Web server Workstation

4 2
Web server responds to Firewall\HTTP proxy

HTTP request from proxy accepts connection request.
server, unaware the request
is coming from a user behind a proxy.
Figure 21-6 Proxy firewall breaks connection
266
21-ch21.indd 953 15/09/21 1:03 PM

“SOCKS-ified”
“SOCKS-ified” client
client
Router
“SOCKS-ified” SOCKS server
client
“SOCKS-ified”
client
“SOCKS-ified”
client
Figure 21-7 Circuit-level proxy firewall
267
21-ch21.indd 956 15/09/21 1:03 PM

Firewall Type OSI Layer Characteristics

Packet filtering Network layer Looks at destination and source addresses, ports, and
services requested. Typically routers using ACLs to
control and monitor network traffic.
Stateful Network layer Looks at the state and context of packets. Keeps track
of each conversation using a state table.
Application-level Application Looks deep into packets and makes granular access
proxy layer control decisions. It requires one proxy per protocol.
Circuit-level Session layer Looks only at the header packet information. It protects
proxy a wider range of protocols and services than an
application-level proxy, but does not provide the detailed
level of control available to an application-level proxy.
Next-generation Multiple layers Very fast and supportive of high bandwidth. Built-in
firewall IPS. Able to connect to external services like Active
Directory.
Table 21-1 Comparison of Different Types of Firewalls
268
21-ch21.indd 958 15/09/21 1:03 PM

Internal network
Screening
device Screened
host
Figure 21-8 A screened host is a firewall that is screened by a router.
269
21-ch21.indd 960 15/09/21 1:04 PM

Internal network
Screened subnet
Screening DNS
device Firewall server
Firewall
Mail
server
Figure 21-9 With a screened subnet, two firewalls are used to create a DMZ.
270
Exterior
router
Perimeter network 1
Firewall 1 Firewall 2
Perimeter network 2
Interior
router
Internal netwrok
Figure 21-10 A screened subnet can have different networks within it and different firewalls that
filter for specific threats.
271
21-ch21.indd 961 15/09/21 1:04 PM

Border Border Firewall

Backup router 1 router 2
Perimeter netwrok
Web
Mail 1 DNS
server
Perimeter network Perimeter network
Interior Interior
router 1 router 2
Internal network
Figure 21-11 Some architectures have separate screened subnets with different server types
in each.
272
21-ch21.indd 962 15/09/21 1:04 PM

Web servers Applications Database
VLAN1 VLAN2 VLAN1 VLAN2 VLAN1 VLAN2
vNIC vNIC vNIC
Hypervisor 1 Hypervisor 2 Hypervisor 3
Access
Switch
Aggregation
Switch
Firewall
Border router
Figure 21-12 Virtual firewalls
273
21-ch21.indd 964 15/09/21 1:04 PM

Signature-based
Database of
File 1 patterns
Heuristic-based
Logic, code, and structure
are analyzed.
Malicious
File 1 characteristics
Behavior blocker
Code executes, and its
interactions with the
OS are monitored.
Operating
File 1 system
Figure 21-13 Antimalware vendors use various types of malware detection.
274
21-ch21.indd 971 15/09/21 1:04 PM

Artificial
intelligence
Symbolic AI Non-symbolic AI
Analogical Rule-based Instance-based Statistical

reasoning systems learning methods
Case-based Episodic Expert Production k-nearest Locally k-means Linear

reasoning reasoning systems systems neighbors weighted clustering regression
regression
Decision Neural
trees networks
ID3 C4.5 Convolutional Recurrent

neural networks neural networks
Figure 21-14 A partial taxonomy of artificial intelligence
275
21-ch21.indd 976 15/09/21 1:04 PM

The Cyber Kill Chain
Recon Deliver Install Objective
Weaponize Exploit C2
Proactive detection and mitigation Containment and incident response
276
22-ch22.indd 995 15/09/21 1:04 PM

Role Responsibilities
Core IR Team
Chief information security • Develops and maintains the IR plan
officer (CISO) • Communicates with senior organizational leadership
• Directs security controls before and after incidents
Director of security • Directs execution of the IR plan
operations • Communicates with applicable law enforcement agencies
• Declares security incidents
IR team lead • Overall responsibility for the IR plan
• Communicates with senior organizational leadership
• Maintains repository of incident response lessons learned
Cybersecurity analyst • Monitors and analyzes security events
• Nominates events for escalation to security incidents
• Performs additional analyses for IR team lead as required
IT support specialist • Manages security platforms
• Implements mitigation, recovery, and remediation measures
as directed by the IR team lead
Threat intelligence analyst • Provides intelligence products related to incidents
• Maintains repository of incident facts to support future
intelligence products
Extended IR Team
Human resources manager • Provides oversight for incident-related human resource
requirements (e.g., employee relations, labor agreements)
Legal counsel • Provides oversight for incident-related legal requirements
(e.g., liability issues, requirement for law enforcement
reporting/coordination)
• Ensures evidence collected maintains its forensic value in the
event the organization chooses to take legal action
Public relations • Ensures communications during an incident protect the
confidentiality of sensitive information
• Prepares communications to stockholders and the press
Business unit lead • Balances IR actions and business requirements
• Ensures business unit support to the IR team
Table 22-1 IR Team Roles and Responsibilities
277
22-ch22.indd 1001 15/09/21 1:04 PM

Initial
Severity Criteria Response Time
Severity 1 • Confirmed incident compromising mission-critical systems 1 hour
(critical) • Active exfiltration, alteration, or destruction of sensitive data
• Incident requiring notification to government regulators
• Life-threatening ongoing physical situation (e.g., suspicious
package on site, unauthorized/hostile person, credible threat)
Severity 2 • Confirmed incident compromising systems that are not 4 hours
(high) mission-critical
• Active exfiltration of non-sensitive data
• Time-sensitive investigation of employees
• Non-life-threatening but serious, ongoing physical situation
(e.g., unauthorized person, theft of property)
Severity 3 • Possible incident affecting any systems 48 hours
(moderate) • Security policy violations
• Long-term employee investigations requiring extensive
collection and analysis
• Non-life-threatening past physical situation (e.g., sensitive
area left unsecured overnight)
Table 22-2 Sample Incident Classification Matrix
278
22-ch22.indd 1003 15/09/21 1:04 PM

Stakeholder Severity Level Notification

Executive leaders S1 Immediate via e-mail and phone
S2 On the next daily operational report
S3 None
CISO S1 Immediate via e-mail and phone
S2 Within 4 hours via e-mail and phone
Affected business units S1 Immediate via e-mail and phone
S2 Within 4 hours via e-mail
Affected customers/partners S1 Within 8 hours via e-mail
S2 Within 72 hours via e-mail
S3 None
Table 22-3 Sample Incident Notification Matrix
279
22-ch22.indd 1004 15/09/21 1:04 PM

Operational Task Date/Time Completed

Pre-Execution
Identify assets affected
Obtain access (physical and logical) to all affected assets
Determine forensic evidence requirements
Review compliance requirements (e.g., GDPR, HIPAA, PCI DSS)
Initiate communications plan
Response
Perform immediate actions to mitigate the impact of the incident
Validate detection mechanisms
Request relevant intelligence from threat intelligence team
Gather and preserve incident-related data (e.g., PCAP, log files)
Develop an initial timeline of incident-related activity
Develop mitigation plan based on initial assessment
Mitigation
Verify availability of backup/redundant system (if mission-critical
system was compromised)
Activate backup/redundant systems for continuity of operations (if
mission-critical system was compromised)
Isolate affected assets
Collect forensic evidence from compromised systems (if applicable)
Remove active threat mechanisms to limit further activity
Initiate focused monitoring of the environment for additional activity
Recovery
Restore affected systems’ known-good backups or gold masters
Validate additional controls on restored systems prevent reoccurrence
Reconnect restored systems to production networks
Verify no additional threat activity exists on restored systems
Remediation
Finalize root cause, threat mechanisms, and incident timeline
Identify IOCs and IOAs
Initiate change management processes to prevent reoccurrence
Implement preventive and detective controls to prevent reoccurrence
Table 22-4 Sample Operational Tasks List
280
22-ch22.indd 1005 15/09/21 1:04 PM

EVIDENCE
Station/Section/Unit/Dept___________________________________________________
Case number____________________________ Item#____________________________
Type of offense___________________________________________________________
Description of evidence____________________________________________________
_______________________________________________________________________
_______________________________________________________________________
Suspect_________________________________________________________________
Victim__________________________________________________________________
Date and time of recovery___________________________________________________
Location of recovery_______________________________________________________
Recovered by____________________________________________________________
CHAIN OF CUSTODY
Received from___________________________ By______________________________
Date___________________________Time____________________________A.M./P.M..
Received from___________________________ By______________________________
Date___________________________Time____________________________A.M./P.M.
Received from___________________________ By______________________________
Date___________________________Time____________________________A.M./P.M.
Received from___________________________ By______________________________
Date___________________________Time____________________________A.M./P.M.
WARNING: THIS IS A TAMPER EVIDENT SECURITY PACKAGE. ONCE SEALED, ANY
ATTEMPT TO OPEN WILL RESULT IN OBVIOUS SIGNS OF TAMPERING.
Figure 22-1 Evidence container data
281
22-ch22.indd 1011 15/09/21 1:04 PM

Identification Preservation Collection Examination Analysis Presentation
Event/crime Case
Preservation Preservation Preservation Documentation
detection management
Resolve Imaging Approved
Traceability Traceability Expert testimony
signature technologies methods
Profile Chain of Approved Validation
Statistical Clarification
detection custody software techniques
Anomalous Time Approved Filtering Mission impact
techniques Protocols
detection synchronization hardware statement
Legal Pattern Recommended
Complaints Data mining
authority matching countermeasure
System Lossless Hidden data Statistical
discovery Timeline interpretation
monitoring compression
Audit Hidden data
Sampling Link
analysis extraction
Data Spatial
reduction
Recovery
techniques
Figure 22-2 Characteristics of the different phases through an investigation process
282
22-ch22.indd 1017 15/09/21 1:04 PM

Figure 22-3 EnCase Forensic can be used to collect digital forensic data.
283
22-ch22.indd 1018 15/09/21 1:04 PM

Co r
Re
Te ta
Re op
co
m ec
st /sy
Re ba
Be rec
su er
da
pl ov
ve
an st
Sy vail
un
co ck
m at
gi ov
et e r
rl
d em
st ab
e io
n er
e y
ve log
a
os
em le
ve s
no n
sy y
sy
rw
td
rif
st
st
rm
y
at
or
em
em
al
a
k
Disruptive
Normal operation event Recovery timeframe Normal operation
RPO RTO WRT
MTD
Figure 23-1 Metrics used for disaster recovery
284
23-ch23.indd 1030 15/09/21 1:05 PM

Recovery Disaster!! Recovery

Figure 23-2
point time
RPO and RTO
measures in use
Time
RPO (lost data) RTO (restore and recovery)
How far back? How long to recover?
285
23-ch23.indd 1031 15/09/21 1:05 PM

Data Type RPO RTO

Mission critical Continuous to 1 minute Instantaneous to 2 minutes
Business critical 5 minutes 10 minutes
Business 3 hours 8 hours
Table 23-1 RPO and RTO Value Relationships
286
23-ch23.indd 1032 15/09/21 1:05 PM

Figure 23-3 Backup software steps
287
23-ch23.indd 1036 15/09/21 1:05 PM

Data centers
Provisioned disaster
recovery servers
Clustered devices
Home users
Hot Warm Cold
High-availability
Internet
Replication network
services Remote users
Mobile users
Head office
Recovery site
Figure 23-4 Offsite data replication for data recovery purposes
288
23-ch23.indd 1040 15/09/21 1:05 PM

Time to Restore Business Operation
Continuous
The recovery mechanism
availability
depends on your acceptable
level of downtime and budget
Synchronous
replication
Cost/complexity
Rapid
recovery
Asynchronous
Recovery
replication
Tape restore
Recovery time
Minutes Hours Days
Figure 23-5 The criticality of data recovery will dictate the recovery solution.
289
23-ch23.indd 1041 15/09/21 1:05 PM

User Tier
Internal (intranet) users External (extranet) users
End-user Administrator End-user
user interface user interface user interface
Firewall
Web Tier
(DMZ) Load balancer Load balancer
Web servers Web servers

Optional firewall
Application
Tier Load balancer Load balancer
Application Application
servers servers
Identity Identity
manager manager
Database Database
Tier cluster Repository
LDAP
repository
Managed Network
failover device Offsite
Resource replication
Tier Gateways
Resource Resource Resource Resource Remote systems
Figure 23-6 High-availability technologies
290
23-ch23.indd 1052 15/09/21 1:05 PM

Normal operations
Define the business

continuity concept
Operate and maintain

Assess current
the continuity plans
environment
and solutions
Manage the business

Test and exercise
continuity life cycle Select and define
the continuity plans
continuity strategies
and solutions
Train users
Design continuity
and continuity
plans and solutions
personnel
Implement continuity
plans and solutions
Incident occurs
Return to normal
operations at
Employ high- primary site
availability systems
Conduct resumption
and services
at alternate site
Reconstitute
primary site
Conduct emergency
response Operate from
alternate site
Activate
No
resumption No
Ready for
plan?
reconstitution?
Yes Yes
Figure 23-7 BCP life cycle
291
23-ch23.indd 1066 15/09/21 1:05 PM

Functional
model
Data
Behavioral design
Design
model Architectural
design
Informational
model
Code
Procedural
design Program
modules
Test
Validated
software
Figure 24-1 Information from three models can go into the design.
292
24-ch24.indd 1084 15/09/21 1:06 PM

Figure 24-2 Attack surface analysis result
293
24-ch24.indd 1085 15/09/21 1:06 PM

Threat 1
Compromise
password
1.1 1.3 1.2

Access “in-use” Access Guess
password password in DB password
1.1.1 1.1.2 1.3.1 1.3.2 1.2.1 1.2.2

Password is Compromise Password Brute-force
Sniff network Phishing attack in cleartext database is weak attack
1.3.2.1 1.3.2.2
SQL injection Access database
attack directly
1.3.2.2.2
1.3.2.2.1
Weak DB account
Port open
password(s)
Figure 24-3 Threat tree used in threat modeling
294
24-ch24.indd 1086 15/09/21 1:06 PM

Figure 24-4 Trust boundary

A simple flow
Request Query
diagram for
threat modeling
Web Web Database

client server server
Response Result
295
24-ch24.indd 1087 15/09/21 1:06 PM

Rank Name
1 Out-of-bounds Write
2 Improper Neutralization of Input During Web Page Generation (“Cross-site Scripting”)
3 Out-of-bounds Read
4 Improper Input Validation
5 Improper Neutralization of Special Elements used in an OS Command (“OS Command
Injection”)
6 Improper Neutralization of Special Elements used in an SQL Command (“SQL Injection”)
7 Use After Free
8 Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”)
9 Cross-Site Request Forgery (CSRF)
10 Unrestricted Upload of File with Dangerous Type
11 Missing Authentication for Critical Function
12 Integer Overflow or Wraparound
13 Deserialization of Untrusted Data
14 Improper Authentication
15 NULL Pointer Dereference
16 Use of Hard-coded Credentials
17 Improper Restriction of Operations within the Bounds of a Memory Buffer
18 Missing Authorization
19 Incorrect Default Permissions
20 Exposure of Sensitive Information to an Unauthorized Actor
21 Insufficiently Protected Credentials
22 Incorrect Permission Assignment for Critical Resource
23 Improper Restriction of XML External Entity Reference
24 Server-Side Request Forgery (SSRF)
25 Improper Neutralization of Special Elements used in a Command (“Command Injection”)
Table 24-1 2021 CWE Top 25 Most Dangerous Software Weaknesses List
296
24-ch24.indd 1088 15/09/21 1:06 PM

Figure 24-5 Feasibility

Waterfall
methodology Analysis
used for software
development Design
Implement
Test
Maintain
297
24-ch24.indd 1095 15/09/21 1:06 PM

System/information
Increment 1
engineering
Delivery of
Analysis Design Code Test
1st increment
Delivery of
Increment 2 Analysis Design Code Test
2nd increment
Delivery of
3rd increment
Delivery of
4th increment
Figure 24-6 Incremental development methodology
298
24-ch24.indd 1097 15/09/21 1:06 PM

Cumulative cost
Progress
2. Identify and
1. Determine objectives resolve risks
Risk analysis
Risk analysis
Risk analysis
Require- Operational
Review ments plan Prototype 2 prototype
Prototype 1
Concept of Concept of
require-
Require-
operation Draft Detailed
ments ments
design
Development Verification
plan and validation
Code
Test plan Verification

and validation Integration
Test
Release Implementation
4. Plan the next
iteration
3. Development and test
Figure 24-7 Spiral methodology for software development
299
24-ch24.indd 1098 15/09/21 1:06 PM

Traditional
Analysis High-level design Detailed design Construction Testing Implementation
RAD
O N S T R AT
EM E
D
Analysis and
Testing Implementation
quick design Prototype
Cycles
IL D
RE
BU
FI
N
E
Figure 24-8 Rapid Application Development methodology
300
24-ch24.indd 1100 15/09/21 1:06 PM

Figure 24-9
DevOps exists at
the intersection
of software
development, Software IT
IT, and QA. development operations
DevOps
Quality
assurance
301
24-ch24.indd 1103 15/09/21 1:06 PM

Figure 24-10 Level

Optimizing
CMMI staged 5
maturity levels
Level Quantitatively
4 Managed
Level
Defined
3
Level
Managed
2
Level
Initial
1
Level
Incomplete
0
302
24-ch24.indd 1108 15/09/21 1:06 PM

Functions
Business
Governance Design Implementation Verification Operations
Strategy & Threat Architecture Incident

Secure Build
Security Practices
Metrics Assessment Assessment Management
Policy & Security Secure Requirements- Environment

Compliance Requirements Deployment Driven Testing Management
Education & Security Defect Operational

Security Testing
Guidance Architecture Management Management
Figure 24-11 Software Assurance Maturity Model
303
24-ch24.indd 1109 15/09/21 1:06 PM

Figure 25-1 C source code x = 42;

Converting
a high-level Compiler
language
statement Assembly language mov ax, 2ah
into machine
language code Assembler
Machine language 10100010 10100010 10100010
304
25-ch25.indd 1121 15/09/21 1:07 PM

Figure 25-2
The JVM
interprets
bytecode to ter
erpre
machine code Int
Java program Java bytecode
for that specific
platform.
Compiler Interpreter
Inte
rpre
ter
305
25-ch25.indd 1123 15/09/21 1:07 PM

Your computer
Memory
File system Operating system
Bytecode interpreter
Java Virtual Machine (restricted)
Class Applet security

Java applet
loader manager
Bytecode
verifier
Internet
Java bytecode
(from remote server)
Figure 25-3 Java’s security model
306
25-ch25.indd 1124 15/09/21 1:07 PM

Figure 25-4
In object-oriented Class: Furniture
inheritance, each
object belongs Color
Dimensions
to a class and Weight
takes on the Style
attributes of Cost
that class
Object: Table
Color = brown
Dimensions = 8×10
Weight = 34Ibs
Style = Western
Cost = 145
307
25-ch25.indd 1125 15/09/21 1:07 PM

Object-oriented design Procedural design
• Similar object classes • Algorithm centered—forces early

• Common interfaces implementation and algorithm
• Common usage decisions
• Code reuse—inheritance • Exposes more details
• Defers implementation and • Difficult to extend
algorithm decisions • Difficult to maintain
Figure 25-5 Procedural vs. object-oriented programming
308
25-ch25.indd 1126 15/09/21 1:07 PM

Figure 25-6
Objects Message
Object A (Object B, Withdrawal, 40.00) Object B
communicate
via messages.
309
25-ch25.indd 1127 15/09/21 1:07 PM

Figure 25-7 ATM

Object
relationships
within a program Display panel Button selection
Functions Printing receipts
310
25-ch25.indd 1128 15/09/21 1:07 PM

Figure 25-8
Applications Library
locate the
Application
necessary objects
through a library
index.
Application
Application
Components
311
25-ch25.indd 1130 15/09/21 1:07 PM

Data encapsulation
Figure 25-9
The different
Object
components of
an object and Data
the way it works structures
are hidden from
other objects. Functionality
capabilities
Acceptable
requests
Interface
Object
312
All-In-One / CISSP® All-in-One Exam Guide, Ninth Edition / Maymí / 737-6 / Appendix A
Comprehensive Questions
APPENDIX
A
Use the following scenario to answer Questions 1–3. Josh has discovered that an organized
hacking ring in China has been targeting his company’s research and development
department. If these hackers have been able to uncover his company’s research findings,
this means they probably have access to his company’s intellectual property. Josh thinks
that an e-mail server in his company’s DMZ may have been successfully compromised
and a rootkit loaded.
1. Based upon this scenario, what is most likely the biggest risk Josh’s company
needs to be concerned with?
A. Market share drop if the attackers are able to bring the specific product to
market more quickly than Josh’s company.
B. Confidentiality of e-mail messages. Attackers may post all captured e-mail
messages to the Internet.
C. Impact on reputation if the customer base finds out about the attack.
D. Depth of infiltration of attackers. If attackers have compromised other
systems, more confidential data could be at risk.
2. The attackers in this situation would be seen as which of the following?
A. Vulnerability
B. Threat
C. Risk
D. Threat agent
3. If Josh is correct in his assumptions, which of the following best describes the
vulnerability, threat, and exposure, respectively?
A. E-mail server is hardened, an entity could exploit programming code flaw,
server is compromised and leaking data.
B. E-mail server is not patched, an entity could exploit a vulnerability, server is
hardened.
C. E-mail server misconfiguration, an entity could exploit misconfiguration,
server is compromised and leaking data.
D. DMZ firewall misconfiguration, an entity could exploit misconfiguration,
internal e-mail server is compromised.
313
26-AppA.indd 1155 06/09/21 1:35 PM

4. Aaron is a security manager who needs to develop a solution to allow his company’s
mobile devices to be authenticated in a standardized and centralized manner using
digital certificates. The applications these mobile clients use require a TCP
connection. Which of the following is the best solution for Aaron to implement?
A. TACACS+
B. RADIUS
C. Diameter
D. Mobile IP
5. Terry is a security manager for a credit card processing company. His company uses
internal DNS servers, which are placed within the LAN, and external DNS servers,
which are placed in the DMZ. The company also relies on DNS servers provided by
its service provider. Terry has found out that attackers have been able to manipulate
several DNS server caches to point employee traffic to malicious websites. Which of
the following best describes the solution this company should implement?
A. IPSec
B. PKI
C. DNSSEC
D. MAC-based security
6. Which of the following is not a key provision of the GDPR?
A. Requirement for consent from data subjects
B. Right to be informed
C. Exclusion for temporary workers
D. Right to be forgotten
7. Jane is suspicious that an employee is sending sensitive data to one of the company’s
competitors but is unable to confirm this. The employee has to use this data for
daily activities, thus it is difficult to properly restrict the employee’s access rights.
In this scenario, which best describes the company’s vulnerability, threat, risk,
and necessary control?
A. Vulnerability is employee access rights, threat is internal entities misusing
privileged access, risk is the business impact of data loss, and the necessary
control is detailed network traffic monitoring.
B. Vulnerability is lack of user monitoring, threat is internal entities misusing
privileged access, risk is the business impact of data loss, and the necessary
control is detailed user activity logs.
C. Vulnerability is employee access rights, threat is internal employees misusing
privileged access, risk is the business impact of confidentiality, and the
necessary control is multifactor authentication.
D. Vulnerability is employee access rights, threat is internal users misusing
privileged access, risk is the business impact of confidentiality, and the
necessary control is CCTV.
314
26-AppA.indd 1156 06/09/21 1:35 PM

8. Which of the following best describes what role-based access control offers
organizations in reducing administrative burdens?
A. It allows entities closer to the resources to make decisions about who can and
cannot access resources.
B. It provides a centralized approach for access control, which frees up
department managers.
C. User membership in roles can be easily revoked and new ones established as
job assignments dictate.
D. It enforces an enterprise-wide security policy, standards, and guidelines.
9. Mark works for a large corporation operating in multiple countries worldwide.
He is reviewing his company’s policies and procedures dealing with data breaches.
Which of the following is an issue that he must take into consideration?
A. Each country may or may not have unique notification requirements.
B. All breaches must be announced to affected parties within 24 hours.
C. Breach notification is a “best effort” process and not a guaranteed process.
D. Breach notifications are avoidable if all PII is removed from data stores.
10. A software development company released a product that committed several
errors that were not expected once deployed in their customers’ environments.
All of the software code went through a long list of tests before being released.
The team manager found out that after a small change was made to the code, the
program was not tested before it was released. Which of the following tests was
most likely not conducted?
A. Unit
B. Compiled
C. Integration
D. Regression
11. Which of the following should not be considered as part of the supply chain risk
management process for a smartphone manufacturer?
A. Hardware Trojans inserted by downstream partners
B. ISO/IEC 27001
C. Hardware Trojans inserted by upstream partners
D. NIST Special Publication 800-161
12. Data sovereignty is increasingly becoming an issue that most of us in cybersecurity
should address within our organizations. What does the term data sovereignty mean?
A. Certain types of data concerning a country’s citizens must be stored and
processed in that country.
B. Data on a country’s citizens must be stored and processed according to that
country’s laws, regardless of where the storing/processing takes place.
315
26-AppA.indd 1157 06/09/21 1:35 PM

C. Certain types of data concerning a country’s citizens are the sovereign

property of that data subject.
D. Data on a country’s citizens must never cross the sovereign borders of another
country.
Use the following scenario to answer Questions 13–15. Jack has just been hired as the
security officer for a large hospital system. The organization develops some of its own
proprietary applications. The organization does not have as many layers of controls when
it comes to the data processed by these applications, since it is assumed that external
entities will not understand the internal logic of the applications. One of the first things
that Jack wants to carry out is a risk assessment to determine the organization’s current
risk profile. He also tells his boss that the hospital should become ISO certified to bolster
its customers’ and partners’ confidence in its risk management processes.
13. Which of the following approaches has been implemented in this scenario?
A. Defense-in-depth
B. Security through obscurity
C. Information security management system
D. ISO/IEC 27001
14. Which ISO/IEC standard would be best for Jack to follow to meet his goals?
A. ISO/IEC 27001
B. ISO/IEC 27004
C. ISO/IEC 27005
D. ISO/IEC 27006
15. Which standard should Jack suggest to his boss for compliance with best practices
regarding storing and processing sensitive medical information?
A. ISO/IEC 27004
B. ISO/IEC 27001
C. ISO/IEC 27799
D. ISO/IEC 27006
16. You just received an e-mail from one of your hardware manufacturers notifying
you that it will no longer manufacture a certain product and, after the end of the
year, you won’t be able to send it in for repairs, buy spare parts, or get technical
assistance from that manufacturer. What term describes this?
A. End-of-support (EOS)
B. End-of-service-life (EOSL)
C. Deprecation
D. End-of-life (EOL)
316
26-AppA.indd 1158 06/09/21 1:35 PM

17. The confidentiality of sensitive data is protected in different ways depending on

the state of the data. Which of the following is the best approach to protecting
data in transit?
A. SSL
B. VPN
C. IEEE 802.1X
D. Whole-disk encryption
18. Your boss asks you to put together a report describing probable adverse effects on
your assets caused by specific threat sources. What term describes this?
A. Risk analysis
B. Threat modeling
C. Attack trees
D. MITRE ATT&CK
19. A(n) __________ is the graphical representation of data commonly used on
websites. It is a skewed representation of characteristics a person must enter to prove
that the subject is a human and not an automated tool, as in a software robot.
A. anti-spoofing symbol
B. CAPTCHA
C. spam anti-spoofing symbol
D. CAPCHAT
20. Mark has been asked to interview individuals to fulfill a new position in
his company, chief privacy officer (CPO). What is the function of this type of
position?
A. Ensuring that company financial information is correct and secure
B. Ensuring that customer, company, and employee data is protected
C. Ensuring that security policies are defined and enforced
D. Ensuring that partner information is kept safe
21. A risk management program must be developed properly and in the right sequence.
Which of the following provides the correct sequence for the steps listed?
i. Develop a risk management team.
ii. Calculate the value of each asset.
iii. Identify the vulnerabilities and threats that can affect the identified assets.
iv. Identify company assets to be assessed.
A. i, iii, ii, iv
B. ii, i, iv, iii
C. iii, i, iv, ii
D. i, iv, ii, iii
317
26-AppA.indd 1159 06/09/21 1:35 PM

22. Juan needs to assess the performance of a critical web application that his
company recently upgraded. Some of the new features are very profitable, but
not frequently used. He wants to ensure that the user experience is positive, but
doesn’t want to wait for the users to report problems. Which of the following
techniques should Juan use?
A. Real user monitoring
B. Synthetic transactions
C. Log reviews
D. Management review
23. Which of the following best describes a technical control for dealing with the
risks presented by data remanence?
A. Encryption
B. Data retention policies
C. File deletion
D. Using solid-state drives (SSDs)
24. George is the security manager of a large bank, which provides online banking
and other online services to its customers. George has recently found out that
some of the bank’s customers have complained about changes to their bank
accounts that they did not make. George worked with the security team and
found out that all changes took place after proper authentication steps were
completed. Which of the following describes what most likely took place in
this situation?
A. Web servers were compromised through cross-scripting attacks.
B. TLS connections were decrypted through a man-in-the-middle attack.
C. Personal computers were compromised with malware that installed
keyloggers.
D. Web servers were compromised and masquerading attacks were carried out.
25. Internet Protocol Security (IPSec) is actually a suite of protocols. Each protocol
within the suite provides different functionality. Which of the following is not a
function or characteristic of IPSec?
A. Encryption
B. Link layer protection
C. Authentication
D. Protection of packet payloads and the headers
318
26-AppA.indd 1160 06/09/21 1:35 PM

26. In what order would a typical PKI perform the following transactions?
i. Receiver decrypts and obtains session key.
ii. Public key is verified.
iii. Public key is sent from a public directory.
iv. Sender sends a session key encrypted with receiver’s public key.
A. iv, iii, ii, i
B. ii, i, iii, iv
C. iii, ii, iv, i
D. ii, iv, iii, i
Use the following scenario to answer Questions 27–28. Tim is the CISO for a large
distributed financial investment organization. The company’s network is made up of
different network devices and software applications, which generate their own proprietary
logs and audit data. Tim and his security team have become overwhelmed with trying
to review all of the log files when attempting to identify if anything suspicious is taking
place within the network. Another issue Tim’s team needs to deal with is that many of
the network devices have automated IPv6-to-IPv4 tunneling enabled by default, which
is not what the organization needs.
27. Which of the following is the best solution to Tim’s difficulties handling the
quantity and diversity of logs and audit data?
A. Event correlation tools
B. Intrusion detection systems
C. Security information and event management
D. Hire more analysts
28. How could Tim best address the IP version issue described in the scenario?
A. Change management
B. Zero trust
C. Converged protocols
D. Configuration management
29. Which of the following is not a concern of a security professional considering
adoption of Internet of Things (IoT) devices?
A. Weak or nonexistent authentication mechanisms
B. Vulnerability of data at rest and data in motion
C. Difficulty of deploying patches and updates
D. High costs associated with connectivity
319
26-AppA.indd 1161 06/09/21 1:35 PM

30. What is an advantage of microservices compared to traditional server-based

architectures?
A. Web services support
B. Security
C. Scalability
D. Database connectivity
31. __________, a declarative access control policy language implemented in XML
and a processing model, describes how to interpret security policies. __________
is an XML-based language that allows for the exchange of provisioning data
between applications, which could reside in one organization or many.
A. Service Provisioning Markup Language (SPML), Extensible Access Control
Markup Language (XACML)
B. Extensible Access Control Markup Language (XACML), Service Provisioning
Markup Language (SPML)
C. Extensible Access Control Markup Language (XACML), Security Assertion
Markup Language (SAML)
D. Security Assertion Markup Language (SAML), Service Provisioning Markup
Language (SPML)
32. Doors configured in fail-safe mode assume what position in the event of a power
failure?
A. Open and locked
B. Closed and locked
C. Closed and unlocked
D. Open
33. Next-generation firewalls combine the best attributes of other types of firewalls.
Which of the following is not a common characteristic of these firewall types?
A. Integrated intrusion prevention system
B. Sharing signatures with cloud-based aggregators
C. Automated incident response
D. High cost
34. The purpose of security awareness training is to expose personnel to security issues
so that they may be able to recognize them and better respond to them. Which of
the following is not normally a topic covered in security awareness training?
A. Social engineering
B. Phishing
C. Whaling
D. Trolling
320
26-AppA.indd 1162 06/09/21 1:35 PM

Use the following scenario to answer Questions 35–36. Zack is a security consultant who
has been hired to help an accounting company improve some of its current e-mail
security practices. The company wants to ensure that when its clients send the company
accounting files and data, the clients cannot later deny sending these messages. The
company also wants to integrate a more granular and secure authentication method for
its current mail server and clients.
35. Which of the following best describes how client messages can be dealt with and
addresses the first issue outlined in the scenario?
A. The company needs to integrate a public key infrastructure and the Diameter
protocol.
B. The company needs to require that clients encrypt messages with their public
key before sending them to the company.
C. The company needs to have all clients sign a formal document outlining
nonrepudiation requirements.
D. The company needs to require that clients digitally sign messages that contain
financial information.
36. Which of the following would be the best solution to integrate to meet the
authentication requirements outlined in the scenario?
A. TLS
B. IPSec
C. 802.1X
D. SASL
37. Which of the following is not considered a secure coding practice?
A. Validate user inputs
B. Default deny
C. Defense in depth
D. High (tight) coupling
38. A __________ is the amount of time it should take to recover from a disaster,
and a __________ is the amount of data, measured in time, that can be lost and
be tolerable from that same event.
A. recovery time objective, recovery point objective
B. recovery point objective, recovery time objective
C. maximum tolerable downtime, work recovery time
D. work recovery time, maximum tolerable downtime
321
26-AppA.indd 1163 06/09/21 1:35 PM

39. Mary is doing online research about prospective employers and discovers a way to
compromise a small company’s personnel files. She decides to take a look around,
but does not steal any information. Is she still committing a crime even if she
does not steal any of the information?
A. No, since she does not steal any information, she is not committing a crime.
B. Probably, because she has gained unauthorized access.
C. Not if she discloses the vulnerability she exploited to the company.
D. Yes, she could jeopardize the system without knowing it.
40. In the structure of Extensible Access Control Markup Language (XACML), a
Subject element is the __________, a Resource element is the __________, and
an Action element is the __________.
A. requesting entity, requested entity, types of access
B. requested entity, requesting entity, types of access
C. requesting entity, requested entity, access control
D. requested entity, requesting entity, access control
41. The Mobile IP protocol allows location-independent routing of IP datagrams on
the Internet. Each mobile node is identified by its __________, disregarding its
current location in the Internet. While away from its home network, a mobile
node is associated with a __________.
A. prime address, care-of address
B. home address, care-of address
C. home address, secondary address
D. prime address, secondary address
42. Because she has many different types of security products and solutions, Joan
wants to purchase a product that integrates her many technologies into one user
interface. She would like her staff to analyze all security alerts from the same
application environment. Which of the following would best fit Joan’s needs?
A. Dedicated appliance
B. Data analytics platform
C. Hybrid IDS\IPS integration
D. Security information and event management (SIEM)
43. When classifying an information asset, which of the following is true concerning
its sensitivity?
A. It is commensurate with how its loss would impact the fundamental business
processes of the organization.
B. It is determined by its replacement cost.
322
26-AppA.indd 1164 06/09/21 1:35 PM

C. It is determined by the product of its replacement cost and the probability of

its compromise.
D. It is commensurate with the losses to an organization if it were revealed to
unauthorized individuals.
44. Which of the following is an international organization that helps different
governments come together and tackle the economic, social, and governance
challenges of a globalized economy and provides guidelines on the protection of
privacy and transborder flows of personal data rules?
A. Council of Global Convention on Cybercrime
B. Council of Europe Convention on Cybercrime
C. Organisation for Economic Co-operation and Development
D. Organisation for Cybercrime Co-operation and Development
45. System ports allow different computers to communicate with each other’s services
and protocols. The Internet Assigned Numbers Authority (IANA) has assigned
registered ports to be __________ and dynamic ports to be __________.
A. 0–1024, 49152–65535
B. 1024–49151, 49152–65535
C. 1024–49152, 49153–65535
D. 0–1024, 1025–49151
46. When conducting a quantitative risk analysis, items are gathered and assigned
numeric values so that cost/benefit analysis can be carried out. Which of the
following formulas could be used to understand the value of a safeguard?
A. (ALE before implementing safeguard) – (ALE after implementing safeguard) –
(annual cost of safeguard) = value of safeguard to the organization
B. (ALE before implementing safeguard) – (ALE during implementing safeguard) –
C. (ALE before implementing safeguard) – (ALE while implementing safeguard) –
D. (ALE before implementing safeguard) – (ALE after implementing safeguard) –
(annual cost of asset) = value of safeguard to the organization
47. Patty is giving a presentation next week to the executive staff of her company. She
wants to illustrate the benefits of the company using specific cloud computing
solutions. Which of the following does not properly describe one of these benefits
or advantages?
A. Organizations have more flexibility and agility in IT growth and functionality.
B. Cost of computing can be increased since it is a shared delivery model.
323
26-AppA.indd 1165 06/09/21 1:35 PM

C. Location independence can be achieved because the computing is not

centralized and tied to a physical data center.
D. Scalability and elasticity of resources can be accomplished in near real-time
through automation.
Use the following scenario to answer Questions 48–49. Francisca is the new manager of
the in-house software designers and programmers. She has been telling her team that
before design and programming on a new product begins, a formal architecture needs
to be developed. She also needs this team to understand security issues as they pertain to
software design. Francisca has shown the team how to follow a systematic approach that
allows them to understand different ways in which the software products they develop
could be compromised by specific threat actors.
48. Which of the following best describes what an architecture is in the context of
this scenario?
A. Tool used to conceptually understand the structure and behavior of a complex
entity through different views
B. Formal description and representation of a system and the components that
make it up
C. Framework used to create individual architectures with specific views
D. Framework that is necessary to identify needs and meet all of the stakeholder
requirements
49. Which of the following best describes the approach Francisca has shown her team
as outlined in the scenario?
A. Attack surface analysis
B. Threat modeling
C. Penetration testing
D. Double-blind penetration testing
50. Barry was told that the IDS product that is being used on the network has
heuristic capabilities. Which of the following best describes this functionality?
A. Gathers packets and reassembles the fragments before assigning anomaly values
B. Gathers data and assesses the likelihood of it being malicious in nature
C. Gathers packets and compares their payload values to a signature engine
D. Gathers packet headers to determine if something suspicious is taking place
within the network traffic
324
26-AppA.indd 1166 06/09/21 1:35 PM

51. Bringing in third-party auditors has advantages over using an internal team.
Which of the following is not true about using external auditors?
A. They are required by certain governmental regulations.
B. They bring experience gained by working in many other organizations.
C. They know the organization’s processes and technology better than anyone else.
D. They are less influenced by internal culture and politics.
52. Don is a senior manager of an architectural firm. He has just found out that a key
contract was renewed, allowing the company to continue developing an operating
system that was idle for several months. Excited to get started, Don begins work
on the operating system privately, but cannot tell his staff until the news is
announced publicly in a few days. However, as Don begins making changes in
the software, various staff members notice changes in their connected systems,
even though they have a lower security level than Don. What kind of model
could be used to ensure this does not happen?
A. Biba
B. Bell-LaPadula
C. Noninterference
D. Clark-Wilson
53. Betty has received several e-mail messages from unknown sources that try and
entice her to click a specific link using a “Click Here” approach. Which of the
following best describes what is most likely taking place in this situation?
A. DNS pharming attack
B. Embedded hyperlink is obfuscated
C. Malware back-door installation
D. Bidirectional injection attack
54. Rebecca is an internal auditor for a large retail company. The company has a
number of web applications that run critical business processes with customers
and partners around the world. Her company would like to ensure the security
of technical controls on these processes. Which of the following would not be
a good approach to auditing these technical controls?
A. Log reviews
B. Code reviews
C. Personnel background checks
D. Misuse case testing
325
26-AppA.indd 1167 06/09/21 1:35 PM

55. Which of the following multiplexing technologies analyzes statistics related to

the typical workload of each input device and makes real-time decisions on how
much time each device should be allocated for data transmission?
A. Time-division multiplexing
B. Wave-division multiplexing
C. Frequency-division multiplexing
D. Statistical time-division multiplexing
56. In a VoIP environment, the Real-time Transport Protocol (RTP) and RTP Control
Protocol (RTCP) are commonly used. Which of the following best describes the
difference between these two protocols?
A. RTCP provides a standardized packet format for delivering audio and video
over IP networks. RTP provides out-of-band statistics and control information
to provide feedback on QoS levels.
B. RTP provides a standardized packet format for delivering data over IP networks.
RTCP provides control information to provide feedback on QoS levels.
C. RTP provides a standardized packet format for delivering audio and video over
MPLS networks. RTCP provides control information to provide feedback on
QoS levels.
D. RTP provides a standardized packet format for delivering audio and video over
IP networks. RTCP provides out-of-band statistics and control information to
provide feedback on QoS levels.
57. Which of the following is not descriptive of an edge computing architecture?
A. It eliminates the need for cloud infrastructure.
B. Processing and storage assets are close to where they’re needed.
C. It reduces latency and network traffic.
D. It typically has three layers.
58. Which cryptanalytic attack method is characterized by the identification of
statistically significant patterns in the ciphertext generated by a cryptosystem?
A. Differential attack
B. Implementation attack
C. Frequency analysis
D. Side-channel attack
59. IPSec’s main protocols are AH and ESP. Which of the following services does
AH provide?
A. Confidentiality and authentication
B. Confidentiality and availability
C. Integrity and accessibility
D. Integrity and authentication
326
26-AppA.indd 1168 06/09/21 1:35 PM

60. When multiple databases exchange transactions, each database is updated. This
can happen many times and in many different ways. To protect the integrity of
the data, databases should incorporate a concept known as an ACID test. What
does this acronym stand for?
A. Availability, confidentiality, integrity, durability
B. Availability, consistency, integrity, durability
C. Atomicity, confidentiality, isolation, durability
D. Atomicity, consistency, isolation, durability
Use the following scenario to answer Questions 61–63. Jim works for a large energy company.
His senior management just conducted a meeting with Jim’s team with the purpose
of reducing IT costs without degrading their security posture. The senior management
decided to move all administrative systems to a cloud provider. These systems are
proprietary applications currently running on Linux servers.
61. Which of the following services would allow Jim to transition all administrative
custom applications to the cloud while leveraging the service provider for security
and patching of the cloud platforms?
A. IaaS
B. PaaS
C. SaaS
D. IDaaS
62. Which of the following would not be an issue that Jim would have to consider in
transitioning administrative services to the cloud?
A. Privacy and data breach laws in the country where the cloud servers are
located
B. Loss of efficiencies, performance, reliability, scalability, and security
C. Security provisions in the terms of service
D. Total cost of ownership compared to the current systems
63. Which of the following secure design principles would be most important to
consider as Jim plans the transition to the cloud?
A. Defense in depth
B. Secure defaults
C. Shared responsibility
D. Zero trust
327
26-AppA.indd 1169 06/09/21 1:35 PM

64. A group of software designers are at a stage in their software development project
where they need to reduce the amount of code running, reduce entry points
available to untrusted users, reduce privilege levels as much as possible, and
eliminate unnecessary services. Which of the following best describes the first step
the team needs to carry out to accomplish these tasks?
A. Attack surface analysis
B. Software development life cycle
C. Risk assessment
D. Unit testing
65. Jenny needs to engage a new software development company to create her company’s
internal banking software. The software needs to be created specifically for her
company’s environment, so it must be proprietary in nature. Which of the following
would be useful for Jenny to use as a gauge to determine how advanced the various
software development companies are in their processes?
A. Waterfall methodology
B. Capability Maturity Model Integration level
C. Auditing results
D. Key performance metrics
66. Which type of organization would be likeliest to implement Virtual eXtensible
Local Area Network (VxLAN) technology?
A. Organizations that need to support more than 2,048 VLANs
B. Small and medium businesses
C. Organizations with hosts in close proximity to each other
D. Cloud service providers with hundreds of customers
67. Kerberos is a commonly used access control and authentication technology. It is
important to understand what the technology can and cannot do and its potential
downfalls. Which of the following is not a potential security issue that must be
addressed when using Kerberos?
i. The KDC can be a single point of failure.
ii. The KDC must be scalable.
iii. Secret keys are temporarily stored on the users’ workstations.
iv. Kerberos is vulnerable to password guessing.
A. i, iv
B. iii
C. All of them
D. None of them
328
26-AppA.indd 1170 06/09/21 1:35 PM

68. If the annualized loss expectancy (ALE) for a specific asset is $100,000, and after
implementation of a control to safeguard the asset the new ALE is $45,000 and the
annual cost of the control is $30,000, should the company implement this control?
A. Yes
B. No
C. Not enough information
D. Depends on the annualized rate of occurrence (ARO)
69. ISO/IEC 27000 is a growing family of ISO/IEC information security management
system (ISMS) standards. Which of the following provides an incorrect mapping
of the individual standard number to its description?
A. ISO/IEC 27002: Code of practice for information security controls
B. ISO/IEC 27003: ISMS implementation guidance
C. ISO/IEC 27004: ISMS monitoring, measurement, analysis, and evaluation
D. ISO/IEC 27005: ISMS auditing guidelines
70. Yazan leads the IT help desk at a large manufacturing company. He is concerned
about the amount of time his team spends resetting passwords for the various
accounts that each of his organizational users has. All of the following would be
good approaches to alleviating this help desk load except which one?
A. Single sign-on (SSO)
B. Just-in-time (JIT) access
C. Password managers
D. Self-service password reset
71. Encryption and decryption can take place at different layers of an operating
system, application, and network stack. End-to-end encryption happens within
the __________. IPSec encryption takes place at the __________ layer. PPTP
encryption takes place at the __________ layer. Link encryption takes place at
the __________ and __________ layers.
A. applications, transport, data link, data link, physical
B. applications, transport, network, data link, physical
C. applications, network, data link, data link, physical
D. network, transport, data link, data link, physical
72. Which of the following best describes the difference between hierarchical storage
management (HSM) and storage area network (SAN) technologies?
A. HSM uses optical or tape jukeboxes, and SAN is a network of connected
storage systems.
B. SAN uses optical or tape jukeboxes, and HSM is a network of connected
storage systems.
329
26-AppA.indd 1171 06/09/21 1:35 PM

C. HSM and SAN are one and the same. The difference is in the implementation.
D. HSM uses optical or tape jukeboxes, and SAN is a standard of how to develop
and implement this technology.
73. Which legal system is characterized by its reliance on previous interpretations of
the law?
A. Tort
B. Customary
C. Common
D. Civil (code)
74. In order to be admissible in court, evidence should normally be which of the
following?
A. Subpoenaed
B. Relevant
C. Motioned
D. Adjudicated
75. Which type of authorization mechanism can incorporate historical data into its
access control decision-making in real time?
A. Rule-based access control
B. Risk-based access control
C. Attribute-based access control
D. Discretionary access control
76. Which of the following is an XML-based protocol that defines the schema of
how web service communication takes place over HTTP transmissions?
A. Service-Oriented Protocol
B. Active X Protocol
C. SOAP
D. Web Ontology Language
77. Which of the following has an incorrect definition mapping?
i. Operationally Critical Threat, Asset, and Vulnerability Evaluation
(OCTAVE) Team-oriented approach that assesses organizational and IT
risks through facilitated workshops
ii. Facilitated Risk Analysis Process (FRAP) Stresses prescreening activities so
that the risk assessment steps are only carried out on the item(s) that need(s)
it the most
iii. ISO/IEC 27005 International standard for the implementation of a
risk management program that integrates into an information security
management system (ISMS)
330
26-AppA.indd 1172 06/09/21 1:35 PM

iv. Failure Modes and Effect Analysis (FMEA) Approach that dissects a
component into its basic functions to identify flaws and those flaws’ effects
v. Fault tree analysis Approach to map specific flaws to root causes in complex
systems
A. None of them
B. ii
C. iii, iv
D. v
78. For an enterprise security architecture to be successful in its development and
implementation, which of the following items must be understood and followed?
i. Strategic alignment
ii. Process enhancement
iii. Business enablement
iv. Security effectiveness
A. i, ii
B. ii, iii
C. i, ii, iii, iv
D. iii, iv
79. Which of the following best describes the purpose of the Organisation for
Economic Co-operation and Development (OECD)?
A. An international organization where member countries come together
and tackle the economic, social, and governance challenges of a globalized
economy
B. A national organization that helps different governments come together and
tackle the economic, social, and governance challenges of a globalized economy
C. A United Nations body that regulates economic, social, and governance issues
of a globalized economy
D. A national organization that helps different organizations come together and
tackle the economic, social, and governance challenges of a globalized economy
80. Many enterprise architecture models have been developed over the years for
specific purposes. Some of them can be used to provide structure for information
security processes and technology to be integrated throughout an organization.
Which of the following provides an incorrect mapping between the architecture
type and the associated definition?
A. Zachman Framework Model and methodology for the development of
information security enterprise architectures
B. TOGAF Model and methodology for the development of enterprise
architectures developed by The Open Group
331
26-AppA.indd 1173 06/09/21 1:35 PM

C. DoDAF U.S. Department of Defense architecture framework that ensures

interoperability of systems to meet military mission goals
D. SABSA Framework and methodology for enterprise security architecture and
service management
81. Which of the following best describes the difference between the role of the
ISO/IEC 27000 series and COBIT?
A. COBIT provides a high-level overview of security program requirements,
while the ISO/IEC 27000 series provides the objectives of the individual
security controls.
B. The ISO/IEC 27000 series provides a high-level overview of security
program requirements, while COBIT maps IT goals to enterprise goals to
stakeholder needs.
C. COBIT is process oriented, and the ISO/IEC 27000 series is solution oriented.
D. The ISO/IEC 27000 series is process oriented, and COBIT is solution oriented.
82. The Capability Maturity Model Integration (CMMI) approach is being used
more frequently in security program and enterprise development. Which of the
following provides an incorrect characteristic of this model?
A. It provides a pathway for how incremental improvement can take place.
B. It provides structured steps that can be followed so an organization can evolve
from one level to the next and constantly improve its processes.
C. It was created for process improvement and developed by Carnegie Mellon.
D. It was built upon the SABSA model.
83. If Jose wanted to use a risk assessment methodology across the entire organization
and allow the various business owners to identify risks and know how to deal
with them, what methodology would he use?
A. Qualitative
B. COBIT
C. FRAP
D. OCTAVE
84. Information security is a field that is maturing and becoming more organized and
standardized. Organizational security models should be based on an enterprise
architecture framework. Which of the following best describes what an enterprise
architecture framework is and why it would be used?
A. Mathematical model that defines the secure states that various software
components can enter and still provide the necessary protection
B. Conceptual model that is organized into multiple views addressing each of
the stakeholder’s concerns
332
26-AppA.indd 1174 06/09/21 1:35 PM

C. Business enterprise framework that is broken down into six conceptual levels
to ensure security is deployed and managed in a controllable manner
D. Enterprise framework that allows for proper security governance
85. Which of the following provides a true characteristic of a fault tree analysis?
A. Fault trees are assigned qualitative values to faults that can take place over a
series of business processes.
B. Fault trees are assigned failure mode values.
C. Fault trees are labeled with actual numbers pertaining to failure probabilities.
D. Fault trees are used in a stepwise approach to software debugging.
86. It is important that organizations ensure that their security efforts are effective
and measurable. Which of the following is not a common method used to track
the effectiveness of security efforts?
A. Service level agreement
B. Return on investment
C. Balanced scorecard system
D. Provisioning system
87. Capability Maturity Model Integration (CMMI) is a process improvement
approach that is used to help organizations improve their performance. The
CMMI model may also be used as a framework for appraising the process maturity
of the organization. Which of the following is an incorrect mapping of the levels
that may be assigned to an organization based upon this model?
i. Maturity Level 2 – Managed or Repeatable
ii. Maturity Level 3 – Defined
iii. Maturity Level 4 – Quantitatively Managed
iv. Maturity Level 5 – Optimizing
A. i
B. i, ii
C. All of them
D. None of them
88. An organization’s information systems risk management (ISRM) policy should
address many items to provide clear direction and structure. Which of the
following is not a core item that should be covered in this type of policy?
i. The objectives of the ISRM team
ii. The level of risk the organization will accept and what is considered an
acceptable level of risk
iii. Formal processes of risk identification
333
26-AppA.indd 1175 06/09/21 1:35 PM

iv. The connection between the ISRM policy and the organization’s strategic
planning processes
v. Responsibilities that fall under ISRM and the roles to fulfill them
vi. The mapping of risk to specific physical controls
vii. The approach toward changing staff behaviors and resource allocation in
response to risk analysis
viii. The mapping of risks to performance targets and budgets
ix. Key metrics and performance indicators to monitor the effectiveness of
controls
A. ii, v, ix
B. vi
C. v
D. vii, ix
89. More organizations are outsourcing supporting functions to allow them to
focus on their core business functions. Organizations use hosting companies
to maintain websites and e-mail servers, service providers for various
telecommunication connections, disaster recovery companies for co-location
capabilities, cloud computing providers for infrastructure or application services,
developers for software creation, and security companies to carry out vulnerability
management. Which of the following items should be included during the
analysis of an outsourced partner or vendor?
i. Conduct onsite inspection and interviews
ii. Review contracts to ensure security and protection levels are agreed upon
iii. Ensure service level agreements are in place
iv. Review internal and external audit reports and third-party reviews
v. Review references and communicate with former and existing customers
A. ii, iii, iv
B. iv, v
C. All of them
D. i, ii, iii
90. Which of the following is normally not an element of e-discovery?
A. Identification
B. Preservation
C. Production
D. Remanence
334
26-AppA.indd 1176 06/09/21 1:35 PM

91. A financial institution has developed its internal security program based upon the
ISO/IEC 27000 series. The security officer has been told that metrics need to be
developed and integrated into this program so that effectiveness can be gauged.
Which of the following standards should be followed to provide this type of
guidance and functionality?
A. ISO/IEC 27002
B. ISO/IEC 27003
C. ISO/IEC 27004
D. ISO/IEC 27005
92. Which of the following is not an advantage of using content distribution
networks?
A. Improved responsiveness to regional users
B. Resistance to ARP spoofing attacks
C. Customization of content for regional users
D. Resistance to DDoS attacks
93. Sana has been asked to install a cloud access security broker (CASB) product for
her company’s environment. What is the best description for what CASBs are
commonly used for?
A. Monitor end-user behavior and enforce policies across cloud services
B. Provision secure cloud services
C. Enforce access controls to cloud services through X.500 databases
D. Protect cloud services from certain types of attacks
94. Which of the following allows a user to be authenticated across multiple IT
systems and enterprises?
A. Single sign-on (SSO)
B. Session management
C. Federated identity
D. Role-based access control (RBAC)
95. Which of the following is a true statement pertaining to markup languages?
A. Hypertext Markup Language (HTML) came from Generalized Markup
Language (GML), which came from Standard Generalized Markup
Language (SGML).
B. Hypertext Markup Language (HTML) came from Standard Generalized
Markup Language (SGML), which came from Generalized Markup
Language (GML).
335
26-AppA.indd 1177 06/09/21 1:35 PM

C. Standard Generalized Markup Language (SGML) came from Hypertext Markup

Language (HTML), which came from Generalized Markup Language (GML).
D. Standard Generalized Markup Language (SGML) came from Generalized
Markup Language (GML), which came from Hypertext Markup Language
(HTML).
96. What is Extensible Markup Language (XML) and why was it created?
A. A specification that provides a structure for creating other markup languages
and still allow for interoperability
B. A specification that is used to create static and dynamic websites
C. A specification that outlines a detailed markup language dictating all formats
of all companies that use it
D. A specification that does not allow for interoperability for the sake of security
97. Which access control policy is based on the necessary operations and tasks users
need to fulfill their responsibilities within an organization and allows for implicit
permission inheritance using a nondiscretionary model?
A. Rule-based
B. Role-based
C. Identity-based
D. Mandatory
98. Which of the following centralized access control protocols would a security
professional choose if her network consisted of multiple protocols, including
Mobile IP, and had users connecting via wireless and wired transmissions?
A. RADIUS
B. TACACS+
C. Diameter
D. Kerberos
99. Javad is the security administrator at a credit card processing company. The
company has many identity stores, which are not properly synchronized. Javad is
going to oversee the process of centralizing and synchronizing the identity data
within the company. He has determined that the data in the HR database will
be considered the most up-to-date data, which cannot be overwritten by the
software in other identity stores during their synchronization processes. Which of
the following best describes the role of this database in the identity management
structure of the company?
A. Authoritative system of record
B. Infrastructure source server
C. Primary identity store
D. Hierarchical database primary
336
26-AppA.indd 1178 06/09/21 1:35 PM

100. Proper access control requires a structured user provisioning process. Which of
the following best describes user provisioning?
A. The creation, maintenance, and deactivation of user objects and attributes as
they exist in one or more systems, directories, or applications, in response to
business processes
B. The creation, maintenance, activation, and delegation of user objects and
attributes as they exist in one or more systems, directories, or applications, in
response to compliance processes
C. The maintenance of user objects and attributes as they exist in one or more
systems, directories, or applications, in response to business processes
D. The creation and deactivation of user objects and attributes as they exist in one
or more systems, directories, or applications, in response to business processes
101. Which of the following protocols would an Identity as a Service (IDaaS) provider
use to authenticate you to a third party?
A. Diameter
B. OAuth
C. Kerberos
D. OpenID Connect
102. Johana needs to ensure that her company’s application can accept provisioning
data from the company’s partner’s application in a standardized method. Which
of the following best describes the technology that Johana should implement?
A. Service Provisioning Markup Language
B. Extensible Provisioning Markup Language
C. Security Assertion Markup Language
D. Security Provisioning Markup Language
103. Lynn logs into a website and purchases an airline ticket for her upcoming trip.
The website also offers her pricing and package deals for hotel rooms and
rental cars while she is completing her purchase. The airline, hotel, and rental
companies are all separate and individual companies. Lynn decides to purchase
her hotel room through the same website at the same time. The website is
using Security Assertion Markup Language to allow for this type of federated
identity management functionality. In this example which entity is the principal,
which entity is the identity provider, and which entity is the service provider,
respectively?
A. Portal, Lynn, hotel company
B. Lynn, airline company, hotel company
C. Lynn, hotel company, airline company
D. Portal, Lynn, airline company
337
26-AppA.indd 1179 06/09/21 1:35 PM

104. John is the new director of software development within his company. Several
proprietary applications offer individual services to the employees, but the
employees have to log into each and every application independently to gain access
to these discrete services. John would like to provide a way that allows each of the
services provided by the various applications to be centrally accessed and controlled.
Which of the following best describes the architecture that John should deploy?
A. Service-oriented architecture
B. Web services architecture
C. Single sign-on architecture
D. Hierarchical service architecture
105. Which security model is defined by three main rules: simple security, star
property, and strong star property?
A. Biba
B. Bell-LaPadula
C. Brewer-Nash
D. Noninterference
106. Khadijah is leading a software development team for her company. She knows
the importance of conducting an attack surface analysis and developing a threat
model. During which phase of the software development life cycle should she
perform these actions?
A. Requirements gathering
B. Testing and validation
C. Release and maintenance
D. Design
107. Bartosz is developing a new web application for his marketing department. One
of the requirements for the software is that it allows users to post specific content
to LinkedIn and Twitter directly from the web app. Which technology would
allow him to do this?
A. OpenID Connect
B. OAuth
C. SSO
D. Federated Identity Management
108. Applications may not work on systems with specific processors. Which of the
following best describes why an application may work on an Intel processor but
not on an AMD processor?
A. The application was not compiled to machine language that is compatible
with the AMD architecture.
B. It is not possible for the same application to run on both Intel and AMD
processors.
338
26-AppA.indd 1180 06/09/21 1:35 PM

C. The application was not compiled to machine language that is compatible

with the Windows architecture.
D. Only applications written in high-level languages will work on different
processor architectures.
109. Which of the following is not true about software libraries?
A. They make software development more efficient through code reuse.
B. They are typically accessed through an application programming interface (API).
C. They almost never introduce vulnerabilities into programs that use them.
D. They are used in most major software development projects.
110. Kim is tasked with testing the security of an application but has no access to its
source code. Which of the following tests could she use in this scenario?
A. Dynamic application security testing
B. Static application security testing
C. Regression testing
D. Code review
111. Hanna is a security manager of a company that relies heavily on one specific
operating system. The operating system is used in the employee workstations and is
embedded within devices that support the automated production line software. She
has uncovered a vulnerability in the operating system that could allow an attacker
to force applications to not release memory segments after execution. Which of the
following best describes the type of threat this vulnerability introduces?
A. Injection attacks
B. Memory corruption
C. Denial of service
D. Software locking
112. Which of the following access control mechanisms gives you the most granularity
in defining access control policies?
A. Attribute-based access control (ABAC)
B. Role-based access control (RBAC)
C. Mandatory access control (MAC)
D. Discretionary access control (DAC)
113. All of the following are weaknesses of Kerberos except which one?
A. Principals don’t trust each other.
B. Only the KDC can vouch for individuals’ identities and entitlements.
C. Secret keys are stored on the users’ workstations temporarily.
D. Susceptibility to password guessing and brute-force attacks.
339
26-AppA.indd 1181 06/09/21 1:35 PM

114. A company needs to implement a CCTV system that will monitor a large area of
the facility. Which of the following is the correct lens combination for this?
A. A wide-angle lens and a small lens opening
B. A wide-angle lens and a large lens opening
C. A wide-angle lens and a large lens opening with a small focal length
D. A wide-angle lens and a large lens opening with a large focal length
115. What is the name of a water sprinkler system that keeps pipes empty and doesn’t
release water until a certain temperature is met and a “delay mechanism” is instituted?
A. Wet
B. Preaction
C. Delayed
D. Dry
116. There are different types of fire suppression systems. Which of the following answers
best describes the difference between a deluge system and a preaction system?
A. A deluge system provides a delaying mechanism that allows someone to
deactivate the system in case of a false alarm or if the fire can be extinguished
by other means. A preaction system provides similar functionality but has
wide open sprinkler heads that allow a lot of water to be dispersed quickly.
B. A preaction system provides a delaying mechanism that allows someone to
by other means. A deluge system has wide open sprinkler heads that allow a
lot of water to be dispersed quickly.
C. A dry pipe system provides a delaying mechanism that allows someone to
by other means. A deluge system has wide open sprinkler heads that allow a
lot of water to be dispersed quickly.
D. A preaction system provides a delaying mechanism that allows someone to
by other means. A deluge system provides similar functionality but has wide
open sprinkler heads that allow a lot of water to be dispersed quickly.
117. Which of the following best describes why Crime Prevention Through
Environmental Design (CPTED) would integrate benches, walkways, and bike
paths into a site?
A. These features are designed to provide natural access control.
B. These features are designed to emphasize or extend the organization’s physical
sphere of influence so legitimate users feel a sense of ownership of that space.
C. These features are designed to make criminals think that those in the site are
more attentive, well resourced, and possibly alert.
D. These features are designed to make criminals feel uncomfortable by
providing many ways observers could potentially see them.
340
26-AppA.indd 1182 06/09/21 1:35 PM

118. Which of the following frameworks is a two-dimensional model that uses six
basic communication interrogatives intersecting with different viewpoints to give
a holistic understanding of the enterprise?
A. SABSA
B. TOGAF
C. CMMI
D. Zachman
119. Not every data transmission incorporates the session layer. Which of the following
best describes the functionality of the session layer?
A. End-to-end data transmission
B. Application client/server communication mechanism in a distributed
environment
C. Application-to-computer physical communication
D. Provides application with the proper syntax for transmission
120. What is the purpose of the Logical Link Control (LLC) layer in the OSI model?
A. Provides a standard interface for the network layer protocol
B. Provides the framing functionality of the data link layer
C. Provides addressing of the packet during encapsulation
D. Provides the functionality of converting bits into electrical signals
121. Which of the following best describes why classless interdomain routing (CIDR)
was created?
A. To allow IPv6 traffic to tunnel through IPv4 networks
B. To allow IPSec to be integrated into IPv4 traffic
C. To allow an address class size to meet an organization’s need
D. To allow IPv6 to tunnel IPSec traffic
122. Johnetta is a security engineer at a company that develops highly confidential
products for various government agencies. Her company has VPNs set up to
protect traffic that travels over the Internet and other nontrusted networks, but
she knows that internal traffic should also be protected. Which of the following is
the best type of approach Johnetta’s company should take?
A. Implement a data link technology that provides 802.1AE security functionality.
B. Implement a network-level technology that provides 802.1AE security
functionality.
C. Implement TLS over L2TP.
D. Implement IPSec over L2TP.
341
26-AppA.indd 1183 06/09/21 1:35 PM

123. IEEE __________ provides a unique ID for a device. IEEE __________

provides data encryption, integrity, and origin authentication functionality. IEEE
__________ carries out key agreement functions for the session keys used for
data encryption. Each of these standards provides specific parameters to work
within an IEEE __________ framework.
A. 802.1AF, 802.1AE, 802.1AR, 802.1X EAP-TLS
B. 802.1AT, 802.1AE, 802.1AM, 802.1X EAP-SSL
C. 802.1AR, 802.1AE, 802.1AF, 802.1X EAP-SSL
D. 802.1AR, 802.1AE, 802.1AF, 802.1X EAP-TLS
124. Under the principle of ethical disclosure, information systems security
professionals must properly disclose __________ to the appropriate parties.
A. Vulnerabilities
B. Threats
C. Exploits
D. Incidents
125. Larry is a seasoned security professional and knows the potential dangers associated
with using an ISP’s DNS server for Internet connectivity. When Larry stays at
a hotel or uses his laptop in any type of environment he does not fully trust, he
updates values in his HOSTS file. Which of the following best describes why Larry
carries out this type of task?
A. Reduces the risk of an attacker sending his system a corrupt ARP address that
points his system to a malicious website
B. Ensures his host-based IDS is properly updated
C. Reduces the risk of an attacker sending his system an incorrect IP address-to-host
mapping that points his system to a malicious website
D. Ensures his network-based IDS is properly synchronized with his host-based IDS
126. John has uncovered a rogue system on the company network that emulates a
switch. The software on this system is being used by an attacker to modify frame
tag values. Which of the following best describes the type of attack that has most
likely been taking place?
A. DHCP snooping
B. VLAN hopping
C. Network traffic shaping
D. Network traffic hopping
342
26-AppA.indd 1184 06/09/21 1:35 PM

127. Frank is a new security manager for a large financial institution. He has been
told that the organization needs to reduce the total cost of ownership for many
components of the network and infrastructure. The organization currently
maintains many distributed networks, software packages, and applications.
Which of the following best describes the cloud service models that Frank
could leverage to obtain cloud services to replace on-premises network and
infrastructure components
A. Infrastructure as a Service provides an environment similar to an operating
system, Platform as a Service provides operating systems and other major
processing platforms, and Software as a Service provides specific application-
based functionality.
B. Infrastructure as a Service provides an environment similar to a data center,
Platform as a Service provides operating systems and other major processing
platforms, and Software as a Service provides specific application-based
functionality.
C. Infrastructure as a Service provides an environment similar to a data center,
Platform as a Service provides application-based functionality, and Software
as a Service provides specific operating system functionality.
D. Infrastructure as a Service provides an environment similar to a database,
Platform as a Service provides operating systems and other major processing
platforms, and Software as a Service provides specific application-based
functionality.
128. Terry works in a training services provider where the network topology and
access controls change very frequently. His boss tells him that he needs to
implement a network infrastructure that enables changes to be made quickly and
securely with minimal effort. What does Terry need to roll out?
A. Wi-Fi
B. Infrastructure as a Service
C. Software-defined networking
D. Software-defined wide area networking
129. On a Tuesday morning, Jami is summoned to the office of the security director,
where she finds six of her peers from other departments. The security director
gives them instructions about an event that will be taking place in two weeks.
Each of the individuals will be responsible for removing specific systems from
the facility, bringing them to the offsite facility, and implementing them. Each
individual will need to test the installed systems and ensure the configurations are
correct for production activities. What event is Jami about to take part in?
A. Parallel test
B. Full-interruption test
C. Simulation test
D. Structured walk-through test
343
26-AppA.indd 1185 06/09/21 1:35 PM

130. While disaster recovery planning (DRP) and business continuity planning
(BCP) are directed at the development of “plans,” __________ is the holistic
management process that should cover both of them. It provides a framework
for integrating resilience with the capability for effective responses that protects the
interests of the organization’s key stakeholders.
A. continuity of operations
B. business continuity management
C. risk management
D. enterprise management architecture
131. Your company enters into a contract with another company as part of which
your company requires the other company to abide by specific security practices.
Six months into the effort, you decide to verify that the other company is satisfying
these security requirements. Which of the following would you conduct?
A. Third-party audit
B. External (second-party) audit
C. Structured walk-through test
D. Full-interruption test
132. Which of the following statements is true about employee duress?
A. Its risks can be mitigated by installing panic buttons.
B. Its risks can be mitigated by installing panic rooms.
C. Its risks can be mitigated by enforcing forced vacations.
D. It can more easily be detected using the right clipping levels.
133. The main goal of the Wassenaar Arrangement is to prevent the buildup of military
capabilities that could threaten regional and international security and stability.
How does this relate to technology?
A. Cryptography is a dual-use tool.
B. Technology is used in weaponry systems.
C. Military actions directly relate to critical infrastructure systems.
D. Critical infrastructure systems can be at risk under this agreement.
134. Which world legal system is used in continental European countries, such as
France and Spain, and is rule-based law, not precedent-based?
A. Civil (code) law system
B. Common law system
C. Customary law system
D. Mixed law system
344
26-AppA.indd 1186 06/09/21 1:35 PM

135. Which of the following is not a correct characteristic of the Failure Modes and
Effect Analysis (FMEA) method?
A. Determining functions and identifying functional failures
B. Assessing the causes of failure and their failure effects through a structured
process
C. Structured process carried out by an identified team to address high-level
security compromises
D. Identifying where something is most likely going to break and either fixing
the flaws that could cause this issue or implementing controls to reduce the
impact of the break
136. A risk analysis can be carried out through qualitative or quantitative means.
It is important to choose the right approach to meet the organization’s goals.
In a quantitative analysis, which of the following items would not be assigned
a numeric value?
i. Asset value
ii. Threat frequency
iii. Severity of vulnerability
iv. Impact damage
v. Safeguard costs
vi. Safeguard effectiveness
vii. Probability
A. All of them
B. None of them
C. ii
D. vii
137. Uncovering restricted information by using permissible data is referred
to as __________.
A. inference
B. data mining
C. perturbation
D. cell suppression
345
26-AppA.indd 1187 06/09/21 1:35 PM

138. Meeta recently started working at an organization with no defined security

processes. One of the areas she’d like to improve is software patching. Consistent
with the organizational culture, she is considering a decentralized or unmanaged
model for patching. Which of the following is not one of the risks her
organization would face with such a model?
A. This model typically requires users to have admin credentials, which violates
the principle of least privilege.
B. It will be easier to ensure that all software products are updated, since they
will be configured to do so automatically.
C. It may be difficult (or impossible) to attest to the status of every application in
the organization.
D. Having each application or service independently download the patches will
lead to network congestion.
139. Clustering is an unsupervised machine learning approach that determines where
data samples naturally clump together. It does this by calculating the distance
between a new data point and the existing clusters and assigning the point to the
closest cluster if, indeed, it is close to any of them. What is this approach typically
used for in cybersecurity?
A. Spam filtering
B. Anomaly detection
C. Network flow analysis
D. Signature matching
140. Sam wants to test the ability of her technical security controls to stop realistic
attacks. Her organization is going through significant growth, which is also
increasing the complexity of the networks and systems. To ensure she stays ahead
of the adversaries, Sam wants to run these tests frequently. Which approach
should she use?
A. Breach and attack simulations
B. Tabletop exercises
C. Red teaming
D. Synthetic transactions
Use the following scenario to answer Questions 141–142. Ron is in charge of updating
his company’s business continuity and disaster recovery plans and processes. After
conducting a business impact analysis, his team has told him that if the company’s
e-commerce payment gateway was unable to process payments for 24 hours or more,
this could drastically affect the survivability of the company. The analysis indicates that
346
26-AppA.indd 1188 06/09/21 1:35 PM

after an outage, the payment gateway and payment processing should be restored within
13 hours. Ron’s team needs to integrate solutions that provide redundancy, fault tolerance,
and failover capability.
141. In the scenario, what does the 24-hour time period represent and what does the
13-hour time period represent, respectively?
A. Maximum tolerable downtime, recovery time objective
B. Recovery time objective, maximum tolerable downtime
C. Maximum tolerable downtime, recovery data period
D. Recovery time objective, data recovery period
142. Which of the following best describes the type of solution Ron’s team needs to
implement?
A. RAID and clustering
B. Storage area networks
C. High availability
D. Grid computing and clustering
Answers
1. D. While they are all issues to be concerned with, risk is a combination of
probability and business impact. The largest business impact out of this list and
in this situation is the fact that intellectual property for product development has
been lost. If a competitor can produce the product and bring it to market quickly,
this can have a long-lasting financial impact on the company.
2. D. The attackers are the entities that have exploited a vulnerability; thus, they are
the threat agent.
3. C. In this situation the e-mail server most likely is misconfigured or has a
programming flaw that can be exploited. Either of these would be considered a
vulnerability. The threat is that someone would find out about this vulnerability
and exploit it. The exposure is allowing sensitive data to be accessed in an
unauthorized manner.
4. C. Diameter is a protocol that has been developed to build upon the functionality
of RADIUS and TACACS+ while overcoming some of their limitations,
particularly with regard to mobile clients. RADIUS uses UDP and cannot
effectively deal well with remote access, IP mobility, and policy control. Mobile IP
is not an authentication and authorization protocol, but rather a technology that
allows users to move from one network to another and still use the same IP address.
347
26-AppA.indd 1189 06/09/21 1:35 PM

5. C. DNS Security Extensions (DNSSEC, which is part of the many current

implementations of DNS server software) works within a PKI and uses digital
signatures, which allows DNS servers to validate the origin of a message to ensure
that it is not spoofed and potentially malicious. Suppose DNSSEC were enabled
on server A, and a client sends it a DNS request for a resource that is not cached
locally. Server A would relay the request to one or more external DNS servers
and, upon receiving a response, validate the digital signature on the message
before accepting the information to make sure that it is from an authorized
DNS server. So even if an attacker sent a message to a DNS server, the DNS
server would discard it because the message would not contain a valid digital
signature. DNSSEC allows DNS servers to send and receive only authenticated
and authorized messages between themselves and thwarts the attacker’s goal of
poisoning a DNS cache table.
6. C. The General Data Protection Regulation (GDPR) impacts every organization
that holds or uses European personal data both inside and outside of Europe.
In other words, if your company is a U.S.-based company that has never done
business with the EU but it has an EU citizen working even as temporary staff
(e.g., a summer intern), it probably has to comply with the GDPR or risk facing
stiff penalties. There is no exclusion based on the nature of the relations between
the data subjects and the data controllers and processors.
7. B. A vulnerability is a lack or weakness of a control. The vulnerability is that the
user, who must be given access to the sensitive data, is not properly monitored to
deter and detect a willful breach of security. The threat is that any internal entity
might misuse given access. The risk is the business impact of losing sensitive data.
One control that could be put into place is monitoring so that access activities
can be closely watched.
8. C. A role-based access control (RBAC) model uses a centrally administrated set
of controls to determine how subjects and objects interact. An administrator does
not need to revoke and reassign permissions to individual users as they change
jobs. Instead, the administrator assigns permissions and rights to a role, and users
are plugged into those roles.
9. A. Many (but not all) countries have data breach notification requirements,
and these vary greatly in their specifics. While some countries have very strict
requirements, others have laxer requirement, or lack them altogether. This
requires the security professional to ensure compliance in the appropriate
territory. Applying the most stringent rules universally (e.g., 24-hour notification)
is usually not a good idea from a business perspective. The term “best effort” is
not acceptable in countries with strict rules, nor is the notion that personally
identifiable information (PII) is the only type of data that would trigger a
mandatory notification.
10. D. Regression testing should take place after a change to a system takes place,
retesting to ensure functionality, performance, and protection.
348
26-AppA.indd 1190 06/09/21 1:35 PM

11. B. ISO/IEC 27001 is a standard covering information security management

systems (ISMSs), which is a much broader topic than supply chain risk
management. The other three options are better answers because they are directly
tied to this process: NIST Special Publication 800-161, Supply Chain Risk
Management Practices for Federal Information Systems and Organizations, directly
addresses supply chain risk, and the insertion of hardware Trojans could happen
at any point in the chain, upstream or downstream.
12. B. Various countries have data sovereignty laws that stipulate that anyone who
stores or processes certain types of data (typically personal data on their citizens),
whether or not they do so locally, must comply with those countries’ laws. Data
localization laws, on the other hand, require certain types of data to be stored and
processed in that country (examples include laws in China and Russia).
13. B. Security through obscurity depends upon complexity or secrecy as a protection
method. Some organizations feel that since their proprietary code is not standards
based, outsiders will not know how to compromise its components. This is an
insecure approach. Defense-in-depth is a better approach, with the assumption
that anyone can figure out how something works.
14. C. ISO/IEC 27005 is the international standard for risk assessments and analysis.
15. C. ISO/IEC 27799 is a guideline for information security management in health
organizations. It deals with how organizations that store and process sensitive
medical information should protect it.
16. D. End-of-life (EOL) for an asset is that point in time when its manufacturer
is neither manufacturing nor sustaining it. In other words, you can’t send it in
for repairs, buy spare parts, or get technical assistance from the manufacturer.
The related term, end-of-support (EOS), which is sometimes also called end-of-
service-life (EOSL), means that the manufacturer is no longer patching bugs or
vulnerabilities on the product.
17. B. A virtual private network (VPN) provides confidentiality for data being
exchanged between two endpoints. While the use of VPNs may not be sufficient
in every case, it is the only answer among those provided that addresses the
question. The use of Secure Sockets Layer (SSL) is not considered secure. IEEE
802.1X is an authentication protocol that does not protect data in transit. Finally,
whole-disk encryption may be a good approach to protecting sensitive data, but
only while it is at rest.
18. B. Threat modeling is the process of describing probable adverse effects on
an organization’s assets caused by specific threat sources. This modeling can
use a variety of approaches, including attack trees and the MITRE ATT&CK
framework. However, since the question refers to a report and neither of those
approaches specifically points to a report, the more general answer of threat
modeling is the best one.
19. B. A CAPTCHA is a skewed representation of characteristics a person must enter
to prove that the subject is a human and not an automated tool, as in a software
robot. It is the graphical representation of data.
349
26-AppA.indd 1191 06/09/21 1:35 PM

20. B. The CPO position was created mainly because of the increasing demands on
organizations to protect a long laundry list of different types of data. This role
is responsible for ensuring that customer, organizational, and employee data is
secure and kept secret, which keeps the organization out of criminal and civil
courts and hopefully out of the headlines.
21. D. The correct sequence for the steps listed in the question is as follows:
i. Develop a risk management team.
ii. Identify company assets to be assessed.
iii. Calculate the value of each asset.
iv. Identify the vulnerabilities and threats that can affect the identified assets.
22. B. Synthetic transactions are scripted events that mimic the behaviors of real
users and allow security professionals to systematically test the performance of
critical services. They are the best approach, because they can detect problems
before users notice them. Real user monitoring (RUM) would rely on users
encountering the problem, whereupon the system would automatically report it.
23. A. Data remanence refers to the persistence of data on storage media after it has
been deleted. Encrypting this data is the best of the listed choices because the
recoverable data will be meaningless to an adversary without the decryption key.
Retention policies are important, but are considered administrative controls that
don’t deal with remanence directly. Simply deleting the file will not normally
render the data unrecoverable, nor will the use of SSDs even though these devices
will sometimes (though not always) make it difficult to recover the deleted data.
24. C. While all of these situations could have taken place, the most likely attack
type in this scenario is the use of a keylogger. Attackers commonly compromise
personal computers by tricking the users into installing Trojan horses that
have the capability to install keystroke loggers. The keystroke logger can capture
authentication data that the attacker can use to authenticate as a legitimate user
and carry out malicious activities.
25. B. IPSec is a suite of protocols used to provide VPNs that use strong encryption
and authentication functionality. It can work in two different modes: tunnel
mode (payload and headers are protected) or transport mode (payload protection
only). IPSec works at the network layer, not the data link layer.
26. C. In a typical public key infrastructure, the sender first needs to obtain the
receiver’s public key, which could be from the receiver or a public directory, and
then verify it. The sender needs to protect the symmetric session key as it is being
sent, so the sender encrypts it with the receiver’s public key. The receiver decrypts
the session key with the receiver’s private key.
350
26-AppA.indd 1192 06/09/21 1:35 PM

27. C. Today, more organizations are implementing security information and event
management (SIEM) systems. These products gather logs from various devices
(servers, firewalls, routers, etc.) and attempt to correlate the log data and provide
analysis capabilities. Organizations also have different types of systems on a
network (routers, firewalls, IDS, IPS, servers, gateways, proxies) collecting logs in
various proprietary formats, which requires centralization, standardization, and
normalization. Log formats are different per product type and vendor.
28. D. Configuration management is a process aimed at ensuring that systems and
controls are configured correctly and are responsive to the current threat and
operational environments. Since the IPv6-to-IPv4 tunneling is not desirable,
ensuring all devices are properly configured is the best approach of those listed.
Change management is a broader term that includes configuration management
but is not the best answer listed because it is more general.
29. D. IoT devices run the gamut of cost, from the very cheap to the very expensive.
Cost, among the listed options, is the least likely to be a direct concern for a
security professional. Lack of authentication, encryption, and update mechanisms
are much more likely to be significant issues in any IoT adoption plan.
30. C. Each microservice lives in its own container and gets called as needed. If, for
example, you see a spike in orders, you can automatically deploy a new container
(in seconds), perhaps in a different host, and destroy it when you no longer need
it. This contrasts with traditional servers that have fixed resources available and
don’t scale as well. Both approaches deal equally well with both web and database
services and (properly deployed) have comparable security.
31. B. Extensible Access Control Markup Language (XACML), a declarative access
control policy language implemented in XML and a processing model, describes
how to interpret security policies. Service Provisioning Markup Language
(SPML) is an XML-based language that allows for the exchange of provisioning
data between applications, which could reside in one organization or many;
allows for the automation of user management (account creation, amendments,
revocation) and access entitlement configuration related to electronically
published services across multiple provisioning systems; and allows for the
integration and interoperation of service provisioning requests across various
platforms. Security Assertion Markup Language (SAML) is an XML-based
language that allows for the exchange of provisioning data between applications,
which could reside in one organization or many.
32. C. A company must decide how to handle physical access control in the event of
a power failure. In fail-safe mode, doorways are automatically unlocked. This is
usually dictated by fire codes to ensure that people do not get stuck inside of a
burning building. Fail-secure means that the door will default to lock.
351
26-AppA.indd 1193 06/09/21 1:35 PM

33. C. Incident response typically requires humans in the loop. Next-generation

firewalls (NGFWs) do not completely automate the process of responding
to security incidents. NGFWs typically involve integrated IPS and signature
sharing capabilities with cloud-based aggregators, but are also significantly more
expensive than other firewall types.
34. D. Trolling is the term used to describe people who sow discord on various
social platforms on the Internet by starting arguments or making inflammatory
statements aimed at upsetting others. This is not a topic normally covered
in security awareness training. Social engineering, phishing, and whaling are
important topics to include in any security awareness program.
35. D. When clients digitally sign messages, this ensures nonrepudiation. Since
the client should be the only person who has the client’s private key, and only
the client’s public key can decrypt it, the e-mail must have been sent from the
client. Digital signatures provide nonrepudiation protection, which is what this
company needs.
36. D. Simple Authentication and Security Layer (SASL) is a protocol-independent
authentication framework for authentication and data security in Internet
protocols. It decouples authentication mechanisms from application protocols,
with the goal of allowing any authentication mechanism supported by SASL to
be used in any application protocol that uses SASL. SASL’s design is intended to
allow new protocols to reuse existing mechanisms without requiring redesign of
the mechanisms, and allows existing protocols to make use of new mechanisms
without redesign of protocols.
37. D. Coupling is not considered a secure coding practice, though it does affect the
quality (and hence the security) of software. It is a measurement that indicates
how much interaction one module requires to carry out its tasks. High (tight)
coupling means a module depends upon many other modules to carry out its
tasks. Low (loose) coupling means a module does not need to communicate with
many other modules to carry out its job, which is better because the module
is easier to understand and easier to reuse, and changes can take place to one
module and not affect many modules around it.
38. A. A recovery time objective (RTO) is the amount of time it takes to recover from
a disaster, and a recovery point objective (RPO) is the amount of data, measured
in time, that can be lost and be tolerable from that same event. The RPO is
the acceptable amount of data loss measured in time. This value represents the
earliest point in time by which data must be recovered. The higher the value of
data, the more funds or other resources that can be put into place to ensure
a smaller amount of data is lost in the event of a disaster. RTO is the maximum
time period within which a business process must be restored to a designated
service level after a disaster to avoid unacceptable consequences associated with
a break in business continuity.
39. B. Though laws vary around the world, many countries criminalize unauthorized
access, even if it lacked malicious intent.
352
26-AppA.indd 1194 06/09/21 1:35 PM

40. A. XACML uses a Subject element (requesting entity), a Resource element

(requested entity), and an Action element (types of access). XACML defines
a declarative access control policy language implemented in XML.
41. B. The Mobile IP protocol allows location-independent routing of IP packets on
web-based environments. Each mobile device is identified by its home address.
While away from its home network, a mobile node is associated with a care-of
address, which identifies its current location, and its home address is associated
with the local endpoint of a tunnel to its home agent. Mobile IP specifies how
a mobile device registers with its home agent and how the home agent routes
packets to the mobile device.
42. D. A SIEM solution is a software platform that aggregates security information
and security events and presents them in a single, consistent, and cohesive
manner.
43. D. The sensitivity of information is commensurate with the losses to an
organization if that information were revealed to unauthorized individuals. Its
criticality, on the other hand, is an indicator of how the loss of the information
would impact the fundamental business processes of the organization. While
replacement costs could factor into a determination of criticality, they almost
never do when it comes to sensitivity.
44. C. Global organizations that move data across other country boundaries must
be aware of and follow the Organisation for Economic Co-operation and
Development (OECD) Guidelines on the Protection of Privacy and Transborder
Flows of Personal Data. Since most countries have a different set of laws pertaining
to the definition of private data and how it should be protected, international
trade and business get more convoluted and can negatively affect the economy
of nations. The OECD is an international organization that helps different
governments come together and tackle the economic, social, and governance
challenges of a globalized economy. Because of this, the OECD came up with
guidelines for the various countries to follow so that data is properly protected
and everyone follows the same type of rules.
45. B. Registered ports are 1024–49151, which can be registered with the Internet
Assigned Numbers Authority (IANA) for a particular use. Vendors register specific
ports to map to their proprietary software. Dynamic ports are 49152–65535 and
are available to be used by any application on an “as needed” basis. Port numbers
from 0 to 1023 are well-known ports.
46. A. The correct answer for cost/benefit analysis is the formula: (ALE before
implementing safeguard) – (ALE after implementing safeguard) – (annual cost
of safeguard) = value of safeguard to the organization.
47. B. Each of the listed items are correct benefits or characteristics of cloud computing
except “Cost of computing can be increased since it is a shared delivery model.” The
correct answer would be “Cost of computing can be decreased since it is a shared
delivery model.”
353
26-AppA.indd 1195 06/09/21 1:35 PM

48. A. An architecture is a tool used to conceptually understand the structure and

behavior of a complex entity through different views. An architecture provides
different views of the system, based upon the needs of the stakeholders of that
system.
49. B. Threat modeling is a systematic approach used to understand how different
threats could be realized and how a successful compromise could take place.
A threat model is a description of a set of security aspects that can help define a
threat and a set of possible attacks to consider. It may be useful to define different
threat models for one software product. Each model defines a narrow set of
possible attacks to focus on. A threat model can help to assess the probability,
the potential harm, and the priority of attacks, and thus help to minimize or
eradicate the threats.
50. B. Many IDSs have “heuristic” capabilities, which means that the system gathers
different “clues” from the network or system and calculates the probability an
attack is taking place. If the probability hits a set threshold, then the alarm
sounds.
51. C. External auditors have certain advantages over in-house teams, but they will
almost certainly not be as knowledgeable of internal processes and technology as
the folks who deal with them on a daily basis.
52. C. In this example, staffers with lower security clearance than Don has could
have deduced that the contract had been renewed by paying attention to the
changes in their systems. The noninterference model addresses this specifically
by dictating that no action or state in higher levels can impact or be visible to
lower levels. In this example, the staff could learn something indirectly or infer
something that they do not have a right to know yet.
53. B. HTML documents and e-mails allow users to attach or embed hyperlinks
in any given text, such as the “Click Here” links you commonly see in e-mail
messages or web pages. Attackers misuse hyperlinks to deceive unsuspecting users
into clicking rogue links. The most common approach is known as URL hiding.
54. C. Personnel background checks are a common administrative (not technical)
control. This type of audit would have nothing to do with the web applications
themselves. The other three options (log reviews, code reviews, misuse case
testing) are typical ways to verify the effectiveness of technical controls.
55. D. Statistical time-division multiplexing (STDM) transmits several types of
data simultaneously across a single transmission line. STDM technologies
analyze statistics related to the typical workload of each input device and make
real-time decisions on how much time each device should be allocated for data
transmission.
56. D. The actual voice stream is carried on media protocols such as RTP. RTP provides
a standardized packet format for delivering audio and video over IP networks. RTP
is a session layer protocol that carries data in media stream format, as in audio
354
26-AppA.indd 1196 06/09/21 1:35 PM

and video, and is used extensively in VoIP, telephony, video conferencing, and
other multimedia streaming technologies. It provides end-to-end delivery services
and is commonly run over the transport layer protocol UDP. RTCP is used in
conjunction with RTP and is also considered a session layer protocol. It provides
out-of-band statistics and control information to provide feedback on QoS levels of
individual streaming multimedia sessions.
57. A. Edge computing is a distributed system in which some computational and
data storage assets are deployed close to where they are needed in order to reduce
latency and network traffic. An edge computing architecture typically has three
layers: end devices, edge devices, and cloud infrastructure.
58. C. A frequency analysis, also known as a statistical attack, identifies statistically
significant patterns in the ciphertext generated by a cryptosystem. For example,
the number of zeroes may be significantly higher than the number of ones. This
could show that the pseudorandom number generator (PRNG) in use may be
biased.
59. D. IPSec is made up of two main protocols, Authentication Header (AH) and
Encapsulating Security Payload (ESP). AH provides system authentication and
integrity, but not confidentiality or availability. ESP provides system authentication,
integrity, and confidentiality, but not availability. Nothing within IPSec can ensure
the availability of the system it is residing on.
60. D. The ACID test concept should be incorporated into the software of a database.
ACID stands for:
• Atomicity Either the entire transaction succeeds or the database rolls it back
to its previous state.
• Consistency A transaction strictly follows all applicable rules on all data
affected.
• Isolation If transactions are allowed to happen in parallel (which most of
them are), then they will be isolated from each other so that the effects of one
don’t corrupt another. In other words, isolated transactions have the same
effect whether they happen in parallel or one after the other.
• Durability Ensures that a completed transaction is permanently stored
(for instance, in nonvolatile memory) so that it cannot be wiped by a power
outage or other such failure.
61. B. In a Platform as a Service (PaaS) contract, the service provider normally takes
care of all configuration, patches, and updates for the virtual platform. Jim would
only have to worry about porting the applications and running them.
62. B. The biggest advantages of cloud computing are enhanced efficiency,
performance, reliability, scalability, and security. Still, cloud computing is not a
panacea. An organization must still carefully consider legal, contractual, and cost
issues since they could potentially place the organization in a difficult position.
355
26-AppA.indd 1197 06/09/21 1:35 PM

63. C. Shared responsibility addresses situations in which a cloud service provider

is responsible for certain security controls, while the customer is responsible for
others. It will be critical for Jim to delineate where these responsibilities lie. The
other principles listed would presumably be equally important before and after
the transition.
64. A. The aim of an attack surface analysis is to identify and reduce the amount of
code accessible to untrusted users. The basic strategies of attack surface reduction
are to reduce the amount of code running, reduce entry points available to
untrusted users, reduce privilege levels as much as possible, and eliminate
unnecessary services. Attack surface analysis is generally carried out through
specialized tools to enumerate different parts of a product and aggregate their
findings into a numerical value. Attack surface analyzers scrutinize files, registry
keys, memory data, session information, processes, and services details.
65. B. The Capability Maturity Model Integration (CMMI) model outlines the
necessary characteristics of an organization’s security engineering process. It
addresses the different phases of a secure software development life cycle, including
concept definition, requirements analysis, design, development, integration,
installation, operations, and maintenance, and what should happen in each
phase. It can be used to evaluate security engineering practices and identify ways
to improve them. It can also be used by customers in the evaluation process of a
software vendor. Ideally, software vendors would use the model to help improve
their processes, and customers would use the model to assess the vendor’s practices.
66. D. VxLANs are designed to overcome two limitations of traditional VLANs:
the limit of no more than 4,096 VLANs imposed by the 12-bit VLAN ID
(VID) field, and the need for VLANs to be connected to the same router port.
Accordingly, VxLANs are mostly used by cloud service providers with hundreds
of customers and by large organizations with a global presence.
67. D. These are all issues that are directly related to Kerberos. These items are as
follows:
• The Key Distribution Center (KDC) can be a single point of failure. If
the KDC goes down, no one can access needed resources. Redundancy is
necessary for the KDC.
• The KDC must be scalable to handle the number of requests it receives in
a timely manner.
• Secret keys are temporarily stored on the users’ workstations, which means it is
possible for an intruder to obtain these cryptographic keys.
• Session keys are decrypted and reside on the users’ workstations, either in
a cache or in a key table. Again, an intruder can capture these keys.
• Kerberos is vulnerable to password guessing. The KDC does not know if
a dictionary attack is taking place.
356
26-AppA.indd 1198 06/09/21 1:35 PM

68. A. Yes, the company should implement the control, as the value would be $25,000.
The cost/benefit calculation is (ALE before implementing safeguard) – (ALE after
implementing safeguard) – (annual cost of safeguard) = value of safeguard to the
organization, which in this case is $100,000 – $45,000 – $30,000 = $25,000.
69. D. The correct mappings for the individual standards are as follows:
• ISO/IEC 27002: Code of practice for information security controls
• ISO/IEC 27003: ISMS implementation guidance
• ISO/IEC 27004: ISMS monitoring, measurement, analysis, and evaluation
• ISO/IEC 27005: Information security risk management
• ISO/IEC 27007: ISMS auditing guidelines
70. B. Just-in-time (JIT) access temporarily elevates users to the necessary privileged
access to perform a specific task, on a specific asset, for a short time. This
approach mitigates the risk of privileged account abuse by reducing the time a
threat actor has to gain access to a privileged account. While this could reduce
some of the workload on the IT staff, it would have no impact on the time
needed to reset a multitude of passwords.
71. C. End-to-end encryption happens within the applications. IPSec encryption
takes place at the network layer. PPTP encryption takes place at the data link
layer. Link encryption takes place at the data link and physical layers.
72. A. Hierarchical storage management (HSM) provides continuous online backup
functionality. It combines hard disk technology with the cheaper and slower
optical or tape jukeboxes. Storage area network (SAN) is made up of several
storage systems that are connected together to form a single backup network.
73. C. The common law system is the only one that is based on previous
interpretations of the law. This means that the system consists of both laws and
court decisions in specific cases. Torts can be (and usually are) part of a common
law system, but that would be an incomplete answer to this question.
74. B. It is important that evidence be relevant, complete, sufficient, and reliable to
the case at hand. These four characteristics of evidence provide a foundation for
a case and help ensure that the evidence is legally permissible.
75. B. Risk-based access control estimates the risk associated with a particular request
in real time and, if it doesn’t exceed a given threshold, grants the subject access to
the requested resource. This estimate can be based on multiple factors, including
the risk history of similar requests. It is possible to improve a rule-based access
control mechanism over time (based on historical data), but that would have to
be a manual process and wouldn’t happen in real time.
76. C. SOAP enables programs running on different operating systems and written in
different programming languages to communicate over web-based communication
methods. SOAP is an XML-based protocol that encodes messages in a web service
environment. SOAP actually defines an XML schema or a structure of how
357
26-AppA.indd 1199 06/09/21 1:35 PM

communication is going to take place. The SOAP XML schema defines how objects
communicate directly.
77. A. Each answer lists the correct definition mapping.
78. C. For an enterprise security architecture to be successful in its development
and implementation, the following items must be understood and followed:
strategic alignment, process enhancement, business enablement, and security
effectiveness.
79. A. The OECD is an international organization where member countries come
together to address economic, social, and governance challenges of a globalized
economy. Thus, the OECD came up with guidelines for the various countries to
follow so data is properly protected and everyone follows the same type of rules.
80. A. The Zachman Framework is for business enterprise architectures, not security
enterprises. The proper definition mappings are as follows:
• Zachman Framework Model for the development of enterprise
architectures developed by John Zachman
• TOGAF Model and methodology for the development of enterprise
architectures developed by The Open Group
• DoDAF U.S. Department of Defense architecture framework that ensures
interoperability of systems to meet military mission goals
• SABSA Model and methodology for the development of information
security enterprise architectures
81. B. The ISO/IEC 27000 series provides a high-level overview of security program
requirements, while COBIT maps IT goals to enterprise goals to stakeholder
needs through a series of transforms called cascading goals. COBIT specifies
13 enterprise and 13 alignment goals that take the guesswork out of ensuring we
consider all dimensions in our decision-making processes.
82. D. This model was not built upon the SABSA model. All other characteristics are
true.
83. D. The Operationally Critical Threat, Asset, and Vulnerability Evaluation
(OCTAVE) relies on the idea that the people working in a given environment best
understand what is needed and what kind of risks they are facing. This places the
people who work inside the organization in the power positions of being able to
make the decisions regarding what is the best approach for evaluating the security
of their organization.
84. B. An enterprise architecture framework is a conceptual model in which an
architecture description is organized into multiple architecture views, where
each view addresses specific concerns originating with the specific stakeholders.
Individual stakeholders have a variety of system concerns, which the architecture
must address. To express these concerns, each view applies the conventions of its
architecture viewpoint.
358
26-AppA.indd 1200 06/09/21 1:35 PM

85. C. Fault tree analysis follows this general process. First, an undesired effect is
taken as the root, or top, event of a tree of logic. Then, each situation that has the
potential to cause that effect is added to the tree as a series of logic expressions.
Fault trees are then labeled with actual numbers pertaining to failure probabilities.
86. D. Security effectiveness deals with metrics, meeting service level agreement
(SLA) requirements, achieving return on investment (ROI), meeting set baselines,
and providing management with a dashboard or balanced scorecard system.
These are ways to determine how useful the current security solutions and
architecture as a whole are performing.
87. D. Each answer provides the correct definition of the four levels that can be
assigned to an organization during its evaluation against the CMMI model. This
model can be used to determine how well the organization’s processes compare
to CMMI best practices and to identify areas where improvement can be made.
Maturity Level 1 is Initial.
88. B. The ISRM policy should address all of the items listed except specific physical
controls. Policies should not specify any type of controls, whether they are
administrative, physical, or technical.
89. C. Each of these items should be considered before committing to an outsource
partner or vendor.
90. D. The steps normally involved in the discovery of electronically stored information,
or e-discovery, are identifying, preserving, collecting, processing, reviewing,
analyzing, and producing the data in compliance with the court order. Data
remanence is not part of e-discovery, though it could influence the process.
91. C. ISO/IEC 27004:2016, which is used to assess the effectiveness of an ISMS
and the controls that make up the security program as outlined in ISO/IEC
27001. ISO/IEC 27004 provides guidance for ISMS monitoring, measurement,
analysis, and evaluation.
92. B. Content distribution networks (CDNs) work by replicating content across
geographically dispersed nodes. This means that regional users (those closest to
a given node) will see improved responsiveness and could have tailored content
delivered to them. It also means that mounting a successful DDoS attack is much
more difficult. An ARP spoofing attack, however, takes place on the local area
network and is therefore unrelated to the advantages of CDNs.
93. A. A CASB is a system that provides visibility and security controls for cloud
services. A CASB monitors what users do in the cloud and applies whatever
policies and controls are applicable to that activity.
94. C. A federated identity is a portable identity, and its associated entitlements, that
can be used across business boundaries. It allows a user to be authenticated across
multiple IT systems and enterprises. Single sign-on (SSO) allows users to enter
credentials one time and be able to access all resources in primary and secondary
network domains, but is not the best answer because it doesn’t specifically address
the capability to provide authentication across enterprises. A federated identity is
a kind of SSO, but not every SSO implementation is federated.
359
26-AppA.indd 1201 06/09/21 1:35 PM

95. B. HTML came from SGML, which came from GML. A markup language is a
way to structure text and data sets, and it dictates how these will be viewed and
used. When developing a web page, a markup language enables you to control
how the text looks and some of the actual functionality the page provides.
96. A. XML is a universal and foundational standard that provides a structure
for other independent markup languages to be built from and still allow for
interoperability. Markup languages with various functionalities were built from
XML, and while each language provides its own individual functionality, if they
all follow the core rules of XML, then they are interoperable and can be used
across different web-based applications and platforms.
97. B. A role-based access control (RBAC) model is based on the necessary operations
and tasks a user needs to carry out to fulfill her responsibilities within an organization.
This type of model lets access to resources be based on the user’s roles. In hierarchical
RBAC, role hierarchies define an inheritance relation among roles.
98. C. Diameter is a more diverse centralized access control administration technique
than RADIUS and TACACS+ because it supports a wide range of protocols
that often accompany wireless technologies. RADIUS supports PPP, SLIP, and
traditional network connections. TACACS+ is a RADIUS-like protocol that is
Cisco-proprietary. Kerberos is a single sign-on technology, not a centralized access
control administration protocol that supports all stated technologies.
99. A. An authoritative system of record (ASOR) is a hierarchical tree-like structure
system that tracks subjects and their authorization chains. The authoritative
source is the “system of record,” or the location where identity information
originates and is maintained. It should have the most up-to-date and reliable
identity information.
100. A. User provisioning refers to the creation, maintenance, and deactivation of
user objects and attributes as they exist in one or more systems, directories, or
applications, in response to business processes.
101. D. OpenID Connect (OIDC) is a simple authentication layer built on top of
the OAuth 2.0 protocol. It allows transparent authentication and authorization
of client resource requests. Though it is possible to use OAuth, which is an
authorization standard, for authentication, you would do so by leveraging its
OpenID Connect layer. Diameter and Kerberos are not well-suited for IDaaS.
102. A. The Service Provisioning Markup Language (SPML) allows for the exchange
of provisioning data between applications, which could reside in one organization
or many. SPML allows for the automation of user management (account
creation, amendments, revocation) and access entitlement configuration related
to electronically published services across multiple provisioning systems. SPML
also allows for the integration and interoperation of service provisioning requests
across various platforms.
360
26-AppA.indd 1202 06/09/21 1:35 PM

103. B. In this scenario, Lynn is considered the principal, the airline company is
considered the identity provider, and the hotel company that receives the user’s
authentication information from the airline company web server is considered
the service provider. Security Assertion Markup Language (SAML) provides
the authentication pieces to federated identity management systems to allow
business-to-business (B2B) and business-to-consumer (B2C) transactions.
104. A. A service-oriented architecture (SOA) is way to provide independent services
residing on different systems in different business domains in one consistent
manner. This architecture is a set of principles and methodologies for designing
and developing software in the form of interoperable services.
105. B. The Bell-LaPadula model enforces the confidentiality aspects of access control
and consists of three main rules. The simple security rule states that a subject
at a given security level cannot read data that resides at a higher security level.
The *-property rule (star property rule) states that a subject in a given security
level cannot write information to a lower security level. Finally, the strong star
property rule states that a subject who has read and write capabilities can only
perform both of those functions at the same security level; nothing higher and
nothing lower.
106. D. In the system design phase, the software development team gathers system
requirement specifications and determines how the system will accomplish design
goals, such as required functionality, compatibility, fault tolerance, extensibility,
security, usability, and maintainability. The attack surface analysis, together
with the threat model, inform the developers’ decisions because they can look at
proposed architectures and competing designs from the perspective of an attacker.
This allows them to develop a more defensible system. Though it is possible to
start the threat model during the earlier phase of requirements gathering, this
modeling effort is normally not done that early. Furthermore, the attack surface
cannot be properly studied until there is a proposed architecture to analyze.
Performing this activity later in the SDLC is less effective and usually results in
security being “bolted on” instead of “baked in.”
107. B. OAuth is an open standard for authorization to third parties. It lets you
authorize a web application to use something that you control at a different
website. For instance, if users wanted to share an article in the web app directly to
their LinkedIn account, the system would ask them for access to their accounts in
LinkedIn. If they agree, they’d see a pop-up from LinkedIn asking whether they
want to authorize the web app to share a post. If they agree to this, the web app
gains access to all their contacts until they rescind this authorization.
108. A. Each CPU type has a specific architecture and set of instructions that it
can carry out. The application must be developed to work within this CPU
architecture and compiled into machine code that can run on it. This is why one
application may work on an Intel processor but not on an AMD processor. There
are portable applications that can work on multiple architectures and operating
systems, but these rely on a runtime environment.
361
26-AppA.indd 1203 06/09/21 1:35 PM

109. C. According to Veracode, seven in ten applications use at least one open-source
software library with a security flaw, which makes those applications vulnerable.
This estimate doesn’t include proprietary libraries, which are probably even more
insecure because they haven’t been subjected to the same amount of scrutiny as
open-source ones. This is the main risk in using software libraries.
110. A. Dynamic application security testing (DAST), which is also known as
dynamic analysis, refers to the evaluation of a program in real time, while it is
running. It is the only one of the answers that is effective for analyzing software
without having access to the actual source code.
111. C. Attackers have identified programming errors in operating systems that allow
them to “starve” the system of its own memory. This means the attackers exploit
a software vulnerability that ensures that processes do not properly release their
memory resources. Memory is continually committed and not released, and the
system is depleted of this resource until it can no longer function. This is an
example of a denial-of-service attack.
112. A. Attribute-based access control (ABAC) is based on attributes of any component
of the system. It is the most granular of the access control models.
113. A. The primary reason to use Kerberos is that the principals do not trust each
other enough to communicate directly; they only trust the Key Distribution
Center (KDC). This is a strength, not a weakness, of the system, but it does
point to the fact that if only the KDC can vouch for identities, this creates a
single point of failure. The fact that secret keys are stored on users’ workstations,
albeit temporarily, presents an attack opportunity for threat actors, who can also
perform password attacks on the system.
114. A. The depth of field refers to the portion of the environment that is in focus
when shown on the monitor. The depth of field varies, depending upon the size
of the lens opening, the distance of the object being focused on, and the focal
length of the lens. The depth of field increases as the size of the lens opening
decreases, the subject distance increases, or the focal length of the lens decreases.
So if you want to cover a large area and not focus on specific items, it is best to
use a wide-angle lens and a small lens opening.
115. B. In a preaction system, a link must melt before the water will pass through the
sprinkler heads, which creates the delay in water release. This type of suppression
system is best in data-processing environments because it allows time to deactivate
the system if there is a false alarm.
116. B. A preaction system has a link that must melt before water is released. This is
the mechanism that provides the delay in water release. A deluge system has wide
open sprinkler heads that allow a lot of water to be released quickly. It does not
have a delaying component.
362
26-AppA.indd 1204 06/09/21 1:35 PM

117. D. CPTED encourages natural surveillance, the goal of which is to make criminals
feel uncomfortable by providing many ways observers could potentially see them
and to make all other people feel safe and comfortable by providing an open
and well-designed environment. The other answers refer to the other three
CPTED strategies, which are natural access control, territorial reinforcement, and
maintenance, respectively.
118. D. The Zachman Framework is a two-dimensional model that uses six basic
communication interrogatives (What, How, Where, Who, When, and Why)
intersecting with different viewpoints (Executives, Business Managers, System
Architects, Engineers, Technicians, and Enterprise-wide) to give a holistic
understanding of the enterprise. This framework was developed in the 1980s and
is based on the principles of classical business architecture that contain rules that
govern an ordered set of relationships.
119. B. The communication between two pieces of the same software product that
reside on different computers needs to be controlled, which is why session
layer protocols even exist. Session layer protocols take on the functionality of
middleware, enabling software on two different computers to communicate.
120. A. The data link layer has two sublayers: the Logical Link Control (LLC) and
Media Access Control (MAC) layers. The LLC sublayer provides a standard
interface for whatever network protocol is being used. This provides an
abstraction layer so that the network protocol does not need to be programmed
to communicate with all of the possible MAC-level protocols (Ethernet, WLAN,
frame relay, etc.).
121. C. A Class B address range is usually too large for most companies, and a Class C
address range is too small, so CIDR provides the flexibility to increase or decrease
the class sizes as necessary. CIDR is the method to specify more flexible IP address
classes.
122. A. 802.1AE is the IEEE MAC Security (MACSec) standard, which defines a
security infrastructure to provide data confidentiality, data integrity, and data
origin authentication. Where a VPN connection provides protection at the higher
networking layers, MACSec provides hop-by-hop protection at layer 2.
123. D. 802.1AR provides a unique ID for a device. 802.1AE provides data encryption,
integrity, and origin authentication functionality. 802.1AF carries out key agreement
functions for the session keys used for data encryption. Each of these standards
provides specific parameters to work within an 802.1X EAP-TLS framework.
124. A. As information systems security professionals, if we discover a vulnerability, we
have an ethical obligation to properly disclose it to the appropriate parties. If the
vulnerability is in our own product, we need to notify our customers and partners
as soon as possible. If it is in someone else’s product, we need to notify the vendor
or manufacturer immediately so they can fix it. The goal of ethical disclosure is
to inform anyone who might be affected as soon as feasible, so a patch can be
developed before any threat actors become aware of the vulnerability.
363
26-AppA.indd 1205 06/09/21 1:35 PM

125. C. The HOSTS file resides on the local computer and can contain static
hostname-to-IP mapping information. If you do not want your system to query
a DNS server, you can add the necessary data in the HOSTS file, and your
system will first check its contents before reaching out to a DNS server. Some
people use these files to reduce the risk of an attacker sending their system a
bogus IP address that points them to a malicious website.
126. B. VLAN hopping attacks allow attackers to gain access to traffic in various
VLAN segments. An attacker can have a system act as though it is a switch.
The system understands the tagging values being used in the network and the
trunking protocols, and can insert itself between other VLAN devices and gain
access to the traffic going back and forth. Attackers can also insert tagging values
to manipulate the control of traffic at the data link layer.
127. B. The most common cloud service models are
• Infrastructure as a Service (IaaS) Cloud service providers offer the
infrastructure environment of a traditional data center in an on-demand
delivery method.
• Platform as a Service (PaaS) Cloud service providers deliver a computing
platform, which can include an operating system, database, and web server as
a holistic execution environment.
• Software as a Service (SaaS) Cloud service providers give users access to
specific application software (e.g., CRM, e-mail, and games).
128. C. Software-defined networking (SDN) is an approach to networking that relies
on distributed software to provide unprecedented agility and efficiency. Using
SDN, it becomes much easier to dynamically route traffic to and from newly
provisioned services and platforms. It also means that a service or platform can
be quickly moved from one location to another and the SDN will just as quickly
update traffic-flow rules in response to this change.
129. A. Parallel tests are similar to simulation tests, except that parallel tests include
moving some of the systems to the offsite facility. Simulation tests stop just short
of the move. Parallel tests are effective because they ensure that specific systems
work at the new location, but the test itself does not interfere with business
operations at the main facility.
130. B. While DRP and BCP are directed at the development of plans, business
continuity management (BCM) is the holistic management process that should
cover both of them. BCM provides a framework for integrating resilience with
the capability for effective responses in a manner that protects the interests of
the organization’s key stakeholders. The main objective of BCM is to allow the
organization to continue to perform business operations under various conditions.
BCM is the overarching approach to managing all aspects of BCP and DRP.
364
26-AppA.indd 1206 06/09/21 1:35 PM

131. B. An external audit (sometimes called a second-party audit) is one conducted by

(or on behalf of ) a business partner to verify contractual obligations. Though this
audit could be conducted by a third party (e.g., an auditing firm hired by either
party), it is still considered an external audit because it is being done to satisfy an
external entity.
132. A. Duress is the use of threats or violence against someone in order to force them
to do something they don’t want to do. A popular example of a countermeasure
for duress is the use of panic buttons by bank tellers. A panic room could
conceivably be another solution, but it would only work if employees are able
to get in and lock the door before an assailant can stop them, which makes it
a generally poor approach.
133. A. The Wassenaar Arrangement implements export controls for “Conventional
Arms and Dual-Use Goods and Technologies.” The main goal of this arrangement
is to prevent the buildup of military capabilities that could threaten regional and
international security and stability. So, everyone is keeping an eye on each other
to make sure no one country’s weapons can take everyone else out. One item the
agreement deals with is cryptography, which is considered a dual-use good
because it can be used for both military and civilian purposes. The agreement
recognizes the danger of exporting products with cryptographic functionality
to countries that are in the “offensive” column, meaning that they are thought to
have friendly ties with terrorist organizations and/or want to take over the world
through the use of weapons of mass destruction.
134. A. The civil (code) law system is used in continental European countries such as
France and Spain. It is a different legal system from the common law system used
in the United Kingdom and United States. A civil law system is rule-based law,
not precedent-based. For the most part, a civil law system is focused on codified
law—or written laws.
135. C. FMEA is a method for determining functions, identifying functional
failures, and assessing the causes of failure and their failure effects through a
structured process. It is commonly used in product development and operational
environments. The goal is to identify where something is most likely going to
break and either fix the flaws that could cause this issue or implement controls to
reduce the impact of the break.
136. B. Each of these items would be assigned a numeric value in a quantitative risk
analysis. Each element is quantified and entered into equations to determine
total and residual risks. Quantitative risk analysis is more of a scientific or
mathematical approach to risk analysis compared to qualitative.
137. A. Aggregation and inference go hand in hand. For example, a user who uses data
from a public database to figure out classified information is exercising aggregation
(the collection of data) and can then infer the relationship between that data and
the data the user does not have access to. This is called an inference attack.
365
26-AppA.indd 1207 06/09/21 1:35 PM

138. B. This option is not a risk, but a (probably unrealistic) benefit, so it cannot
be the right answer. The other three options are all risks associated with an
unmanaged patching model.
139. B. Clustering algorithms are frequently used for anomaly detection. Classifiers
are helpful when trying to determine whether a binary file is malware or detect
whether an e-mail is spam. Predictive machine learning models can be applied
wherever historical numerical data is available and work by estimating what the
value of the next data point should be, which makes them very useful for network
flow analysis (e.g., when someone is exfiltrating large amounts of data from the
network).
140. A. Breach and attack simulations (BAS) are automated systems that launch
simulated attacks against a target environment and then generate reports on their
findings. They are meant to be run regularly (even frequently) and be realistic,
but not to cause any adverse effect to the target systems. They are usually a much
more affordable approach than red teaming, even if you use an internal team.
141. A. Maximum tolerable downtime (MTD) is the outage time that can be endured
by an organization, and the recovery time objective (RTO) is an allowable
amount of downtime. The RTO value (13 hours) is smaller than the MTD value
(24 hours) because the MTD value represents the time after which an inability
to recover significant operations will mean severe and perhaps irreparable damage
to the organization’s reputation or bottom line. The RTO assumes that there
is a period of acceptable downtime. This means that a company can be out of
production for a certain period of time (RTO) and still get back on its feet. But
if the company cannot get production up and running within the MTD window,
the company is sinking too fast to properly recover.
142. C. High availability (HA) is a combination of technologies and processes that
work together to ensure that critical functions are always up and running at the
necessary level. To provide this level of high availability, a company has to have a
long list of technologies and processes that provide redundancy, fault tolerance,
and failover capabilities.
366
26-AppA.indd 1208 06/09/21 1:35 PM

All-In-One / CISSP® All-in-One Exam Guide, Ninth Edition / Maymí / 737-6 / Appendix B
Objective Map
APPENDIX
B
All-in-One Coverage
Domain Objective Ch # Heading
Domain 1: Security and Risk Management
1.1 Understand, adhere to, and promote 1 Professional Ethics
professional ethics
1.1.1 (ISC)2 Code of Professional Ethics 1 (ISC)2 Code of
Professional Ethics
1.1.2 Organizational code of ethics 1 Organizational Code of
Ethics
1.2 Understand and apply security concepts 1 Fundamental Cybersecu-
(confidentiality, integrity, and availability, rity Concepts and Terms
authenticity and nonrepudiation)
1.3 Evaluate and apply security 1 Security Governance
governance principles Principles
1.3.1 Alignment of the security function to business 1 Aligning Security to Busi-
strategy, goals, mission, and objectives ness Strategy
1.3.2 Organizational processes (e.g., acquisitions, 1 Organizational Processes
divestitures, governance committees)
1.3.3 Organizational roles and responsibilities 1 Organizational Roles and
Responsibilities
1.3.4 Security control frameworks 4 Security Control
Frameworks
1.3.5 Due care/due diligence 3 Due Care vs. Due
Diligence
1.4 Determine compliance and other 3 Compliance
requirements Requirements
1.4.1 Contractual, legal, industry standards, and 3 Contractual, Legal,
regulatory requirements Industry Standards,
and Regulatory
Requirements
1.4.2 Privacy requirements 3 Privacy Requirements
1.5 Understand legal and regulatory issues 3 Laws and Regulations
that pertain to information security in
a holistic context
367
27-AppB.indd 1209 06/09/21 1:38 PM

All-in-One Coverage
1.5.1 Cybercrimes and data breaches 3 Cybercrimes and Data
Breaches
1.5.2 Licensing and Intellectual Property (IP) 3 Licensing and
requirements Intellectual Property
Requirements
1.5.3 Import/export controls 3 Import/Export Controls
1.5.4 Transborder data flow 3 Transborder Data Flow
1.5.5 Privacy 3 Privacy
1.6 Understand requirements for investigation 3 Requirements for
types (i.e., administrative, criminal, civil, Investigations
regulatory, industry standards)
1.7 Develop, document, and implement 1 Security Policies,
security policy, standards, procedures, Standards, Procedures,
and guidelines and Guidelines
1.8 Identify, analyze, and prioritize Business 2 Business Continuity
Continuity (BC) requirements
1.8.1 Business Impact Analysis (BIA) 2 Business Impact Analysis
1.8.2 Develop and document the scope and the 2 Business Continuity
plan
1.9 Contribute to and enforce personnel 1 Personnel Security
security policies and procedures
1.9.1 Candidate screening and hiring 1 Candidate Screening and
Hiring
1.9.2 Employment agreements and policies 1 Employment Agreements
and Policies
1.9.3 Onboarding, transfers, and termination 1 Onboarding, Transfers
processes and Termination
Processes
1.9.4 Vendor, consultant, and contractor agree- 1 Vendors, Consultants,
ments and controls and Contractors
1.9.5 Compliance policy requirements 1 Compliance Policies
1.9.6 Privacy policy requirements 1 Privacy Policies
1.10 Understand and apply risk management 2 Risk Management
concepts Concepts
1.10.1 Identify threats and vulnerabilities 2 Identifying Threats and
Vulnerabilities
1.10.2 Risk assessment/analysis 2 Assessing Risks
1.10.3 Risk response 2 Responding to Risks
1.10.4 Countermeasure selection and 2 Countermeasure Selec-
implementation tion and Implementation
368
27-AppB.indd 1210 06/09/21 1:38 PM

All-in-One Coverage
1.10.5 Applicable types of controls (e.g., preventive, 2 Types of Controls
detective, corrective)
1.10.6 Control assessments (security and privacy) 2 Control Assessments
1.10.7 Monitoring and measurement 2 Monitoring Risks
1.10.8 Reporting 2 Risk Reporting
1.10.9 Continuous improvement (e.g., Risk maturity 2 Continuous
modeling) Improvement
1.10.10 Risk frameworks 4 Risk Frameworks
1.11 Understand and apply threat modeling 9 Threat Modeling
concepts and methodologies
1.12 Apply Supply Chain Risk Management 2 Supply Chain Risk
(SCRM) concepts Management
1.12.1 Risks associated with hardware, software, 2 Risks Associated with
and services Hardware, Software, and
Services
1.12.2 Third-party assessment and monitoring 2 Other Third-Party Risks
1.12.3 Minimum security requirements 2 Minimum Security
Requirements
1.12.4 Service level requirements 2 Service Level
Agreements
1.13 Establish and maintain a security 1 Security Awareness,
awareness, education, and training Education, and Training
program Programs
1.13.1 Methods and techniques to present awareness 1 Methods and Techniques
and training (e.g., social engineering, phishing, to Present Awareness
security champions, gamification) and Training
1.13.2 Periodic content reviews 1 Periodic Content
Reviews
1.13.3 Program effectiveness evaluation 1 Program Effectiveness
Evaluation
2.1 Identify and classify information 5 Information and Assets
and assets
2.1.1 Data classification 5 Data Classification
2.1.2 Asset classification 5 Asset Classification
2.2 Establish information and asset handling 5 Classification
requirements
2.3 Provision resources securely 5 Secure Provisioning
2.3.1 Information and asset ownership 5 Ownership
369
27-AppB.indd 1211 06/09/21 1:38 PM

All-in-One Coverage
2.3.2 Asset inventory (e.g., tangible, intangible) 5 Inventories
2.3.3 Asset management 5 Managing the Life Cycle
of Assets
2.4 Manage data lifecycle 5 Data Life Cycle
2.4.1 Data roles (i.e., owners, controllers, 5 Data Roles
custodians, processors, users/subjects)
2.4.2 Data collection 5 Data Collection
2.4.3 Data location 5 Where in the World
Is My Data?
2.4.4 Data maintenance 5 Data Maintenance
2.4.5 Data retention 5 Data Retention
2.4.6 Data remanence 5 Data Remanence
2.4.7 Data destruction 5 Data Destruction
2.5 Ensure appropriate asset retention (e.g., 5 Asset Retention
End-of-Life (EOL), End-of-Support (EOS))
2.6 Determine data security controls and 6 Data Security Controls
compliance requirements
2.6.1 Data states (e.g., in use, in transit, at rest) 6 Data States
2.6.2 Scoping and tailoring 6 Scoping and Tailoring
2.6.3 Standards selection 6 Standards
2.6.4 Data protection methods (e.g., Digital Rights 6 Data Protection Methods
Management (DRM), Data Loss Prevention
(DLP), Cloud Access Security Broker (CASB))
3.1 Research, implement and manage 9 Secure Design Principles
engineering processes using secure
design principles
3.1.1 Threat modeling 9 Threat Modeling
3.1.2 Least privilege 9 Least Privilege
3.1.3 Defense in depth 9 Defense in Depth
3.1.4 Secure defaults 9 Secure Defaults
3.1.5 Fail securely 9 Fail Securely
3.1.6 Separation of Duties (SoD) 9 Separation of Duties
3.1.7 Keep it simple 9 Keep It Simple
3.1.8 Zero Trust 9 Zero Trust
3.1.9 Privacy by design 9 Privacy by Design
370
27-AppB.indd 1212 06/09/21 1:38 PM

All-in-One Coverage
3.1.10 Trust but verify 9 Trust But Verify
3.1.11 Shared responsibility 9 Shared Responsibility
3.2 Understand the fundamental concepts of 9 Security Models
security models (e.g., Biba, Star Model,
Bell-LaPadula)
3.3 Select controls based upon systems secu- 9 Security Requirements
rity requirements
3.4 Understand security capabilities of 9 Security Capabilities of
Information Systems (IS) (e.g., memory Information Systems
protection, Trusted Platform Module
(TPM), encryption/decryption)
3.5 Assess and mitigate the vulnerabilities 7 General System
of security architectures, designs, and Architectures
solution elements
3.5.1 Client-based systems 7 Client-Based Systems
3.5.2 Server-based systems 7 Server-Based Systems
3.5.3 Database systems 7 Database Systems
3.5.4 Cryptographic systems 8 Cryptosystems
3.5.5 Industrial Control Systems (ICS) 7 Industrial Control
Systems
3.5.6 Cloud-based systems (e.g., Software as a 7 Cloud-Based Systems
Service (SaaS), Infrastructure as a Service
(IaaS), Platform as a Service (PaaS))
3.5.7 Distributed systems 7 Distributed Systems
3.5.8 Internet of Things (IoT) 7 Internet of Things
3.5.9 Microservices 7 Microservices
3.5.10 Containerization 7 Containerization
3.5.11 Serverless 7 Serverless
3.5.12 Embedded systems 7 Embedded Systems
3.5.13 High-Performance Computing (HPC) systems 7 High-Performance
Computing Systems
3.5.14 Edge computing systems 7 Edge Computing
Systems
3.5.15 Virtualized systems 7 Virtualized Systems
3.6 Select and determine cryptographic 8 Cryptography Definitions
solutions and Concepts
3.6.1 Cryptographic life cycle (e.g., keys, 8 Cryptographic Life Cycle
algorithm selection)
371
27-AppB.indd 1213 06/09/21 1:38 PM

All-in-One Coverage
3.6.2 Cryptographic methods (e.g., symmetric, 8 Cryptographic Methods
asymmetric, elliptic curves, quantum)
3.6.3 Public Key Infrastructure (PKI) 8 Public Key Infrastructure
3.6.4 Key management practices 8 Key Management
3.6.5 Digital signatures and digital certificates 8 Digital Signatures
Digital Certificates
3.6.6 Non-repudiation 8 Cryptosystems
3.6.7 Integrity (e.g., hashing) 8 Cryptosystems
3.7 Understand methods of 8 Integrity
cryptanalytic attacks
3.7.1 Brute force 8 Brute Force
3.7.2 Ciphertext only 8 Ciphertext-Only Attacks
3.7.3 Known plaintext 8 Known-Plaintext Attacks
3.7.4 Frequency analysis 8 Frequency Analysis
3.7.5 Chosen ciphertext 8 Chosen-Ciphertext
Attacks
3.7.6 Implementation attacks 8 Implementation Attacks
3.7.7 Side-channel 8 Side-Channel Attacks
3.7.8 Fault injection 8 Fault Injection
3.7.9 Timing 8 Side-Channel Attacks
3.7.10 Man-in-the-Middle (MITM) 8 Man-in-the-Middle
3.7.11 Pass the hash 8 Replay Attacks
3.7.12 Kerberos exploitation 17 Weaknesses of Kerberos
3.7.13 Ransomware 8 Ransomware
3.8 Apply security principles to site and 10 Security Principles
facility design
3.9 Design site and facility security controls 10 Site and Facility Controls
3.9.1 Wiring closets/intermediate distribution 10 Distribution Facilities
facilities
3.9.2 Server rooms/data centers 10 Data Processing Facilities
3.9.3 Media storage facilities 10 Media Storage
3.9.4 Evidence storage 10 Evidence Storage
3.9.5 Restricted and work area security 10 Restricted Areas
372
27-AppB.indd 1214 06/09/21 1:38 PM

All-in-One Coverage
3.9.6 Utilities and Heating, Ventilation, and Air 10 Utilities
Conditioning (HVAC)
3.9.7 Environmental issues 10 Environmental Issues
3.9.8 Fire prevention, detection, and suppression 10 Fire Safety
3.9.9 Power (e.g., redundant, backup) 10 Electric Power
4.1 Assess and implement secure design 13 Applying Secure Design
principles in network architectures Principles to Network
Architectures
4.1.1 Open System Interconnection (OSI) and 11 Network Reference
Transmission Control Protocol/Internet Models
Protocol (TCP/IP) models
4.1.2 Internet Protocol (IP) networking (e.g., 11 Internet Protocol
Internet Protocol Security (IPSec), Internet Networking
Protocol (IP) v4/6)
4.1.3 Secure protocols 13 Secure Protocols
4.1.4 Implications of multilayer protocols 13 Multilayer Protocols
4.1.5 Converged protocols (e.g., Fiber Channel 13 Converged Protocols
Over Ethernet (FCoE), Internet Small
Computer Systems Interface (iSCSI), Voice
over Internet Protocol (VoIP))
4.1.6 Micro-segmentation (e.g., Software Defined 13 Network Segmentation
Networks (SDN), Virtual eXtensible Local Area
Network (VXLAN), Encapsulation, Software-
Defined Wide Area Network (SD-WAN))
4.1.7 Wireless networks (e.g., Li-Fi, Wi-Fi, Zigbee, 12 Wireless Networking
satellite) Fundamentals
4.1.8 Cellular networks (e.g., 4G, 5G) 12 Mobile Wireless
Communication
4.1.9 Content Distribution Networks (CDN) 14 Content Distribution
Networks
4.2 Secure network components 14 Network Devices
4.2.1 Operation of hardware (e.g., redundant 14 Operation of Hardware
power, warranty, support)
4.2.2 Transmission media 14 Transmission Media
4.2.3 Network Access Control (NAC) devices 14 Network Access Control
Devices
4.2.4 Endpoint security 14 Endpoint Security
373
27-AppB.indd 1215 06/09/21 1:38 PM

All-in-One Coverage
4.3 Implement secure communication 15 All of Chapter 15
channels according to design
4.3.1 Voice 15 Voice Communications
4.3.2 Multimedia collaboration 15 Multimedia
Collaboration
4.3.3 Remote access 15 Remote Access
4.3.4 Data communications 11 Data Communications
Foundations
4.3.5 Virtualized networks 15 Virtualized Networks
4.3.6 Third-party connectivity 15 Third-Party Connectivity
5.1 Control physical and logical access to assets 17 Controlling Physical and
Logical Access
5.1.1 Information 17 Information Access Control
5.1.2 Systems 17 System and Application
Access Control
5.1.3 Devices 17 Access Control to Devices
5.1.4 Facilities 17 Facilities Access Control
5.1.5 Applications 17 System and Application
Access Control
5.2 Manage identification and authentication 16 Identification, Authen-
of people, devices, and services tication, Authorization,
and Accountability
5.2.1 Identity Management (IdM) implementation 16 Identity Management
5.2.2 Single/Multi-Factor Authentication (MFA) 16 Identification and
Authentication
5.2.3 Accountability 16 Accountability
5.2.4 Session management 16 Session Management
5.2.5 Registration, proofing, and establishment 16 Registration and
of identity Proofing of Identity
5.2.6 Federated Identity Management (FIM) 16 Federated Identity
Management
5.2.7 Credential management systems 16 Credential Management
5.2.8 Single Sign On (SSO) 16 Single Sign-On
5.2.9 Just-In-Time (JIT) 16 Just-in-Time Access
5.3 Federated identity with a third-party 16 Federated Identity with
service a Third-Party Service
5.3.1 On-premise 16 On-Premise
374
27-AppB.indd 1216 06/09/21 1:38 PM

All-in-One Coverage
5.3.2 Cloud 16 Cloud
5.3.3 Hybrid 16 Hybrid
5.4 Implement and manage authorization 17 Authorization
mechanisms Mechanisms
5.4.1 Role Based Access Control (RBAC) 17 Role-Based Access
Control
5.4.2 Rule based access control 17 Rule-Based Access
Control
5.4.3 Mandatory Access Control (MAC) 17 Mandatory Access
Control
5.4.4 Discretionary Access Control (DAC) 17 Discretionary Access
Control
5.4.5 Attribute Based Access Control (ABAC) 17 Attribute-Based Access
Control
5.4.6 Risk based access control 17 Risk-Based Access
Control
5.5 Manage the identity and access 17 Managing the Identity
provisioning lifecycle and Access Provisioning
Life Cycle
5.5.1 Account access review (e.g., user, system, 17 System Account Access
service) Review
5.5.2 Provisioning and deprovisioning 17 Provisioning
(e.g., on /off boarding and transfers) Deprovisioning
5.5.3 Role definition (e.g., people assigned 17 Role Definitions
to new roles)
5.5.4 Privilege escalation (e.g., managed service 17 Privilege Escalation
accounts, use of sudo, minimizing its use) Managed Service
Accounts
5.6 Implement authentication systems 17 Implementing
Authentication and
Authorization Systems
5.6.1 OpenID Connect (OIDC)/Open 17 OpenID Connect
Authorization (Oauth) Oauth
5.6.2 Security Assertion Markup Language (SAML) 17 Access Control and
Markup Languages
5.6.3 Kerberos 17 Kerberos
5.6.4 Remote Authentication Dial-In User Service 17 Remote Access Control
(RADIUS)/Terminal Access Controller Access Technologies
Control System Plus (TACACS+)
375
27-AppB.indd 1217 06/09/21 1:38 PM

All-in-One Coverage
6.1 Design and validate assessment, test, 18 Test, Assessment, and
and audit strategies Audit Strategies
6.1.1 Internal 18 Internal Audits
6.1.2 External 18 External Audits
6.1.3 Third-party 18 Third-Party Audits
6.2 Conduct security control testing 18 Testing Technical
Controls
6.2.1 Vulnerability assessment 18 Vulnerability Testing
6.2.2 Penetration testing 18 Penetration Testing
6.2.3 Log reviews 18 Log Reviews
6.2.4 Synthetic transactions 18 Synthetic Transactions
6.2.5 Code review and testing 18 Code Reviews
6.2.6 Misuse case testing 18 Misuse Case Testing
6.2.7 Test coverage analysis 18 Test Coverage
6.2.8 Interface testing 18 Interface Testing
6.2.9 Breach attack simulations 18 Breach Attack
Simulations
6.2.10 Compliance checks 18 Compliance Checks
6.3 Collect security process data 19 Security Process Data
(e.g., technical and administrative)
6.3.1 Account management 19 Account Management
6.3.2 Management review and approval 19 Management Review
and Approval
6.3.3 Key performance and risk indicators 19 Key Performance and
Risk Indicators
6.3.4 Backup verification data 19 Backup Verification
6.3.5 Training and awareness 19 Security Training and
Security Awareness
Training
6.3.6 Disaster Recovery (DR) and Business 19 Disaster Recovery and
Continuity (BC) Business Continuity
6.4 Analyze test output and generate report 19 Reporting
6.4.1 Remediation 19 Remediation
6.4.2 Exception handling 19 Exception Handling
6.4.3 Ethical disclosure 19 Ethical Disclosure
376
27-AppB.indd 1218 06/09/21 1:38 PM

All-in-One Coverage
6.5 Conduct or facilitate security audits 18 Conducting Security
Audits
6.5.1 Internal 18 Conducting Internal
Audits
6.5.2 External 18 Conducting and
Facilitating External Audits
6.5.3 Third-party 18 Facilitating Third-Party
Audits
7.1 Understand and comply 22 Investigations
with investigations
7.1.1 Evidence collection and handling 22 Evidence Collection and
Handling
7.1.2 Reporting and documentation 22 Reporting and
Documenting
7.1.3 Investigative techniques 22 Other Investigative
Techniques
7.1.4 Digital forensics tools, tactics, 22 Digital Forensics Tools,
and procedures Tactics, and Procedures
7.1.5 Artifacts (e.g., computer, network, mobile 22 Forensic Artifacts
device)
7.2 Conduct logging and monitoring 21 Logging and Monitoring
activities
7.2.1 Intrusion detection and prevention 21 Intrusion Detection and
Prevention Systems
7.2.2 Security Information and Event 21 Security Information and
Management (SIEM) Event Management
7.2.3 Continuous monitoring 21 Continuous Monitoring
7.2.4 Egress monitoring 21 Egress Monitoring
7.2.5 Log management 21 Log Management
7.2.6 Threat intelligence (e.g., threat feeds, threat 21 Threat Intelligence
hunting)
7.2.7 User and Entity Behavior Analytics (UEBA) 21 User and Entity Behavior
Analytics
7.3 Perform Configuration Management (CM) 20 Configuration
(e.g., provisioning, baselining, Management
automation)
377
27-AppB.indd 1219 06/09/21 1:38 PM

All-in-One Coverage
7.4 Apply foundational security 20 Foundational Security
operations concepts Operations Concepts
7.4.1 Need-to-know/least privilege 20 Need-to-Know/Least
Privilege
7.4.2 Separation of Duties (SoD) and 20 Separation of Duties and
responsibilities Responsibilities
7.4.3 Privileged account management 20 Privileged Account
Management
7.4.4 Job rotation 20 Job Rotation
7.4.5 Service Level Agreements (SLAs) 20 Service Level
Agreements
7.5 Apply resource protection 20 Resource Protection
7.5.1 Media management 20 Hierarchical Storage
Management
7.5.2 Media protection techniques 20 Resource Protection
7.6 Conduct incident management 22 Overview of Incident
Management
7.6.1 Detection 22 Detection
7.6.2 Response 22 Response
7.6.3 Mitigation 22 Mitigation
7.6.4 Reporting 22 Reporting
7.6.5 Recovery 22 Recovery
7.6.6 Remediation 22 Remediation
7.6.7 Lessons learned 22 Lessons Learned
7.7 Operate and maintain detective and 21 Preventive and Detective
preventative measures Measures
7.7.1 Firewalls (e.g., next generation, web 21 Firewalls
application, network)
7.7.2 Intrusion Detection Systems (IDS) and 21 Intrusion Detection and
Intrusion Prevention Systems (IPS) Prevention Systems
7.7.3 Whitelisting/blacklisting 21 Whitelisting and
Blacklisting
7.7.4 Third-party provided security services 21 Outsourced Security
Services
7.7.5 Sandboxing 21 Sandboxing
7.7.6 Honeypots/honeynets 21 Honeypots and
Honeynets
378
27-AppB.indd 1220 06/09/21 1:38 PM

All-in-One Coverage
7.7.7 Anti-malware 21 Antimalware Software
7.7.8 Machine learning and Artificial Intelligence 21 Artificial Intelligence
(AI) based tools Tools
7.8 Implement and support patch and 20 Vulnerability and Patch
vulnerability management Management
7.9 Understand and participate in change 20 Change Management
management processes
7.10 Implement recovery strategies 23 Recovery Strategies
7.10.1 Backup storage strategies 23 Data Backup
7.10.2 Recovery site strategies 23 Recovery Site Strategies
7.10.3 Multiple processing sites 23 Multiple Processing Sites
7.10.4 System resilience, High Availability (HA), 23 Availability
Quality of Service (QoS), and fault tolerance
7.11 Implement Disaster Recovery (DR) 23 Disaster Recovery
processes Processes
7.11.1 Response 23 Response
7.11.2 Personnel 23 Personnel
7.11.3 Communications 23 Communications
7.11.4 Assessment 23 Assessment
7.11.5 Restoration 23 Restoration
7.11.6 Training and awareness 23 Training and Awareness
7.11.7 Lessons learned 23 Lessons Learned
7.12 Test Disaster Recovery Plans (DRP) 23 Testing Disaster
Recovery Plans
7.12.1 Read-through/tabletop 23 Checklist Test
Tabletop Exercises
7.12.2 Walkthrough 23 Structured Walkthrough
Test
7.12.3 Simulation 23 Simulation Test
7.12.4 Parallel 23 Parallel Test
7.12.5 Full interruption 23 Full-Interruption Test
7.13 Participate in Business Continuity (BC) 23 Business Continuity
planning and exercises
7.14 Implement and manage physical security 20 Physical Security
7.14.1 Perimeter security controls 20 External Perimeter
Security Controls
7.14.2 Internal security controls 20 Internal Security Controls
379
27-AppB.indd 1221 06/09/21 1:38 PM

All-in-One Coverage
7.15 Address personnel safety and 20 Personnel Safety and
security concerns Security
7.15.1 Travel 20 Travel
7.15.2 Security training and awareness 20 Security Training and
Awareness
7.15.3 Emergency management 20 Emergency Management
7.15.4 Duress 20 Duress
8.1 Understand and integrate security in the 24 Software Development
Software Development Life Cycle (SDLC) Life Cycle
8.1.1 Development methodologies (e.g., Agile, 24 Development Method-
Waterfall, DevOps, DevSecOps) ologies
8.1.2 Maturity models (e.g., Capability Maturity 24 Maturity Models
Model (CMM), Software Assurance Maturity
Model (SAMM))
8.1.3 Operation and maintenance 24 Operations and Mainte-
nance Phase
8.1.4 Change management 24 Change Management
8.1.5 Integrated Product Team (IPT) 24 Integrated Product Team
8.2 Identify and apply security controls in 25 Security Controls for
software development ecosystems Software Development
8.2.1 Programming languages 25 Programming Languages
and Concepts
8.2.2 Libraries 25 Software Libraries
8.2.3 Tool sets 25 Tool Sets
8.2.4 Integrated Development Environment (IDE) 25 Development Platforms
8.2.5 Runtime 25 Runtime Environments
8.2.6 Continuous Integration and Continuous 25 Continuous Integration
Delivery (CI/CD) and Delivery
8.2.7 Security Orchestration, Automation, and 25 Security Orchestration,
Response (SOAR) Automation, and
Response
8.2.8 Software Configuration Management (SCM) 25 Software Configuration
Management
8.2.9 Code repositories 25 Code Repositories
8.2.10 Application security testing (e.g., Static 25 Application Security
Application Security Testing (SAST), Dynamic Testing
Application Security Testing (DAST))
380
27-AppB.indd 1222 06/09/21 1:38 PM

All-in-One Coverage
8.3 Assess the effectiveness of 25 Software Security
software security Assessments
8.3.1 Auditing and logging of changes 25 Change Management
8.3.2 Risk analysis and mitigation 25 Risk Analysis and
Mitigation
8.4 Assess security impact of acquired 25 Assessing the Security of
software Acquired Software
8.4.1 Commercial-off-the-shelf (COTS) 25 Commercial Software
8.4.2 Open source 25 Open-Source Software
8.4.3 Third-party 25 Third-Party Software
8.4.4 Managed services (e.g., Software as a Service 25 Managed Services
(SaaS), Infrastructure as a Service (IaaS),
Platform as a Service (PaaS))
8.5 Define and apply secure coding guidelines 25 Secure Software Devel-
and standards opment
8.5.1 Security weaknesses and vulnerabilities at 25 Source Code Vulner-
the source-code level abilities
8.5.2 Security of Application Programming 25 Application Program-
Interfaces (APIs) ming Interfaces
8.5.3 Secure coding practices 25 Secure Coding Practices
8.5.4 Software-defined security 25 Software-Defined
Security
381
27-AppB.indd 1223 06/09/21 1:38 PM

Shon Harris Audio Book

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Shon Harris Audio Book

Uploaded by

Copyright:

Available Formats

CISSP ALL-IN-ONE EXAM GUIDE,

Domain 2: Asset Security

00-FM.indd 30 11/09/21 12:40 PM

Domain 5: Identity and Access Management (IAM)

00-FM.indd 30 11/09/21 12:40 PM

Domain 8: Software Development Security

00-FM.indd 31 11/09/21 12:40 PM

00-FM.indd 37 11/09/21 12:40 PM

00-FM.indd 38 11/09/21 12:40 PM

Exposure And causes an

01-ch01.indd 10 15/09/21 12:31 PM

01-ch01.indd 11 15/09/21 12:31 PM

Risk analysis Process

Risk analysis Tactical management Organizational

Figure 1-2 A complete security program contains many items.

01-ch01.indd 12 15/09/21 12:31 PM

Assets Motivation Process People Location Time

Contextual The Business risk Business Business Business Business time

01-ch01.indd 14 15/09/21 12:31 PM

Figure 1-3 Policy

Guidelines Recommended but optional

01-ch01.indd 31 15/09/21 12:31 PM

Awareness Training Education

01-ch01.indd 41 15/09/21 12:31 PM

02-ch02.indd 55 15/09/21 12:35 PM

02-ch02.indd 58 15/09/21 12:35 PM

Threat Actor Can Exploit This Vulnerability To Cause This Effect

02-ch02.indd 62 15/09/21 12:35 PM

Top-level failure event is

Failure Event B Failure Event C Failure Event D

AND symbol means that

Failure Event E Failure Event F

Figure 2-3 Fault tree and logic components

02-ch02.indd 71 15/09/21 12:35 PM

Single Loss Annualized Rate of Annualized Loss

02-ch02.indd 75 15/09/21 12:35 PM

Figure 2-4 Qualitative risk matrix: likelihood vs. consequences (impact)

02-ch02.indd 76 15/09/21 12:35 PM

Threat = Hacker Effectiveness

02-ch02.indd 77 15/09/21 12:35 PM

Attribute Quantitative Qualitative

02-ch02.indd 78 15/09/21 12:35 PM

PLAN COLLECT INFORMATION DEFINE

RISK MITIGATION RISK AVOIDANCE

RISK TRANSFERENCE RISK ACCEPTANCE

Figure 2-5 How a risk management program can be set up

02-ch02.indd 80 15/09/21 12:35 PM

Potential threat Virus scanners

Rule-based access control

Virtual private networks (VPNs)

Policies and procedures

Figure 2-6 Defense-in-depth

02-ch02.indd 84 15/09/21 12:35 PM

Control Type: Preventive Detective Corrective Deterrent Recovery Compensating

02-ch02.indd 87 15/09/21 12:35 PM

02-ch02.indd 89 15/09/21 12:35 PM

Figure 2-7 Risk

Very Low Medium High Very

02-ch02.indd 94 15/09/21 12:35 PM

Level Maturity Characteristics

02-ch02.indd 96 15/09/21 12:35 PM

Software Distributor Customers

02-ch02.indd 97 15/09/21 12:35 PM

Communication and consultation