John Wiley & Sons (ISC)2 SSCP Systems Security Certified Practitioner Official Study Guide Cover The only SSCP study guide officially approved by (ISC)² The (ISC)² Systems Security Certified Pract.. Product #: 978-1-119-54294-0 Regular price: $54.11 $54.11 In Stock

(ISC)2 SSCP Systems Security Certified Practitioner Official Study Guide

Wills, Mike


2. Edition June 2019
688 Pages, Softcover
Wiley & Sons Ltd

ISBN: 978-1-119-54294-0
John Wiley & Sons

Buy now

Price: 57,90 €

Price incl. VAT, excl. Shipping

Further versions


The only SSCP study guide officially approved by (ISC)²

The (ISC)² Systems Security Certified Practitioner (SSCP) certification is a well-known vendor-neutral global IT security certification. The SSCP is designed to show that holders have the technical skills to implement, monitor, and administer IT infrastructure using information security policies and procedures.

This comprehensive Official Study Guide--the only study guide officially approved by (ISC)²--covers all objectives of the seven SSCP domains.
* Access Controls
* Security Operations and Administration
* Risk Identification, Monitoring, and Analysis
* Incident Response and Recovery
* Cryptography
* Network and Communications Security
* Systems and Application Security

If you're an information security professional or student of cybersecurity looking to tackle one or more of the seven domains of the SSCP, this guide gets you prepared to pass the exam and enter the information security workforce with confidence.

Foreword xxi

Introduction xxiii

Self-Assessment xlv

Part I Getting Started as an SSCP 1

Chapter 1 The Business Case for Decision Assurance and Information Security 3

Information: The Lifeblood of Business 4

Data, Information, Knowledge, Wisdom... 5

Information Is Not Information Technology 8

Policy, Procedure, and Process: How Business Gets Business Done 10

Who Is the Business? 11

"What's Your Business Plan?" 12

Purpose, Intent, Goals, Objectives 13

Business Logic and Business Processes: Transforming Assets into Opportunity, Wealth, and Success 14

The Value Chain 15

Being Accountable 17

Who Runs the Business? 19

Owners and Investors 19

Boards of Directors 20

Managing or Executive Directors and the "C-Suite" 20

Layers of Function, Structure, Management, and Responsibility 21

Plans and Budgets, Policies, and Directives 22

Summary 23

Chapter 2 Information Security Fundamentals 25

The Common Needs for Privacy, Confidentiality, Integrity, and Availability 26

Privacy 26

Confidentiality 29

Integrity 30

Availability 31

Privacy vs. Security, or Privacy and Security? 32

CIA Needs of Individuals 34

Private Business's Need for CIA 35

Government's Need for CIA 36

The Modern Military's Need for CIA 36

Do Societies Need CIA? 36

Training and Educating Everybody 38

SSCPs and Professional Ethics 38

Summary 40

Exam Essentials 40

Review Questions 44

Part II Integrated Risk Management and Mitigation 51

Chapter 3 Integrated Information Risk Management 53

It's a Dangerous World 54

What Is Risk? 55

Risk: When Surprise Becomes Disruption 59

Information Security: Delivering Decision Assurance 60

"Common Sense" and Risk Management 63

The Four Faces of Risk 65

Outcomes-Based Risk 67

Process-Based Risk 67

Asset-Based Risk 68

Threat-Based (or Vulnerability-Based) Risk 69

Getting Integrated and Proactive with Information Defense 72

Trust, but Verify 76

Due Care and Due Diligence: Whose Jobs Are These? 76

Be Prepared: First, Set Priorities 77

Risk Management: Concepts and Frameworks 78

The SSCP and Risk Management 81

Plan, Do, Check, Act 82

Risk Assessment 84

Establish Consensus about Information Risk 84

Information Risk Impact Assessment 85

The Business Impact Analysis 92

From Assessments to Information Security Requirements 92

Four Choices for Limiting or Containing Damage 94

Deter 96

Detect 96

Prevent 97

Avoid 97

Summary 100

Exam Essentials 101

Review Questions 105

Chapter 4 Operationalizing Risk Mitigation 111

From Tactical Planning to Information Security Operations 112

Operationally Outthinking Your Adversaries 114

Getting Inside the Other Side's OODA Loop 116

Defeating the Kill Chain 117

Operationalizing Risk Mitigation: Step by Step 118

Step 1: Assess the Existing Architectures 119

Step 2: Assess Vulnerabilities and Threats 126

Step 3: Select Risk Treatment and Controls 135

Step 4: Implement Controls 141

Step 5: Authorize: Senior Leader Acceptance and Ownership 146

The Ongoing Job of Keeping Your Baseline Secure 146

Build and Maintain User Engagement with Risk Controls 147

Participate in Security Assessments 148

Manage the Architectures: Asset Management and Configuration Control 151

Ongoing, Continuous Monitoring 152

Exploiting What Monitoring and Event Data Is Telling You 155

Incident Investigation, Analysis, and Reporting 159

Reporting to and Engaging with Management 160

Summary 161

Exam Essentials 161

Review Questions 166

Part III The Technologies of Information Security 173

Chapter 5 Communications and Network Security 175

Trusting Our Communications in a Converged World 176

Introducing CIANA 179

Threat Modeling for Communications Systems 180

Internet Systems Concepts 181

Datagrams and Protocol Data Units 182

Handshakes 184

Packets and Encapsulation 185

Addressing, Routing, and Switching 187

Network Segmentation 188

URLs and the Web 188

Topologies 189

"Best Effort" and Trusting Designs 193

Two Protocol Stacks, One Internet 194

Complementary, Not Competing, Frameworks 194

Layer 1: The Physical Layer 198

Layer 2: The Data Link Layer 199

Layer 3: The Network Layer 201

Layer 4: The Transport Layer 202

Layer 5: The Session Layer 206

Layer 6: The Presentation Layer 207

Layer 7: The Application Layer 208

Cross-Layer Protocols and Services 209

IP and Security 210

Layers or Planes? 211

Software-Defined Networks 212

Virtual Private Networks 213

A Few Words about Wireless 214

IP Addresses, DHCP, and Subnets 217

IPv4 Address Classes 217

Subnetting in IPv4 219

IPv4 vs. IPv6: Key Differences and Options 221

CIANA Layer by Layer 223

CIANA at Layer 1: Physical 223

CIANA at Layer 2: Data Link 226

CIANA at Layer 3: Network 228

CIANA at Layer 4: Transport 229

CIANA at Layer 5: Session 230

CIANA at Layer 6: Presentation 231

CIANA at Layer 7: Application 232

Securing Networks as Systems 233

A SOC Is Not a NOC 234

Tools for the SOC and the NOC 235

Integrating Network and Security Management 236

Summary 238

Exam Essentials 238

Review Questions 243

Chapter 6 Identity and Access Control 249

Identity and Access: Two Sides of the Same CIANA Coin 250

Identity Management Concepts 251

Identity Provisioning and Management 252

Identity and AAA 254

Access Control Concepts 255

Subjects and Objects--Everywhere! 257

Data Classification and Access Control 258

Bell-LaPadula and Biba Models 260

Role-Based 263

Attribute-Based 263

Subject-Based 264

Object-Based 264

Mandatory vs. Discretionary Access Control 264

Network Access Control 265

IEEE 802.1X Concepts 267

RADIUS Authentication 268


Implementing and Scaling IAM 270

Choices for Access Control Implementations 271

"Built-in" Solutions? 273

Multifactor Authentication 274

Server-Based IAM 276

Integrated IAM systems 277

Zero Trust Architectures 281

Summary 282

Exam Essentials 283

Review Questions 290

Chapter 7 Cryptography 297

Cryptography: What and Why 298

Codes and Ciphers: Defining Our Terms 300

Cryptography, Cryptology, or...? 305

Building Blocks of Digital Cryptographic Systems 306

Cryptographic Algorithms 307

Cryptographic Keys 308

Hashing as One-Way Cryptography 310

A Race Against Time 313

"The Enemy Knows Your System" 314

Keys and Key Management 314

Key Storage and Protection 315

Key Revocation and Zeroization 315

Modern Cryptography: Beyond the "Secret Decoder Ring" 317

Symmetric Key Cryptography 317

Asymmetric Key (or Public Key) Cryptography 318

Hybrid Cryptosystems 318

Design and Use of Cryptosystems 319

Cryptanalysis (White Hat and Black Hat) 319

Cryptographic Primitives 320

Cryptographic Engineering 320

"Why Isn't All of This Stuff Secret?" 320

Cryptography and CIANA 322

Confidentiality 322

Authentication 323

Integrity 323

Nonrepudiation 324

"But I Didn't Get That Email..." 324

Availability 325

Public Key Infrastructures 327

Diffie-Hellman-Merkle Public Key Exchange 328

RSA Encryption and Key Exchange 331

ElGamal Encryption 331

Digital Signatures 332

Digital Certificates and Certificate Authorities 332

Hierarchies (or Webs) of Trust 333

Pretty Good Privacy 337

TLS 338


Symmetric Key Algorithms and PKI 341

PKI and Trust: A Recap 342

Other Protocols: Applying Cryptography to Meet Different Needs 344

IPSec 344

S/MIME 345

DKIM 345

Blockchain 346

Access Control Protocols 348

Measures of Merit for Cryptographic Solutions 348

Attacks and Countermeasures 349

Brute Force and Dictionary Attacks 350

Side Channel Attacks 350

Numeric (Algorithm or Key) Attacks 351

Traffic Analysis, "Op Intel," and Social Engineering Attacks 352

Massively Parallel Systems Attacks 353

Supply Chain Vulnerabilities 354

The "Sprinkle a Little Crypto Dust on It" Fallacy 354

Countermeasures 355

On the Near Horizon 357

Pervasive and Homomorphic Encryption 358

Quantum Cryptography and Post-Quantum Cryptography 358

AI, Machine Learning, and Cryptography 360

Summary 361

Exam Essentials 361

Review Questions 366

Chapter 8 Hardware and Systems Security 371

Infrastructure Security Is Baseline Management 372

It's About Access Control... 373

It's Also About Supply Chain Security 374

Do Clouds Have Boundaries? 375

Infrastructures 101 and Threat Modeling 376

Hardware Vulnerabilities 379

Firmware Vulnerabilities 380

Operating Systems Vulnerabilities 382

Virtual Machines and Vulnerabilities 385

Network Operating Systems 386

MDM, COPE, and BYOD 388


Malware: Exploiting the Infrastructure's Vulnerabilities 391

Countering the Malware Threat 394

Privacy and Secure Browsing 395

"The Sin of Aggregation" 397

Updating the Threat Model 398

Managing Your Systems' Security 399

Summary 399

Exam Essentials 400

Review Questions 407

Chapter 9 Applications, Data, and Cloud Security 413

It's a Data-Driven World...At the Endpoint 414

Software as Appliances 417

Applications Lifecycles and Security 420

The Software Development Lifecycle (SDLC) 421

Why Is (Most) Software So Insecure? 424

Hard to Design It Right, Easy to Fix It? 427

CIANA and Applications Software Requirements 428

Positive and Negative Models for Software Security 431

Is Blacklisting Dead? Or Dying? 432

Application Vulnerabilities 434

Vulnerabilities Across the Lifecycle 434

Human Failures and Frailties 436

"Shadow IT:" The Dilemma of the User as Builder 436

Data and Metadata as Procedural Knowledge 438

Information Quality and Information Assurance 440

Information Quality Lifecycle 441

Preventing (or Limiting) the "Garbage In" Problem 442

Protecting Data in Motion, in Use, and at Rest 443

Data Exfiltration I: The Traditional Threat 445

Detecting Unauthorized Data Acquisition 446

Preventing Data Loss 447

Into the Clouds: Endpoint App and Data Security Considerations 448

Cloud Deployment Models and Information Security 449

Cloud Service Models and Information Security 450

Clouds, Continuity, and Resiliency 452

Clouds and Threat Modeling 453

Cloud Security Methods 455

SLAs, TORs, and Penetration Testing 456

Data Exfiltration II: Hiding in the Clouds 456

Legal and Regulatory Issues 456

Countermeasures: Keeping Your Apps and Data Safe and Secure 458

Summary 459

Exam Essentials 460

Review Questions 470

Part IV People Power: What Makes or Breaks Information Security 477

Chapter 10 Incident Response and Recovery 479

Defeating the Kill Chain One Skirmish at a Time 480

Kill Chains: Reviewing the Basics 482

Events vs. Incidents 484

Incident Response Framework 485

Incident Response Team: Roles and Structures 487

Incident Response Priorities 490

Preparation 491

Preparation Planning 491

Put the Preparation Plan in Motion 493

Are You Prepared? 494

Detection and Analysis 497

Warning Signs 497

Initial Detection 499

Timeline Analysis 500

Notification 500

Prioritization 501

Containment and Eradication 502

Evidence Gathering, Preservation, and Use 504

Constant Monitoring 505

Recovery: Getting Back to Business 505

Data Recovery 506

Post-Recovery: Notification and Monitoring 508

Post-Incident Activities 508

Learning the Lessons 509

Support Ongoing Forensics Investigations 510

Information and Evidence Retention 511

Information Sharing with the Larger IT Security Community 511

Summary 512

Exam Essentials 512

Review Questions 518

Chapter 11 Business Continuity via Information Security and People Power 525

A Spectrum of Disruption 526

Surviving to Operate: Plan for It! 529

Cloud-Based "Do-Over" Buttons for Continuity, Security, and Resilience 531

CIANA at Layer 8 and Above 537

It Is a Dangerous World Out There 539

People Power for Secure Communications 541

POTS and VoIP Security 542

Summary 543

Exam Essentials 544

Review Questions 547

Chapter 12 Risks, Issues, and Opportunities, Starting Tomorrow 553

On Our Way to the Future 554

Access Control and Zero Trust 555

AI, ML, BI, and Trustworthiness 556

Quantum Communications, Computing, and Cryptography 557

Paradigm Shifts in Information Security? 558

Perception Management and Information Security 559

Widespread Lack of Useful Understanding of Core Technologies 560

IT Supply Chain Vulnerabilities 561

Government Overreactions 561


Enduring Lessons 563

You Cannot Legislate Security 563

It's About Managing Our Security and Our Systems 563

People Put It Together 564

Maintain Flexibility of Vision 565

Accountability--It's Personal. Make It So. 565

Stay Sharp 566

Your Next Steps 567

At the Close 568

Appendix Answers to Review Questions 569

Self-Assessment 570

Chapter 2: Information Security Fundamentals 576

Chapter 3: Integrated Information Risk Management 579

Chapter 4: Operationalizing Risk Mitigation 581

Chapter 5: Communications and Network Security 583

Chapter 6: Identity and Access Control 586

Chapter 7: Cryptography 589

Chapter 8: Hardware and Systems Security 592

Chapter 9: Applications, Data, and Cloud Security 594

Chapter 10: Incident Response and Recovery 597

Chapter 11: Business Continuity via Information Security and People Power 601

Index 605
Mike Wills, SSCP, CISSP, Assistant Professor and Program Chair of Applied Information Technologies in the College of Business at Embry-Riddle Aeronautical University's Worldwide Campus. Mike has been a pioneer in ethical hacking since his days as a phone phreak. His many years of cutting-edge experience in secure systems design, development, and operation have enriched the dozens of courses he's built and taught. He created ERAU's Master of Science in Information Security and Assurance degree program and leads the university's teaching and courseware development for the Microsoft Software & Systems Academy at ERAU's 13 US teaching sites.