CompTIA Cybersecurity Analyst+ (CSA+) Study Guide
Table of Contents

Introduction xxvii
Assessment Test xlv

Chapter 1 Defending Against Cybersecurity Threats 1
  Cybersecurity Objectives 2
  Evaluating Security Risks 3
  Identify Threats 5
  Identify Vulnerabilities 7
  Determine Likelihood, Impact, and Risk 7
  Reviewing Controls 8
  Building a Secure Network 8
  Network Access Control 9
  Firewalls and Network Perimeter Security 10
  Network Segmentation 13
  Defense through Deception 14
  Secure Endpoint Management 15
  Hardening System Configurations 15
  Patch Management 15
  Group Policies 16
  Endpoint Security Software 17
  Penetration Testing 17
  Planning a Penetration Test 18
  Conducting Discovery 18
  Executing a Penetration Test 19
  Communicating Penetration Test Results 20
  Training and Exercises 20
  Reverse Engineering 20
  Isolation and Sandboxing 21
  Reverse Engineering Software 21
  Reverse Engineering Hardware 22
  Summary 23
  Exam Essentials 24
  Lab Exercises 25
    Activity 1.1: Create an Inbound Firewall Rule 25
    Activity 1.2: Create a Group Policy Object 25
    Activity 1.3: Write a Penetration Testing Plan 26
    Activity 1.4: Security Tools 27
  Review Questions 28

Chapter 2 Reconnaissance and Intelligence Gathering 33
  Footprinting 34
  Active Reconnaissance 35
  Mapping Networks and Discovering Topology 35
  Port Scanning and Service Discovery Techniques and Tools 37
  Passive Footprinting 43
  Log and Configuration Analysis 43
  Harvesting Data from DNS and Whois 51
  Information Aggregation and Analysis Tools 58
  Information Gathering Using Packet Capture 58
  Gathering Organizational Intelligence 59
  Organizational Data 59
  Electronic Document Harvesting 60
  Detecting, Preventing, and Responding to Reconnaissance 63
  Capturing and Analyzing Data to Detect Reconnaissance 63
  Preventing Reconnaissance 65
  Summary 66
  Exam Essentials 67
  Lab Exercises 68
    Activity 2.1: Port Scanning 68
    Activity 2.2: Write an Intelligence Gathering Plan 68
    Activity 2.3: Intelligence Gathering Techniques 69
  Review Questions 70

Chapter 3 Designing a Vulnerability Management Program 75
  Identifying Vulnerability Management Requirements 76
  Regulatory Environment 76
  Corporate Policy 79
  Identifying Scan Targets 80
  Determining Scan Frequency 81
  Configuring and Executing Vulnerability Scans 83
  Scoping Vulnerability Scans 83
  Configuring Vulnerability Scans 84
  Scanner Maintenance 88
  Developing a Remediation Workflow 90
  Reporting and Communication 91
  Prioritizing Remediation 94
  Testing and Implementing Fixes 94
  Overcoming Barriers to Vulnerability Scanning 95
  Summary 96
  Exam Essentials 97
  Lab Exercises 98
    Activity 3.1: Installing a Vulnerability Scanner 98
    Activity 3.2: Running a Vulnerability Scan 98
  Review Questions 99

Chapter 4 Analyzing Vulnerability Scans 103
  Reviewing and Interpreting Scan Reports 104
  Understanding CVSS 106
  Validating Scan Results 111
  False Positives 112
  Documented Exceptions 112
  Understanding Informational Results 112
  Reconciling Scan Results with Other Data Sources 114
  Trend Analysis 114
  Common Vulnerabilities 115
  Server and Endpoint Vulnerabilities 116
  Network Vulnerabilities 123
  Virtualization Vulnerabilities 129
  Internet of Things (IoT) 130
  Web Application Vulnerabilities 131
  Summary 134
  Exam Essentials 135
  Lab Exercises 136
    Activity 4.1: Interpreting a Vulnerability Scan 136
    Activity 4.2: Analyzing a CVSS Vector 136
    Activity 4.3: Remediating a Vulnerability 137
  Review Questions 138

Chapter 5 Building an Incident Response Program 143
  Security Incidents 144
  Phases of Incident Response 145
  Preparation 146
  Detection and Analysis 146
  Containment, Eradication, and Recovery 148
  Post-Incident Activity 148
  Building the Foundation for Incident Response 150
  Policy 150
  Procedures and Playbooks 151
  Documenting the Incident Response Plan 151
  Creating an Incident Response Team 152
  Incident Response Providers 153
  CSIRT Scope of Control 154
  Coordination and Information Sharing 154
  Internal Communications 155
  External Communications 155
  Classifying Incidents 155
  Threat Classification 156
  Severity Classification 157
  Summary 160
  Exam Essentials 161
  Lab Exercises 162
    Activity 5.1: Incident Severity Classification 162
    Activity 5.2: Incident Response Phases 162
    Activity 5.3: Developing an Incident Communications Plan 163
  Review Questions 164

Chapter 6 Analyzing Symptoms for Incident Response 169
  Analyzing Network Events 170
  Capturing Network Events 170
  Network Monitoring Tools 174
  Detecting Common Network Issues 179
  Handling Network Probes and Attacks 183
  Detecting Scans and Probes 183
  Detecting Denial-of-Service and Distributed Denial-of-Service Attacks 184
  Detecting Other Network Attacks 186
  Detecting and Finding Rogue Devices 187
  Investigating Host Issues 188
  System Resources 189
  Malware and Unauthorized Software 192
  Unauthorized Access, Changes, and Privileges 193
  Investigating Service and Application Issues 194
  Application and Service Monitoring 194
  Application and Service Issue Response and Restoration 196
  Detecting Attacks on Applications 197
  Summary 198
  Exam Essentials 198
  Lab Exercises 199
    Activity 6.1: Identify a Network Scan 199
    Activity 6.2: Write a Service Issue Response Plan 200
    Activity 6.3: Security Tools 201
  Review Questions 202

Chapter 7 Performing Forensic Analysis 207
  Building a Forensics Capability 208
  Building a Forensic Toolkit 208
  Training and Certification 212
  Understanding Forensic Software 212
  Capabilities and Application 212
  Conducting a Forensic Investigation 216
  The Forensic Process 216
  Target Locations 218
  Acquiring and Validating Drive Images 219
  Imaging Live Systems 224
  Acquiring Other Data 225
  Forensic Investigation: An Example 229
  Importing a Forensic Image 229
  Analyzing the Image 231
  Reporting 234
  Summary 236
  Exam Essentials 236
  Lab Exercises 237
    Activity 7.1: Create a Disk Image 237
    Activity 7.2: Conduct the NIST Rhino Hunt 238
    Activity 7.3: Security Tools 239
  Review Questions 240

Chapter 8 Recovery and Post-Incident Response 245
  Containing the Damage 246
  Segmentation 248
  Isolation 249
  Removal 251
  Evidence Gathering and Handling 252
  Identifying Attackers 253
  Incident Eradication and Recovery 253
  Reconstruction and Reimaging 255
  Patching Systems and Applications 255
  Sanitization and Secure Disposal 256
  Validating the Recovery Effort 258
  Wrapping Up the Response 258
  Managing Change Control Processes 258
  Conducting a Lessons-Learned Session 259
  Developing a Final Report 259
  Summary 260
  Exam Essentials 260
  Lab Exercises 261
    Activity 8.1: Incident Containment Options 261
    Activity 8.2: Incident Response Activities 263
    Activity 8.3: Sanitization and Disposal Techniques 263
  Review Questions 265

Chapter 9 Policy and Compliance 269
  Understanding Policy Documents 270
  Policies 270
  Standards 273
  Procedures 274
  Guidelines 275
  Exceptions and Compensating Controls 276
  Complying with Laws and Regulations 277
  Adopting a Standard Framework 278
  NIST Cybersecurity Framework 279
  ISO 27001 282
  Control Objectives for Information and Related Technologies (COBIT) 282
  Sherwood Applied Business Security Architecture (SABSA) 283
  The Open Group Architecture Framework (TOGAF) 283
  Information Technology Infrastructure Library (ITIL) 285
  Implementing Policy-Based Controls 285
  Security Control Verification and Quality Control 286
  Summary 287
  Exam Essentials 287
  Lab Exercises 288
    Activity 9.1: Policy Documents 288
    Activity 9.2: Using a Cybersecurity Framework 288
    Activity 9.3: Compliance Auditing Tools 288
  Review Questions 289

Chapter 10 Defense-in-Depth Security Architectures 293
  Understanding Defense in Depth 294
  Layered Security 294
  Control Types and Classification 298
  Implementing Defense in Depth 299
  Layered Security and Network Design 299
  Layered Host Security 305
  Logging, Monitoring, and Validation 306
  Cryptography 307
  Policy, Process, and Standards 308
  Outsourcing and Personnel Security 310
  Analyzing Security Architecture 311
  Analyzing Security Requirements 312
  Reviewing Architecture 312
  Common Issues 313
  Reviewing a Security Architecture 317
  Maintaining a Security Design 319
  Summary 320
  Exam Essentials 320
  Lab Exercises 321
    Activity 10.1: Review an Application Using the OWASP Application Security Architecture Cheat Sheet 321
    Activity 10.2: Review a NIST Security Architecture 322
    Activity 10.3: Security Architecture Terminology 323
  Review Questions 324

Chapter 11 Identity and Access Management Security 329
  Understanding Identity 330
  Identity Systems and Security Design 332
  Threats to Identity and Access 335
  Understanding Security Issues with Identities 336
  Attacking AAA Systems and Protocols 336
  Targeting Account Creation, Provisioning, and Deprovisioning 341
  Preventing Common Exploits of Identity and Authorization 343
  Acquiring Credentials 343
  Identity as a Security Layer 345
  Identity and Defense-in-Depth 346
  Securing Authentication and Authorization 346
  Detecting Attacks and Security Operations 352
  Understanding Federated Identity and Single Sign-On 353
  Federated Identity Security Considerations 354
  Federated Identity Design Choices 355
  Federated Identity Technologies 357
  Federation Incident Response 361
  Summary 362
  Exam Essentials 362
  Lab Exercises 363
    Activity 11.1: Federated Security Scenario 363
    Activity 11.2: Onsite Identity Issues Scenario 364
    Activity 11.3: Identity and Access Management Terminology 365
  Review Questions 366

Chapter 12 Software Development Security 371
  Understanding the Software Development Life Cycle 372
  Software Development Phases 373
  Software Development Models 375
  Designing and Coding for Security 380
  Common Software Development Security Issues 381
  Secure Coding Best Practices 381
  Application Testing 384
  Information Security and the SDLC 384
  Code Review Models 385
  Formal Code Review 387
  Software Security Testing 388
  Analyzing and Testing Code 389
  Web Application Vulnerability Scanning 391
  Summary 394
  Exam Essentials 394
  Lab Exercises 395
    Activity 12.1: Review an Application Using the OWASP Application Security Architecture Cheat Sheet 395
    Activity 12.2: Learn about Web Application Exploits from WebGoat 396
    Activity 12.3: SDLC Terminology 396
  Review Questions 397

Chapter 13 Cybersecurity Toolkit 401
  Host Security Tools 402
  Antimalware and Antivirus 402
  EMET 403
  Sysinternals 404
  Monitoring and Analysis Tools 405
  Syslog 406
  Security Information and Event Management (SIEM) 407
  Network Monitoring 409
  Scanning and Testing Tools 411
  Network Scanning 412
  Vulnerability Scanning 412
  Exploit Frameworks 415
  Password Cracking and Recovery 416
  Network Security Tools 418
  Firewalls 418
  Network Intrusion Detection and Prevention 418
  Host Intrusion Prevention 420
  Packet Capture 421
  Command-Line Network Tools 423
  Web Proxies 426
  OpenSSL 428
  Web Application Security Tools 429
  Web Application Firewalls 429
  Interception Proxies 430
  Fuzzers 431
  Forensics Tools 433
  Hashing 433
  Imaging 434
  Forensic Suites 435
  Mobile Forensics 436
  Summary 436

Appendix A Answers to the Review Questions 437
  Chapter 1: Defending Against Cybersecurity Threats 438
  Chapter 2: Reconnaissance and Intelligence Gathering 439
  Chapter 3: Designing a Vulnerability Management Program 441
  Chapter 4: Analyzing Vulnerability Scans 443
  Chapter 5: Building an Incident Response Program 444
  Chapter 6: Analyzing Symptoms for Incident Response 446
  Chapter 7: Performing Forensic Analysis 448
  Chapter 8: Recovery and Post-Incident Response 449
  Chapter 9: Policy and Compliance 451
  Chapter 10: Defense-in-Depth Security Architectures 453
  Chapter 11: Identity and Access Management Security 456
  Chapter 12: Software Development Security 458

Appendix B Answers to the Lab Exercises 461
  Chapter 1: Defending Against Cybersecurity Threats 462
  Chapter 2: Reconnaissance and Intelligence Gathering 462
  Chapter 4: Analyzing Vulnerability Scans 463
  Chapter 5: Building an Incident Response Program 464
  Chapter 6: Analyzing Symptoms for Incident Response 465
  Chapter 7: Performing Forensic Analysis 466
  Chapter 8: Recovery and Post-Incident Response 467
  Chapter 9: Policy and Compliance 470
  Chapter 10: Defense-in-Depth Security Architectures 471
  Chapter 11: Identity and Access Management Security 472
  Chapter 12: Software Development Security 473

Index 475

About the Author

Mike Chapple, PhD, CySA+, CISSP, Security+, is Senior Director for IT Service Delivery at the University of Notre Dame, where he oversees the information security, data governance, IT architecture, project management, strategic planning, and product management functions and teaches undergraduate courses on information security.

David Seidl, CISSP, GPEN, GCIH, is the Senior Director for Campus Technology Services at Notre Dame. As Senior Director for CTS, he is responsible for central platform and operating system support, database administration and services, identity and access management, application services, and email and digital signage.
