CISSP10DomainsOfNetworkSecurity


  • 8/3/2019 CISSP10DomainsOfNetworkSecurity

    1/5

http://www.techrepublic.com/article/build-your-skills-learn-these-10-security-domains-to-obtain-cissp-certification/1058299

Build Your Skills: Learn these 10 security domains to obtain CISSP certification
By Brien M. Posey MCSE

One of the hottest but most difficult-to-achieve IT certifications is the CISSP (Certified Information Systems Security Professional) certification. To obtain this certification, you must have three or more years of direct security professional experience, and you must pass a six-hour, 250-question exam covering the 10 security domains in the ISC2 common body of knowledge. Obviously, the CISSP exam isn't for everyone, but even if you aren't interested in earning your CISSP certification, it's worth looking at these 10 security domains.

In this Daily Drill Down, I'll explain the philosophy behind these domains and why it's important to have a basic understanding of them. I'll then briefly describe each of the 10 domains.

Security domains 101

If you're a Windows network administrator, you might assume that a security domain is the type of domain created within a Windows Server environment. However, this isn't the case. For the purposes of this Daily Drill Down, think of a security domain as just a particular category of security knowledge. ISC2 defines 10 security domains. These security domains are:

Access Control Systems and Methodology
Telecommunications and Network Security
Business Continuity Planning and Disaster Recovery Planning
Security Management Practices
Security Architecture and Models
Law, Investigation, and Ethics
Application and Systems Development Security
Cryptography
Computer Operations Security
Physical Security

Although all 10 of the ISC2 domains are related to computer security, not all of the domains refer to things that you can do directly to your network. For example, one of the security domains is Law, Investigation, and Ethics. Obviously, this particular security domain addresses some very important issues, but it has little to do with preventing an attack on your network. Other security domains, such as Cryptography, provide tools that you can use to immediately enhance your network's security.

As you can see, the security domains all cover different areas of security, but you're probably wondering what this has to do with defense in depth. The idea behind the 10 security domains is that you should treat each security domain as a completely independent entity. Furthermore, as you work on a particular security domain, you should pretend that the other security domains don't even exist and that the controls covered by the current security domain are your only line of defense.

So how is this useful? Suppose that a firewall was your network's only security mechanism. You'd make sure that the firewall was the best that it could be, because it would be your network's only line of defense.

The same idea applies to the security domains. If you work through the security domains one at a time, pretending that each is your only line of defense, you'll work extra hard to make sure that you take advantage of every security mechanism available through that domain. In doing so, you'll create an ultra-secure network consisting of 10 highly secure domains.

Likewise, because you're focusing on one domain at a time, if a failure or a security breach were to occur in one domain, the integrity of the other domains would be preserved, because the other domains were built completely independently and don't rely on the one that failed.

Of course, this all probably sounds rather abstract at the moment, but as I discuss the individual domains, you'll get a much better feel for your own organization's security needs.

Access Control Systems and Methodology

The first security domain, Access Control Systems and Methodology, is the very essence of computer security. This particular security domain deals with protecting critical system resources from unauthorized modification or disclosure while making those resources available to authorized personnel. On the surface, this particular security domain would appear to include access permissions, user names, and passwords. While these mechanisms are certainly a part of this domain, it includes other, less obvious security mechanisms as well.

While passwords and two-factor authentication are definitely included, so are other authentication solutions. For example, single sign-on (SSO) falls within this domain. Biometrics would also be included in the Access Control Systems and Methodology domain.

Telecommunications and Network Security

One of the largest and most encompassing of the security domains is the Telecommunications and Network Security domain. It's easy to think of passwords when you think of network security. However, remember that each domain is treated as independent of the other domains and that passwords are covered under the Access Control Systems and Methodology domain. Instead, the Telecommunications and Network Security domain focuses on communications, protocols, and network services, and the potential vulnerabilities associated with each.

While the security of communications protocols is certainly a big issue, there are other topics associated with this domain that you might not expect. One such topic is perimeter security. Perimeter security includes any form of access to your network from the outside world, whether it's by passing through a firewall, a remote access server, or a wireless access point. Of course, you can't really address perimeter security without also addressing extranet access control and Internet-based attacks. Therefore, these issues are also included in this domain.

Business Continuity Planning and Disaster Recovery Planning

The next security domain is Business Continuity Planning and Disaster Recovery Planning. The first time that I saw Business Continuity and Disaster Recovery on a list of security domains, it seemed rather strange to me. After all, security is supposed to be all about keeping out the bad guys, right? However, as I explained earlier, the 10 security domains are designed to address all issues associated with computer security, not just those issues pertaining to passwords, hackers, and the like.

The primary issues involved in this domain are those related to dealing effectively with catastrophic system failures, natural disasters, and other types of service interruptions. As an administrator, it's up to you to figure out which network-related services are critical to the survival of the organization. Once you've identified those critical services, you must figure out how to make them available after natural disasters like fires, floods, and earthquakes, and man-made disasters like terrorist attacks.

Planning for business continuity involves things like testing backup media, planning backup sites, developing off-site data storage facilities, and coming up with a place where your company can temporarily set up shop after a disaster.

You could say that business continuity planning and disaster-recovery security involve your organization's very survival, not just the security of its data. However, data security is an issue in this security domain as well. After all, each night you back up your most sensitive data to a tape or some other backup media. What's to keep someone from stealing that tape and restoring your data to another computer that isn't even a part of your network? As you can see, the security of your backups (physical control of the media, and encryption of what is written to it) is a consideration within this security domain.

Security Management Practices

The next security domain is Security Management Practices. This particular domain is one of my favorites because it's so often overlooked. The Security Management Practices domain has less to do with computers than with people.

The primary focus of this domain is security awareness. This means educating your IT staff and end users about security threats. Some examples of security education might be explaining to users how to deal with the latest e-mail virus or how to spot a social engineering attempt.

Another aspect of the Security Management Practices domain is risk assessment. Risk assessment means systematically identifying what could go wrong, how likely it is, and how much it would cost you, and then deciding what to do about each risk.

There's a people-oriented aspect to Security Management Practices as well. Remember that a well-organized security team operates much more efficiently during a potential security crisis than a security team in which no one knows who's supposed to be doing what and when.

Security Architecture and Models

The Security Architecture and Models domain covers the formal security models (the multilevel security models mentioned under Application and Systems Development Security are one example) and the system designs that enforce an organization's security policy. In practice that means having policies and procedures in place for just about every type of security issue that I've discussed here, and then choosing designs that implement them. Desktop security policies, data backup security issues, and antivirus planning would all be examples of the types of policies that you'd develop as a part of this security domain.

Law, Investigation, and Ethics

One of the more interesting security domains is Law, Investigation, and Ethics. As the name implies, this security domain covers the legal issues associated with computer security. For example, suppose that someone were to break into your network. In such a case, you'd need to know not only whom to report the crime to, but also the basics of network forensics, and you must know what constitutes an acceptable chain of custody for evidence that will hold up in court.

The Law, Investigation, and Ethics security domain addresses internal security practices as well. Among those areas of coverage are topics like employee surveillance and privacy laws.

Application and Systems Development Security

The Application and Systems Development Security domain covers things like database security models and the implementation of multilevel security for in-house applications. This domain also addresses some other very interesting issues.

The first issue that this domain takes into account is what happens when an application needs a different set of permissions than the user who's running the application. For example, if the application requires read, write, and execute permissions to a specific directory, and the end user has only read permissions to that directory, then the user has a problem. Traditionally, this problem has been solved through the use of service accounts, but even working with service accounts can pose security risks: a service account that holds broad permissions on behalf of every user is a single credential worth stealing, and any flaw in the application becomes a way for an ordinary user to exercise those permissions.

Another issue covered by this security domain is the integrity of the programming staff. How do you ensure that your programmers aren't embedding malicious code (spyware, back doors, and the like) in their applications? For example, you wouldn't want your programming staff adding code to a program that was designed to e-mail them your clients' credit card numbers. Usually, it's best to handle these types of integrity issues through employee background checks and policies and procedures, backed up by code review and separation of duties so that no single developer can put unreviewed code into production.

As you can see, there are no easy answers to the situations that I've presented in this section. However, the Application and Systems Development Security domain is designed to help you understand and defend yourself against these types of issues.

Cryptography

One of the most widely used security techniques today is cryptography, the encryption of data. The Cryptography security domain is designed to help you understand how and when to use encryption. This domain also covers the various types of encryption and the mathematics behind them. One of the more interesting issues addressed by this domain is key management in a PKI environment. After all, all of the encryption in the world won't do you any good if your encryption keys aren't secure.
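The stolen-backup-tape question raised under Business Continuity Planning and Disaster Recovery Planning and the key-management point made here come down to the same control: encrypt what goes onto the media, and keep the key somewhere the person who walks off with the tape can't reach. The block below is an added example written for this page, not code from the article or from ISC2. It seals a constructed backup image with AES-256-GCM from Go's standard library and then shows that the sealed image is useless without the key and that any tampering with it is detected. The function names (NewBackupKey, EncryptBackup, DecryptBackup) and the sample data are mine.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewBackupKey generates a fresh 256-bit key. In practice the key lives in a
// key-management system or HSM with its own recovery procedure, never on the
// same media as the backup it protects.
func NewBackupKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptBackup seals a backup image under key with AES-256-GCM. The returned
// bytes (nonce || ciphertext || tag) are what gets written to the tape; they
// contain everything a restore needs except the key.
func EncryptBackup(key, image []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per image: GCM is broken if a nonce repeats under one key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, image, nil), nil
}

// DecryptBackup recovers the image from a tape blob. With the wrong key, or
// with a modified blob, the GCM tag check fails and no plaintext is released.
func DecryptBackup(key, tape []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(tape) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("tape image too short to contain a nonce and tag")
	}
	nonce, sealed := tape[:gcm.NonceSize()], tape[gcm.NonceSize():]
	return gcm.Open(nil, nonce, sealed, nil)
}

func main() {
	// Constructed sample backup image; a real one would be a tar or database dump.
	image := []byte("constructed backup image: customer table, 3 rows, card numbers inside")

	key, err := NewBackupKey()
	if err != nil {
		panic(err)
	}
	tape, err := EncryptBackup(key, image)
	if err != nil {
		panic(err)
	}
	fmt.Printf("tape holds %d bytes of ciphertext plus nonce and tag\n", len(tape))

	if restored, err := DecryptBackup(key, tape); err == nil {
		fmt.Println("restore with the backup key:   ", string(restored))
	}
	stolen, _ := NewBackupKey() // whatever key the thief tries, it is not ours
	if _, err := DecryptBackup(stolen, tape); err != nil {
		fmt.Println("restore without the backup key:", err)
	}
	tape[len(tape)-1] ^= 0x01 // flip one bit of the tag
	if _, err := DecryptBackup(key, tape); err != nil {
		fmt.Println("restore of a tampered tape:    ", err)
	}
}
```

Two caveats a practitioner would add. First, the key must be stored and backed up separately from the tapes: a key that is lost along with the data centre defeats the disaster-recovery purpose, so it belongs in a key-management system or HSM that has its own, tested recovery procedure. Second, the random nonce is not optional; GCM loses both confidentiality and integrity if a nonce repeats under the same key, so a site writing very large numbers of images under one key should rotate the key rather than rely on luck.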


Computer Operations Security

The Computer Operations Security domain is one of those domains that are easy to define but tough to master. Computer operations security covers all of those things that happen while your computers are running. An example of this would be the damage that could occur from malicious JavaScript or other mobile code. Also included in this domain are any holes that could make it possible for an attacker to bring down any part of your network, as in a denial-of-service attack.

Physical Security

On occasion, I've heard physical security described as the three Gs: gates, guards, and guns. Physical security primarily addresses questions about physical access to your servers and workstations. For example, are the servers behind a locked door? Are there guards on duty? Is there any mechanism for logging whoever goes into the computer room?

It's easy to look at the topic of physical security and just dismiss it. After all, during all the years that I've worked in IT, I've seen only a few companies whose servers weren't behind a locked door. However, locks alone aren't the answer. The lesson here is to take a long, hard look at your organization's physical security and see if it's really up to par.

Safe and secure

Now that I've shown you the 10 security domains, you hopefully have a better understanding of how focusing on each one individually can help your organization achieve an overall higher level of security.

If you'd like more information on the various security domains, specifically how-to information, go to ISC2 (http://www.isc2.org/), the official Web site of the International Information Systems Security Certification Consortium. The Web site contains detailed information about the CISSP certification and the courses you can take to help you pass it.