CompTIA® Security+ SY0-701

Exam Cram
Companion Website and Pearson Test Prep Access Code
Access interactive study tools on this book’s companion website, including
practice test software, Key Term flash card application, the essential Cram
Sheet, and more!
To access the companion website, simply follow these steps:
1. Go to www.pearsonitcertification.com/register.

2. Enter the print book ISBN: 9780138225575.

3. Answer the security question to validate your purchase.

4. Go to your account page.

5. Click on the Registered Products tab.

6. Under the book listing, click on the Access Bonus Content link.

When you register your book, your Pearson Test Prep practice test access code
will automatically be populated with the book listing under the Registered
Products tab. You will need this code to access the practice test that comes
with this book. You can redeem the code at PearsonTestPrep.com. Simply
choose Pearson IT Certification as your product group and log into the site
with the same credentials you used to register your book. Click the Activate
New Product button and enter the access code. More detailed instructions on
how to redeem your access code for both the online and desktop versions can
be found on the companion website.
If you have any issues accessing the companion website or obtaining your
Pearson Test Prep practice test access code, you can contact our support team
by going to pearsonitp.echelp.org.
This page intentionally left blank
 CompTIA ®

Security+
SY0-701
Exam Cram
Robert Shimonski
Marty M. Weiss
CompTIA® Security+ SY0-701 Exam Cram GM K12, Early
Career and
Robert Shimonski and Marty M. Weiss Professional
Copyright © 2025 by Pearson Education, Inc. Learning
All rights reserved. This publication is protected by copyright, and Soo Kang
permission must be obtained from the publisher prior to any prohibited reproduc-
Director,
tion, storage in a retrieval system, or transmission in any form or
ITP Product
by any means, electronic, mechanical, photocopying, recording, or likewise. For
Management
information regarding permissions, request forms, and the appropriate
contacts within the Pearson Education Global Rights & Permissions Department, Brett Bartow
please visit www.pearson.com/permissions. Executive Editor
No patent liability is assumed with respect to the use of the information Nancy Davis
contained herein. Although every precaution has been taken in the preparation of
this book, the publisher and author assume no responsibility for errors or omis- Development
sions. Nor is any liability assumed for damages resulting from the use of the Editor
information contained herein. Ellie C. Bru
Microsoft and/or its respective suppliers make no representations about the
suitability of the information contained in the documents and related graphics Managing Editor
published as part of the services for any purpose all such documents and related Sandra Schroeder
graphics are provided “as is” without warranty of any kind. Microsoft and/or its
respective suppliers hereby disclaim all warranties and conditions with regard to Senior Project
this information, including all warranties and conditions of merchantability, Editor
whether express, implied or statutory, fitness for a particular purpose, title and Mandie Frank
non-infringement. In no event shall Microsoft and/or its respective suppliers
be liable for any special, indirect or consequential damages or any damages Copy Editor
whatsoever resulting from loss of use, data or profits, whether in an action of Bart Reed
contract, negligence or other tortious action, arising out of or in connection with
the use or performance of information available from the services. Indexer
The documents and related graphics contained herein could include technical inac- Erika Millen
curacies or typographical errors. Changes are periodically added to the information Proofreader
herein. Microsoft and/or its respective suppliers may make improvements and/or
Jennifer Hinchliffe
changes in the product(s) and/or the program(s) described herein at any time. Partial
screen shots may be viewed in full within the software version specified. Technical Editors
Microsoft® Windows®, and Microsoft Office® are registered trademarks of the Raymond Lacoste
Microsoft Corporation in the U.S.A. and other countries. This book is not
sponsored or endorsed by or affiliated with the Microsoft Corporation. Christopher Crayton
Please contact us with concerns about any potential bias at Publishing
https://www.pearson.com/report-bias.html. Coordinator
ISBN-13: 978-0-13-822557-5 Cindy Teeters
ISBN-10: 0-13-822557-5
Designer
Library of Congress Cataloging-in-Publication Data: 2024909527
Chuti Prasertsith
$PrintCode
Compositor
Trademarks codeMantra
All terms mentioned in this book that are known to be trademarks or service
marks have been appropriately capitalized. Pearson IT Certification cannot attest
to the accuracy of this information. Use of a term in this book should not be
regarded as affecting the validity of any trademark or service mark.

Warning and Disclaimer

Every effort has been made to make this book as complete and as accurate as
possible, but no warranty or fitness is implied. The information provided is on an
“as is” basis. The authors and the publisher shall have neither liability nor respon-
sibility to any person or entity with respect to any loss or damages arising from
the information contained in this book.

Special Sales
For information about buying this title in bulk quantities, or for special sales
opportunities (which may include electronic versions; custom cover designs; and
content particular to your business, training goals, marketing focus, or branding
interests), please contact our corporate sales department at
[email protected] or (800) 382-3419.
For government sales inquiries, please contact
[email protected].
For questions about sales outside the U.S., please contact
[email protected].
Contents at a Glance
Introduction
xxvi

Part 1: General Security Concepts 1

CHAPTER 1 Security Controls3
CHAPTER 2 Fundamental Security Concepts11
CHAPTER 3 Change Management Processes and the
Impact to Security27
CHAPTER 4 Cryptographic Solutions39

Part 2: Threats, Vulnerabilities, and Mitigations 81

CHAPTER 5 Threat Actors and Motivations83
CHAPTER 6 Threat Vectors and Attack Surfaces97
CHAPTER 7 Vulnerability Types115
CHAPTER 8 Malicious Attacks and Indicators131
CHAPTER 9 Mitigation Techniques for Securing the Enterprise161

Part 3: Security Architecture 177

CHAPTER 10 Security Implications of Architecture Models179
CHAPTER 11 Enterprise Architecture Security Principles211
CHAPTER 12 Data Protection Strategies233
CHAPTER 13 Resilience and Recovery in Security Architecture247

Part 4: Security Operations 265

CHAPTER 14 Securing Resources267
CHAPTER 15 Hardware, Software, and Data Asset Management295
CHAPTER 16 Vulnerability Management307
CHAPTER 17 Security Alerting and Monitoring329
CHAPTER 18 Enterprise Security Capabilities349
CHAPTER 19 Identity and Access Management377
CHAPTER 20 Security Automation and Orchestration401
CHAPTER 21 Incident Response Activities409
CHAPTER 22 Data Sources for Supporting Investigations419
vi
CompTIA® Security+ SY0-701 Exam Cram

Part 5: Security Program Management and Oversight 425

CHAPTER 23 Effective Security Governance427
CHAPTER 24 Risk Management465
CHAPTER 25 Third-Party Risk Assessment and Management485
CHAPTER 26 Security Compliance495
CHAPTER 27 Security Audits and Assessments509
CHAPTER 28 Security Awareness Practices525
Glossary of Essential Terms
551
Cram Sheet
603
Index617

Table of Contents
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxvi

Part 1: General Security Concepts 1

CHAPTER 1:
Security Controls.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Nature of Controls. . . . . . . . . .............................. 3
Functional Use of Controls. . . .............................. 4
Preventive Controls. . . . .............................. 5
Deterrent Controls.. . . . .............................. 5
Detective Controls. . . . . .............................. 6
Corrective Controls. . . . .............................. 6
Compensating Controls. .............................. 6
Directive Controls. . . . . .............................. 7
What Next?. . . . . . . . . . . . . . .............................. 9

CHAPTER 2:
Fundamental Security Concepts.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Confidentiality, Integrity, and Availability (CIA). . . . . . ............ 12
Non-Repudiation. . . . . . . . . . . . . . . . . . . . . . . . . . . ............ 13
Authentication, Authorization, and Accounting (AAA). . ............ 13
Gap Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ............ 14
Zero Trust. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ............ 15
Physical Security. . . . . . . . . . . . . . . . . . . . . . . . . . . ............ 18
Bollards. . . . . . . . . . . . . . . . . . . . . . . . . . . . . ............ 19
Access Control Vestibules. . . . . . . . . . . . . . . . . ............ 19
Signs, Fencing, and Gates. . . . . . . . . . . . . . . . . ............ 20
Video Surveillance. . . . . . . . . . . . . . . . . . . . . . . . . . ............ 20
Security Guards. . . . . . . . . . . . . . . . . . . . . . . . ............ 21
Access Badge. . . . . . . . . . . . . . . . . . . . . . . . . . ............ 21
Lighting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . ............ 21
Sensors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ............ 22
Deception and Disruption Technology. . . . . . . . . . . . ............ 23
What Next?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ............ 26
viii
CompTIA® Security+ SY0-701 Exam Cram

CHAPTER 3:
Change Management Processes and the Impact to Security. . . . . . . . . . . 27
Change Management. . . . . . . . . . . . . . . . . . . . . ............... 28
Business Processes Impacting Security Operations. ............... 28
Approval Process. . . . . . . . . . . . . . . . . . . . ............... 29
Ownership. . . . . . . . . . . . . . . . . . . . . . . . ............... 29
Stakeholders. . . . . . . . . . . . . . . . . . . . . . . ............... 29
Impact Analysis. . . . . . . . . . . . . . . . . . . . . ............... 30
Test Results. . . . . . . . . . . . . . . . . . . . . . . . ............... 30
Backout Plan. . . . . . . . . . . . . . . . . . . . . . . ............... 30
Maintenance Window. . . . . . . . . . . . . . . . . ............... 30
Standard Operating Procedure (SOP). . . . . . ............... 31
Technical Implications.. . . . . . . . . . . . . . . . . . . . ............... 31
Allow Lists/Deny Lists. . . . . . . . . . . . . . . . ............... 32
Restricted Activities. . . . . . . . . . . . . . . . . . ............... 32
Downtime. . . . . . . . . . . . . . . . . . . . . . . . . ............... 32
Service Restart. . . . . . . . . . . . . . . . . . . . . . ............... 33
Application Restart. . . . . . . . . . . . . . . . . . . ............... 33
Legacy Applications. . . . . . . . . . . . . . . . . . ............... 34
Dependencies. . . . . . . . . . . . . . . . . . . . . . ............... 34
Documentation. . . . . . . . . . . . . . . . . . . . . . . . . ............... 35
Version Control. . . . . . . . . . . . . . . . . . . . . . . . . ............... 36
What Next?. . . . . . . . . . . . . . . . . . . . . . . . . . . . ............... 38

CHAPTER 4:
Cryptographic Solutions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Public Key Infrastructure (PKI). . . . . . . ...................... 40
Public and Private Key Usage. . . . ...................... 41
Key Escrow. . . . . . . . . . . . . . . . . ...................... 42
Encryption. . . . . . . . . . . . . . . . . . . . . ...................... 43
Levels and Types. . . . . . . . . . . . . ...................... 44
Cryptographic Algorithms. . . . . . . ...................... 49
Symmetric Algorithms. . . . . . . . . ...................... 51
Asymmetric Algorithms.. . . . . . . . ...................... 53
Tools.. . . . . . . . . . . . . . . . . . . . . . . . . ...................... 55
Trusted Platform Module (TPM). . ...................... 55
Encryption and Data Obfuscation. ...................... 59
Steganography. . . . . . . . . . . . . . . ...................... 62
Hashing and Salting. . . . . . . . . . . ...................... 63
 ix
Contents

Digital Signatures.. . . . . . . ........................... 64

Digital Certificate. . . . . . . ........................... 67
Certificate Authority (CA). . ........................... 69
Certificate Revocation.. . . . ........................... 77
OCSP Stapling. . . . . . . . . ........................... 78
Pinning.. . . . . . . . . . . . . . ........................... 79
What Next?. . . . . . . . . . . . . . . . ........................... 80

Part 2: Threats, Vulnerabilities, and Mitigations 81

CHAPTER 5:
Threat Actors and Motivations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Threat Actors.. . . . . . . . . . . . . . . . ......................... 84
Threat Actor Attributes.. . . . . ......................... 84
Types of Threat Actors. . . . . . ......................... 85
Motivations. . . . . . . . . . . . . . . . . . ......................... 90
Data Exfiltration. . . . . . . . . . ......................... 90
Espionage. . . . . . . . . . . . . . . ......................... 91
Service Disruption. . . . . . . . . ......................... 91
Blackmail. . . . . . . . . . . . . . . ......................... 92
Financial Gain. . . . . . . . . . . . ......................... 92
Philosophical/Political Beliefs. ......................... 92
Ethical. . . . . . . . . . . . . . . . . ......................... 93
Revenge. . . . . . . . . . . . . . . . ......................... 93
Disruption/Chaos.. . . . . . . . . ......................... 93
War. . . . . . . . . . . . . . . . . . . ......................... 94
What Next?. . . . . . . . . . . . . . . . . . ......................... 96

CHAPTER 6:
Threat Vectors and Attack Surfaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Types of Threat Vectors and Attack Surfaces. . .................. 98
Message-Based.. . . . . . . . . . . . . . . . . . .................. 99
Image-Based. . . . . . . . . . . . . . . . . . . . .................. 101
File-Based. . . . . . . . . . . . . . . . . . . . . . .................. 101
Voice Call. . . . . . . . . . . . . . . . . . . . . . .................. 102
Removable Device. . . . . . . . . . . . . . . . .................. 102
Vulnerable Software. . . . . . . . . . . . . . . .................. 103
Unsupported Systems and Applications. . .................. 103
Unsecured Networks. . . . . . . . . . . . . . .................. 104
Open Service Ports.. . . . . . . . . . . . . . . .................. 104
x
CompTIA® Security+ SY0-701 Exam Cram

Default Credentials. . . . . . . . . . . . ..................... 105

Supply Chain.. . . . . . . . . . . . . . . . ..................... 105
Human Vectors/Social Engineering. ..................... 106
What Next?. . . . . . . . . . . . . . . . . . . . . . ..................... 114

CHAPTER 7:
Vulnerability Types.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Application. . . . . . . . . . ................................. 116
Operating System-Based. ................................. 118
Web-Based. . . . . . . . . . ................................. 119
Hardware. . . . . . . . . . . ................................. 120
Virtualization. . . . . . . . . ................................. 121
Cloud-Specific. . . . . . . . ................................. 122
Supply Chain. . . . . . . . . ................................. 123
Cryptographic. . . . . . . . ................................. 125
Misconfiguration. . . . . . ................................. 126
Mobile Device. . . . . . . . ................................. 127
Zero-Day. . . . . . . . . . . ................................. 127
What Next?. . . . . . . . . . ................................. 130

CHAPTER 8:
Malicious Attacks and Indicators. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Malware Attacks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ....... 132
Ransomware. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ....... 133
Trojan.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ....... 133
Worm.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ....... 134
Spyware. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ....... 134
Bloatware. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ....... 135
Virus. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ....... 136
Keylogger. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ....... 136
Logic Bomb. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ....... 136
Rootkit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ....... 137
Physical Attacks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ....... 138
Brute-Force Attack. . . . . . . . . . . . . . . . . . . . . . . . . . . ....... 138
Radio Frequency Identification (RFID) Cloning Attack.. ....... 138
Environmental Attack. . . . . . . . . . . . . . . . . . . . . . . . . ....... 139
Network Attacks.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ....... 139
Distributed Denial of Service (DDoS).. . . . . . . . . . . . . ....... 140
Domain Name System (DNS) Attacks.. . . . . . . . . . . . . ....... 142
 xi
Contents

Wireless. . . . . . . . . . . . . ............................ 144

On-Path. . . . . . . . . . . . . ............................ 147
Credential Replay.. . . . . . ............................ 147
Malicious Code. . . . . . . . ............................ 148
Application Attacks. . . . . . . . . . ............................ 148
Injection. . . . . . . . . . . . . ............................ 148
Buffer Overflow. . . . . . . . ............................ 149
Replay. . . . . . . . . . . . . . ............................ 150
Privilege Escalations. . . . . ............................ 150
Forgery.. . . . . . . . . . . . . ............................ 151
Directory Traversal.. . . . . ............................ 152
Cryptographic Attacks.. . . . . . . ............................ 153
Downgrade. . . . . . . . . . . ............................ 153
Collision. . . . . . . . . . . . . ............................ 153
Birthday. . . . . . . . . . . . . ............................ 154
Password Attacks. . . . . . . . . . . ............................ 154
Indicators of Malicious Activity. ............................ 156
What Next?. . . . . . . . . . . . . . . ............................ 160

CHAPTER 9
Mitigation Techniques for Securing the Enterprise.. . . . . . . . . . . . . . . . . . 161
Segmentation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ............ 162
Access Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . ............ 162
Application Allow List.. . . . . . . . . . . . . . . . . . . . . . . ............ 164
Isolation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ............ 165
Patching. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ............ 165
Encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ............ 166
Monitoring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ............ 167
Least Privilege. . . . . . . . . . . . . . . . . . . . . . . . . . . . . ............ 167
Configuration Enforcement. . . . . . . . . . . . . . . . . . . . ............ 167
Decommissioning. . . . . . . . . . . . . . . . . . . . . . . . . . . ............ 168
Hardening Techniques. . . . . . . . . . . . . . . . . . . . . . . ............ 168
Encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . ............ 168
Installation of Endpoint Protection.. . . . . . . . . . ............ 169
Host-based Firewall. . . . . . . . . . . . . . . . . . . . . ............ 170
Host-based Intrusion Prevention System (HIPS). ............ 170
Disabling Ports/Protocols. . . . . . . . . . . . . . . . . ............ 171
Default Password Changes. . . . . . . . . . . . . . . . ............ 173
Removal of Unnecessary Software. . . . . . . . . . . ............ 173
What Next?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ............ 176
xii
CompTIA® Security+ SY0-701 Exam Cram

Part 3: Security Architecture 177

CHAPTER 10:
Security Implications of Architecture Models. . . . . . . . . . . . . . . . . . . . . . 179
Architecture and Infrastructure Concepts. . . . . . . . . . . . . . . . . . . . . . 180
Cloud. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Infrastructure as Code (IaC). . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Serverless. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Microservices.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Network Infrastructure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
On-Premises. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Centralized vs. Decentralized.. . . . . . . . . . . . . . . . . . . . . . . . . . 192
Containerization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Virtualization.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
IoT. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Industrial Control Systems (ICS)/Supervisory Control and Data
Acquisition (SCADA). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Real-Time Operating System (RTOS). . . . . . . . . . . . . . . . . . . . 200
Embedded Systems.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
High Availability. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Availability. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Resilience. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Cost. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Responsiveness.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Scalability. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Ease of Deployment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Risk Transference. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Ease of Recovery. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Patch Availability. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Inability to Patch. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Power. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Compute.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
What Next?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209

CHAPTER 11:
Enterprise Architecture Security Principles. . . . . . . . . . . . . . . . . . . . . . . . 211
Infrastructure Considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Device Placement.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Security Zones. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
 xiii
Contents

Attack Surface. . . . . . . . . . . . . . . . . . . . . . . . . . . .......... 214

Connectivity. . . . . . . . . . . . . . . . . . . . . . . . . . . . .......... 214
Failure Modes. . . . . . . . . . . . . . . . . . . . . . . . . . . .......... 214
Device Attribute.. . . . . . . . . . . . . . . . . . . . . . . . . .......... 215
Network Appliances. . . . . . . . . . . . . . . . . . . . . . . .......... 216
Port Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . .......... 220
Firewall Types. . . . . . . . . . . . . . . . . . . . . . . . . . . .......... 222
Secure Communication/Access.. . . . . . . . . . . . . . . . . . . .......... 224
Virtual Private Network (VPN). . . . . . . . . . . . . . . .......... 225
Remote Access. . . . . . . . . . . . . . . . . . . . . . . . . . . .......... 225
Tunneling. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .......... 226
Software-Defined Wide Area Network (SD-WAN).. .......... 227
Secure Access Service Edge (SASE). . . . . . . . . . . . .......... 228
Selection of Effective Controls. . . . . . . . . . . . . . . . . . . . .......... 228
What Next?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .......... 232

CHAPTER 12:
Data Protection Strategies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Data Types. . . . . . . . . . . . . . . . . . . . . . . .................... 234
Regulated. . . . . . . . . . . . . . . . . . . . .................... 234
Trade Secret. . . . . . . . . . . . . . . . . . .................... 235
Intellectual Property. . . . . . . . . . . . . .................... 235
Legal Information. . . . . . . . . . . . . . .................... 236
Financial Information. . . . . . . . . . . . .................... 236
Human- and Non-Human-Readable.. .................... 236
Data Classifications.. . . . . . . . . . . . . . . . . .................... 237
General Data Considerations. . . . . . . . . . . .................... 238
Data States. . . . . . . . . . . . . . . . . . . .................... 239
Data Sovereignty. . . . . . . . . . . . . . . .................... 239
Geolocation.. . . . . . . . . . . . . . . . . . .................... 240
Methods to Secure Data. . . . . . . . . . . . . . .................... 240
Geographic Restrictions. . . . . . . . . . .................... 240
Encryption. . . . . . . . . . . . . . . . . . . .................... 241
Hashing. . . . . . . . . . . . . . . . . . . . . .................... 241
Masking. . . . . . . . . . . . . . . . . . . . . .................... 242
Tokenization. . . . . . . . . . . . . . . . . . .................... 242
Obfuscation. . . . . . . . . . . . . . . . . . . .................... 242
Segmentation.. . . . . . . . . . . . . . . . . .................... 243
Permission Restrictions. . . . . . . . . . . .................... 243
What Next?. . . . . . . . . . . . . . . . . . . . . . . .................... 246
xiv
CompTIA® Security+ SY0-701 Exam Cram

CHAPTER 13:
Resilience and Recovery in Security Architecture. . . . . . . . . . . . . . . . . . . 247
High Availability.. . . . . . . ................................ 248
Site Considerations.. . . . . ................................ 249
Platform Diversity. . . . . . ................................ 251
Multicloud Systems.. . . . . ................................ 252
Continuity of Operations.. ................................ 252
Capacity Planning. . . . . . ................................ 253
Testing. . . . . . . . . . . . . . ................................ 254
Backups.. . . . . . . . . . . . . ................................ 255
Onsite/Offsite. . . . . ................................ 257
Frequency. . . . . . . . ................................ 258
Encryption. . . . . . . ................................ 258
Snapshots. . . . . . . . ................................ 259
Recovery. . . . . . . . . ................................ 260
Replication. . . . . . . ................................ 260
Journaling. . . . . . . . ................................ 261
Power. . . . . . . . . . . . . . . ................................ 261
What Next?. . . . . . . . . . . ................................ 264

Part 4: Security Operations 265

CHAPTER 14:
Securing Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Secure Baselines. . . . . . . . . . . . . . . . . . . . .................... 268
Hardening Targets. . . . . . . . . . . . . . . . . . .................... 270
Mobile Devices. . . . . . . . . . . . . . . . .................... 270
Workstations. . . . . . . . . . . . . . . . . . .................... 271
Switches. . . . . . . . . . . . . . . . . . . . . .................... 272
Routers. . . . . . . . . . . . . . . . . . . . . . .................... 273
Cloud Infrastructure. . . . . . . . . . . . . .................... 273
Servers. . . . . . . . . . . . . . . . . . . . . . .................... 274
ICS/SCADA. . . . . . . . . . . . . . . . . . .................... 275
Embedded Systems.. . . . . . . . . . . . . .................... 276
RTOS.. . . . . . . . . . . . . . . . . . . . . . .................... 277
IoT Devices.. . . . . . . . . . . . . . . . . . .................... 277
Wireless Devices. . . . . . . . . . . . . . . . . . . .................... 278
Mobile Solutions. . . . . . . . . . . . . . . . . . . .................... 281
Mobile Device Management (MDM). .................... 282
 xv
Contents

Deployment Models. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ... 282

Connection Methods. . . . . . . . . . . . . . . . . . . . . . . . . . . . . ... 283
Wireless Security Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ... 285
Wi-Fi Protected Access Version 3 (WPA3). . . . . . . . . . . . . . ... 285
AAA/Remote Authentication Dial-In User Service (RADIUS). ... 286
Cryptographic Protocols. . . . . . . . . . . . . . . . . . . . . . . . . . . ... 287
Authentication Protocols. . . . . . . . . . . . . . . . . . . . . . . . . . . ... 288
Application Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ... 289
Sandboxing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ... 290
Monitoring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ... 291
What Next?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ... 293

CHAPTER 15:
Hardware, Software, and Data Asset Management. . . . . . . . . . . . . . . . . . 295
Acquisition/Procurement Process. . .......................... 296
Assignment/Accounting.. . . . . . . . .......................... 297
Ownership. . . . . . . . . . . . . .......................... 297
Classification. . . . . . . . . . . . .......................... 297
Monitoring and Asset Tracking.. . . .......................... 299
Inventory. . . . . . . . . . . . . . .......................... 300
Enumeration. . . . . . . . . . . . .......................... 300
Disposal/Decommissioning. . . . . . .......................... 300
Sanitization. . . . . . . . . . . . . .......................... 301
Destruction. . . . . . . . . . . . . .......................... 302
Certification. . . . . . . . . . . . .......................... 302
Data Retention. . . . . . . . . . .......................... 303
What Next?. . . . . . . . . . . . . . . . . .......................... 305

CHAPTER 16:
Vulnerability Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Identification Methods. . . . . . . . . . . . ....................... 308
Vulnerability Scan. . . . . . . . . . . ....................... 308
Application Security. . . . . . . . . . ....................... 309
Threat Feeds. . . . . . . . . . . . . . . ....................... 311
Penetration Testing. . . . . . . . . . ....................... 314
Responsible Disclosure Program. ....................... 316
System/Process Audit. . . . . . . . . ....................... 316
Analysis. . . . . . . . . . . . . . . . . . . . . . . ....................... 316
xvi
CompTIA® Security+ SY0-701 Exam Cram

Confirmation.. . . . . . . . . . . . . . . . . . . . . . . . . ............ 317

Prioritization. . . . . . . . . . . . . . . . . . . . . . . . . . ............ 317
Common Vulnerability Scoring System (CVSS). . ............ 318
Common Vulnerability Enumeration (CVE). . . . ............ 319
Vulnerability Classification. . . . . . . . . . . . . . . . ............ 320
Exposure Factor. . . . . . . . . . . . . . . . . . . . . . . . ............ 321
Environmental Variables. . . . . . . . . . . . . . . . . . ............ 321
Industry/Organizational Impact. . . . . . . . . . . . . ............ 321
Risk Tolerance. . . . . . . . . . . . . . . . . . . . . . . . . ............ 322
Vulnerability Response and Remediation. . . . . . . . . . . ............ 322
Patching. . . . . . . . . . . . . . . . . . . . . . . . . . . . . ............ 322
Insurance. . . . . . . . . . . . . . . . . . . . . . . . . . . . ............ 323
Segmentation.. . . . . . . . . . . . . . . . . . . . . . . . . ............ 324
Compensating Controls. . . . . . . . . . . . . . . . . . ............ 324
Exceptions and Exemptions. . . . . . . . . . . . . . . . ............ 324
Validation of Remediation. . . . . . . . . . . . . . . . . . . . . ............ 325
Rescanning. . . . . . . . . . . . . . . . . . . . . . . . . . . ............ 325
Audit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ............ 326
Verification. . . . . . . . . . . . . . . . . . . . . . . . . . . ............ 326
Reporting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ............ 326
What Next?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ............ 328

CHAPTER 17:
Security Alerting and Monitoring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Monitoring Computing Resources. . . . . . . . . . . . . . ............. 330
Systems.. . . . . . . . . . . . . . . . . . . . . . . . . . . . ............. 330
Applications.. . . . . . . . . . . . . . . . . . . . . . . . . ............. 330
Infrastructure.. . . . . . . . . . . . . . . . . . . . . . . . ............. 331
Activities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ............. 332
Log Aggregation. . . . . . . . . . . . . . . . . . . . . . ............. 332
Alerting. . . . . . . . . . . . . . . . . . . . . . . . . . . . ............. 333
Scanning. . . . . . . . . . . . . . . . . . . . . . . . . . . . ............. 334
Reporting. . . . . . . . . . . . . . . . . . . . . . . . . . . ............. 334
Archiving. . . . . . . . . . . . . . . . . . . . . . . . . . . ............. 334
Alert Response and Remediation/Validation.. . . ............. 335
Tools.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ............. 336
Security Content Automation Protocol (SCAP). ............. 336
Benchmarks.. . . . . . . . . . . . . . . . . . . . . . . . . ............. 337
Agents/Agentless. . . . . . . . . . . . . . . . . . . . . . ............. 337
 xvii
Contents

Security Information and Event Management (SIEM).. . ....... 338

Antivirus. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ....... 341
Data Loss Prevention (DLP). . . . . . . . . . . . . . . . . . . . ....... 341
Simple Network Management Protocol (SNMP) Traps. . ....... 342
NetFlow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ....... 343
Vulnerability Scanners. . . . . . . . . . . . . . . . . . . . . . . . ....... 344
What Next?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ....... 347

CHAPTER 18:
Enterprise Security Capabilities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Firewall. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .............. 350
Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .............. 350
Access Lists. . . . . . . . . . . . . . . . . . . . . . . . . .............. 352
Ports/Protocols. . . . . . . . . . . . . . . . . . . . . . .............. 353
Screened Subnet. . . . . . . . . . . . . . . . . . . . . .............. 353
IDS/IPS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .............. 354
Trends. . . . . . . . . . . . . . . . . . . . . . . . . . . . .............. 355
Signatures. . . . . . . . . . . . . . . . . . . . . . . . . . .............. 356
Web Filter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .............. 357
Agent-Based. . . . . . . . . . . . . . . . . . . . . . . . .............. 358
Centralized Proxy.. . . . . . . . . . . . . . . . . . . . .............. 359
Universal Resource Locator (URL) Scanning.. .............. 360
Content Categorization.. . . . . . . . . . . . . . . . .............. 360
Block Rules. . . . . . . . . . . . . . . . . . . . . . . . . .............. 360
Reputation. . . . . . . . . . . . . . . . . . . . . . . . . .............. 361
Operating System Security.. . . . . . . . . . . . . . . . . . .............. 361
Group Policy. . . . . . . . . . . . . . . . . . . . . . . . .............. 362
SELinux. . . . . . . . . . . . . . . . . . . . . . . . . . . .............. 363
Implementation of Secure Protocols. . . . . . . . . . . . .............. 363
Protocol Selection. . . . . . . . . . . . . . . . . . . . .............. 363
Port Selection. . . . . . . . . . . . . . . . . . . . . . . .............. 365
Transport Method. . . . . . . . . . . . . . . . . . . . .............. 365
DNS Filtering. . . . . . . . . . . . . . . . . . . . . . . . . . . .............. 366
Email Security. . . . . . . . . . . . . . . . . . . . . . . . . . . .............. 367
DMARC, DKIM, SPF, and Gateway.. . . . . . . .............. 368
File Integrity Monitoring. . . . . . . . . . . . . . . . . . . .............. 369
Data Loss Prevention (DLP). . . . . . . . . . . . . . . . . .............. 370
Network Access Control (NAC). . . . . . . . . . . . . . . .............. 371
xviii
CompTIA® Security+ SY0-701 Exam Cram

Endpoint Detection and Response (EDR)/Extended

Detection and Response (XDR). . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
User Behavior Analytics.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
What Next?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375

CHAPTER 19:
Identity and Access Management.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Provisioning/De-provisioning User Accounts. . .................. 378
Permission Assignments and Implications. . . . .................. 379
Identity Proofing. . . . . . . . . . . . . . . . . . . . . .................. 381
Federation and Single Sign-On (SSO). . . . . . . .................. 382
Interoperability. . . . . . . . . . . . . . . . . . . . . . .................. 385
Attestation. . . . . . . . . . . . . . . . . . . . . . . . . . .................. 385
Access Controls. . . . . . . . . . . . . . . . . . . . . . .................. 386
Multifactor Authentication (MFA).. . . . . . . . . .................. 388
Implementations. . . . . . . . . . . . . . . . . .................. 389
Factors. . . . . . . . . . . . . . . . . . . . . . . . .................. 394
Password Concepts. . . . . . . . . . . . . . . . . . . . .................. 395
Password Managers. . . . . . . . . . . . . . . .................. 397
Passwordless. . . . . . . . . . . . . . . . . . . . .................. 397
Privileged Access Management Tools. . . . . . . .................. 397
What Next?. . . . . . . . . . . . . . . . . . . . . . . . . .................. 400

CHAPTER 20:
Security Automation and Orchestration. . . . . . . . . . . . . . . . . . . . . . . . . . 401
Use Cases of Automation and Scripting. . . . . . . . . . . . . . . . . . . . . ... 402
User and Resource Provisioning.. . . . . . . . . . . . . . . . . . . . . ... 402
Guard Rails. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ... 403
Security Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ... 403
Ticket Creation and Escalation. . . . . . . . . . . . . . . . . . . . . . ... 403
Enabling/Disabling Services and Access. . . . . . . . . . . . . . . . ... 404
Continuous Integration and Testing. . . . . . . . . . . . . . . . . . . ... 404
Integrations and Application Programming Interfaces (APIs). . ... 405
Benefits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ... 405
Other Considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ... 406
What Next?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ... 408
 xix
Contents

CHAPTER 21:
Incident Response Activities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
Incident Response Process. . ............................... 410
Training and Testing. . . . . . ............................... 411
Root Cause Analysis (RCA). ............................... 412
Threat Hunting. . . . . . . . . ............................... 413
Digital Forensics. . . . . . . . ............................... 414
What Next?. . . . . . . . . . . . ............................... 417

CHAPTER 22:
Data Sources for Supporting Investigations. . . . . . . . . . . . . . . . . . . . . . . 419
Log Data.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Data Sources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
What Next?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423

Part 5: Security Program Management and Oversight 425

CHAPTER 23:
Effective Security Governance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Governing Framework. . . . . . . . . . . . . . . . . . . . . .............. 428
Types of Governance Structures. . . . . . . . . . . .............. 430
Monitoring and Revision.. . . . . . . . . . . . . . . .............. 432
Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .............. 433
Acceptable Use Policy (AUP).. . . . . . . . . . . . .............. 433
Information Security Policy. . . . . . . . . . . . . . .............. 435
Business Continuity Policies. . . . . . . . . . . . . .............. 437
Disaster Recovery Policies.. . . . . . . . . . . . . . .............. 438
Incident Response Policy.. . . . . . . . . . . . . . . .............. 440
Software Development Lifecycle Policy. . . . . .............. 441
Change Management Policy. . . . . . . . . . . . . .............. 443
Standards.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .............. 445
Procedures.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .............. 447
Guidelines. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .............. 452
External Considerations. . . . . . . . . . . . . . . . . . . . .............. 453
Regulatory and Nonregulatory Requirements. .............. 455
Industry-Specific Frameworks. . . . . . . . . . . . .............. 458
Roles and Responsibilities for Systems and Data. . . . .............. 460
What Next?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .............. 464
xx
CompTIA® Security+ SY0-701 Exam Cram

CHAPTER 24:
Risk Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Risk Identification. . . . . . . . . . . . .......................... 466
Risk Assessment. . . . . . . . . . . . . . .......................... 466
Risk Analysis. . . . . . . . . . . . . . . . .......................... 468
Qualitative Risk Analysis. . . . .......................... 469
Quantitative Risk Analysis. . . .......................... 470
Single Loss Expectancy. . . . . .......................... 471
Annual Rate of Occurrence. . .......................... 471
Annual Loss Expectancy. . . . .......................... 472
Risk Register. . . . . . . . . . . . . . . . .......................... 472
Risk Appetite and Tolerance. . . . . . .......................... 474
Risk Management Strategies. . . . . .......................... 475
Risk Reporting. . . . . . . . . . . . . . . .......................... 477
Business Impact Analysis. . . . . . . . .......................... 478
RTO and RPO.. . . . . . . . . . .......................... 479
MTTF, MTBF, and MTTR.. .......................... 479
What Next?. . . . . . . . . . . . . . . . . .......................... 483

CHAPTER 25:
Third-Party Risk Assessment and Management. . . . . . . . . . . . . . . . . . . . 485
Third-Party Risk Management.. ............................ 486
Vendor Assessment. . . . . . ............................ 486
Vendor Selection. . . . . . . ............................ 488
Agreement Types. . . . . . . ............................ 489
Vendor Monitoring. . . . . ............................ 491
Rules of Engagement. . . . ............................ 492
What Next?. . . . . . . . . . . . . . . ............................ 494

CHAPTER 26:
Security Compliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Compliance Reporting and Monitoring. . . ..................... 496
Compliance Reporting. . . . . . . . . . ..................... 496
Consequences of Non-Compliance.. ..................... 497
Compliance Monitoring. . . . . . . . . ..................... 499
Privacy. . . . . . . . . . . . . . . . . . . . . . . . . ..................... 501
Privacy Data Roles. . . . . . . . . . . . . ..................... 501
Data Inventory and Retention. . . . . ..................... 503
 xxi
Contents

Legal Implication of Data Privacy. . . . . . . . . . . . . . . . . . . . . . . . . 504

Right to Be Forgotten.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
What Next?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507

CHAPTER 27:
Security Audits and Assessments.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
Audits and Assessments. . . . . . . . . . . . . . . .................... 510
Attestation.. . . . . . . . . . . . . . . . . . . .................... 510
Internal Audits and Assessments. . . . . .................... 511
External Audits and Assessments.. . . . .................... 512
Penetration Testing.. . . . . . . . . . . . . . . . . .................... 513
Active and Passive Reconnaissance. . . .................... 516
Physical Tests.. . . . . . . . . . . . . . . . . .................... 517
Offensive, Defensive, and Integrated. . .................... 518
Penetration Test Environments. . . . . .................... 520
What Next?. . . . . . . . . . . . . . . . . . . . . . . .................... 523

CHAPTER 28:
Security Awareness Practices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
Security Awareness. . . . . . . . . . . . . . . . ...................... 526
Phishing Campaigns. . . . . . . . . . . ...................... 526
Anomalous Behavior Recognition.. ...................... 532
User Guidance and Training. . . . . ...................... 533
Reporting and Monitoring.. . . . . . ...................... 542
Development and Execution. . . . . ...................... 545
What Next?. . . . . . . . . . . . . . . . . . . . . ...................... 550

Glossary of Essential Terms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551

Cram Sheet. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603

Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617
About the Authors
Robert Shimonski, CASP+, CySA+, PenTest+, Security+, is a technology
executive specializing in healthcare IT for one of the largest health systems
in America. In his current role, Rob is responsible for bringing operational
support and incident response into the future with the help of new technolo-
gies such as cloud and artificial intelligence. His current focus is on deploying
securely to the cloud (Azure, AWS, and Google), DevOps, DevSecOps, and
AIOps. Rob spent many years in the technology “trenches,” handling network-
ing and security architecture, design, engineering, testing, and development
efforts for global projects. A go-to person for all things security related, Rob
has been a major force in deploying security-related systems for 25+ years.
Rob also worked for various companies reviewing and developing security
curriculum as well as other security-related books, technical articles, and pub-
lications based on technology deployment, testing, hacking, pen testing, and
many other aspects of security. Rob holds dozens of technology certifications,
including 20+ CompTIA certifications, SANS.org GIAC, GSEC, and GCIH,
as well as many vendor-based cloud-specialized certifications from Google,
Microsoft Azure, and Amazon AWS. Rob is considered a leading expert in
prepping others to achieve certification success.
Marty M. Weiss has spent his career serving in the U.S. Navy and as a civilian
helping large organizations with their information security. He has a Bachelor
of Science degree in computer studies from the University of Maryland
Global Campus and an MBA from the Isenberg School of Management at
the University of Massachusetts Amherst. He also holds several certifications,
including CISSP, CISA, and Security+. Having authored numerous acclaimed
books on information technology and security, he is now diving into his next
endeavor—a seductive romance novel where love and cybersecurity collide in a
high-stakes adventure.
Dedications
This book is dedicated to my dad, who passed during the writing of this book.
Thank you for being a great dad. You will always be remembered and missed.
—Robert Shimonski

Dedicated to those who embrace both privacy and vulnerability

in their pursuit of security.
—Marty Weiss

Acknowledgments
Robert Shimonski: Thank you to the entire team that made this book a
reality. Countless people were involved, including Carole Jelen, Nancy Davis,
Ellie Bru, Chris Crayton, Mandie Frank, Bart Reed, and Raymond Lacoste.
Without your help, this book would never be as good as it is! Also, to my
co-author Marty, thanks for being a great teammate. I would also like to thank
you, the reader, for showing interest in not only growing through learning but
for trusting our brand. Thank you!
Marty Weiss: Thank you Carole, Nancy, Ellie, Mandie, Robert, Raymond,
Chris, Bart, and the entire team that helped to bring this book together. Big
thanks to everyone special and close to me—mom, dad, siblings, 5 a.m. dream
team, Kelly, Kobe, Max, Ollie, and Anabelle. Finally, thank you Elliott for
reminding us that they should not control the digital ledger.
About the Technical Reviewers
Raymond Lacoste has dedicated his career to developing the skills of those
interested in IT. In 2001, he began to mentor hundreds of IT professionals
pursuing their Cisco certification dreams. This role led to teaching Cisco courses
full time. Raymond is currently a master instructor for Cisco Enterprise Routing
and Switching, AWS, ITIL, and Cybersecurity at StormWind Studios. Raymond
treats all technologies as an escape room, working to uncover every mystery in
the protocols he works with. Along this journey, Raymond has passed more than
120 exams, and his office wall includes certificates from Microsoft, Cisco, ISC2,
ITIL, AWS, and CompTIA. If you were visualizing Raymond’s office, you’d
probably expect the usual network equipment, certifications, and awards. Those
certainly take up space, but they aren’t his pride and joy. Most impressive, at least
to Raymond, is his gemstone and mineral collection; once he starts talking about
it, he just can’t stop. Who doesn’t get excited by a wondrous barite specimen in a
pyrite matrix? Raymond presently resides with his wife and two children in eastern
Canada, where they experience many adventures together.
Chris Crayton is a technical consultant, trainer, author, and industry-leading
technical editor. He has worked as a computer technology and networking
instructor, information security director, network administrator, network
engineer, and PC specialist. Chris has authored several print and online books
on PC repair, CompTIA A+, CompTIA Security+, and Microsoft Windows.
He has also served as technical editor and content contributor on numerous
technical titles for several of the leading publishing companies. He holds
numerous industry certifications, has been recognized with many professional
and teaching awards, and has served as a state-level SkillsUSA final competition
judge.
We Want to Hear from You!
As the reader of this book, you are our most important critic and commentator.
We value your opinion and want to know what we’re doing right, what we
could do better, what areas you’d like to see us publish in, and any other words
of wisdom you’re willing to pass our way.
We welcome your comments. You can email or write to let us know what you
did or didn’t like about this book—as well as what we can do to make our
books better.
Please note that we cannot help you with technical problems related to the topic of this book.
When you write, please be sure to include this book’s title and author as well
as your name and email address. We will carefully review your comments and
share them with the author and editors who worked on the book.
Email: [email protected]

Reader Services
Register your copy of CompTIA Security+ SY0-701 Exam Cram at
www.pearsonitcertification.com for convenient access to downloads, updates,
and corrections as they become available. To start the registration process, go
to www.pearsonitcertification.com/register and log in or create an account.*
Enter the product ISBN 9780138225575 and click Submit. When the process
is complete, you will find any available bonus content under Registered
Products.
*Be sure to check the box to indicate that you would like to hear from us to
receive exclusive discounts on future editions of this product.
Introduction
Welcome to CompTIA Security+ SY0-701 Exam Cram. This book helps you get
ready to take and pass the CompTIA Security+ SY0-701 exam.
This book is designed to remind you of everything you need to know to pass
the SY0-701 certification exam. Each chapter includes a number of practice
questions that should give you a reasonably accurate assessment of your
knowledge, and, yes, we’ve provided the answers and their explanations for
these questions. Read this book, understand the material, and you’ll stand a
very good chance of passing the real test.
Exam Cram books help you understand the subjects and materials you need
to know to pass CompTIA certification exams. Exam Cram books are aimed
strictly at test preparation and review. They do not teach you everything you
need to know about a subject. Instead, the authors streamline and highlight the
pertinent information by presenting and dissecting the
questions and problems they’ve discovered that you’re likely to encounter on a
CompTIA test.
We strongly recommend that you spend some time installing and working
with security tools and experimenting with the many network and security-
related resources provided with the various operating systems. The Security+
exam focuses on such activities and the knowledge and skills they can provide
you. Nothing beats hands-on experience and familiarity when it comes to
understanding the questions you’re likely to encounter on a certification test.
Book learning is essential, but without a doubt, hands-on experience is the best
teacher of all!
Let’s begin by looking at preparation for the exam.

How to Prepare for the Exam

This text follows the official exam objectives closely to help ensure your
success. The CompTIA exam covers five domains and 28 objectives. This
book is divided into five parts and 28 chapters, aligning with those domains
and objectives. The official objectives from CompTIA can be found at
https://www.comptia.org/training/resources/exam-objectives.
As you examine the numerous exam topics now covered in Security+, resist the
urge to panic! This book you are reading will provide you with the knowledge
 xxvii
Introduction

(and confidence) you need to succeed. You just need to make sure you read it
and follow the guidance it provides throughout your Security+ journey.

Practice Tests
This book is filled with practice exam questions to get you ready! Cram quiz-
zes end each chapter, and each question also includes a complete explanation.
In addition, the book includes two additional full practice tests in the Pearson
Test Prep software, available to you either online or as an offline Windows
application. To access the practice exams developed with this book, see the
instructions in the “Pearson Test Prep Practice Test Software” section.
In case you are interested in more practice exams than are provided with this
book, Pearson IT Certification publishes a Premium Edition eBook and Prac-
tice Test product. In addition to providing, you with two eBook files (EPUB
and PDF), this product provides you with two additional exams’ worth of
questions. The Premium Edition version also offers you a link to the
specific section in the book that presents an overview of the topic covered in
the question, allowing you to easily refresh your knowledge. Learn more at
www.pearsonitcertification.com.

Taking a Certification Exam

After you prepare for your exam, you need to register with a testing center.
You can take this exam either virtually at home or at a testing center. Make
sure you select the option that best suits you. At the time of writing, the cost
to take the Security+ exam is US$404 for individuals. Students in the United
States are eligible for a significant discount. In addition, check with your
employer, as many workplaces provide reimbursement programs for certifica-
tion exams. For more information about these discounts, you can contact a
local CompTIA sales representative, who can answer any questions you might
have. If you don’t pass, you can take the exam again for the same cost as the
first attempt until you pass. The test is administered by Pearson VUE testing
centers, with locations globally. In addition, the CompTIA Security+ certifica-
tion is a requirement for many within the U.S. military, and testing centers are
available on some military bases.
You will have 90 minutes to complete the exam. The exam consists of a maxi-
mum of 90 questions. If you have prepared, you should find that this is plenty
of time to properly pace yourself and review the exam before submission.
xxviii
CompTIA® Security+ SY0-701 Exam Cram

Arriving at the Exam Location

If you do select to take the exam at an exam location, here is what you should
know: As with any other examination, arrive at the testing center early (at least
15 minutes). Be prepared! You need to bring two forms of identification (one
with a picture). The testing center staff requires proof that you are who you
say you are and that someone else is not taking the test for you. Arrive early,
because if you are late, you will be barred from entry and will not receive a
refund for the cost of the exam.

ExamAlert
You’ll be spending a lot of time in the exam room. Plan on using the full 90 minutes
allotted for your exam and surveys. Policies differ from location to location regarding
bathroom breaks, so check with the testing center before beginning the exam.

In the Testing Center

You will not be allowed to take into the examination room study materials or
anything else that could raise suspicion that you’re cheating. This includes
practice test material, books, exam prep guides, and other test aids. The testing
center will provide you with scratch paper and a pen or pencil. These days, this
often comes in the form of an erasable whiteboard.
Examination results are available immediately after you finish the exam. After
submitting the exam, you will be notified as to whether you have passed or
failed. We trust that if you are reading this book, you will pass. The test
administrator will also provide you with a printout of your results.
 xxix
Introduction

About This Book

The ideal reader for an Exam Cram book is someone seeking certification.
However, it should be noted that an Exam Cram book is a very easily readable,
rapid presentation of facts. Therefore, an Exam Cram book is also extremely
useful as a quick reference manual.
The book is designed so that you can either read it cover to cover or jump
across chapters, as needed. Because the book chapters align with the exam
objectives, some chapters may have slight overlap on topics. Where required,
references to the other chapters are provided for you. If you need to brush up
on a topic or if you have to bone up for a second try at the exam, you can use
the index, table of contents, or Table I.1 to go straight to the topics and
questions you need to study. Beyond helping you prepare for the test, we think
you’ll find this book useful as a tightly focused reference on some of the most
important aspects of the Security+ certification.
This book includes other helpful elements in addition to the actual logical,
step-by-step learning progression of the chapters. Exam Cram books use
elements such as ExamAlerts, notes, and practice questions to make informa-
tion easier to read and absorb. This text also includes a Glossary to assist you.

Note
Reading this book from start to finish is not necessary; it is set up so that you can
quickly jump back and forth to find sections you need to study.

Use the Cram Sheet to remember last-minute facts immediately before the
exam. Use the practice questions to test your knowledge. You can always brush
up on specific topics in detail by referring to the table of contents and the
index. Even after you achieve certification, you can use this book as a rapid-
access reference manual.

Exam Objectives
Table I.1 lists the skills the SY0-701 exam measures and the chapter in which
each objective is discussed.
xxx
CompTIA® Security+ SY0-701 Exam Cram

TABLE I.1 CompTIA Security+ SY0-701 Exam Domains and Objectives

Exam Domain Objective Chapter in Book
that Covers It
1.0 General Security 1.1 Compare and contrast various Chapter 1
Concepts types of security controls.
1.0 General Security 1.2 Summarize fundamental security Chapter 2
Concepts concepts.
1.0 General Security 1.3 Explain the importance of change Chapter 3
Concepts management processes and the
impact to security.
1.0 General Security 1.4 Explain the importance of using Chapter 4
Concepts appropriate cryptographic solutions.
2.0 Threats, 2.1 Compare and contrast common Chapter 5
Vulnerabilities, and threat actors and motivations.
Mitigations
2.0 Threats, 2.2 Explain common threat vectors Chapter 6
Vulnerabilities, and and attack surfaces.
Mitigations
2.0 Threats, 2.3 Explain various types of Chapter 7
Vulnerabilities, and vulnerabilities.
Mitigations
2.0 Threats, 2.4 Given a scenario, analyze Chapter 8
Vulnerabilities, and indicators of malicious activity.
Mitigations
2.0 Threats, 2.5 Explain the purpose of mitigation Chapter 9
Vulnerabilities, and techniques used to secure the
Mitigations enterprise.
3.0 Security 3.1 Compare and contrast security Chapter 10
Architecture implications of different architecture
models.
3.0 Security 3.2 Given a scenario, apply security Chapter 11
Architecture principles to secure enterprise
infrastructure.
3.0 Security 3.3 Compare and contrast concepts Chapter 12
Architecture and strategies to protect data.
3.0 Security 3.4 Explain the importance of Chapter 13
Architecture resilience and recovery in security
architecture.
4.0 Security 4.1 Given a scenario, apply common Chapter 14
Operations security techniques to computing
resources.
4.0 Security 4.2 Explain the security implications of Chapter 15
Operations proper hardware, software, and data
asset management.
4.0 Security 4.3 Explain various activities Chapter 16
Operations associated with vulnerability
management.
 xxxi
Introduction

Exam Domain Objective Chapter in Book

that Covers It
4.0 Security 4.4 Explain security alerting and Chapter 17
Operations monitoring concepts and tools.
4.0 Security 4.5 Given a scenario, modify Chapter 18
Operations enterprise capabilities to enhance
security.
4.0 Security 4.6 Given a scenario, implement Chapter 19
Operations and maintain identity and access
management.
4.0 Security 4.7 Explain the importance of Chapter 20
Operations automation and orchestration related
to secure operations.
4.0 Security 4.8 Explain appropriate incident Chapter 21
Operations response activities.
4.0 Security 4.9 Given a scenario, use data Chapter 22
Operations sources to support an investigation.
5.0 Security Program 5.1 Summarize elements of effective Chapter 23
Management and security governance.
Oversight
5.0 Security Program 5.2 Explain elements of the risk Chapter 24
Management and management process.
Oversight
5.0 Security Program 5.3 Explain the processes associated Chapter 25
Management and with third-party risk assessment and
Oversight management.
5.0 Security Program 5.4 Summarize elements of effective Chapter 26
Management and security compliance.
Oversight
5.0 Security Program 5.5 Explain types and purposes of Chapter 27
Management and audits and assessments.
Oversight
5.0 Security Program 5.6 Given a scenario, implement Chapter 28
Management and security awareness practices.
Oversight

The Chapter Elements

Each Exam Cram book has chapters that follow a predefined structure. This
structure makes Exam Cram books easy to read and provides a familiar format
for all Exam Cram books. The following elements typically are used:
▶▶ Chapter topics

▶▶ Essential Terms and Components

▶▶ Cram Quizzes
xxxii
CompTIA® Security+ SY0-701 Exam Cram

▶▶ ExamAlerts

▶▶ Notes

▶▶ Available exam preparation software practice questions and answers

Note
Bulleted lists, numbered lists, tables, and graphics are also used where appropriate.
A picture can paint a thousand words sometimes, and tables can help to associate
different elements with each other visually.

Now let’s look at each of the elements in detail:

▶▶ Chapter topics: Each chapter contains details of all subject matter listed
in the table of contents for that particular chapter. The objective of an
Exam Cram book is to cover all the important facts without giving too
much detail. When examples are required, they are included.
▶▶ Essential Terms and Components: The start of every chapter contains
a list of terms and concepts you should understand. These are all defined
in the book’s accompanying Glossary.
▶▶ Cram Quizzes: Each chapter concludes with multiple-choice questions
to help ensure you have gained familiarity with the chapter content.
▶▶ ExamAlerts: ExamAlerts address exam-specific, exam-related informa-
tion. An ExamAlert addresses content that is particularly important,
tricky, or likely to appear on the exam. An ExamAlert looks like this:

ExamAlert
Make sure you remember the different ways in which you can access a router
remotely. Know which methods are secure and which are not.

▶▶ Notes: Notes typically contain useful information that is not directly

related to the topic currently under consideration. To avoid breaking up
the flow of the text, they are set off from the regular text.

Note
This is a note.
 xxxiii
Introduction

Other Book Elements

Most of this Exam Cram book on Security+ follows the consistent chapter
structure already described. However, there are various important elements
that are not part of the standard chapter format. These elements apply to the
entire book as a whole.
▶▶ Practice questions: Exam-preparation questions conclude each chapter.

▶▶ Answers and explanations for practice questions: These follow each

practice question, providing answers and explanations to the questions.
▶▶ Glossary: The Glossary defines important terms used in this book.

▶▶ Cram Sheet: The Cram Sheet is a quick-reference guide to important

facts and is useful for last-minute preparation. The Cram Sheet provides a
simple summary of the facts that may be most difficult to remember.
▶▶ Companion website: The companion website for your book allows you
to access several digital assets that come with your book, including the
following:
▶▶ Pearson Test Prep software (both online and Windows desktop
versions)
▶▶ Key Terms Flash Cards application
▶▶ A PDF version of the Cram Sheet

To access the book’s companion website, simply follow these steps:

1. Register your book by going to PearsonITCertification.com/register
and entering the ISBN 9780138225575.
2. Respond to the challenge questions.

3. Go to your account page and select the Registered Products tab.

4. Click the Access Bonus Content link under the product listing.

Pearson Test Prep Practice Test

Software
As noted previously, this book comes complete with the Pearson Test Prep
practice test software. These practice tests are available to you either online
or as an offline Windows application. To access the practice exams that were
developed with this book, see the following instructions.
xxxiv
CompTIA® Security+ SY0-701 Exam Cram

How to Access the Pearson Test Prep

(PTP) App
You have two options for installing and using the Pearson Test Prep applica-
tion: a web app and a desktop app. To use the Pearson Test Prep application,
start by finding the registration code that comes with the book. You can find
the code in these ways:
▶▶ You can get your access code by registering the print ISBN
(9780138225575) on pearsonitcertification.com/register. Make sure to use
the print book ISBN regardless of whether you purchased an eBook or
the print book. After you register the book, your access code will be
populated on your account page under the Registered Products tab.
Instructions for how to redeem the code are available on the book’s
companion website by clicking the Access Bonus Content link.
▶▶ If you purchase the Premium Edition eBook and Practice Test directly
from the Pearson IT Certification website, the code will be populated
on your account page after purchase. Just log in at pearsonitcertification.
com, click Account to see details of your account, and click the Digital
Purchases tab.

Note
After you register your book, your code can always be found in your account on the
Registered Products tab.

Once you have the access code, to find instructions about both the Pearson Test
Prep web app and the desktop app, follow these steps:
Step 1: Open this book’s companion website, as shown earlier in this
Introduction, under the heading, “Other Book Elements.”
Step 2: Click the Practice Test Software button.
Step 3: Follow the instructions listed there for both installing the desktop app
and using the web app.
Note that if you want to use the web app only at this point, just navigate to
pearsontestprep.com, log in using the same credentials used to register your
book or purchase the Premium Edition, and register this book’s practice tests
using the registration code you just found. The process should take only a
couple of minutes.
 xxxv
Introduction

Customizing Your Exams

In the exam settings screen, you can choose to take exams in one of three
modes:
▶▶ Study Mode

▶▶ Practice Exam Mode

▶▶ Flash Card Mode

Study Mode allows you to fully customize your exams and review answers as
you are taking the exam. This is typically the mode you use first to assess your
knowledge and identify information gaps. Practice Exam Mode locks certain
customization options, as it presents a realistic exam experience. Use this mode
when you are preparing to test your exam readiness. Flash Card Mode strips
out the answers and presents you with only the question stem. This mode is
great for late-stage preparation, when you really want to challenge yourself to
provide answers without the benefit of seeing multiple-choice options. This
mode will not provide the detailed score reports that the other two modes will,
so it should not be used if you are trying to identify knowledge gaps.
In addition to these three modes, you can select the source of your questions.
You can choose to take exams that cover all of the chapters, or you can narrow
your selection to just a single chapter or the chapters that make up specific
parts in the book. All chapters are selected by default. If you want to narrow
your focus to individual chapters, simply deselect all the chapters and then
select only those on which you wish to focus in the Objectives area.
You can also select the exam banks on which to focus. Each exam bank comes
complete with an exam of targeted questions that cover topics in every chapter.
The Cram Quizzes printed in the book are available to you and two additional
exams of unique questions. You can have the test engine serve up exams from
all banks or just from one individual bank by selecting the desired banks in the
exam bank area.
There are several other customizations you can make to your exam from the
exam settings screen, such as the time you are allowed for taking the exam, the
number of questions served up, whether to randomize questions and answers,
whether to show the number of correct answers for multiple-answer questions,
and whether to serve up only specific types of questions. You can also create
custom test banks by selecting only questions that you have marked or
questions on which you have added notes.
xxxvi
CompTIA® Security+ SY0-701 Exam Cram

Updating Your Exams

If you are using the online version of the Pearson Test Prep software, you
should always have access to the latest version of the software as well as the
exam data. If you are using the Windows desktop version, every time you
launch the software, it will check to see if there are any updates to your exam
data and automatically download any changes that were made since the last
time you used the software. You must be connected to the Internet at the time
you launch the software.
Sometimes, due to many factors, the exam data may not fully download when
you activate an exam. If you find that figures or exhibits are missing, you may
need to manually update your exams. To update a particular exam you have
already activated and downloaded, simply select the Tools tab and click the
Update Products button. Again, this is only an issue with the desktop
Windows application.
If you wish to check for updates to the Pearson Test Prep exam engine
software, Windows desktop version, simply select the Tools tab and click the
Update Application button. This will ensure you are running the latest version
of the software engine.

Contacting the Authors

Hopefully, this book provides you with the tools you need to pass the
Security+ SY0-701 exam. Feedback is appreciated. You can follow and
contact the authors on X (formerly known as Twitter) @martyweiss and
@robshimonski.
Thank you for selecting our book; we have worked to apply the same concepts
in this book that we have used in the hundreds of training classes we have
taught. Spend your study time wisely and you, too, can achieve the Security+
designation. Good luck on the exam, although if you carefully work through
this text, you will certainly minimize the amount of luck required!

Figure Credits
Figure 8.1: WannaCry
Figure 18.4: WatchGuard Technologies, Inc.
Figure 18.1, 18.2, 18.5-18.7, 19.1: Microsoft Corporation
Figure 19.2: Apple, Inc
CHAPTER 24
Risk Management
This chapter covers the following official Security+
exam objective:
▶▶ 5.2 Explain elements of the risk management process.

Essential Terms and Components

▶▶ Risk identification
▶▶ Risk assessment
▶▶ Ad hoc
▶▶ Recurring
▶▶ One-time
▶▶ Continuous
▶▶ Risk analysis
▶▶ Qualitative
▶▶ Quantitative
▶▶ Single loss expectancy (SLE)
▶▶ Annualized loss expectancy (ALE)
▶▶ Annualized rate of occurrence (ARO)
▶▶ Risk register
▶▶ Key risk indicators
▶▶ Risk owners
▶▶ Risk thresholds
▶▶ Risk tolerance
▶▶ Risk appetite
▶▶ Expansionary
▶▶ Conservative
▶▶ Neutral
▶▶ Risk management strategies
▶▶ Risk reporting
▶▶ Business impact analysis
▶▶ Recovery time objective (RTO)
466
CHAPTER 24: Risk Management

▶▶ Recovery point objective (RPO)

▶▶ Mean time to repair (MTTR)
▶▶ Mean time to between failures (MTBF)

Risk Identification
Risk identification is the initial step in the risk management process, aimed
at identifying potential threats and vulnerabilities that could adversely affect an
organization. This ensures that the organization can proactively address risks
through planning and implementation of security measures.
A threat can be thought of as the potential that a vulnerability will be identi-
fied and exploited. Analyzing threats can help an organization develop security
policies and prioritize securing resources. Threat assessments are performed to
determine the best approaches to securing the environment against a threat or
class of threats. Threats might exist, but if an environment has no vulnerabili-
ties, it faces little or no risk. Likewise, little or no risk affects environments that
have vulnerability without threat. Consider the simple analogy of a hurricane.
Few would argue that a hurricane represents a threat. However, consider a
home on the coast in Florida and a home inland in the Midwest. The former is
certainly vulnerable to a hurricane, whereas the latter is not.
Probability is the likelihood that an event will occur. In assessing risk, it is impor-
tant to estimate the probability or likelihood that a threat will occur. Assessing
the likelihood of occurrence of some types of threats is easier than assessing
other types. For example, you can use frequency data to estimate the probabil-
ity of natural disasters. You might also be able to use the mean time to failure
(MTTF) and mean time to repair (MTTR), both covered later in this chapter, to
estimate the probability of component problems. Determining the probability of
attacks by human threat sources is difficult. Threat source likelihood is assessed
using skill level, motive, opportunity, and size. Vulnerability likelihood is assessed
using ease of discovery, ease of exploit, awareness, and intrusion detection.

Risk Assessment
Risk assessment is the process of analyzing identified risks to evaluate the
likelihood of their occurrence and their potential impact. This evaluation is
required for prioritizing risks and formulating strategies to mitigate them
effectively.
 467
Risk Assessment

Risk is the possibility of, or exposure to, loss or danger from a threat. Risk
management is the process of identifying and reducing risk to a level that is
acceptable and then implementing controls to maintain that level. Risk comes
in various types. Risk can be internal, external, or multiparty. Banks provide a
great example of multiparty risk: Because of the ripple effects, issues at banks
have effects on other banks and financial systems.
To determine the relative danger of an individual threat or to measure the
relative value across multiple threats to better allocate resources designated for
risk mitigation, it is necessary to map the resources, identify threats to each,
and establish a metric for comparison. A business impact analysis (BIA) helps
identify services and technology assets as well as provides a process by which
the relative value of each identified asset can be determined if it fails one or
more of the CIA (confidentiality, integrity, and availability) requirements. The
failure to meet one or more of the CIA requirements is often a sliding scale,
with increased severity as time passes. Recovery point objectives (RPOs) and
recovery time objectives (RTOs) in incident handling, business continuity, and
disaster recovery must be considered when calculating risk. BIA, RPOs, and
RTOs are covered further later in this chapter.
Risk assessments should rarely if ever be a one-time event for an organization. The
frequency with which these are conducted, however, can vary depending on various
factors regarding the organization’s risk landscape, regulatory requirements, and
level of change across their environments. For example, a small, stable private orga-
nization may find an annual risk assessment sufficient. On the other hand, a large,
dynamic organization operating across high-risk environments, where emerging
risks may pose challenges, should opt for more frequent assessments. Generally,
risk assessments are conducted adopting the following frequencies:
▶▶ Ad hoc

▶▶ One-time

▶▶ Recurring

▶▶ Continuous

Ad hoc risk assessments are conducted in response to specific incidents or

triggers. For example, if a company encounters a significant security breach, it
would conduct an ad hoc risk assessment to understand the scope and severity
of the risk posed by the breach. Ad hoc assessments can also be made if a new
business opportunity arises, and the company needs to carry out an immediate
assessment of the associated risks.
One-time risk assessments are often conducted for specific events or changes.
For instance, when introducing a new system, launching a new product, or
468
CHAPTER 24: Risk Management

during a business merger or acquisition, a company would conduct a one-time

assessment to understand the potential risks associated with these activities.
A one-time assessment helps organizations anticipate and mitigate risks
associated with the change.
Recurring assessments are conducted at regular intervals, such as annually,
semi-annually, or quarterly, depending on the organization’s requirements and
nature of the industry. Recurring risk assessments allow organizations to stay
on top of any changes to their risk profile. The frequency depends on the level
of risk an organization faces and the rate of change in its external environment,
as well as internal factors such as a change in business strategy.
In a continuous risk assessment approach, the risk environment is monitored
in real time, and risks are assessed on an ongoing basis. This approach relies on
established key risk indicators (KRIs) to evaluate the company’s risk profile.
When thresholds are breached, risk assessments are triggered. As with other
approaches, a continuous risk assessment approach requires balancing risk vis-
ibility against resource commitment, but it may provide the most complete and
timely understanding of risk in more volatile environments.

Risk Analysis
Risk analysis helps align security objectives with business objectives. It is a pro-
cess that deals with the calculation of risk and the return on investment for secu-
rity measures. By identifying risks, estimating the effects of potential threats, and
identifying ways to mitigate these risks in a cost effective manner, organizations
can ensure that the cost of prevention does not outweigh the benefits.
The risk analysis process involves several key steps to assess and manage risk
effectively:
1. Identify threats: Recognize potential threats that could exploit
vulnerabilities.
2. Identify vulnerabilities: Determine weaknesses within the system that
could be exploited by threats.
3. Determine the likelihood of occurrence: Evaluate how probable it is
for a threat to occur and exploit a vulnerability.
4. Determine the magnitude of impact: Assess the potential severity of
the damage or loss if a threat materializes.
5. Determine the risk: Calculate the level of risk using the simple equation
Risk = Threat × Vulnerability × Impact.
 469
Risk Analysis

This process helps in understanding the complex relationship between threats,

vulnerabilities, and their potential impacts, emphasizing the importance of
assessing the likelihood that a threat will actually occur.
After identifying and assessing risks, it’s important that you categorize and
prioritize them based on their likelihood of occurrence and potential impact.
This prioritization helps in formulating appropriate response strategies:
▶▶ High-level threats may necessitate immediate corrective measures.

▶▶ Medium-level threats might require developing an action plan for reason-

able implementation.
▶▶ Low-level threats could be dealt with as feasible or might be accepted as
part of the organization’s risk threshold.

The assessment of impact alongside risk likelihood is needed to understand the

potential consequences of risk events.

ExamAlert
Risk is the product of threat, vulnerability, and impact.

Qualitative Risk Analysis

Qualitative risk analysis is a subjective approach that assesses risks based on
non-numeric criteria. It involves using techniques such as brainstorming, focus
groups, and surveys to gauge the significance of different risks and their impact.
This method allows for a relative projection of risk for each threat, using a risk
matrix or heat map to visualize the probability (from very low to very high) and
impact (from very low to very high) of potential risks.
To facilitate this assessment, Table 24.1 provides a risk matrix that can help you
understand the level of risk as either low, medium, or high for both likelihood
and impact. The table organizes risk levels based on a combination of likeli-
hood scores, ranging from very low to very high, and levels of impact, ranging
from very low to very high, resulting in the assignment of an overall risk level.

TABLE 24.1 Level of Risk Based on Likelihood and Impact

Likelihood Level of Impact
Very Low Low Moderate High Very High
Very High Medium High High High High
High Low Medium High High High
470
CHAPTER 24: Risk Management

Likelihood Level of Impact

Very Low Low Moderate High Very High
Moderate Low Medium Medium High High
Low Low Low Medium Medium High
Very Low Low Low Low Low Medium

The preceding matrix underscores the principle that risk is not just about the
potential for a threat to occur but also about the significance of its impact. By
categorizing risks into these levels, organizations can prioritize their risk man-
agement efforts more effectively, focusing on mitigating the most important
risks first.
Despite its subjective nature, and the need for expert judgment, qualitative
analysis provides essential insights into risk prioritization, especially when
quantitative data is unavailable.

Quantitative Risk Analysis

Quantitative risk analysis offers an objective means to evaluate risk, assign-
ing numerical values to the potential loss and the likelihood of risk occurrence.
This method calculates the degree of risk based on the estimation of potential
losses and the quantification of unwanted events, utilizing concepts such as sin-
gle loss expectancy (SLE), annual rate of occurrence (ARO), and annual
loss expectancy (ALE).
Quantitative analysis provides clear measures of relative risk and expected
return on investment, making it easier for senior management to comprehend
and make informed decisions. However, it requires significant effort and time
to collect and analyze all related data, making it more labor-intensive than qual-
itative analysis. Furthermore, qualitative measures tend to be less precise, more
subjective, and more difficult in assigning direct costs for measuring return on
investment (ROI) and rate of return on investment (RROI).
Because a quantitative assessment is less subjective than a qualitative one, the
process requires that a value be assigned to each of the various components.
To perform a quantitative risk assessment, an estimation of potential losses is
calculated. Next, the likelihood of some unwanted event is quantified, based
on the threat analysis. Finally, depending on the potential loss and likelihood,
the quantitative process arrives at the degree of risk. Each step relies on the
concepts of single loss expectancy, annual rate of occurrence, and annual loss
expectancy.
 471
Risk Analysis

ExamAlert
Remember the difference between quantitative (numeric) and qualitative (subjective/
relative) measures. Quantitative (think “quantity”) measures are expressed numeri-
cally, whereas qualitative (think “quality”) measures are expressed as “good” or
“bad.”

Single Loss Expectancy

Single loss expectancy (SLE) is the expected monetary loss every time a risk
occurs. SLE equals asset value multiplied by the threat exposure factor, which is
the percentage of the asset lost in a successful attack. The formula looks like
this:
Asset Value × Exposure Factor = SLE
Consider an example of SLE using denial-of-service (DoS) attacks. Firewall
logs indicate that the organization was hit hard one time per month by DoS
attacks in each of the past 6 months. You can use this historical data to estimate
that you likely will be hit 12 times per year. This information helps you calcu-
late the SLE and the ALE. (The ALE is explained in greater detail shortly.)
An asset is any resource that has value and must be protected. Determining an
asset’s value can most mean determining the cost to replace the asset if it is lost.
Simple property examples fit well here, but figuring asset value is not always so
straightforward. Other considerations could be necessary, including the value of
the asset to adversaries, the value of the asset to the organization’s mission, and
the liability issues that would arise if the asset were compromised.
The exposure factor is the percentage of loss that a realized threat could have
on a certain asset. In the DoS example, imagine that 25% of business would be
lost if a DoS attack succeeded. The daily sales from the website are $100,000,
so the SLE would be $25,000 (SLE = $100,000 × 0.25). The possibility of
certain threats is greater than that of others. Historical data presents the best
method of estimating these possibilities.

Annual Rate of Occurrence

The annual rate of occurrence (ARO) is the estimated possibility of a spe-
cific threat taking place in a 1-year time frame. The possible range of frequency
values is from 0.0 (the threat is not expected to occur) to some number whose
magnitude depends on the type and population of threat sources. When the
probability that a DoS attack will occur is 50%, the ARO is 0.5. After you
472
CHAPTER 24: Risk Management

calculate the SLE, you can calculate the ALE, which gives you the probability
of an event happening over a single year.

Annual Loss Expectancy

The annual loss expectancy (ALE) is the monetary loss that can be expected
for an asset from risk over a 1-year period. ALE equals SLE times ARO:
ALE = SLE × ARO
ALE can be used directly in a cost/benefit analysis. Going back to our earlier
example, if the SLE is estimated at $25,000 and the ARO is 0.5, the ALE is
$12,500 ($25,000 × 0.5 = $12,500). In this case, spending more than $12,500 to
mitigate risk might not be prudent because the cost would outweigh the risk.

ExamAlert
Remember the following for the exam:
▶▶ S
 LE is the expected monetary loss every time a risk occurs, and it equals Asset
Value × Exposure Factor.
▶▶ A
 RO is a numeric representation of the estimated possibility of a specific threat
taking place in a 1-year time frame.
▶▶ A
 LE is the monetary loss that can be expected for an asset from risk over a
1-year period, and it equals SLE × ARO.

Risk Register
As mentioned earlier, risk assessments should not be a one-time event. As an
organization evolves, change is inevitable. Risk management needs to be part
of a framework from which risk can easily be communicated and adapted on an
ongoing basis.
A risk register gives an organization a way to record information about identi-
fied risks, and it’s usually implemented as a specialized software program, cloud
service, or master document. Risk registers often include enterprise- and IT-
related risks. With threats and vulnerabilities identified, the organizations can
then implement controls to manage the risk appropriately. (The next section
discusses these techniques.) The risk register should contain specific details
about the risks, especially any residual risks the organization faces as a result of
 473
Risk Register

controls or mitigation techniques employed. Common contents of a risk

register include the following:
▶▶ Risk categorization groupings

▶▶ Name and description of the risk

▶▶ A measure of the risk through a risk score

▶▶ The impact to the organization if the risk is realized

▶▶ The likelihood of the risk being realized

▶▶ Mitigating controls

▶▶ Residual risk

▶▶ Contingency plans that cover what happens if the risk is realized

The items listed here are fundamental components of a risk register, provid-
ing a comprehensive overview of the organization’s potential and actual risk
landscape. However, to address the dynamic nature of risks, and to ensure an
effective and proactive approach to risk management, some other elements are
crucial and warrant further exploration.
These elements, namely key risk indicators (KRIs), risk owners, and risk
thresholds, enhance the risk register’s depth and effectiveness, ultimately
providing a more nuanced understanding of the organization’s risks.
KRIs function as early warning signs for potential increases in risk. By moni-
toring KRIs, organizations can catch and handle risk escalations before they
worsen and have an impact. KPIs measure and showcase trend lines of risk
exposure, offering a quantitative means to keep track of risk movements over
time. These KRIs, along with other features of a risk register, are an important
tool in the risk reporting process across key stakeholders.
Risk owners are individuals or teams designated with the responsibility of
managing specific risks. Assigning risk owners is valuable because it not only
encourages accountability but also ensures there’s a specific point of contact
and decision maker for each risk. It guarantees that the management of each
identified risk is streamlined and focused.
Finally, risk thresholds help an organization determine the maximum amount
of risk it can tolerate. This is a measure of the acceptable level of risk expo-
sure for the company. Once a risk crosses its respective threshold, it calls for
immediate attention. It triggers a response that could include escalated report-
ing, contingency plans, or mitigation strategies. Understanding risk thresholds
474
CHAPTER 24: Risk Management

helps in laying out a clear roadmap for when and what action needs to be taken
against the identified risks.
These items play a significant part in shaping the risk strategy of an organiza-
tion and provide more context and depth to the typical components of a risk
register.

ExamAlert
A risk register provides a single point of entry to record and report on information
about identified risks to the organization. Ad hoc and scheduled reports from a risk
register, along with KPIs and heat maps, provide useful tools for risk reporting. An
organization might have one risk register for information systems and another risk
register for enterprise risks, but the two are increasingly being combined.

The risk register serves as a strategic component for an organization and helps
ensure that an organization’s risk appetite and risk tolerance are correctly
aligned with the goals of the business.

Risk Appetite and Tolerance

Risk appetite is the total amount of risk that an organization is prepared to
accept or be exposed to at any point in time. It drives the organization’s strate-
gic decision-making process and is linked with the organization’s objectives and
strategies. Risk appetite may be categorized into three types:
▶▶ Expansionary or aggressive: Organizations with an expansionary
risk appetite are willing to take on more risk for the potential of higher
returns. These companies are often in high-growth industries where the
benefits of taking a riskier approach can result in significant returns, such
as tech startups and investment banking.
▶▶ Neutral: A company with a neutral risk appetite strikes a balance between
being too risky and overly cautious. While they don’t shy away from tak-
ing risks, they ensure this is done in a controlled and managed way. These
organizations may be mature businesses in stable markets where business
growth is consistent and returns are steady.
▶▶ Conservative: A conservative risk appetite involves low tolerance for risk
and a preference for safer investments with predictable outcomes. These
companies typically operate in highly regulated industries such as utilities
and healthcare, where the emphasis is on stability, safety, and reliability
rather than rapid growth.
 475
Risk Management Strategies

These concepts are not unlike one’s own personal behavior and risk appetite,
even if subconscious. Consider, for example, your own personal values, goals,
and objectives. Consider what activities you may or may not participate in, or
how you personally choose to invest your savings and so forth.
Risk tolerance is the specific maximum risk that an organization is ready to
handle. While risk appetite is about the overall amount of risk an organization
is willing to accept, risk tolerance drills down to more specific scenarios or risk
categories. Risk tolerance is the degree of variability in outcomes that an orga-
nization is willing to withstand.
For example, an organization might have a high risk tolerance for financial
risks if it has strong cash reserves, but a low risk tolerance for reputational risks
that could harm its brand in the marketplace.
Understanding these two concepts enables organizations to effectively manage
risk in line with their strategic goals. They can select projects or make decisions
that align with their appetite and tolerance for risk. The risk appetite and toler-
ance also guide the organization’s risk management activities, determining how
they identify, assess, analyze, and mitigate risk.
Together with the risk register, an organization’s appetite and tolerance for risk
plays an important role in helping align risk with the goals of the business. The
risk register can then provide valuable information and help drive the strategic
decision-making process to achieve those goals. It is important that the report-
ing from a risk register be clear and understandable. The outputs should be
available and visible across the business, including to management and senior
executives responsible for strategy, budget, and operations.

Risk Management Strategies

Risk management involves creating a risk register document that details all
known risks and their related mitigation strategies. Creating the risk register
involves mapping the enterprise’s expected services and data sets, as well as
identifying vulnerabilities in both implementation and procedures for each.
Risk cannot be eliminated outright in many cases, but mitigation strategies can
be integrated with policies for risk awareness training ahead of an incident.
Formal risk management deals with the alignment of four potential strategies
to respond to each identified risk:
▶▶ Avoid: Risk avoidance seeks to eliminate the vulnerability that gives rise
to a particular risk. This is the most effective solution, but it often is not
possible due to organizational requirements. For example, eliminating
476
CHAPTER 24: Risk Management

email to avoid the risk of email-borne viruses is an effective solution but

is not likely a realistic approach.
▶▶ Transfer: With risk transference, a risk or the effect of its exposure is
transferred by moving to hosted providers that assume the responsibil-
ity for recovery and restoration. Alternatively, organizations can acquire
insurance to cover the costs of equipment theft or data exposure.
Insurance related to the consequences of online attacks is known as
cybersecurity insurance.
▶▶ Accept: With risk acceptance, an organization recognizes a risk, iden-
tifies it, and accepts that it is sufficiently unlikely or of such limited
impact that corrective controls are not warranted. In such cases, this
is known as risk exemption. On the other hand, a risk exception is a
formal acknowledgment that a system or process is not compliant with
an applied standard or policy but has been permitted to operate because
the risk is acknowledged and accepted. In essence, an organization agrees
to tolerate a higher level of risk than usual due to unique circumstances.
In most cases, these are temporary, require mitigating controls be put in
place, and are given a timeline for the exception to be re-evaluated. Risk
acceptance must be a conscious choice that is documented, approved by
senior administration, and regularly reviewed.
▶▶ Mitigate: Risk mitigation involves reducing the likelihood or impact of a
risk’s exposure. Risk deterrence involves putting into place systems and
policies to mitigate a risk by protecting against the exploitation of vulner-
abilities that cannot be eliminated. Most risk management decisions focus
on mitigation and deterrence, balancing costs and resources against the
level of risk and mitigation that will result.

Bruce Schneier, a well-known cryptographer and security expert, was asked

after the tragic events of 9/11 if it would be possible to prevent such events
from happening again. “Sure,” he replied. “Simply ground all the aircraft.”
Schneier gave an example of risk avoidance, albeit one he acknowledged as
impractical in today’s society. Consider the simple example of an automobile
and its associated risks. If you drive a car, you have likely considered those risks.
The option to not drive deprives you of the many benefits the car provides
that are strategic to your individual goals in life. As a result, you have come
to appreciate mitigating controls such as seat belts and other safety features.
You accept the residual risks and might even transfer some of the risk through
a life insurance policy. Certainly, when it comes to the risks of the vehicle
itself, insurance plays a vital role. Not carrying insurance even carries risk
 477
Risk Reporting

itself because insurance is often required by law. Examples abound of people

who have even accepted that risk, making a conscious choice to drive without
insurance.
Finally, the choices you make related to risk often result in residual risk. Living
in a high-crime neighborhood might spur someone to put bars on their home’s
windows. That’s one problem seemingly mitigated. However, in case of a fire,
the bars would render common egress points in the home no longer accessible.

ExamAlert
Remember that risk can be avoided, transferred, accepted, or mitigated. Be sure you
understand the different examples of when each would apply.

Risk Reporting
Risk reporting is needed for communicating risk information to stakeholders
across the organization. Risk reporting involves the regular and ad hoc dissemi-
nation of risk-related information, from the operational level to senior manage-
ment and the board of directors, ensuring that all parties are informed about
current risks, their potential impact, and the actions taken to mitigate them.
This process provides an up-to-date picture of the organization’s risk profile to
support strategic decision-making and help foster a proactive risk management
culture.
This process benefits from the use of the risk register, which acts as a central
repository of all identified risks, their assessment, and management plans. The
risk register, as detailed previously, contains critical information that forms the
backbone of risk reporting, which includes the following:
▶▶ Risk categorization helps in understanding the types of risks (strategic,
operational, financial, compliance) the organization faces.
▶▶ Risk description and scoring provide a snapshot of each risk’s nature and
its relative priority.
▶▶ Impact, likelihood, and mitigation plans offer insights into the potential
consequences of risks and the steps taken to manage them.
▶▶ Residual risk levels highlight the remaining risk after mitigation efforts,
guiding ongoing management and monitoring.
478
CHAPTER 24: Risk Management

▶▶ Key risk indicators (KRIs) and heat maps serve as visual tools for tracking
and communicating risk status and trends over time.

Effective risk reporting ensures that this information is available and presented
in a manner that is accessible and actionable for all stakeholders, allowing for
informed discussions about risk tolerance, appetite, and strategic risk manage-
ment priorities. Risk reports should not only highlight where risks align or
deviate from the organization’s risk appetite but also signal when risk levels
approach or exceed predefined tolerance thresholds. This alignment ensures
that risk management efforts are strategic, targeted, and effective in supporting
the organization’s objectives.

Business Impact Analysis

Business impact analysis (BIA) is the process of determining the potential
impacts resulting from the interruption of time-sensitive or critical business
processes. IT risk assessment, as well as planning for both disaster recovery and
operational continuity, relies on conducting a BIA as part of the overall plan to
ensure continued operations and the capability to recover from disaster. The
BIA focuses on the relative impact of the loss of operational capability on criti-
cal business functions. Conducting a business impact analysis involves identify-
ing critical business functions and the services and technologies required for
them, along with determining the associated costs and the maximum acceptable
outage period.
For hardware-related outages, the assessment should also include the current
age of existing solutions, along with standards for the expected average time
between failures, based on vendor data or accepted industry standards. Plan-
ning strategies are intended to minimize this cost by arranging recovery actions
to restore critical functions in the most effective manner based on cost, legal or
statutory mandates, and calculations of the mean time to restore.
A business impact analysis is a key component in ensuring continued opera-
tions. For that reason, it is a major part of a business continuity plan (BCP) or
continuity of operations plan (COOP) as well. The focus is on ensuring the
continued operation of key mission and business processes. U.S. government
organizations commonly use the term mission-essential functions to refer to
functions that need to be immediately functional at an alternate site until nor-
mal operations can be restored. Essential functions for any organization require
resiliency. Organizations also must identify the dependent systems for both the
functions and the processes that are critical to the mission or business.
 479
Business Impact Analysis

A BCP must identify critical systems and components. If a disaster is wide-

spread or targets an Internet service provider (ISP) or key routing hardware
point, an organization’s continuity plan should detail options for alternate
network access. This should include dedicated administrative connections that
might be required for recovery. Continuity planning should include consider-
ations for recovery in case existing hardware and facilities are rendered inac-
cessible or unrecoverable. It should also consider the hardware configuration
details, network requirements, and utilities agreements for alternate sites.

RTO and RPO

Recovery point objective (RPO) and recovery time objective (RTO) are
important concepts of the BCP and form part of the broader risk manage-
ment strategy. RPO, which specifically refers to data backup capabilities, is the
amount of time that can elapse during a disruption before the quantity of data
lost during that period exceeds the BCP’s maximum allowable threshold. Sim-
ply put, RPO specifies the allowable data loss. It determines up to what point
in time data recovery can happen before business is disrupted. For example, if
an organization does a backup at 10:00 p.m. every day and an incident happens
at 7:00 p.m. the following day, everything that changed since the last backup
would be lost. The RPO in this context is the backup from the previous day. If
the organization set the threshold at 24 hours, the RPO would be within the
threshold because it is less than 24 hours.
The RTO is the amount of time within which a process must be restored after
a disaster to meet business continuity requirements. The RTO is how long the
organization can go without a specific application; it defines how much time is
needed to recover after a notification of process disruption.

ExamAlert
Be certain that you understand the distinction between RPO and RTO. RPO desig-
nates the amount of data that will be lost or will have to be re-entered because of
network downtime. RTO designates the amount of time that can pass before the
disruption begins to seriously impede normal business operations.

MTTF, MTBF, and MTTR

When systems fail, one of the first questions asked is, “How long will it take to
get things back up?” It is better to know the answer to such a question before
disaster strikes than to try to find the answer afterward. Fortunately, established
480
CHAPTER 24: Risk Management

mechanisms can help you determine this answer. Understanding these

mechanisms is a big part of the overall analysis of business impact.
Mean time to failure (MTTF) is the length of time a device or product is
expected to last in operation. It represents how long a product can reasonably
be expected to perform, based on specific testing. MTTF metrics supplied by
vendors about their products or components might not have been collected by
running one unit continuously until failure. Instead, MTTF data is often
collected by running many units for a specific number of hours and then is cal-
culated as an average based on when the components fail.
MTTF is one of many ways to evaluate the reliability of hardware or other
technology and is extremely important when evaluating mission-critical sys-
tems hardware. Knowing the general reliability of hardware is vital, especially
when it is part of a larger system. MTTF is used for nonrepairable products.
When MTTF is used as a measure, repair is not an option.
Mean time between failures (MTBF) is the average amount of time that
passes between hardware component failures, excluding time spent repairing
components or waiting for repairs. MTBF is intended to measure only the time
a component is available and operating. MTBF is similar to MTTF, but it is
important to understand the difference. MTBF is used for products that can
be repaired and returned to use. MTTF is used for nonrepairable products.
MTBF is calculated as a ratio of the cumulative operating time to the number
of failures for that item.
MTBF ratings can be predicted based on product experience or data supplied
by the manufacturer. MTBF ratings are measured in hours and are often used
to determine the durability of hard drives and printers. For example, typical
hard drives for personal computers have MTBF ratings of about 500,000 hours.
These risk calculations help determine the life spans and failure rates of com-
ponents. These calculations help an organization measure the reliability of a
product.
One final calculation assists with understanding approximately how long a
repair will take on a component that can be repaired. The mean time to
repair (MTTR; also called mean time to recovery) is the average time required
to fix a failed component or device and return it to production status. MTTR
is corrective maintenance. The calculation includes preparation time, active
maintenance time, and delay time. Because of the uncertainty of these factors,
MTTR is often difficult to calculate. In order to reduce the MTTR, some sys-
tems have redundancy built in so that when one subsystem fails, another takes
its place and keeps the whole system running.
Business Impact Analysis CramQuiz

ExamAlert
Mean time between failures (MTBF) is the average time before a product requires
repair. Mean time to repair (MTTR) is the average time required to fix a failed com-
ponent or device and return it to production status. On the other hand, mean time
to failure (MTTF) is the average time before a product fails and cannot be repaired.
MTBF and MTTR consider a component that can be repaired, whereas MTTF con-
siders a component that cannot be repaired.

Cram Quiz
Answer these questions. The answers follow the last question. If you cannot answer
these questions correctly, consider reading this chapter again until you can.
1. Which of the following is the monetary loss that can be expected for an asset
from risk over a year?
mm A. ALE
mm B. SLE
mm C. ARO
mm D. BIA

2. Your manager needs to know, for budgetary purposes, the average life span for
each of the firewall appliances. Which of the following should you provide?
mm A. MTBF
mm B. RPO
mm C. RTO
mm D. MTTF

3. An organization is increasingly subject to compliance regulations and is making

strong efforts to comply with them but is still concerned about issues that might
occur. Management decides to buy insurance to help cover the costs of a poten-
tial breach. Which of the following risk response techniques is the organization
using?
mm A. Avoidance
mm B. Transference
mm C. Acceptance
mm D. Mitigation
CramQuiz Business Impact Analysis

4. Which of the following equations best represents the proper assessment of

exposure to danger?
mm A. Risk = Threat × Vulnerability × Impact
mm B. Impact = Risk × Threat × Vulnerability
mm C. Vulnerability = Threat × Risk × Impact
mm D. Threat = Risk × Impact × Vulnerability

5. A security analyst needs a single point of entry to record information about

identified risks to his organization. What will allow him to do this?
mm A. ALE
mm B. Risk register
mm C. SLE
mm D. ARO

6. Which type of risk assessment uses a risk matrix/heatmap that plots the probabil-
ity of risks using a scale of low, medium, or high?
mm A. Quantitative
mm B. Adversarial
mm C. Qualitative
mm D. Environmental

7. If a single loss expectancy is $25,000 and the annual rate of occurrence is .5,
what is the annual loss expectancy?
mm A. $12,500
mm B. $25,000
mm C. $5,000
mm D. $2,500

Cram Quiz Answers

Answer 1: A. The annual loss expectancy (ALE) is the monetary loss that can be
expected for an asset from risk over a 1-year period. It is calculated by multiplying the
single loss expectancy by the annual rate of occurrence (that is, SLE × ARO). Therefore,
answers B and C are incorrect. Answer D is incorrect because this is a business impact
analysis, which is the process for determining potential impacts resulting from the inter-
ruption of business processes.
Answer 2: D. The mean time to failure (MTTF) is the length of time a device or prod-
uct is expected to last in operation. It represents how long a product can reasonably
be expected to perform, based on specific testing. Answer A is incorrect because the
mean time between failures (MTBF) is the average amount of time that passes between
What Next? CramQuiz

hardware component failures, excluding time spent repairing components or waiting

for repairs. Answers B and C are incorrect because RPO and RTO are used for risk-
mitigation planning. The recovery point objective (RPO) specifies the allowable data loss.
The recovery time objective (RTO) is the amount of time within which a process must be
restored after a disaster to meet business continuity requirements.
Answer 3: B. Insurance is a classic example of transferring risk. Answers A, C, and D
are incorrect because none of them transfers the risk from one organization to another.
Answer 4: A. Risk is a function of threats, vulnerabilities, and potential impact. Assess-
ing the level of risk is often portrayed through the simple equation Risk = Threat ×
Vulnerability × Impact. Answers B, C, and D are incorrect because threat, vulnerability,
and impact are considered together to provide an appropriate measure of risk.
Answer 5: B. A risk register is a strategic component for organizations. The register
also helps ensure that an organization’s risk tolerance and appetite are correctly aligned
with the goals of the business. A risk register provides a single point of entry to record
information about identified risks to the organization. Answer A is incorrect because the
annual loss expectancy (ALE) is the monetary loss that can be expected for an asset
from risk over a one-year period. Answer C is incorrect because single loss expectancy
(SLE) is the expected monetary loss every time a risk occurs. Answer D is incorrect
because the annual rate of occurrence (ARO) is the estimated possibility of a specific
threat taking place in a 1-year time frame.
Answer 6: C. Qualitative risk assessment can involve brainstorming, focus groups,
surveys, and other similar processes to determine asset worth and valuation to the
organization. Uncertainty is also estimated, allowing for a relative projection of qualita-
tive risk for each threat, based on its position in a risk matrix/heat map that plots the
probability (very low to very high) and impact (very low to very high). Numeric values can
be assigned to each state (very low = 1, low = 2, moderate = 3, and so on) to perform
a quasi-quantitative analysis, but because the categories are subjectively assigned, the
result remains qualitative. Answer A is incorrect because a quantitative assessment is
less subjective, and the process requires assigning a value to all the various compo-
nents. To perform a quantitative risk assessment, an estimation of potential losses is
calculated. Answers B and D are incorrect because these terms describe threat source
types, which can be adversarial, accidental, structural, or environmental, for example.
Answer 7: A. The annual loss expectancy (ALE) is the monetary loss that can be
expected for an asset from risk over a 1-year period. ALE equals the single loss expec-
tancy (SLE) times the annual rate of occurrence (ARO): that is, SLE × ARO = ALE.
So, if the SLE is $25,000 and the ARO is .5, the ALE is $12,500 (that is, $25,000 ×
.5 = $12,500). Therefore, Answers B, C, and D are incorrect.

What Next?
If you want more practice on this chapter’s exam objective before you move on,
remember that you can access all of the Cram Quiz questions on the Pearson
Test Prep software online. You can also create a custom exam by objective with
the Online Practice Test. Note any objective you struggle with and go to that
objective’s material in this chapter.
This page intentionally left blank
Index
Numbers
3DES (Triple DES), 166
802.1X, 221, 288–289

A
AAA framework, 13–14, 286–287
ABAC (attribute-based access control),
387–388
acceptable use policy (AUP), 433–435
acceptance of risk, 476
access badges, 21
access control, 386–388. See also
identity and access management
AAA framework, 13–14, 286–287
access badges, 21
access logs, 333
ACLs (access control lists), 12,
162–163, 352
deception and disruption technology,
23
overview of, 162–164
permissions, 164
physical security, 18–23
policy-driven, 16–17
standards, 446
vestibules, 19
Zero Trust, 15–18
access logs, 333
accounting, 14, 297
acknowledgement, 500
ACLs (access control lists), 12,
162–163, 352
acquisition, 296, 414
active devices, 215–216, 229
active reconnaissance, 516–517
activity monitoring, 332–336
alert response and remediation/
618
activity monitoring

validation, 335 allow lists, 32, 164

alert tuning, 336 Amazon Web Services, 185
alerting, 333 American National Standards Institute
archiving, 334–335 (ANSI), 20
log aggregation, 332–333 amplified DDoS (distributed denial-of-
service), 141–142
quarantine, 335
reporting, 334 analysis

scanning, 334 dynamic, 310

rescanning, 325–326 incident, 410
URL scanning, 360 risk, 468–472
vulnerability scans, 308–309, 421 ALE (annual loss expectancy), 472
ad hoc risk assessments, 467
ARO (annual rate of occurrence),
471–472
adaptation, security awareness
qualitative, 469–470
programs, 547
quantitative, 470
adaptive identity, 16
SLE (single loss expectancy),
Advanced Encryption Standard (AES), 470–471
166, 259, 367
steps for, 468–469
advanced persistent threats (APTs), 89
SDLC (software development lifecycle)
adversary tactics, techniques, and policy, 441
procedures (TTPs), 312
static, 290, 310
AES (Advanced Encryption Standard), vulnerability management,
166, 259, 367 316–317
agent-based tools, 337 annual loss expectancy (ALE), 472
agent-based web filters, 358 annual rate of occurrence (ARO),
agentless tools, 337 471–472
aggregation, log, 332–333 anomalous behavior recognition,
aggressive risk appetite, 474 532–533
agreement types, 489–491 anomaly-based IDSs/IPSs, 218
air gaps, 189–190 ANSI (American National Standards
Institute), 20
AIS (automated indicator sharing), 312
antimalware, 271, 274
ALE (annual loss expectancy), 472
antivirus tools, 274, 341
alerts, 333
APIs (application programming
alert mechanisms, 543
interfaces), 405
response and remediation/validation,
appetite for risk, 474–475
335
tuning, 336 appliances, network

algorithms, cryptographic
definition of, 216
asymmetric, 53–55 IDS (intrusion detection system),
218–219, 229
definition of, 43
IPS (intrusion prevention system),
key exchange, 50 218–219, 229
key length, 50–51 jump servers, 216–217, 229
key stretching, 49–50 load balancers, 219, 229
overview of, 49–50 proxy servers, 217–218, 229
symmetric, 51–53 sensors, 220, 229
 619
automation and orchestration

application allow lists, 164 asymmetric algorithms, 51–53

application attacks, 148–153 asynchronous replication, 260
buffer overflow, 149–150 attack phase, penetration testing, 516
directory traversal, 152–153 attack surfaces, 98, 214, 229
forgery, 151–152 attestation, 56, 385–386, 500, 510–511
injection, 148–149 attribute-based access control (ABAC),
privilege escalation, 150 387–388
replay attacks, 150 attributes, device, 215–216
application logs, 420 audit committees, 512
application monitoring, 330–331 audit logs, 332
application programming interfaces audits, 326
(APIs), 405 attestation, 510–511
application restart, 33 audit committees, 512
application security, 289–290, 309–311 external, 512–513
application vulnerabilities, 116–118 internal, 511–512
approval process, change management, logs, 332
29 overview of, 510
archiving, 334–335 penetration testing
ARO (annual rate of occurrence), components of, 514–515
471–472
defensive, 519
assessments
environments for, 520–521
assessment quizzes, 546 integrated, 519
attestation, 510–511 offensive, 518
external, 512–513 overview of, 513–516
internal, 511–512 phases of, 515–516
overview of, 510 physical tests, 517–518
penetration testing reconnaissance, 516–517
components of, 514–515 routine, 544
defensive, 519 system or process audits, 316
environments for, 520–521
AUP (acceptable use policy), 433–435
integrated, 519
authentication, 14
offensive, 518
device hardening, 271
overview of, 513–516
passwordless, 397
phases of, 515–516
protocols, 288–289
physical tests, 517–518
tokens, 391–393
reconnaissance, 516–517
workstations, 271
risk, 466–468
authorization, 14
self-assessments, 512
automated indicator sharing (AIS), 312
vendor, 486–488
automation and orchestration
asset management. See data asset
management benefits of, 405–406
compliance and, 500
asset tracking, 299
considerations for, 406–407
assignment/accounting, 297
620
automation and orchestration

reports, 421 boards, 431

use cases, 402–405 boatware, 135
availability, 12–13, 202 bollards, 19
avoidance of risk, 475–476 BPAs (business partner agreements),
awareness. See security awareness 490

awareness, user training for, 535–536 brand impersonation, 111

Azure, 185 Bridge Protocol Data Unit (BDPU)

Guard, 221
bring your own device (BYOD), 282–283
B brute-force attacks, 138, 155
backout plans, 30 buffer overflow, 116, 149–150
backups, 255–258 bug bounty programs, 316
definition of, 255–256 business continuity plans (BCPs), 205,
differential, 256 437–438, 478
frequency of, 258 business email compromise (BEC),
full, 256 109–110
incremental, 256 business impact analysis (BIA), 467,
478–479
onsite/offsite, 257
business partner agreements (BPAs),
badges, access, 21
490
bare-metal hypervisors, 196–197
business processes impacting security
baselines, 268–269 operations, 28–31
BCPs (business continuity plans), 205, BYOD (bring your own device), 282–283
437–438, 478
bypassing security controls, 315, 514
BDPU (Bridge Protocol Data Unit)
Guard, 221
BEC (business email compromise), C
109–110 cables, removable, 538–539
benchmarks, 337 California Consumer Privacy Act (CCPA),
BIA (business impact analysis), 467, 454, 502, 504
478–479 capacity planning, 253–254
biometrics, 389–391 CAs (certificate authorities), 66, 69–70
birthday attacks, 154 CAs (corrective actions), 413
Bitcoin, 66–67 CASB (cloud access security broker),
BitLocker, 45 228
blackmail, threat actors motivated by, 92 CCM (Cloud Controls Matrix), 459
block ciphers, 52 CCPA (California Consumer Privacy Act),
block rules, 360–361 454, 502, 504
blockchain, 66–67 cellular networks, 284
block/deny lists, 164 centralized architectures, 192–193
Bluetooth, 285 centralized proxies, 359–360
unsecured, 104 centralized structures, 431
wireless network attacks, 146 certificate revocation lists (CRLs), 77
 621
 compliance

certificate signing requests (CSRs), 72 multicloud systems, 252

certificates, 67–68 responsibility matrix, 181–183
CAs (certificate authorities), 66, 69–70 securing, 273–274
CPS (certification practice statement), third-party vendors, 185–186
70–71 vulnerabilities, 122–123
CRLs (certificate revocation lists), 77 Cloud Controls Matrix (CCM), 459
CSRs (certificate signing requests), 72 Cloud Security Alliance (CSA), 459
formats, 75–76
clustering, 248–249
OCSP stapling, 78
COBIT (Control Objectives for
pinning, 79 Information and Related Technology),
policy, 72–73 459
revocation of, 77 COBO (corporate owned, business
trust models, 71–72 only), 283
types of, 73–75 code repositories, 313
certification code signing, 74, 290
certification attestation, 511 cold sites, 250
CPS (certification practice statement), collision attacks, 153–154
70–71 Committee of Sponsoring Organizations
data asset management, 302 (COSO), 459
chain of custody, 414 committees, 431, 512
change management Common Vulnerability Scoring System
business processes impacting security (CVSS), 318–322
operations, 28–31 commonly used ports, 172
documentation, 35–36 communication encryption, 48–49
overview of, 28 compensating controls, 6–7, 324
policy, 443–444 complexity
technical implications, 31–34 of automation and orchestration, 406
version control, 36 of passwords, 395–396
chaos, threat actors motivated by, 93–94 compliance
choose your own device (CYOD), 283 audits, 511–512
CIA (confidentiality, integrity, and consequences of noncompliance,
availability), 12–13, 237 497–498
Cisco TALOS, 313 internal/external, 496–497
classifications monitoring, 499–501
data, 237–238, 297 overview of, 496
vulnerability, 320 privacy
client-based software, 103 data inventory and retention,
cloning attacks, 138 503–504
cloud computing definition of, 501
CASBs (cloud access security brokers), legal implications of, 504–505
228 privacy data roles, 501–503
definition of, 180–181 right to be forgotten, 505
hybrid considerations, 184–185 reporting, 496–497
IaC (Infrastructure as code), 186–187
622
computer resource monitoring

computer resource monitoring. See CPS (certification practice statement),

resource monitoring 70–71
confidential data, 238, 298 credentials
confidentiality, 12–13 credential replay, 147
configuration default, 105
enforcement, 167–168 critical data, 238
errors, 118 Critical vulnerabilities, 320
conflict of interest, 489 CRL (certificate revocation list), 77
connection methods, 283–285 cross-site scripting (XSS), 120,
connectivity, enterprise architecture 148–149
security, 214, 229 CrowdStrike Falcon X, 313
conservative risk appetite, 474 cryptographic attacks, 153–154
consistent training, 544 cryptographic erasure, 302
containerization, 193–195 Cryptographic Message Syntax, 367
containment phase, incident response, cryptography. See also encryption
410 algorithms
content categorization, 360 asymmetric, 53–55
content development, 545–546 key exchange, 50
continuity of operations plan (COOP), key length, 50–51
205, 252–253, 478 key stretching, 49–50
continuous integration and testing, overview of, 49–50
404–405
symmetric, 51–53
continuous risk assessments, 468
blockchain, 66–67
contractual impacts of non-compliance,
digital certificates, 67–68
498
CAs (certificate authorities), 69–70
control apps, 271
CPSs (certification practice
Control Objectives for Information and statements), 70–71
Related Technology (COBIT), 459
CSRs (certificate signing requests),
control plane, 16 72
controllers, 460, 503 formats, 75–76
cookies, 290 OCSP stapling, 78
COOP (continuity of operations plan), pinning, 79
205, 252–253, 478 policy, 72–73
COPE (corporate owned, personally revocation of, 77
enabled), 283
trust models, 71–72
corporate owned, business only (COBO),
types of, 73–75
283
digital signatures, 64–66
corrective actions (CAs), 413
key escrow, 431
corrective controls, 6
OCSP stapling, 78
COSO (Committee of Sponsoring
open public ledger, 67
Organizations), 459
PKI (public key infrastructure),
cost
428–429
automation and orchestration, 406–407
protocols, 287–288
network infrastructure, 203
public/private keys, 430–431
 623
decentralized architectures

tools data in use, 59, 239

HSM (hardware security module), data loss prevention (DLP) software,
57–58 341–342, 369, 370–371, 532
KMS (key management system), 58 data masking, 60–61, 242
secure enclave, 58 data obfuscation, 242
TPM (Trusted Platform Module), data masking, 60–61
55–57
hashing, 63–64
vulnerabilities, 125–126
overview of, 59–62
CSA (Cloud Security Alliance), 459 redaction, 61
CSR (certificate signing request), 72 salting, 63–64
custodians, 460–461 steganography, 62–63
custody, chain of, 414 tokenization, 60
CVE Details, 312 data ownership, 502
CVSS (Common Vulnerability Scoring data plane, 16
System), 318–322
data privacy. See privacy compliance
CWE, 320
data processors, 503
CYOD (choose your own device), 283
data protection
data classifications, 237–238
D data security methods, 240–243
DAC (discretionary access control), 387 data sovereignty, 239–240
dark web, 314 data states, 239
dashboards, 421 data types, 234–237
data asset management geolocation, 240
acquisition/ procurement process, 296 data roles, 501–503
assignment/accounting, 297 data segmentation, 243
certification, 302 data sources for investigation support
classification, 297–299 automated reports, 421
data classifications, 237–238 dashboards, 421
data inventory and retention, log data, 419–421
503–504 packet captures, 422
data retention, 303 vulnerability scans, 421
destruction, 302 data sovereignty, 239–240
disposal/decommissioning, 300–301 data states, 239
enumeration, 300 data subjects, 502
inventory, 300 data types, 234–237
monitoring/asset tracking, 299
data wiping, 301
ownership, 297
databases, 47
sanitization, 301–302
DDoS (distributed denial-of-service),
data at rest, 59 140–142
data controllers, 460, 503 dead zones, 279
data exfiltration, threat actors motivated decentralized architectures,
by, 90–91 192–193, 431
data in transit, 59, 239
624
deception and disruption technology

deception and disruption disabling ports/protocols, 171–172

technology, 23 disaster recovery plans (DRPs), 205,
decommissioning, 300–301 438–440
default credentials, 105 discovery phase, penetration testing,
defensive penetration testing, 519 515–516

degaussing, 301 discretionary access control (DAC), 387

demilitarized zone (DMZ), 353–354 disinformation, 108–109

denial-of-service (DoS) attacks, 171 dispersion, geographic, 251

deny lists, 32 disposal/decommissioning, 300–301

dependencies, 34 disruption/chaos, threat actors

motivated by, 93–94
deployment, 204, 282–283, 442
distinguished encoding rules (DER), 76
DER (distinguished encoding
rules), 76 distributed denial-of-service (DDoS),
140–142
design phase, SDLC (software
development lifecycle) policy, 441 diversity, platform, 251

destruction, 302 DKIM (DomainKeys Identified Mail), 368

detection phase, incident response, 410 DLL injection, 149

deterrent controls, 5 DLP (data loss prevention), 341–342,

369, 370–371
development
DMARC (Domain-based Message
SDLC (software development lifecycle)
Authentication, Reporting, and
policy, 441
Conformance), 369
security awareness programs, 545–547
DNS (Domain Name System), 364, 365
device attributes, 215–216
attacks, 142–144
device placement, 228
filtering, 366
DHCP (Dynamic Host Configuration
documentation, 35–36
Protocol) snooping, 221
domain hijacking, 142–143
diagrams, updating, 35
Domain Name System. See DNS
differential backups, 256
(Domain Name System)
digital certificates, 67–68
domain validation (DV), 73
CAs (certificate authorities), 66, 69–70
Domain-based Message Authentication,
CPSs (certification practice statements), Reporting, and Conformance
70–71 (DMARC), 369
CSRs (certificate signing requests), 72 DomainKeys Identified Mail (DKIM), 368
formats, 75–76 DoS (denial-of-service) attacks, 171
OCSP stapling, 78
downgrade attacks, 153
pinning, 79
downtime, 32–33
policy, 72–73
DRPs (disaster recovery plans), 205,
revocation of, 77 438–440
trust models, 71–72 dual power supply units (PSUs), 261
types of, 73–75 due care, 499–501
digital forensics, 414–415 due diligence, 488–489, 499–501
digital signatures, 64–66, 241 Duronio, Roger, 136–137
directive controls, 7 DV (domain validation), 73
directory traversal, 152–153
 625
endorsement key (EK)

dynamic analysis, 310 salting, 63–64

Dynamic Host Configuration Protocol steganography, 62–63
(DHCP) snooping, 221 tokenization, 60
dynamic/private ports, 171 definition of, 43–44
device hardening, 271
E digital certificates, 67–68
EAP (Extensible Authentication
CAs (certificate authorities), 66,
69–70
Protocol), 221, 229, 288–289
certificate formats, 75–76
ease of deployment, 204
certificate policy, 72–73
ease of recovery, 205
certificate types, 73–75
e-discovery, 415
CPSs (certification practice
EDR (endpoint detection and response), statements), 70–71
169, 330, 372–373
CSRs (certificate signing requests),
EFS (Encrypting File System), 45 72
EK (endorsement key), 56 OCSP stapling, 78
email, 99–100 pinning, 79
encryption, 369 revocation of, 77
phishing, 107–108 trust models, 71–72
components of, 526–528 digital signatures, 64–66
lessons from, 528 email, 369
recognizing, 528–530 file-level, 44–45
responding to, 530–531 full-disk, 44
security, 367–369 hardening with, 168–169
embedded systems, 200–201, 276 levels and types, 44–48
Encrypting File System (EFS), 45 mobile solutions, 281
encryption, 12, 166, 241, 258–259 OCSP stapling, 78
algorithms, 43–44 open public ledger, 67
asymmetric, 53–55 RTOS (Real-Time Operating System),
definition of, 43 277
key exchange, 50 servers, 274
key length, 50–51 standards, 446
key stretching, 49–50 tools
overview of, 49–50 HSM (hardware security module),
57–58
symmetric, 51–53
KMS (key management system), 58
blockchain, 66–67
secure enclave, 58
cloud infrastructure, 273
TPM (Trusted Platform Module),
communication, 48–49 55–57
cryptographic protocols, 287–288 transport, 48–49
data obfuscation workstations, 272
data masking, 60–61 end of service life (EOSL) date, 492
hashing, 63–64 end-of-life (EoL), 121, 492
overview of, 59–62 endorsement key (EK), 56
redaction, 61
626
endpoint detection and response (EDR)

endpoint detection and response (EDR), operating system security, 361–363

169, 330, 372–373 screened subnets, 353–354
endpoint logs, 420 secure protocol implementation,
endpoint protection, 169, 271 363–366
engagement, rules of, 492–493 port selection, 365
engaging content, creating, 545–546 protocol selection, 364
ENISA (European Union Agency for transport method, 365–366
Network and Information Security), 456 UBA (user behavior analytics), 373
enterprise architecture web filters, 357–361
attack surfaces, 214, 229 XDR (extended detection and
connectivity, 214, 229 response), 372–373
device attributes, 215–216 enumeration, data asset management,
300
failure modes, 214–215, 229
environmental attacks, 139
firewalls, 222–224, 229
environmental penetration testing,
access lists, 352
520–521
ports/protocols, 352
environmental variables, 321
rules, 350–351
EOL (end of life), 121, 492
infrastructure considerations, 212
ephemeral credentials, 398
network appliances
eradication phase, incident response,
definition of, 216
411
jump servers, 216–217, 229
escalation of tickets, 403–404
proxy servers, 217–218, 229
escrow, key, 431
port security, 220–222, 229
espionage, threat actors motivated by,
remote access, 225–226 91
SASE (Secure Access Service Edge),
ethical motivations of threat
228
actors, 93
SD-WAN (software-defined wide area
network), 227–228, 230 EU Digital Services Act, 498

security zones, 213, 228 European Union Agency for Network

and Information Security (ENISA),
selection of effective controls, 228–230 456
tunneling, 226–227
EV (extended validation), 74
VPNs (virtual private networks), 225
examinations, 513
enterprise security capabilities
exceptions, 324–325
DLP (data loss prevention), 370–371
exchange, key, 50
DNS filtering, 366
Execute permissions, 381
EDR (endpoint detection and
response), 372–373 execution, security awareness
programs, 545–547
email security, 367–369
exemptions, 324–325
FIM (File Integrity Monitoring),
369–370 expansionary risk appetite, 474
firewalls, 350–353 expiration of passwords, 396
IDS/IPS, 354–356 exploiting vulnerabilities, 315, 515
NAC (network access control), 371–372 exposure factors, 321
 627
FWaaS (firewall as a service)

extended detection and response (XDR), FIM (File Integrity Monitoring),

372–373 369–370
extended validation (EV), 74 financial information, 236
Extensible Access Control Markup financial motivations of threat actors, 92
Language (XACML), 387–388 Financial Services Information Sharing
Extensible Authentication Protocol and Analysis Center (FS-ISAC),
(EAP), 221, 229, 288–289 313–314
external audits and assessments, fines, noncompliance, 498
512–513 fingerprint biometrics, 390
external compliance, 497 firewalls, 222–224, 229, 350–353
external considerations, 453–455 access lists, 352
external monitoring, 500 FWaaS (firewall as a service ), 228
external threats, 84 host-based, 170
Layer 4/Layer 7, 224, 230
F logs, 420
NGFWs (next-generation firewalls),
facial recognition, 390
223–224, 230
factors, identity and access
ports/protocols, 352
management, 394–395
rules, 350–351
fail-closed, 215, 229
secure communication/access, 224–225
fail-open, 214–215, 229
UTM (unified threat management),
failover testing, 255 223, 230
failure modes, enterprise architecture WAF (web application firewall),
security, 214–215, 229 222–223, 229
false acceptance rate (FAR), 391 firmware, 120–121
false negatives, 317 flooding
false positives, 317 ping, 140
false rejection rate (FRR), 391 SYN, 141
FDE (full disk encryption), 45 forensics, digital, 414–415
Federal Identity, Credential, and Access forgery, 151–152
Management (FICAM) Roadmap, forward proxy servers, 217–218
387–388
fraffle attacks, 140
fencing, 20
frequency of backups, 258
File Integrity Monitoring (FIM),
FRR (false rejection rate), 391
369–370
FS-ISAC (Financial Services Information
File Transfer Protocol (FTP), 364, 365
Sharing and Analysis Center), 313–314
file-based threat vectors, 101
FTM (File Integrity Monitoring),
file/code repositories, 313 369–370
file-level encryption, 44–45 FTP (File Transfer Protocol), 364, 365
filtering full backups, 256
DNS, 366 Full Control permissions, 379–381
gateways, 369 full disk encryption (FDE), 45
MAC, 280
full-disk encryption, 44
web, 357–361
FWaaS (firewall as a service), 228
628
gait biometrics

G handbooks, user guidance and training,

534–535
gait biometrics, 390 hard authentication tokens, 391–393
Galois/Counter Mode Protocol, 288 hardening techniques, 270
gap analysis, 14–15 default password changes, 173
gates, 20 definition of, 168
gateways, 369 encryption, 168–169
GDPR (General Data Protection endpoint protection, 169
Regulation), 234, 455, 497, 502, 504 HIPS (host-based intrusion prevention
generators, 262 system), 170
geographic dispersion, 251 host-based firewalls, 170
geographic restrictions, 240–241 ports/protocols, disabling, 171–172
geolocation, 240 removal of unnecessary software,
173–174
GLBA (Gramm-Leach-Bliley Act), 235,
455 hardware providers, 124–125
global data privacy, 504 hardware security module (HSM), 57–58
goals, identifying, 545 hardware vulnerabilities, 120–121
Google Cloud Platform, 185 hashing, 63–64, 241
governance. See also policies Health Information Sharing and Analysis
Center (Health-ISAC), 313–314
external considerations, 453–455
Health Information Trust Alliance
governing framework, 428–429
Common Security Framework
guidelines, 428, 452–453 (HITRUST CSF), 459
industry-specific framework, 458–460 Health Insurance Portability and
monitoring, 432–433 Accountability Act (HIPAA), 235, 454,
procedures, 429, 447–452 455, 457
regulatory and nonregulatory heat maps, 278
requirements, 455–458 heuristic-based analysis, 219
revision, 432–433 high availability, 202, 248–249
roles and responsibilities, 460–462 High vulnerabilities, 320
standards, 428, 445–447 hijacking, domain, 142–143
structures, 430–431
HIPAA (Health Insurance Portability and
governing framework, 428–429 Accountability Act), 235, 454, 455, 457,
government entities, 431 504
GPOs (Group Policy Objects), 362 HIPS (host-based intrusion prevention
system), 170
Gramm-Leach-Bliley Act (GLBA), 235,
455 HITRUST CSF (Health Information
Trust Alliance Common Security
Group Policy, 361–362
Framework), 459
groups, 381, 403
HMAC-based one-time password
guard rails, 403 (HOTP), 392
guidelines, 428, 452–453 honeyfiles, 23
honeynets, 23
H honeypots, 23
hacktivists, 87 honeytokens, 23
hand geometry, 390 host-based firewalls, 170
 629
information security policy

host-based intrusion prevention system privileged access management tools,

(HIPS), 170 397–398
hosted hypervisors, 196–197 provisioning/de-provisioning user
hot sites, 250 accounts, 378–379
hotfixes, 323
SSO (single sign-on), 382–385
identity proofing, 381–382
HOTP (HMAC-based one-time
password), 392 IDS (intrusion detection system), 216,
218–219, 229, 354–356
HPKP (HTTP Public Key Pinning), 79
signatures, 356
HSM (hardware security module), 57–58
trends in, 355–356
HTTP (Hypertext Transfer Protocol), 364,
365 IEEE 802.1X, 221
HTTP Public Key Pinning (HPKP), 79 IM (instant messaging), 100–101
human vectors, 106–112 IMAP (Internet Message Access
Protocol), 364, 365
human-readable data, 236–237
immediate response, 543
hybrid cloud considerations, 184–185
impact analysis, 30
hybrid work environments, 541–542
impersonation, 109
Hypertext Transfer Protocol (HTTP), 364,
365 implementations, identity and access
management, 389–398
hypervisors, 196–197
biometrics, 389–391
hard/soft authentication tokens,
I 391–393
IaaS (infrastructure as a service), 181 security keys, 393–394
IaC (Infrastructure as code), 186–187 incident response
ICS (Industrial Control Systems), 198– digital forensics, 414–415
199, 275 phishing attempts, 530–531
identification methods, 308 policy, 440–441
identity and access management process for, 410–411
access controls, 386–388 RCA (root cause analysis), 412–413
attestation, 385–386 threat hunting, 413
factors, 394–395 training and testing, 411–412
identity proofing, 381–382 incremental backups, 256
implementations, 389–398 independent assessments, 487–488
biometrics, 389–391 independent third-party audits, 513
hard/soft authentication tokens, indicators of compromise (IOCs), 169,
391–393 312, 413
security keys, 393–394 indicators of malicious activity, 156–157
interoperability, 385 Industrial Control Systems (ICS),
MFA (multifactor authentication), 198–199, 275
388–398 industry/organizational impact,
password concepts, 395–397 vulnerability management, 321–322
password managers, 397 industry-specific framework, 458–460
passwordless authentication, 397 influence campaigns, 108–109
permissions assignment, 379–381 information security policy, 435–437
630
Information Sharing And Analysis Centers (ISACs)

Information Sharing And Analysis intrusion detection system (IDS), 216,

Centers (ISACs), 313–314 218–219, 229, 354–356
Informational vulnerabilities, 320 intrusion prevention system (IPS),
information-sharing organizations, 218–219, 229, 354–356
313–314 inventory, data, 300, 503–504
infrared sensors, 22 investigation support, data sources for
infrastructure automated reports, 421
capacity planning for, 254 dashboards, 421
IaaS (infrastructure as a service), 181 log data, 419–421
IaC (Infrastructure as code), 186–187 packet captures, 422
monitoring, 331–332 vulnerability scans, 421
Initiative for Open Authentication IOCs (indicators of compromise), 169,
(OATH), 392 312, 413
injection, 148–149 IoT (Internet of Things), 197–198,
DLL, 149 277–278
LDAP, 149 IPS (intrusion prevention system),
218–219, 229, 354–355
SQL, 149
signatures, 356
XML, 149
trends in, 355–356
inline devices, 216, 229
IPSec, 227, 230
input validation, 289
IPS/IDS logs, 420
insider threats, 86–87, 536–537
ISA (interconnection security
instant messaging (IM), 100–101
agreement), 490
insurance, 323
ISACs (Information Sharing And Analysis
integrated penetration testing, 519 Centers), 313–314
integrity, 12–13 ISO (International Organization for
intellectual property, 235 Standardization), 445–446, 458
interconnection security agreement isolation, 165
(ISA), 490 ITAM. See data asset management
interest, conflict of, 489
internal audits and assessments,
511–512
J
internal compliance, 496–497 jailbreaking, 127

internal monitoring, 500 journaling, 261

internal threats, 84 jump servers, 216–217, 229

International Organization for just-in-time permissions, 398

Standardization (ISO), 445–446, 458
Internet Message Access Protocol K
(IMAP), 364, 365
key risk indicators (KRIs), 468, 473
Internet of Things (IoT), 197–198,
277–278 keys, security, 393–394
Internet Protocol Security (IPSec), 227, EK (endorsement key), 56
230 key escrow, 431
interoperability, 385 key exchange, 50
key length, 50–51
 631
malicious updates

key stretching, 49–50 M

keyloggers, 136
MAC (mandatory access control),
KMS (key management system), 58
386–387
public/private, 430–431
MAC (Media Access Control) filtering,
SRK (storage root key), 56 221, 280
KMS (key management system), 58 machine/computer certificates, 75
known penetration test environments, maintenance phase, SDLC (software
520 development lifecycle) policy, 442
KPIs (key performance indicators), 337, maintenance windows, 30
421, 491
malicious attacks
KRIs (key risk indicators), 468, 473
application attacks, 139–147
buffer overflow, 149–150
L directory traversal, 152–153
Layer 4/Layer 7 firewalls, 224, 230 forgery, 151–152
LDAP (Lightweight Directory Access injection, 148–149
Protocol), 149, 383 privilege escalation, 150
least privilege, 167, 388 replay attacks, 150
legacy applications, 34 malware attacks, 132–137
legacy hardware, 121 boatware, 135
legal hold, 414 keyloggers, 136
legal implications, privacy, 504–505 logic bombs, 136–137
legal information, 236 ransomware, 133
length of passowrds, 395 rootkits, 137
lessons learned phase, incident spyware, 134–135
response, 411 Trojans, 133–134
licenses, loss of, 498 viruses, 136
lighting, 21–22 worms, 134
Lightweight Directory Access Protocol network attacks, 139–148
(LDAP), 149, 383 credential replay, 147
Linux permissions, 381 DDoS (distributed denial-of-
List Folder Contents permissions, service), 140–142
379–381 DNS (Domain Name System)
attacks, 142–144
load balancing, 219, 229, 248–249
malicious code, 148
local data privacy, 504
on-path, 147
Lockheed Martin, 88
wireless, 144–147
log aggregation, 332–333
physical attacks, 138–139
log data, 419–421
brute-force attacks, 138
log scanning, 334
environmental attacks, 139
logic bombs, 136–137
RFID (radio-frequency identifica-
logical segmentation, 190–191 tion), 138
loss of licenses, 498 malicious code, 148
Low vulnerabilities, 320 malicious updates, 117
632
malware

malware, 132–137 microservices, 188–189

boatware, 135 Microsoft Azure, 185
filtering, 369 Microsoft SCT (Security Compliance
keyloggers, 136 Toolkit), 269
logic bombs, 136–137 microwave sensors, 22
ransomware, 133 MIME (Multipurpose Internet Mail
rootkits, 137 Extensions), 367
spyware, 134–135 misconfiguration vulnerabilities, 126
Trojans, 133–134 misinformation, 108–109
viruses, 136 mitigation. See also access control
worms, 134 application allow lists, 164
managed service provider (MSP), 106 configuration enforcement, 167–168
management attestation, 511 encryption, 166
managerial controls, 4 hardening techniques
mandatory access control (MAC), default password changes, 173
386–387 definition of, 168
Mandiant Threat Intelligence, 313 encryption, 168–169
maps, threat, 312 endpoint protection, 169
masking, 242 HIPS (host-based intrusion
prevention system), 170
master service agreements (MSAs), 489
host-based firewalls, 170
MDM (mobile device management), 282
ports/protocols, disabling,
mean time between failures (MTBF), 171–172
479–481
removal of unnecessary software,
mean time to failure (MTTF), 466, 173–174
479–480
isolation, 165
mean time to repair (MTTR), 466, least privilege, 167
479–480
monitoring, 167
measurement of security awareness
patching, 165–166
programs, 547
risk, 476
media, removable, 538–539
segmentation, 162
Media Access Control (MAC) filtering,
221, 280 MITRE, 312, 320
Medium vulnerabilities, 320 MOA (memorandum of agreement), 490
memorandum of agreement (MOA), 490 mobile devices
memorandum of understanding (MOU), MDM (mobile device management),
490 282
memory injection, 116 securing, 270–271, 281
vulnerabilities, 127
message-based threat vectors
Modify permissions, 379–381
email, 99–100
IM (instant messaging), 100–101 monitoring, 167, 291, 299

SMS (Short Message Service), 100 activities for, 332–336

metadata logs, 421 alert response and remediation/
validation, 335
MFA (multifactor authentication), 388–
alert tuning, 336
398
 633
network attacks

alerting, 333 multifactor authentication (MFA),

archiving, 334–335 388–398
log aggregation, 332–333 Multipurpose Internet Mail Extensions
(MIME), 367
quarantine, 335
Multi-State Information Sharing and
reporting, 334
Analysis Center (MS-ISAC), 313–314
scanning, 334
applications, 330–331
definition of, 330 N
infrastructure, 331–332 NAC (network access control),
internal/external, 500 371–372
package, 311 national data privacy, 504
security awareness, 542–545 National Electrical Manufacturers
Association (NEMA), 20
security compliance, 499–501
National Institute of Standards and
in security governance, 432–433
Technology. See NIST (National
systems, 330 Institute of Standards and Technology)
tools for, 336–344 National Vulnerability Database (NVD),
agents/agentless, 337 311
antivirus, 341 nation-state threat actors, 88
benchmarks, 337 NDAs (non-disclosure agreements), 235,
DLP (data loss prevention), 489
341–342 near-field communication (NFC),
NetFlow, 343 146–147
SCAP (Security Content needs, identifying, 545
Automation Protocol), 336
negatives, false, 317
SIEM (security information and
NEMA (National Electrical
event management) systems,
331–332, 338–340 Manufacturers Association), 20

SNMP (Simple Network NetFlow, 343

Management Protocol), 342–343 network access control (NAC), 371–372
vulnerability scanners, 344 network appliances
vendors, 491–492 definition of, 216
MOU (memorandum of understanding), IDS (intrusion detection system),
490 218–219, 229
MSAs (master service agreements), 489 IPS (intrusion prevention system),
MS-ISAC (Multi-State Information
218–219, 229
Sharing and Analysis Center), 313–314 jump servers, 216–217, 229
MSP (managed service provider), 106 load balancers, 219, 229
MTBF (mean time between failures), proxy servers, 217–218, 229
479–481 sensors, 220, 229
MTTF (mean time to failure), 466, network attacks, 139–148
479–480 credential replay, 147
MTTR (mean time to repair), 466, DDoS (distributed denial-of-service),
479–480 140–142
multicloud systems, 252 DNS (Domain Name System) attacks,
142–144
634
network attacks

malicious code, 148 NIST (National Institute of Standards

on-path, 147 and Technology), 15, 382, 427,
445–446, 456, 459
wireless, 144–147
noncompliance, consequences of,
Bluetooth, 146
497–498
NFC (near-field communication),
non-disclosure agreements (NDAs), 235,
146–147
489
Wi-Fi, 144–146
non-human-readable data, 236–237
network infrastructure
nonregulatory requirements, 455–458
availability, 202
non-repudiation, 13
centralized versus decentralized,
192–193 NVD (National Vulnerability Database),
311
compute resources, 207
containerization, 193–195
cost, 203 O
definition of, 189 obfuscation, data, 242
ease of deployment, 204 data masking, 60–61
ease of recovery, 205 hashing, 63–64
embedded systems, 200–201 overview of, 59–62
ICS (Industrial Control Systems), redaction, 61
198–199
salting, 63–64
IoT (Internet of Things), 197–198
steganography, 62–63
logical segmentation, 190–191
tokenization, 60
patching, 205–206
Occupational Safety and Health
physical isolation, 189–190 Administration (OSHA), 20
power availability, 206–207 OCSP (Online Certificate Status
on-premises infrastructure, 192 Protocol), 77–78
resilience, 202–203 OCTAVE (Operationally Critical Threat,
responsiveness, 203 Asset, and Vulnerability Evaluation),
risk transference, 205 460

RTOS (Real-Time Operating System), offboarding, 448–450

200 offensive penetration testing, 518
SDN (software-defined networking), offsite backups, 257
191–192 one-time passwords (OTPs), 392
segmentation, 162
one-time risk assessments, 467–468
unsecured, 104
ongoing analysis, 544
virtualization, 195–197
Online Certificate Status Protocol
network logs, 420–421 (OCSP), 77–78
network scanning, 334 on-path network attacks, 147
neutral risk appetite, 474 on-premises infrastructure, 192
next-generation firewalls (NGFWs), onsite backups, 257
223–224, 230
Open Authorization (OAuth), 383–384
NFC (near-field communication), 146–
open public ledger, 67
147
open service ports, 104–105
NGFWs (next-generation firewalls),
223–224, 230
 635
 permissions

Open Web Application Security Project partitions, 44

(OWASP), 331 passive devices, 216, 229
open-source intelligence (OSINT), passive reconnaissance, 516–517
311–313
password attacks, 154–156
operating system security, 361–363, 420
passwordless authentication, 397
operating system-based vulnerabilities,
passwords
118–119
age of, 396–397
operational controls, 4
complexity of, 395–396
Operationally Critical Threat, Asset, and
Vulnerability Evaluation (OCTAVE), 460 default password changes, 173
Opportunistic Wireless Encryption expiration of, 396
(OWE), 286 length of, 395
orchestration management of, 397, 537–538
benefits of, 405–406 OTP (one-time password), 392
considerations for, 406–407 password concepts, 395–397
use cases of, 402–405 password vaulting, 398
organizational impact, 321 passwordless authentication, 397
organizational validation (OV), 73–74 privileged access management tools,
397–398
organized crime, 87–88
reuse of, 396
Organized Crime Control Act of 1970,
87–88 standards, 446
OSHA (Occupational Safety and Health switches, 272
Administration), 20 patching, 165–166, 205–206, 322–323
OSINT (open-source intelligence), cloud infrastructure, 274
311–313 ICS/SCADA networks, 275
Others (Linux entity), 381 servers, 274
OTP (one-time password), 392 workstations, 271
OV (organizational validation), 73–74 PCI DSS (Payment Card Industry Data
overflow, buffer, 149–150 Security Standard), 6, 235, 454, 455,
497
overwriting, 301
PEM (privacy enhanced mail), 75–76
OWASP (Open Web Application Security
Project), 331 penetration testing, 314–315, 487

OWE (Opportunistic Wireless components of, 514–515

Encryption), 286 defensive, 519
owners, 381, 473 environments for, 520–521
ownership, 29, 297, 460, 502 integrated, 519
offensive, 518

P overview of, 513–516

phases of, 515–516
P7B (PKCS#7), 76
physical tests, 517–518
PaaS (platform as a service), 182 reconnaissance, 516–517
package monitoring, 311 people, capacity planning for, 253–254
packet captures, 422 periodic reviews, 544
parallel processing, 255 permissions, 164
636
permissions

assignment of, 379–381 SDLC (software development lifecycle)

restrictions on, 243 policy, 441
personal health information (PHI), platform as a service (PaaS), 182
456–458 platform diversity, 251
personal identifiable information (PII), poisoning, DNS (Domain Name System),
234, 333, 456–458, 502–503 143–144
Personal Information Protection and policies
Electronic Documents Act (PIPEDA), acceptable use, 433–435
504
business continuity, 437–438
PFX (personal information exchange), 76
certificate, 72–73
philosophical motivations of threat
change management, 443–444
actors, 92–93
components of, 433
phishing, 107–108, 526–531
definition of, 428
components of, 526–528
disaster recovery, 438–440
lessons from, 528
incident response, 440–441
recognizing, 528–530
information security, 435–437
responding to, 530–531
SDLC (software development
physical security lifecycle), 441–443
access badges, 21 updating, 35–36
access control vestibules, 19 policy
bollards, 19 administrators, 17–18
fencing and gates, 20 enforcement, 369
lighting, 21–22 enforcement points, 18
overview of, 18 group, 361–362
physical attacks, 138–139 policy engines, 17
physical controls, 4 policy-based IDSs/IPSs, 219
physical isolation, 189–190 policy-driven access control, 16–17
security guards, 21 user guidance and training, 534–535
sensors, 22–23 political motivations of threat actors,
signs, 20 92–93
standards, 446 POP (Post Office Protocol), 364,
video surveillance, 20 365, 367
physical tests, 517–518 ports
PII (personal identifiable information), commonly used, 172
234, 333, 456–458, 502–503 disabling, 171–172
ping floods, 140 dynamic/private, 171
pinning, 79 firewalls, 353
PIPEDA (e Personal Information open, 104–105
Protection and Electronic Documents registered, 171
Act), 504
scanning, 334
PKI (public key infrastructure),
security, 220–222, 229
428–429
selection, 365
planning phase
well-known, 171
penetration testing, 515
positives, false, 317
 637
Read permissions

Post Office Protocol (POP), 364, procedures, 429, 447–452

365, 367 procedures, updating, 35–36
power availability, 206–207 process audits, 316
power redundancy, 261–262 processors, data, 460, 503
power supply units (PSUs), 261 procurement process, 296
praying password attacks, 155–156 propaganda, 108–109
preparation phase, incident response, proprietary data, 298
410
proprietary/third-party threat feeds, 313
preservation, 415
protocol implementation, 363–366
pre-shared key (PSK), 288–289
protocols
pressure sensors, 22
disabling, 171–172
pretexting, 109
firewalls, 353
principles of secure design
port selection, 172, 365
attack surfaces, 214, 229
protocol selection, 364
connectivity, 214, 229
transport method, 365–366
device attributes, 215–216
provisioning, 378–379, 402
failure modes, 214–215, 229
proxies, 217–218, 229, 359–360
network appliances
PSK (pre-shared key), 288–289
definition of, 216
public data, 237, 298
IDS (intrusion detection system),
218–219, 229 public key infrastructure (PKI),
428–429
IPS (intrusion prevention system),
218–219, 229 public keys, 430–431
jump servers, 216–217, 229
load balancers, 219, 229 Q
proxy servers, 217–218, 229
qualitative risk analysis, 469–470
sensors, 220, 229
quantitative risk analysis, 470
security zones, 213, 228
quarantine, 335
prioritization
questionnaires, 487
CVSS (Common Vulnerability Scoring
System), 318–322
vulnerability management, 317–318 R
privacy compliance race conditions, 117
data inventory and retention, 503–504 radio-frequency identification (RFID),
definition of, 501 19, 138
legal implications of, 504–505 RADIUS (Remote Authentication Dial-In
privacy data roles, 501–503 User Service), 286–287
right to be forgotten, 505 ransomware, 133
privacy enhanced mail (PEM), rate of return on investment (RROI), 469
75–76 RBAC (role-based access control), 387
private data, 238, 298 RCA (root cause analysis), 412–413
private keys, 430–431 Read & Execute permissions, 379–381
privilege escalation, 150 Read permissions, 381
privileged access management tools,
397–398
638
Real-Time Operating System (RTOS)

Real-Time Operating System (RTOS), Remote Authentication Dial-In User

200, 277 Service (RADIUS), 286–287
reconnaissance, 516–517 remote wipe, 271
recovery, 411 remote work environments, 541–542
backups, 255–258 removable devices, 102, 538–539
definition of, 255–256 replay attacks, 150
differential, 256 reporting, 326, 334, 414–415
frequency of, 258 automated, 421
full, 256 compliance, 496–497
incremental, 256 penetration testing, 516
onsite/offsite, 257 risk, 477–480
capacity planning, 253–254 BIA (business impact analysis),
COOP (continuity of operations plan), 478–479
252–253 components of, 477–478
ease of, 205 MTBF (mean time between
encryption, 258–259 failures), 479–481
goals of, 260 MTTF (mean time to failure), 466,
479–480
high availability, 248–249
MTTR (mean time to repair), 466,
journaling, 261
479–480
multicloud systems, 252
RPO (recovery point objective), 479
platform diversity, 251
RTO (recovery time objective), 479
power redundancy, 261–262
security awareness, 542–545
site considerations, 249–251
repositories, 313
snapshots, 259
rescanning, 325–326
testing, 254–255
resilience and recovery, 202–203
recovery point objective (RPO), 253, 467,
479 backups, 255–258
definition of, 255–256
recovery time objective (RTO), 253, 467,
479 differential, 256
recurring reporting and monitoring, 544 frequency of, 258
recurring risk assessments, 468 full, 256
redaction, 61 incremental, 256
reflected DDoS attacks, 141–142 onsite/offsite, 257
capacity planning, 253–254
regional data privacy, 504
COOP (continuity of operations plan),
registered ports, 171
252–253
registers, risk, 472–474
encryption, 258–259
regulated data, 234–235 goals of, 260
regulatory audits, 512–513 high availability, 248–249
regulatory requirements, 455–458 journaling, 261
remediation, vulnerability, 322–325 multicloud systems, 252
remote access, 225–226 platform diversity, 251
remote access Trojan (RAT), 134 power redundancy, 261–262
site considerations, 249–251
 639
risk analysis

snapshots, 259 MDM (mobile device management),

testing, 254–255 282
resource monitoring, 207. See also mobile devices, 270–271, 281
resource security routers, 273
activities for, 332–336 RTOS (Real-Time Operating System),
alert response and remediation/ 277
validation, 335 sandboxing, 290–291
alert tuning, 336 SCADA (Supervisory Control and Data
alerting, 333 Acquisition), 275
archiving, 334–335 servers, 274–275
log aggregation, 332–333 switches, 272–273
quarantine, 335 target hardening, 270
reporting, 334 wireless devices, 278–280
scanning, 334 wireless security settings, 285–289
applications, 330–331 workstations, 271–272
definition of, 330 responsibilities

infrastructure, 331–332 responsibility matrix, 181–183

systems, 330 roles and, 460–462
tools for, 336–344 responsible disclosure programs, 316
agents/agentless, 337 responsiveness, network infrastructure,
203
antivirus, 341
restart, application, 33
benchmarks, 337
restricted activities, 32
DLP (data loss prevention),
341–342 restricted data, 238
NetFlow, 343 retention, data, 503–504
SCAP (Security Content retina biometrics, 390
Automation Protocol), 336 return on investment (ROI), 469
SIEM (security information and
reuse of passwords, 396
event management) systems,
331–332, 338–340 revenge, threat actors motivated by, 93
SNMP (Simple Network reverse proxy servers, 218
Management Protocol), 342–343 reviews, periodic, 544
vulnerability scanners, 344 revision, in security governance,
resource provisioning, 402 432–433
resource reuse, 122 revocation of certificates, 77
resource security RFID (radio-frequency identification),
application security, 289–290 19, 138
baselines, 268–269 right to be forgotten, 505
cloud infrastructure, 273–274 right-to-audit clause, 488
connection methods, 283–285 risk acceptance, 476
deployment models, 282–283 risk analysis, 468–472
embedded systems, 276 ALE (annual loss expectancy), 472
ICS (Industrial Control Systems), 275 ARO (annual rate of occurrence),
IoT (Internet of Things), 277–278 471–472
640
risk analysis

qualitative, 469–470 vendor assessment, 486–488

quantitative, 470 vendor monitoring, 491–492
SLE (single loss expectancy), vendor selection, 488–489
470–471 tolerance, 322, 474–475
steps for, 468–469 transference of risk, 205, 476
risk management risk owners, 473
acceptance, 476 risk registers, 472–474
analysis, 468–472 risk reporting, 477–480
ALE (annual loss expectancy), 472 BIA (business impact analysis), 478–479
ARO (annual rate of occurrence), components of, 477–478
471–472
MTBF (mean time between failures),
qualitative, 469–470 479–481
quantitative, 470 MTTF (mean time to failure), 466,
SLE (single loss expectancy), 479–480
470–471 MTTR (mean time to repair), 466,
steps for, 468–469 479–480
assessment, 466–468 RPO (recovery point objective), 479
avoidance, 475–476 RTO (recovery time objective), 479
identification, 466 risk thresholds, 473–474
KRIs (key risk indicators), 468, 473 risk tolerance, 322, 474–475
levels of risk, 469 risk transference, 205, 476
mitigation, 476 ROI (return on investment), 469
reporting, 477–480 roles
BIA (business impact analysis), privacy, 501–503
478–479
RBAC (role-based access control), 387
components of, 477–478
responsibilities, 460–462
MTBF (mean time between
failures), 479–481 root cause analysis (RCA), 412–413
MTTF (mean time to failure), 466, root signing certificates, 74–75
479–480 rootkits, 137
MTTR (mean time to repair), 466, routers, 273
479–480
routine audits, 544
RPO (recovery point objective), 479
RPO (recovery point objective), 253, 467,
RTO (recovery time objective), 479 479
risk appetite, 474–475 RROI (rate of return on investment), 469
risk identification, 466
RSA Security, 88
risk owners, 473
RTO (recovery time objective), 253, 467,
risk registers, 472–474 479
risk thresholds, 473–474 RTOS (Real-Time Operating System),
risky behavior, recognizing, 532 200, 277
strategies for, 475–477 rules
third-party block, 360–361
agreement types, 489–491 of engagement, 492–493
overview of, 486 firewalls, 350–351
rules of engagement, 492–493 rule-based access control, 387
 641
security architecture

S Secure FTP (FTPS/SFTP), 366

secure protocol implementation,
SAE (Simultaneous Authentication of 363–366
Equals), 286
port selection, 365
salting, 63–64
protocol selection, 364
SAML (Security Assertion Markup
transport method, 365–366
Language), 384–385
Secure Shell (SSH), 272
SAN certificates, 74
Secure Sockets Layer (SSL), 48, 67, 366
sanctions, 498
secure web gateway (SWG), 228
sandboxing, 290–291
secured zones, 17
sanitization, 301–302
Secure/Multipurpose Internet Mail
Sarbanes-Oxley Act (SOX), 235, 455
Extensions (S/MIME), 74, 367
SASE (Secure Access Service Edge),
SecurID token, 391
228, 230
securing resources
SCADA (Supervisory Control and Data
Acquisition), 198–199, 275, 459 application security, 289–290
scanning, 334 baselines, 268–269
rescanning, 325–326 cloud infrastructure, 273–274
URL scanning, 360 connection methods, 283–285
vulnerability scans, 308–309, 421 deployment models, 282–283
embedded systems, 276
SCAP (Security Content Automation
Protocol), 336 ICS (Industrial Control Systems), 275
scheduled reports, 544 IoT (Internet of Things), 277–278
Schneier, Bruce, 476–477 MDM (mobile device management),
282
screened subnets, 353–354
mobile devices, 270–271
scripting
mobile solutions, 281
benefits of, 405–406
monitoring, 291
considerations for, 406–407
routers, 273
use cases of, 402–405
RTOS (Real-Time Operating System),
SCT (Security Compliance Toolkit), 269 277
SDLC (software development lifecycle) sandboxing, 290–291
policy, 441–443
SCADA (Supervisory Control and Data
SDN (software-defined networking), Acquisition), 275
191–192 servers, 274–275
SD-WAN (software-defined wide area switches, 272–273
network), 227–228, 230
target hardening, 270
sealed storage, 56
wireless devices, 278–280
secret data, 298
wireless security settings, 285–289
Secure Access Service Edge (SASE), workstations, 271–272
228, 230
security architecture
Secure API, 366
cloud
secure communication/access, 224–225
definition of, 180–181
secure cookies, 290
hybrid considerations, 184–185
secure enclave, 58
responsibility matrix, 181–183
642
security architecture

third-party vendors, 185–186 journaling, 261

data protection multicloud systems, 252
data classifications, 237–238 platform diversity, 251
data security methods, 240–243 power redundancy, 261–262
data sovereignty, 239–240 site considerations, 249–251
data states, 239 snapshots, 259
data types, 234–237 testing, 254–255
geolocation, 240 serverless, 187–188
enterprise architecture security Security Assertion Markup Language
principles (SAML), 384–385
attack surfaces, 214, 229 security awareness
connectivity, 214, 229 anomalous behavior recognition,
device attributes, 215–216 532–533
failure modes, 214–215, 229 development and execution, 545–547
firewalls, 222–224, 229, 350–353 overview of, 526
infrastructure considerations, 212 phishing campaigns, 526–531
network appliances, 216–220 components of, 526–528
port security, 220–222, 229 lessons from, 528
remote access, 225–226 recognizing, 528–530
SASE (Secure Access Service Edge), responding to, 530–531
228 reporting and monitoring, 542–545
SD-WAN (software-defined wide user guidance and training, 533–542
area network), 227–228, 230
hybrid/remote work environments,
security zones, 213, 229 541–542
selection of effective controls, insider threats, 536–537
228–230
operational security (OpSec),
tunneling, 226–227 540–541
VPNs (virtual private networks), password management, 537–538
225
policy and handbooks, 534–535
IaC (Infrastructure as code), 186–187
removable media and cables,
microservices, 188–189 538–539
network infrastructure, 191–192 situational awareness, 535–536
definition of, 189 social engineering, 539–540
logical segmentation, 190–191 steps for, 533–534
physical isolation, 189–190 security compliance
SDN (software-defined network- consequences of noncompliance,
ing), 191–192 497–498
resilience and recovery internal/external, 496–497
backups, 255–258 monitoring, 499–501
capacity planning, 253–254 overview of, 496
COOP (continuity of operations privacy compliance
plan), 252–253
data inventory and retention,
encryption, 258–259 503–504
goals of, 260 definition of, 501
high availability, 248–249 legal implications of, 504–505
 643
security operations

privacy data roles, 501–503 benefits of, 405–406

right to be forgotten, 505 considerations for, 406–407
reporting, 496–497 use cases of, 402–405
Security Compliance Toolkit (SCT), 269 data asset management
Security Content Automation Protocol acquisition/ procurement process,
(SCAP), 336 296
security controls assignment/accounting, 297
bypassing, 315, 514 certification, 302
compensating, 6–7, 324 classification, 297–299
corrective, 6 data retention, 303
deterrent, 5 destruction, 302
directive, 7 disposal/decommissioning, 300–301
managerial, 4 enumeration, 300
nature of, 3–4 inventory, 300
operational, 4 monitoring/asset tracking, 299
physical, 4 ownership, 297
preventative, 5 sanitization, 301–302
technical, 4 enterprise security capabilities
security governance DLP (data loss prevention),
370–371
external considerations, 453–455
DNS filtering, 366
governance structures, 430–431
EDR (endpoint detection and
governing framework, 428–429 response), 372–373
guidelines, 428, 452–453 email security, 367–369
industry-specific framework, 458–460 FIM (File Integrity Monitoring),
monitoring, 432–433 369–370
policies. See policies firewalls, 350–353
procedures, 429, 447–452 IDS/IPS, 354–356
regulatory and nonregulatory NAC (network access control),
requirements, 455–458 371–372
revision, 432–433 operating system security, 361–363
roles and responsibilities, 460–462 screened subnets, 353–354
standards, 428 secure protocol implementation,
standards documents, 445–447 363–366
security groups, 403 UBA (user behavior analytics), 373
security information and event web filters, 357–361
management (SIEM) systems, 216, XDR (extended detection and
331–332, 338–340, 543 response), 372–373
security keys, 393–394 identity and access management
EK (endorsement key), 56 access controls, 386–388
public/private, 430–431 attestation, 385–386
SRK (storage root key), 56 factors, 394–395
security logs, 333 identity proofing, 381–382
security operations implementations, 389–394
automation and orchestration interoperability, 385
644
security operations

MFA (multifactor authentication), SCADA (Supervisory Control and

388–398 Data Acquisition), 275
password concepts, 395–397 servers, 274–275
password managers, 397 switches, 272–273
passwordless authentication, 397 target hardening, 270
permissions assignment, wireless devices, 278–280
379–381 wireless security settings, 285–289
privileged access management tools, workstations, 271–272
397–398
security operations, business processes
provisioning/de-provisioning user impacting, 28–31
accounts, 378–379
security program management. See also
SSO (single sign-on),
risk management
382–385
audits and assessments
incident response
attestation, 510–511
digital forensics, 414–415
external, 512–513
process for, 410–411
internal, 511–512
RCA (root cause analysis), 412–413
overview of, 510
threat hunting, 413
penetration testing, 513–521
training and testing, 411–412
security awareness
monitoring
anomalous behavior recognition,
activities for, 332–336
532–533
applications, 330–331
development and execution,
definition of, 330 545–547
infrastructure, 331–332 overview of, 526
systems, 330 phishing campaigns, 526–531
resource monitoring, 336–344 reporting and monitoring, 542–545
securing resources user guidance and training, 533–542
application security, 289–290 security compliance
baselines, 268–269 consequences of noncompliance,
cloud infrastructure, 273–274 497–498
connection methods, 283–285 monitoring, 499–501
deployment models, 282–283 overview of, 496
embedded systems, 276 privacy compliance, 501–505
ICS (Industrial Control Systems), reporting, 496–497
275 security governance
IoT (Internet of Things), 277–278 external considerations, 453–455
MDM (mobile device management), governance structures, 430–431
282
governing framework, 428–429
mobile devices, 270–271
guidelines, 428, 452–453
mobile solutions, 281
industry-specific framework,
monitoring, 291 458–460
routers, 273 monitoring, 432–433
RTOS (Real-Time Operating policies. See policies
System), 277
procedures, 429, 447–452
sandboxing, 290–291
 645
SLE (single loss expectancy)

regulatory and nonregulatory serverless architecture, 187–188

requirements, 455–458 servers
revision, 432–433 jump, 216–217, 229
roles and responsibilities, 460–462 proxy, 217–218, 229
standards, 428 securing, 274–275
standards documents, 445–447 service disruptions, threat actors
third-party risk management motivated by, 91–92
agreement types, 489–491 service level agreements (SLAs),
overview of, 486 489–490
rules of engagement, 492–493 Service Organizational Control (SOC),
vendor assessment, 486–488 458
vendor monitoring, 491–492 service packs, 323
vendor selection, 488–489 service providers, 124
vulnerability management service restart, 33
analysis, 316–317 service set identifier (SSID), 280
application security, 309–311 services, enabling/disabling, 404
audits, 326 shadow IT, 89
confirmation, 317 Short Message Service (SMS), 100
CVSS (Common Vulnerability side loading, 127
Scoring System), 318–322 SIEM (security information and event
identification methods, 308 management) systems, 216,
penetration testing, 314–315 331–332, 338–340, 543
prioritization, 317–318 signature biometrics, 390
reporting, 326 signature-based IDSs/IPSs, 218, 356
rescanning, 325–326 signatures, digital, 64–66, 241
responsible disclosure programs, signs, 20
316
Simple Mail Transfer Protocol (SMTP),
system or process audits, 316 364, 365
threat feeds, 311–314 Simple Network Management Protocol
verification, 326 (SNMP), 342–343, 364, 365
vulnerability response and simulations, 255, 412
remediation, 322–325 Simultaneous Authentication of Equals
vulnerability scans, 308–309 (SAE), 286
security zones, 213, 228 single loss expectancy (SLE), 470–471
SED (self-encrypting drive), 46 single point of failure, 407
segmentation, 162, 190–191, 243, 324 single sign-on (SSO), 382–385
self-assessments, 512 site considerations, resilience and
self-encrypting drive (SED), 46 recovery, 249–251
self-signed certificates, 74 site surveys, 278
SELinux, 363 situational awareness, 535–536
Sender Policy Framework (SPF), 368 SLAs (service level agreements),
489–490
sensitive data, 238, 298
SLE (single loss expectancy), 470–471
sensors, 22–23, 220, 229
646
SLTT (State, Local, Tribal, and Territorial) government sectors

SLTT (State, Local, Tribal, and Territorial) SSL (Secure Sockets Layer), 48, 67, 366
government sectors, 313–314 SSO (single sign-on), 382–385
S/MIME (Secure/Multipurpose Internet stakeholders, 29
Mail Extensions), 74, 367
standard operating procedures (SOPs),
smishing, 108 31
SMS (Short Message Service), 100, 108 standards, 428, 445–447
SMTP (Simple Mail Transfer Protocol), stapling, OCSP, 78
364, 365
State, Local, Tribal, and Territorial (SLTT)
smurfing, 140 government sectors, 313–314
snapshots, 259 stateful protocol analysis, 219
SNMP (Simple Network Management statement of work (SOW), 490
Protocol), 342–343, 364, 365
states, data, 239
snooping, DHCP (Dynamic Host
static analysis, 290, 310
Configuration Protocol), 221
steganography, 62–63, 242
Snowden, Edward, 87
stewards, 460–461
SOC (Service Organizational Control),
458 STIX (Structured Threat Information
eXpression), 312
social engineering, 106–112, 539–540
storage root key (SRK), 56
Society for Worldwide Interbank
Financial Telecommunication (SWIFT), strategies, risk management, 475–477
454 stream ciphers, 52
soft authentication tokens, 391–393 stretching, key, 49–50
software as a service (SaaS), 182 Structured Threat Information
software development lifecycle (SDLC) eXpression (STIX), 312
policy, 441–443 subjects, 17, 502
software providers, 125 subnets, screened, 353–354
software updates. See updates Supervisory Control and Data
software-defined networking (SDN), Acquisition (SCADA), 198–199, 275, 459
191–192 supply chain, 105–106, 123–125, 488, 492
software-defined wide area network supportability, 407
(SD-WAN), 227–228, 230
surveillance, video, 20
sophistication of threat actors, 84
SWG (secure web gateway), 228
SOPs (standard operating procedures),
SWIFT (Society for Worldwide Interbank
31
Financial Telecommunication), 454
sovereignty, data, 239–240
switches, securing, 272–273
SOW (statement of work), 490
symmetric algorithms, 51–53
SOX (Sarbanes-Oxley Act), 235, 455
SYN floods, 141
spam filtering, 369
synchronous replication, 260
SPF (Sender Policy Framework), 368
systems, 17
spyware, 134–135
monitoring, 330
SQL injection, 120, 149
roles and responsibilities, 460–462
SRK (storage root key), 56 system event logs, 332
SSH (Secure Shell), 272 system or process audits, 316
SSID (service set identifier), 280 unsupported, 103–104
 647
threat vectors

T third-party threat feeds, 313

third-party vendors
table-top exercises, 412
cloud computing, 185–186
tabletop exercises, 254–255
IaC (Infrastructure as code), 186–187
tap/monitor devices, 216, 229
threat actors
target hardening, 270
attributes of, 84
TAXII (Trusted Automated eXchange of definition of, 84
Indicator Information), 312
hacktivists, 87
TBS (TPM Base Services), 57
insider threats, 86–87
TCG (Trusted Computing Group), 46
motivations of, 90–94
technical controls, 4
nation-state, 88
technical debt, 407
organized crime, 87–88
tehnology, capacity planning for, 254 shadow IT, 89
Telnet, 364 unskilled attackers, 86
test results, 30 threat feeds, 311–314
testing threat hunting, 413
continuous integration and testing, threat maps, 312
404–405
threat scope reduction, 16
failover, 255
threat vectors, 98. See also penetration
incident response, 411–412
testing
parallel processing, 255
default credentials, 105
penetration, 314–315, 487
definition of, 98
components of, 514–515
file-based, 101
defensive, 519
human vectors/social engineering,
environments for, 520–521 106–112
integrated, 519 insider, 536–537
offensive, 518 internal/external, 84
overview of, 513–516 malicious attacks
phases of, 515–516 application attacks, 148–153
physical tests, 517–518 cryptographic attacks, 153–154
resilience and recovery, 254–255 indicators of, 156–157
SDLC (software development lifecycle) malware attacks, 132–137
policy, 442
network attacks, 139–148
security controls, 315
password attacks, 154–156
simulation, 255
physical attacks, 138–139
tabletop exercises, 254–255
message-based
test results, 30
email, 99–100
TFTP (Trivial File Transfer Protocol), 364
IM (instant messaging), 100–101
third-party risk management
SMS (Short Message Service), 100
overview of, 486
open service ports, 104–105
rules of engagement, 492–493
removable devices, 102
vendor assessment, 486–488
resources and funding for, 84
vendor monitoring, 491–492
supply chain, 105–106
vendor selection, 486–488
648
threat vectors

unsecured networks, 104 Transport Layer Security (TLS), 48, 67,

unsupported systems and applications, 226–227, 230
103–104 transport method, 365–366
verifying, 315, 514 trends, IDS/IPS, 355–356
voice calls, 101 Triple DES (3DES), 166
vulnerable software, 103 Trivial File Transfer Protocol (TFTP), 364
thresholds, risk, 473–474 Trojans, 133–134
ticket creation and escalation, trust models, 71–72
403–404
Trusted Automated eXchange of
time-based one-time password (TOTP), Indicator Information (TAXII), 312
392
Trusted Computing Group (TCG), 46
time-of-check to time-of-use (TOCTOU),
Trusted Platform Module (TPM), 47,
117
55–57, 296
time-of-day restrictions, 388
TTPs (adversary tactics, techniques, and
TLS (Transport Layer Security), 48, procedures), 312
226–227, 230
tunneling, 226–227, 366
TOCTOU (time-of-check to time-of-use),
Twitter, 498
117
Type 1 hypervisors, 196–197
tokenization, 60, 242
Type 2 hypervisors, 196–197
tolerance for risk, 322, 474–475
types, data, 234–237
top secret data, 298
typosquatting, 111–112
TOTP (time-based one-time password),
392
TPM (Trusted Platform Module), 47, U
55–57, 296
UBA (user behavior analytics), 373
TPM Base Services (TBS), 57
UBS PaineWebber, 136–137
trade secrets, 235
UEBA (user and entity behavior
training. See also security awareness analytics) systems, 532
incident response, 411–412 unexpected behavior, recognizing, 532
user, 533–542 unified threat management (UTM), 223,
hybrid/remote work environments, 230
541–542
unintentional behavior, recognizing, 532
insider threats, 536–537
uninterruptible power supply (UPS),
operational security (OpSec), 261–262
540–541
Universal Resource Locator (URL)
password management, 537–538 redirection, 143
policy and handbooks, 534–535
unknown penetration test environments,
removable media and cables, 520
538–539
unnecessary software, removing,
situational awareness, 535–536 173–174
social engineering, 539–540 unsecured networks, 104
steps for, 533–534 unskilled attackers, 86
transference of risk, 205, 476 unsupported systems and applications,
transit, data in, 239 103–104
transport encryption, 48–49 updates, 271, 323
 649
 vulnerabilities

updating virtual machines, 122, 259

diagrams, 35 virtual private networks (VPNs), 225,
policies/procedures, 35–36 230, 366
UPS (uninterruptible power supply), virtualization, 121–122, 195–197
261–262 viruses, 136
URL (Universal Resource Locator) vishing, 108
redirection, 143 VM (virtual machine) escape, 122
URL scanning, 360 voice calls, as threat vectors, 101
use, data in, 239 voice phishing, 108
user accounts, provisioning/ voiceprint, 390
de-provisioning, 378–379
VPNs (virtual private networks), 225,
user and entity behavior analytics 230, 366
(UEBA) systems, 532
VulnDB, 312
user attestation, 511
vulnerabilities. See also penetration
user behavior analytics (UBA), 373 testing; threat vectors
user certificates, 75 application, 116–118
user guidance and training, 533–542 classification of, 320
hybrid/remote work environments, cloud-specific, 122–123
541–542
cryptographic, 125–126
insider threats, 536–537
hardware, 120–121
operational security (OpSec), 540–541
malicious attacks
password management, 537–538
application attacks, 148–153
policy and handbooks, 534–535
cryptographic attacks, 153–154
removable media and cables,
538–539 indicators of, 156–157
situational awareness, 535–536 malware attacks, 132–137
social engineering, 539–540 network attacks, 139–148
steps for, 533–534 password attacks, 154–156
user provisioning, 402 physical attacks, 138–139
management of
UTM (unified threat management), 223,
230 analysis, 316–317
application security, 309–311

V audits, 326
confirmation, 317
variables, environmental, 321
CVSS (Common Vulnerability
vein/blood vessel biometics, 390 Scoring System), 318–322
vendors environmental variables, 321
agreement types, 489–491 exploiting vulnerabilities, 315
assessment of, 486–488 exposure factors, 321
monitoring, 491–492 identification methods, 308
selection of, 488–489 industry/organizational impact,
version control, 36 321–322
vestibules, access control, 19 penetration testing, 314–315
prioritization, 317–318
video surveillance, 20
reporting, 326
650
vulnerabilities

rescanning, 325–326 3), 285–286, 288

responsible disclosure programs, wildcard certificates, 74
316 Windows permissions, 379–381
risk tolerance, 322
Wired Equivalent Privacy (WEP), 287
system or process audits, 316
wired networks, unsecured, 104
threat feeds, 311–314
wireless network attacks, 144–147
verification, 326
Bluetooth, 146
vulnerability classification, 320
NFC (near-field communication),
vulnerability databases, 312 146–147
vulnerability response and remedia- unsecured networks, 104
tion, 322–325
Wi-Fi, 144–146
vulnerability scans, 308–309
wireless security, 278–280, 285–289
misconfiguration, 126
WO (work order), 490
mobile devices, 127
work environments, hybrid/remote,
operating system-based vulnerabilities,
541–542
118–119
work order (WO), 490
response and remediation, 322–325
workstations, securing, 271–272
scanning for, 308–309, 334, 344, 421
supply chain, 123–125 worms, 134

virtualization, 121–122 WPA (Wi-Fi Protected Access), 287

web-based, 119–120 WPA2 (Wi-Fi Protected Access Version
2), 287–288
zero-day, 127–128
WPA3 (Wi-Fi Protected Access Version
vulnerable software, 103
3), 285–286, 288
Write permissions, 381
W
WAF (web application firewall), 222–223, X
229
X.509 certificates, 67–68
war, threat actors motivated by, 94
XACML (Extensible Access Control
warm sites, 250
Markup Language), 387–388
watering hole attacks, 110
XDR (extended detection and response),
web application firewall (WAF), 222–223, 372–373
229
XML injection, 149
web filters, 357–361
XSS (cross-site scripting), 120,
web-based vulnerabilities, 119–120 148–149
well-known ports, 171
WEP (Wired Equivalent Privacy), 287 Y-Z
Wi-Fi, 144–146, 284
Zero Trust architecture (ZTA), 15–18
Wi-Fi Enhanced Open, 286
Zero Trust network access (ZTNA), 228
WPA (Wi-Fi Protected Access), 287
zero-day vulnerability, 127–128
WPA2 (Wi-Fi Protected Access Version
2), 287–288 zones, security, 17, 213, 228
WPA3 (Wi-Fi Protected Access Version ZTE, 498