R
Radio-Frequency Identification, See RFID
RADIUS (Remote Authentication Dial In User Service), 279, 318–319
RAD (Rapid Application Development), 442
RAID (Redundant Array of Inexpensive Disks), 348, 378–381
Random number generation, 126
Rapid Application Development, See RAD
RA (risk analysis), 58–68
quantitative and qualitative, 67
threats and vulnerabilities, 58–60
RATs (Remote Access Trojans), 72
RDP (Remote Desktop Protocol), 285
Readiness checklists,
Read-through, Disaster Recovery Plans, 418
Real evidence, concept, 25
Real-time Transport Protocol, See RTP
Reasonable searches, legality, 27–30
Reciprocal agreements, continuity of operations, 406–407
Reconstitution, disaster recovery, 393
Recovery controls, concepts, 56
Recovery phase, incident response management, 362
Recovery strategies, BCP/DRP development, 403–407
Reduced Instruction Set Computers, See RISC
Redundant Array of Inexpensive Disks, See RAID
Redundant network architecture, 267–268
Reference Monitor, 81, 128
Referential integrity, 452
Reformatting disks and remanence, 91
Register direct/indirect addressing, 123
Registered copyright, 33–34
Registered trademarks, 31–32
Registry, meterpreter dumps, 354–355
Regression testing, software, 337
Regulatory issues
important laws and regulations, 39–43
Reliability of utilities, 197
Remediation phase, incident response management, 362
Remote access
Content Distribution Networks, 287
desktop console access, 284
remote meeting technology, 286
Remote Authentication Dial In User Service, See RADIUS
Remote meeting technology, 286
Remote wipe capabilities, mobile devices, 286
Replacements for Halon, 209
Reporting phase, incident response management, 361–362
Representational State Transfer, See REST
Requirements Traceability Matrix, See RTM
Response phase
Responsible disclosure, software vulnerabilities, 466
REST (Representational State Transfer), 142
Restricted areas, escorts, 196
Restrictions, imports/exports, 38–39
Retaking the exam,
Retention
sensitive information, 84–85
Retests, examination,
Retina scans, implementation, 306–307
Reviews
logs, access control security, 333–335
RFID (Radio-Frequency Identification) cards/tags, 191, 262–263
RFI (Remote File Inclusion), 463
Rights
Ring model, system architecture, 117–118
RIP (Routing Information Protocol), 270–271
RISC (Reduced Instruction Set Computers), 122–123
outsourcing and offshoring, 54–55
quantitative and qualitative analysis, 67
security cornerstones, 12–19
ROI (Return on Investment), 63–64
Rollback plans, change management, 374
Rotation
Rotor machines, cryptography, 156–158
Routing Information Protocol, See RIP
RPCs (Remote Procedure Calls), 224
RPO (Recovery Point Objective), 401–402
RSN (Robust Security Networks), 802.11i, 262
RTM (Requirements Traceability Matrix), software testing, 336
RTO (Recovery Time Objective), 401, 402
RTP (Real-time Transport Protocol), VoIP, 258
Rule-based access control, 323
S
SaaS (Software as a Service), 132–133
Safeguards
OECD privacy guidelines, 37
Return on Investment, 63–64
Safe Harbor Agreement, 38
Salts, password security, 300
SAML (Security Association Markup Language), 312
SAM (Security Account Management) files, 296
Sanctions, accountability enforcement, 17
Sanitization, data destruction, 90–92
SAN (Storage Area Networks), 256–257
Sarbanes–Oxley Act of 2002, See SOX
SA (Security Association), 180
Savepoints, databases, 455
SB 1386 (California Senate Bill 1386), 40
SBU (Sensitive but Unclassified) object labeling, 82
Scenario questions,
SCI (Sensitive Compartmented Information), 82–83
Scoping
data security controls, 96
Screened host architecture, 275–276
Screened subnet architecture, 276
Screen scraping, remote access, 285
SDLC (Synchronous Data Link Control), 255–256
SDLC (Systems Development Life Cycle), 429, 443–447
SDN (software-defined networking), 258–259
SDSL (Symmetric Digital Subscriber Line), 283
Secret object labeling, 82
Sector by sector overwrites, SSDs, 90
Secure European System for Applications in a Multi-vendor Environment, See SESAME
Secure hardware architecture, 119–127
Secure Multipurpose Internet Mail Extensions, See S/MIME
Secure Real-time Transport Protocol, See SRTP
abstraction, design concepts, 117
baselines documentation, 51–52
confidentiality, integrity and availability, 12–15
cornerstone concepts, 12–19
disclosure, alteration and destruction, 13–14
EU–US Safe Harbor Agreement, 38
formal access approval, 83
guidelines documentation, 51, 52
import/export restrictions, 38–39
intellectual property, 31–36
the (ISC)²® Code of Ethics, 46–48
network devices and protocols, 263–277
outsourcing and offshoring, 54–55
standards documentation, 51, 52
tensions in provision, 14
Security assessment and testing, 329–345
exam objectives summary, 340
Security Association Markup Language, See SAML
accreditation, certification and evaluation, 113–116
International Common Criteria, 115–116
secure hardware architecture, 119–127
secure operating system and software architecture, 127–131
system vulnerabilities and threats, 136–146
Security Information and Event Management, See SIEM
Business Continuity Planning, 383–424
Executive Succession Planning, 411–412
failure and recovery metrics, 401–403
recovery strategy development, 403–407
failure and recovery metrics, 401–403
continuous monitoring, 367
Disaster Recovery Planning, 383–424
Executive Succession Planning, 411–412
failure and recovery metrics, 401–403
incident response management, 357–363
information and event management, 366–367
Intrusion Detection/Prevention systems, 363–366
preventive and detective controls, 363–371
privilege monitoring, 352
Security safeguards principles, OECD privacy guidelines, 37
Seizure of evidence, 27–30
Sensitive but Unclassified, See SBU
Sensitive Compartmented Information, See SCI
Sensitive information/data
exfiltration prevention, 193
retention and storage, 84–85
Sequential memory, properties, 87
Service Orientated Architecture, See SOA
Service providers
contractual security, 44–45
SESAME (Secure European System for Applications in a Multi-vendor Environment), 318
Session Initiation Protocol, See SIP
Session Layer (Layer 5), 224, 274
Session management
Setuid (set user ID) programs, 130–131
Shielding, Faraday Cages, 263
Shredding
Side-channel attacks, 175
Simple Integrity Axiom, 107
Simple Network Management Protocol, See SNMP
Simple Security Property, 104, 106
Simplex communication, 220
Simulation tests, Disaster Recovery Plans, 418
Single-interlock sprinkler systems, 211
SIP (Session Initiation Protocol), VoIP, 258
Site design
heat, smoke and flame detectors, 203–204
mantraps and turnstiles, 192
restricted areas and escorts, 196
walls, floors and ceilings, 194–195
Slack space, forensics, 354
SLE (Single Loss Expectancy), risk analysis, 62
SLIP (Serial Line Internet Protocol), VPN, 280–281
S/MIME (secure Multipurpose Internet Mail Extensions), 181
SMP (symmetric multiprocessing), 122
SMTP (Simple Mail Transfer Protocol), 222, 243
SNMP (Simple Network Management Protocol), 244–245
SOAP (Simple Object Access Protocol), 142
SOA (Service Orientated Architecture), 142
Social engineering
cryptographic attacks, 172
tailgating and piggybacking, 103, 192
Soda acid, fire suppression, 208
Software
acquired, security impact assessment, 468–469
artificial neural networks, 470–471
code repository security, 448
combinatorial testing, 338
compilers, interpreters & bytecode, 431
disclosure of vulnerabilities, 466
exam objectives summary, 473
fourth-generation languages, 433
integrated product teams, 447
Object-Orientated Analysis and Design, 461–462
privilege escalation, 465
Rapid Application Development, 442
top-down vs. bottom-up, 434
security assessment and testing, 335–340
source code and assemblers, 430–431
test coverage analysis, 339
thin client applications, 135
Software-defined networking, See SDN
Software standards, policies, 51
Something you are (type 3 Authentication), 304–308
Something you have (type 2 Authentication), 301–303
Something you know (type 1 Authentication), 294–301
SONET (Synchronous Optical Networking), 254
SOX (Sarbanes–Oxley Act of 2002), 40
SPAN (Switched Port Analyzer) ports, 266
Speed
fiber optic networks, 248
SPI (Security Parameter Index), 180
SQL (Structured Query Language), 451, 454
SRAM (Static Random Access Memory), 87, 88
SRTP (Secure Real-time Transport Protocol), 258
SSDs (Solid State Drives), 81, 89–90
SSID (Service Set Identifiers), 802.11, 261
SSL (Secure Sockets Layer), 179, 282
Federated Identity Management, 312
Standards
data security controls, 93–96
tailoring and scoping, 81
Star Integrity Axiom (* Integrity Axiom), 107–108
Star Security Property (* security Property), 106
Stateless autoconfiguration, IPv6, 231
Static build-up, environmental controls, 203
Static testing of software, 335–336
Statutory financial damages, 23
Storage
information protection, 84–85
sensitive information, 84
STP (shielded twisted pair) cabling, 201–202
Strength of cryptography, 147
Strong authentication, 295, 303
Strong tranquility property, 106
Structured walkthroughs, Disaster Recovery Plans, 418
Subjects
access control
Harrison–Ruzzo–Ullman model, 112
lattice-based access controls, 106–107
state machine models, 105
Take-Grant Protection Model, 110
Subscription services, continuity of operations, 407
Symmetric Digital Subscriber Line, See SDSL
Blowfish and Twofish, 168
stream and block ciphers, 160
tradeoffs with asymmetric methods, 169–170
Synchronous dynamic tokens, 302–303
Synthetic transactions, software testing, 336–337
System calls, ring model, 118
System hardening, IPv6 services, 232–233
System high mode of operation, 112
System integrity
System memory, cache, 87–88
System Owners, information security, 85–86
Systems
address space layout randomization, 126–127
Content Management Systems, 449–450
continuous monitoring, 367
hardware segmentation, 124
Highly Available clusters, 382, 416
secure hardware architecture, 119–127
secure operating system and software architecture, 127–131
vulnerabilities and threats, 136–146
web architecture vulnerabilities, 140–142
Systems Development Life Cycle, See SDLC
System units, architecture, 119
T
Tables, relational databases, 451–452
Tabletop exercises, Disaster Recovery Plans, 418
TACACS/TACACS+ (Terminal Access Controller Access Control System), 319
Tailoring data security controls, 96
Take-Grant Protection Model, 110
TAP (Test Access Ports), 236
Task-based access control, 323
TCO (Total Cost of Ownership), 51, 62–63
TCP/IP (Transmission Control Protocol/Internet Protocol) model, 219, 225–245
encapsulation and de-multiplexing, 226
Network Access Layer, 225, 227
unicast, multicast & broadcast traffic, 236–237
TCSEC (Trusted Computer System Evaluation Criteria), 104, 113–115
TD (Top-Down) programming, 434
Team activation, disaster recovery, 393
Team building, BCP/DRP development, 397–398
Technical controls
Telecommunications management, 404–405
Templates for biometrics, 304
Temporal Key Integrity Protocol, See TKIP
Ten Commandments of Computer Ethics, 48
Tensions, security management, 14
Termination of employees, 53
Test coverage analysis, software, 339
Testing
TFTP (Trivial File Transfer Protocol), 243
TGS (Ticket Granting Service), KERBEROS, 315–318
TGT (Ticket Granting Ticket), KERBEROS, 315–318
Third parties
access control assessments, 333
software security impact assessment, 468–469
Threats
Three pass method, examinations,
Throughput, biometrics, 305
TIFF (Tagged Image File Format), 224
Time-based synchronous dynamic tokens, 302–303
Time Exceed messages, 241
TKIP (Temporal Key Integrity Protocol), 262
TNI (Trusted Network Interpretation), 114
TOCTOU (Time of Check/Time of Use) attacks, 464–465
Topography and site selection, 196–197
Top Secret object labeling, 82
TPM (trusted platform modules), 126
TP (transformation procedure), Clark–Wilson, 108
Trans-border flows of data, 38, 39
Transformation procedure, See TP
Transmission Control Protocol, See TCP
Transmission Control Protocol/Internet Protocol, See TCP/IP
Transparent virtualization, 131
Transportation of media, 97–98
Transport Layer
Transposition, cryptography, 147
Tree architecture, LANs, 251
TRIM command, SSDs, 89–90
Trivial File Transfer Protocol, See TFTP
Trojan horse programs, 72, 138
True negative/positive events, intrusion detection, 363–364
Trusted Computer System Evaluation Criteria, See TCSEC
Trusted Network Interpretation, See TNI
Trustworthiness and clearance, 83
TRW-SPS (TRW Software Productivity System), 442
TTL (Time to Live) fields, traceroute, 241
Tunneling
Tuples, relational databases, 451
Two pass method, examinations, 8–9
Type 1 Authentication (something you know), 294–301
Type 2 Authentication (something you have), 301–303
Type 3 Authentication (something you are), 304–308
Type I errors, biometrics, 305
Type II errors, biometrics, 305
Typosquatting, concepts, 35–36
U
UDI (unconstrained data items), 108
Ultrasonic motion detectors, 193
Unallocated space, forensics, 353
Uninterruptible Power Supplies, See UPSs
Unit testing, software, 337
UNIX
file authorizations, 16–17
Unlicensed bands, wireless communications, 259
Unmodified Waterfall Model, 436–438
Unregistered trademarks, 31–32
Unshielded twisted pair cabling, See UTP
USB (Universal Serial Bus) port controls, 199–200
U.S. Department of Defense, See DoD
Use limitation principles, OECD privacy guidelines, 37
Users
US (United States)
breach notification laws, 43
EU–US Safe Harbor Agreement, 38
security laws and regulations, 39–43
Sensitive Compartmented Information, 82–83
Utilities management, 197, 405
V
VDSL (Very High Rate Digital Subscriber Line), 283
Vendors
Version control, BCP/DRP policies, 421
Very High Rate Digital Subscriber Line, See VDSL
Violations of policy, disciplinary processes, 17, 53
Virtual guests, hypervisor mode, 118
Virtual SANs (virtual Storage Area Networks), 257
Vital records storage, 411
VMEscape (virtualization escape), 132
VNC (Virtual Network Computing), 285
Vulnerabilities
site design and configuration, 197–199
Vulnerability scanning, 332, 373
W
Waiting times, retaking the exam,
Walkthrough, Disaster Recovery Plans, 418
Walkthrough drills, Disaster Recovery Plans, 418
WAP (Wireless Application Protocol), 286–287
Wassenaar Arrangement, 39, 160
Watchdog timers, CPUs, 122
Waterfall Model, software development, 429, 436–439
WDM (Wavelength Division Multiplexing), 248
Weak tranquility property, 106
Web Services Description Language, See WSDL
Web of trust model, PGP, 181
Well-Formed Transactions, 108
WEP (Wired Equivalency Protocol), 261
Wet chemicals, fire suppression, 208
Wet pipe sprinkler systems, 210
White box software testing, 336
Whitelisting applications, 369
Windows
Active Directory Domains, 320
Object Request Brokers, 460
Wired Equivalency Protocol, See WEP
Wireless Application Protocol, See WAP
Wireless Transport Layer Security, See WTLS
Wiring closet security, 198
WML (Wireless Markup Language), 287
WORM (Write Once Read Many) media, 92, 126
WPA2 (Wi-Fi Protected Access 2), 262
WRT (Work Recovery Time), 401, 402
WSDL (Web Services Description Language), 142
WTLS (Wireless Transport Layer Security), 286
X
XML (Extensible Markup Language), 142
XP (Extreme Programming), 429, 441
XSRF (Cross-Site Request Forgery), 465
XSS (Cross-Site Scripting), 465
Z
Zero day vulnerabilities and exploits, 373, 466
Zero-knowledge tests, penetration testing, 330