CAS-003 CompTIA Advanced Security Practitioner+ (CASP+) Exam

Description

The CAS-003 CompTIA Advanced Security Practitioner+ (CASP+) Exam verifies that candidates have advanced knowledge and skills in information security, and in particular the knowledge required to:

  • Conceptualize, integrate and implement comprehensive security solutions in complex environments
  • Make critical decisions and judgments across a broad spectrum of security disciplines in order to propose and implement sustainable security solutions that align with organizational strategy
  • Translate business needs into security requirements
  • Analyze risk impact
  • Respond appropriately to security incidents
  • Extend security control points to mobile and IoT devices, as well as to potential software vulnerabilities
  • Integrate cloud and virtualization technologies into a secure enterprise architecture
  • Implement cryptographic techniques: blockchain, cryptocurrency and mobile device encryption

Exam format:

The exam is available in English.

Maximum exam duration: 165 minutes

Question types: multiple choice and performance-based tasks (https://certification.comptia.org/it-career-news/post/view/2012/10/09/what-is-a-performance-based-question-)

Maximum number of questions: 90

Where

The exam is taken at Pearson VUE test centers.

Requirements

A passing result. The exam is graded PASS/FAIL; there is no numeric score.

Price

439 USD

Exam objectives

List of knowledge domains and their percentage share of the questions on the CAS-003 CompTIA Advanced Security Practitioner+ (CASP+) Exam

Risk Management – 19%

Summarize business and industry influences and associated security risks.

  • Risk management of new products, new technologies and user behaviors
  • New or changing business models/strategies
    • Partnerships
    • Outsourcing
    • Cloud
    • Acquisition/merger – divestiture/demerger
      • Data ownership
      • Data reclassification
  • Security concerns of integrating diverse industries
    • Rules
    • Policies
    • Regulations
      • Export controls
      • Legal requirements
    • Geography
      • Data sovereignty
      • Jurisdictions
  • Internal and external influences
    • Competitors
    • Auditors/audit findings
    • Regulatory entities
    • Internal and external client requirements
    • Top-level management
  • Impact of de-perimeterization (e.g., constantly changing network boundary)
    • Telecommuting
    • Cloud
    • Mobile
    • BYOD
    • Outsourcing
    • Ensuring third-party providers have requisite levels of information security

Compare and contrast security, privacy policies and procedures based on organizational requirements.

  • Policy and process life cycle management
    • New business
    • New technologies
    • Environmental changes
    • Regulatory requirements
    • Emerging risks
  • Support legal compliance and advocacy by partnering with human resources, legal, management and other entities
  • Understand common business documents to support security
    • Risk assessment (RA)
    • Business impact analysis (BIA)
    • Interoperability agreement (IA)
    • Interconnection security agreement (ISA)
    • Memorandum of understanding (MOU)
    • Service-level agreement (SLA)
    • Operating-level agreement (OLA)
    • Non-disclosure agreement (NDA)
    • Business partnership agreement (BPA)
    • Master service agreement (MSA)
  • Research security requirements for contracts
    • Request for proposal (RFP)
    • Request for quote (RFQ)
    • Request for information (RFI)
  • Understand general privacy principles for sensitive information
  • Support the development of policies containing standard security practices
    • Separation of duties
    • Job rotation
    • Mandatory vacation
    • Least privilege
    • Incident response
    • Forensic tasks
    • Employment and termination procedures
    • Continuous monitoring
    • Training and awareness for users
    • Auditing requirements and frequency
    • Information classification

Given a scenario, execute risk mitigation strategies and controls.

  • Categorize data types by impact levels based on CIA
  • Incorporate stakeholder input into CIA impact-level decisions
  • Determine minimum-required security controls based on aggregate score
  • Select and implement controls based on CIA requirements and organizational policies
  • Extreme scenario planning/worst-case scenario
  • Conduct system-specific risk analysis
  • Make risk determination based upon known metrics
    • Magnitude of impact based on ALE and SLE
    • Likelihood of threat
      • Motivation
      • Source
      • ARO
      • Trend analysis
    • Return on investment (ROI)
    • Total cost of ownership
  • Translate technical risks in business terms
  • Recommend which strategy should be applied based on risk appetite
    • Avoid
    • Transfer
    • Mitigate
    • Accept
  • Risk management processes
    • Exemptions
    • Deterrence
    • Inherent
    • Residual
  • Continuous improvement/monitoring
  • Business continuity planning
    • RTO
    • RPO
    • MTTR
    • MTBF
  • IT governance
    • Adherence to risk management frameworks
  • Enterprise resilience

Analyze risk metric scenarios to secure the enterprise.

  • Review effectiveness of existing security controls
    • Gap analysis
    • Lessons learned
    • After-action reports
  • Reverse engineer/deconstruct existing solutions
  • Creation, collection and analysis of metrics
    • KPIs
    • KRIs
  • Prototype and test multiple solutions
  • Create benchmarks and compare to baselines
  • Analyze and interpret trend data to anticipate cyber defense needs
  • Analyze security solution metrics and attributes to ensure they meet business needs
    • Performance
    • Latency
    • Scalability
    • Capability
    • Usability
    • Maintainability
    • Availability
    • Recoverability
    • ROI
    • TCO
  • Use judgment to solve problems where the most secure solution is not feasible

Enterprise Security Architecture – 25%

Analyze a scenario and integrate network and security components, concepts and architectures to meet security requirements.

  • Physical and virtual network and security devices
    • UTM
    • IDS/IPS
    • NIDS/NIPS
    • INE
    • NAC
    • SIEM
    • Switch
    • Firewall
    • Wireless controller
    • Router
    • Proxy
    • Load balancer
    • HSM
    • MicroSD HSM
  • Application and protocol-aware technologies
    • WAF
    • Firewall
    • Passive vulnerability scanners
    • DAM
  • Advanced network design (wired/wireless)
    • Remote access
    • VPN
      • IPSec
      • SSL/TLS
    • SSH
    • RDP
    • VNC
    • VDI
    • Reverse proxy
    • IPv4 and IPv6 transitional technologies
    • Network authentication methods
    • 802.1x
    • Mesh networks
    • Placement of fixed/mobile devices
    • Placement of hardware and applications
  • Complex network security solutions for data flow
    • DLP
    • Deep packet inspection
    • Data flow enforcement
    • Network flow (S/flow)
    • Data flow diagram
  • Secure configuration and baselining of networking and security components
  • Software-defined networking
  • Network management and monitoring tools
    • Alert definitions and rule writing
    • Tuning alert thresholds
    • Alert fatigue
  • Advanced configuration of routers, switches and other network devices
    • Transport security
    • Trunking security
    • Port security
    • Route protection
    • DDoS protection
    • Remotely triggered black hole
  • Security zones
    • DMZ
    • Separation of critical assets
    • Network segmentation
  • Network access control
    • Quarantine/remediation
    • Persistent/volatile or non-persistent agent
    • Agent vs. agentless
  • Network-enabled devices
    • System on a chip (SoC)
    • Building/home automation systems
    • IP video
    • HVAC controllers
    • Sensors
    • Physical access control systems
    • A/V systems
    • Scientific/industrial equipment
  • Critical infrastructure
    • Supervisory control and data acquisition (SCADA)
    • Industrial control systems (ICS)

Analyze a scenario to integrate security controls for host devices to meet security requirements.

  • Trusted OS (e.g., how and when to use it)
    • SELinux
    • SEAndroid
    • TrustedSolaris
    • Least functionality
  • Endpoint security software
    • Anti-malware
    • Antivirus
    • Anti-spyware
    • Spam filters
    • Patch management
    • HIPS/HIDS
    • Data loss prevention
    • Host-based firewalls
    • Log monitoring
    • Endpoint detection response
  • Host hardening
    • Standard operating environment/configuration baselining
      • Application whitelisting and blacklisting
    • Security/group policy implementation
    • Command shell restrictions
    • Patch management
      • Manual
      • Automated
        • Scripting and replication
    • Configuring dedicated interfaces
      • Out-of-band management
      • ACLs
      • Management interface
      • Data interface
    • External I/O restrictions
      • USB
      • Wireless
        • Bluetooth
        • NFC
        • IrDA
        • RF
        • 802.11
        • RFID
      • Drive mounting
      • Drive mapping
      • Webcam
      • Recording mic
      • Audio output
      • SD port
      • HDMI port
    • File and disk encryption
    • Firmware updates
  • Boot loader protections
    • Secure boot
    • Measured launch
    • Integrity measurement architecture
    • BIOS/UEFI
    • Attestation services
    • TPM
  • Vulnerabilities associated with hardware
  • Terminal services/application delivery services

Analyze a scenario to integrate security controls for mobile and small form factor devices to meet security requirements.

  • Enterprise mobility management
    • Containerization
    • Configuration profiles and payloads
    • Personally owned, corporate-enabled
    • Application wrapping
    • Remote assistance access
      • VNC
      • Screen mirroring
    • Application, content and data management
    • Over-the-air updates (software/firmware)
    • Remote wiping
    • SCEP
    • BYOD
    • COPE
    • VPN
    • Application permissions
    • Side loading
    • Unsigned apps/system apps
    • Context-aware management
      • Geolocation/geofencing
      • User behavior
      • Security restrictions
      • Time-based restrictions
  • Security implications/privacy concerns
    • Data storage
      • Non-removable storage
      • Removable storage
      • Cloud storage
      • Transfer/backup data to uncontrolled storage
      • USB OTG
    • Device loss/theft
    • Hardware anti-tamper
      • eFuse
    • TPM
    • Rooting/jailbreaking
    • Push notification services
    • Geotagging
    • Encrypted instant messaging apps
    • Tokenization
    • OEM/carrier Android fragmentation
    • Mobile payment
      • NFC-enabled
      • Inductance-enabled
      • Mobile wallet
        • Peripheral-enabled payments (credit card reader)
    • Tethering
      • USB
      • Spectrum management
      • Bluetooth 3.0 vs. 4.1
    • Authentication
      • Swipe pattern
      • Gesture
      • Pin code
      • Biometric
        • Facial
        • Fingerprint
        • Iris scan
    • Malware
    • Unauthorized domain bridging
    • Baseband radio/SOC
    • Augmented reality
    • SMS/MMS/messaging
  • Wearable technology
    • Devices
      • Cameras
      • Watches
      • Fitness devices
      • Glasses
      • Medical sensors/devices
      • Headsets
    • Security implications
      • Unauthorized remote activation/deactivation of devices or features
      • Encrypted and unencrypted communication concerns
      • Physical reconnaissance
      • Personal data theft
      • Health privacy
      • Digital forensics of collected data

Given software vulnerability scenarios, select appropriate security controls.

  • Application security design considerations
    • Secure: by design, by default, by deployment
  • Specific application issues
    • Unsecure direct object references
    • XSS
    • Cross-site request forgery (CSRF)
    • Click-jacking
    • Session management
    • Input validation
    • SQL injection
    • Improper error and exception handling
    • Privilege escalation
    • Improper storage of sensitive data
    • Fuzzing/fault injection
    • Secure cookie storage and transmission
    • Buffer overflow
    • Memory leaks
    • Integer overflows
    • Race conditions
      • Time of check
      • Time of use
    • Resource exhaustion
    • Geotagging
    • Data remnants
    • Use of third-party libraries
    • Code reuse
  • Application sandboxing
  • Secure encrypted enclaves
  • Database activity monitor
  • Web application firewalls
  • Client-side processing vs. server-side processing
    • JSON/REST
    • Browser extensions
      • ActiveX
      • Java applets
    • HTML5
    • AJAX
    • SOAP
    • State management
    • JavaScript
  • Operating system vulnerabilities
  • Firmware vulnerabilities

Enterprise Security Operations – 20%

Given a scenario, conduct a security assessment using the appropriate methods.

  • Methods
    • Malware sandboxing
    • Memory dumping, runtime debugging
    • Reconnaissance
    • Fingerprinting
    • Code review
    • Social engineering
    • Pivoting
    • Open source intelligence
      • Social media
      • Whois
      • Routing tables
      • DNS records
      • Search engines
  • Types
    • Penetration testing
      • Black box
      • White box
      • Gray box
    • Vulnerability assessment
    • Self-assessment
      • Tabletop exercises
    • Internal and external audits
    • Color team exercises
      • Red team
      • Blue team
      • White team

Analyze a scenario or output, and select the appropriate tool for a security assessment.

  • Network tool types
    • Port scanners
    • Vulnerability scanners
    • Protocol analyzer
      • Wired
      • Wireless
    • SCAP scanner
    • Network enumerator
    • Fuzzer
    • HTTP interceptor
    • Exploitation tools/frameworks
    • Visualization tools
    • Log reduction and analysis tools
  • Host tool types
    • Password cracker
    • Vulnerability scanner
    • Command line tools
    • Local exploitation tools/frameworks
    • SCAP tool
    • File integrity monitoring
    • Log analysis tools
    • Antivirus
    • Reverse engineering tools
  • Physical security tools
    • Lock picks
    • RFID tools
    • IR camera

Given a scenario, implement incident response and recovery procedures.

  • E-discovery
    • Electronic inventory and asset control
    • Data retention policies
    • Data recovery and storage
    • Data ownership
    • Data handling
    • Legal holds
  • Data breach
    • Detection and collection
      • Data analytics
    • Mitigation
      • Minimize
      • Isolate
    • Recovery/reconstitution
    • Response
    • Disclosure
  • Facilitate incident detection and response
    • Hunt teaming
    • Heuristics/behavioral analytics
    • Establish and review system, audit and security logs
  • Incident and emergency response
    • Chain of custody
    • Forensic analysis of compromised system
    • Continuity of operations
    • Disaster recovery
    • Incident response team
    • Order of volatility
  • Incident response support tools
    • dd
    • tcpdump
    • nbtstat
    • netstat
    • nc (Netcat)
    • memdump
    • tshark
    • foremost
  • Severity of incident or breach
    • Scope
    • Impact
    • Cost
    • Downtime
    • Legal ramifications
  • Post-incident response
    • Root-cause analysis
    • Lessons learned
    • After-action report

Technical Integration of Enterprise Security – 23%

Given a scenario, integrate hosts, storage, networks and applications into a secure enterprise architecture.

  • Adapt data flow security to meet changing business needs
  • Standards
    • Open standards
    • Adherence to standards
    • Competing standards
    • Lack of standards
    • De facto standards
  • Interoperability issues
    • Legacy systems and software/current systems
    • Application requirements
    • Software types
      • In-house developed
      • Commercial
      • Tailored commercial
      • Open source
    • Standard data formats
    • Protocols and APIs
  • Resilience issues
    • Use of heterogeneous components
    • Course of action automation/orchestration
    • Distribution of critical assets
    • Persistence and nonpersistence of data
    • Redundancy/high availability
    • Assumed likelihood of attack
  • Data security considerations
    • Data remnants
    • Data aggregation
    • Data isolation
    • Data ownership
    • Data sovereignty
    • Data volume
  • Resources provisioning and deprovisioning
    • Users
    • Servers
    • Virtual devices
    • Applications
    • Data remnants
  • Design considerations during mergers, acquisitions and demergers/divestitures
  • Network secure segmentation and delegation
  • Logical deployment diagram and corresponding physical deployment diagram of all relevant devices
  • Security and privacy considerations of storage integration
  • Security implications of integrating enterprise applications
    • CRM
    • ERP
    • CMDB
    • CMS
    • Integration enablers
      • Directory services
      • DNS
      • SOA
      • ESB

Given a scenario, integrate cloud and virtualization technologies into a secure enterprise architecture.

  • Technical deployment models (outsourcing/insourcing/managed services/partnership)
    • Cloud and virtualization considerations and hosting options
      • Public
      • Private
      • Hybrid
      • Community
      • Multi-tenancy
      • Single tenancy
    • On-premise vs. hosted
    • Cloud service models
      • SaaS
      • IaaS
      • PaaS
  • Security advantages and disadvantages of virtualization
    • Type 1 vs. Type 2 hypervisors
    • Container-based
    • vTPM
    • Hyperconverged infrastructure
    • Virtual desktop infrastructure
    • Secure enclaves and volumes
  • Cloud augmented security services
    • Anti-malware
    • Vulnerability scanning
    • Sandboxing
    • Content filtering
    • Cloud security broker
    • Security as a service
    • Managed security service providers
  • Vulnerabilities associated with comingling of hosts with different security requirements
    • VMEscape
    • Privilege elevation
    • Live VM migration
    • Data remnants
  • Data security considerations
    • Vulnerabilities associated with a single server hosting multiple data types
    • Vulnerabilities associated with a single platform hosting multiple data types/owners on multiple virtual machines
  • Resources provisioning and deprovisioning
    • Virtual devices
    • Data remnants

Given a scenario, integrate and troubleshoot advanced authentication and authorization technologies to support enterprise security objectives.

  • Authentication
    • Certificate-based authentication
    • Single sign-on
    • 802.1x
    • Context-aware authentication
    • Push-based authentication
  • Authorization
    • OAuth
    • XACML
    • SPML
  • Attestation
  • Identity proofing
  • Identity propagation
  • Federation
    • SAML
    • OpenID
    • Shibboleth
    • WAYF
  • Trust models
    • RADIUS configurations
    • LDAP
    • AD

Given a scenario, implement cryptographic techniques.

  • Techniques
    • Key stretching
    • Hashing
    • Digital signature
    • Message authentication
    • Code signing
    • Pseudo-random number generation
    • Perfect forward secrecy
    • Data-in-transit encryption
    • Data-in-memory/processing
    • Data-at-rest encryption
      • Disk
      • Block
      • File
      • Record
    • Steganography
  • Implementations
    • Crypto modules
    • Crypto processors
    • Cryptographic service providers
    • DRM
    • Watermarking
    • GPG
    • SSL/TLS
    • SSH
    • S/MIME
    • Cryptographic applications and proper/improper implementations
      • Strength
      • Performance
      • Feasibility to implement
      • Interoperability
    • Stream vs. block
    • PKI
      • Wild card
      • OCSP vs. CRL
      • Issuance to entities
      • Key escrow
      • Certificate
      • Tokens
      • Stapling
      • Pinning
    • Cryptocurrency/blockchain
    • Mobile device encryption considerations
    • Elliptic curve cryptography
      • P-256 vs. P-384 vs. P-521

Given a scenario, select the appropriate control to secure communications and collaboration solutions.

  • Remote access
    • Resource and services
    • Desktop and application sharing
    • Remote assistance
  • Unified collaboration tools
    • Conferencing
      • Web
      • Video
      • Audio
    • Storage and document collaboration tools
    • Unified communication
    • Instant messaging
    • Presence
    • Email
    • Telephony and VoIP integration
    • Collaboration sites
      • Social media
      • Cloud-based

Research, Development and Collaboration – 13%

Given a scenario, apply research methods to determine industry trends and their impact to the enterprise.

  • Perform ongoing research
    • Best practices
    • New technologies, security systems and services
    • Technology evolution (e.g., RFCs, ISO)
  • Threat intelligence
    • Latest attacks
    • Knowledge of current vulnerabilities and threats
    • Zero-day mitigation controls and remediation
    • Threat model
  • Research security implications of emerging business tools
    • Evolving social media platforms
    • Integration within the business
    • Big Data
    • AI/machine learning
  • Global IA industry/community
    • Computer emergency response team (CERT)
    • Conventions/conferences
    • Research consultants/vendors
    • Threat actor activities
    • Emerging threat sources

Given a scenario, implement security activities across the technology life cycle.

  • Systems development life cycle
    • Requirements
    • Acquisition
    • Test and evaluation
    • Commissioning/decommissioning
    • Operational activities
      • Monitoring
      • Maintenance
      • Configuration and change management
    • Asset disposal
    • Asset/object reuse
  • Software development life cycle
    • Application security frameworks
    • Software assurance
      • Standard libraries
      • Industry-accepted approaches
      • Web services security (WS-security)
      • Forbidden coding techniques
      • NX/XN bit use
      • ASLR use
      • Code quality
      • Code analyzers
        • Fuzzer
        • Static
        • Dynamic
    • Development approaches
      • DevOps
      • Security implications of agile, waterfall and spiral software development methodologies
      • Continuous integration
      • Versioning
    • Secure coding standards
    • Documentation
      • Security requirements traceability matrix (SRTM)
      • Requirements definition
      • System design document
      • Testing plans
    • Validation and acceptance testing
      • Regression
      • User acceptance testing
      • Unit testing
      • Integration testing
      • Peer review
  • Adapt solutions to address:
    • Emerging threats
    • Disruptive technologies
    • Security trends
  • Asset management (inventory control)

Explain the importance of interaction across diverse business units to achieve security goals.

  • Interpreting security requirements and goals to communicate with stakeholders from other disciplines
    • Sales staff
    • Programmer
    • Database administrator
    • Network administrator
    • Management/executive management
    • Financial
    • Human resources
    • Emergency response team
    • Facilities manager
    • Physical security manager
    • Legal counsel
  • Provide objective guidance and impartial recommendations to staff and senior management on security processes and controls
  • Establish effective collaboration within teams to implement secure solutions
  • Governance, risk and compliance committee

Additional information

How to prepare:

Before taking the CAS-003 CompTIA Advanced Security Practitioner+ (CASP+) Exam, it is recommended to already hold the CompTIA Network+, Security+ and CySA+/PenTest+ certifications (or equivalent knowledge) and to have at least 10 years of experience in an IT systems administration role, including at least 5 years of hands-on experience in an information security role.

Suggested

As with all CompTIA exams and certifications, attending an authorized training course is not required; it is only a suggested step.

Attending the following classroom training:

CompTIA CASP Prep Course

or, alternatively, self-paced online training from the CompTIA CertMaster series: https://certification.comptia.org/training/certmaster

Highly recommended

Making sure that you know all of the exam objectives listed above very well, both in theory and in practice.

In addition to the exam objectives published on our site, the current list of objectives is always available here: https://certification.comptia.org/training/exam-objectives

Additional resources to help you prepare for the CASP+ exam