8/3/2019 CISSP10DomainsOfNetworkSecurity
http://www.techrepublic.com/article/build-your-skills-learn-these-10-security-domains-to-obtain-cissp-certification/1058299
Build Your Skills: Learn these 10 security domains to obtain CISSP certification
By Brien M. Posey, MCSE
One of the hottest but most difficult-to-achieve IT certifications is the CISSP (Certification for
Information System Security Professional) certification. To obtain this certification, you must
have three or more years of direct security professional experience, and you must pass a six-hour,
250-question exam covering the 10 security domains in the ISC2 common body of knowledge.
Obviously, the CISSP exam isn't for everyone, but even if you aren't interested in earning your
CISSP certification, it's worth looking at these 10 security domains.
In this Daily Drill Down, I'll explain the philosophy behind these domains and why it's
important to have a basic understanding of them. I'll then briefly describe each of the 10 domains.
Security domains 101
If you're a Windows network administrator, you might assume that a security domain is the type of
domain created within a Windows Server environment. However, this isn't the case. For the
purposes of this Daily Drill Down, think of a security domain as just a particular category of
security knowledge. ISC2 includes 10 security domains. These security domains are:
Access Control Systems and Methodology
Telecommunications and Network Security
Business Continuity Planning and Disaster Recovery Planning
Security Management Practices
Security Architecture and Models
Law, Investigation, and Ethics
Application and Systems Development Security
Cryptography
Computer Operations Security
Physical Security
Although all 10 of the ISC2 domains are related to computer security, not all of the domains
refer to things that you can do directly to your network. For example, one of the security
domains is Law, Investigation, and Ethics. Obviously, this particular security domain addresses
some very important issues, but it has little to do with preventing an attack on your network.
Other security domains, such as Cryptography, provide tools that you can use to immediately
enhance your network's security.
As you can see, the security domains all cover different areas of security, but you're probably
wondering what this has to do with security in depth. The idea behind the 10 security domains is
that you should treat each security domain as a completely independent entity. Furthermore, as
you work on a particular security domain, you should pretend that the other security domains
don't even exist and that the aspects covered by the current security domain are your only line of
defense.
So how is this useful? Suppose that a firewall was your network's only security mechanism.
You'd make sure that the firewall was the best that it could be, because it would be your
network's only line of defense.
The same idea applies to the security domains. If you work through the security domains one at a
time, pretending that each is your only line of defense, you'll work extra hard to make sure that
you take advantage of every security mechanism available through that domain. In doing so,
you'll create an ultra-secure network consisting of 10 highly secure domains.
Likewise, because you're focusing on one domain at a time, if a failure or a security breach were
to occur in one domain, the integrity of the other domains would be preserved because the other
domains were created completely independently.
Of course, this all probably sounds rather abstract at the moment, but as I discuss the individual
domains, you'll get a much better feel for your own organization's security needs.
Access Control Systems and Methodology
The first security domain, Access Control Systems and Methodology, is the very essence of
computer security. This particular security domain deals with protecting critical system
resources from unauthorized modification or disclosure while making those resources available
to authorized personnel. On the surface, this particular security domain would appear to include
access permissions, user names, and passwords. While these mechanisms are certainly a part of
this domain, it includes other, less obvious security mechanisms as well.
While passwords and two-factor authentication are definitely included, so are other
authentication solutions. For example, single sign-on (SSO) falls within this domain. Biometrics
would also be included in the Access Control Systems and Methodology domain.
Telecommunications and Network Security
One of the largest and most encompassing of the security domains is the Telecommunications
and Network Security domain. It's easy to think of passwords when you think of network
security. However, remember that each domain is completely independent of the other domains
and that passwords are included only in the Access Control Systems and Methodology domain.
Instead, the Telecommunications and Network Security domain focuses on communications,
protocols, and network services, and the potential vulnerabilities associated with each.
While the security of communications protocols is certainly a big issue, there are other topics
associated with this domain that you might not expect. One such topic is perimeter security.
Perimeter security includes any form of access to your network from the outside world, whether
it's by passing through a firewall, a remote access server, or a wireless access point. Of course,
you cant really address perimeter security without also addressing extranet access control and
Internet-based attacks. Therefore, these issues are also included in this domain.
Business Continuity Planning and Disaster Recovery Planning
The next security domain is Business Continuity Planning and Disaster Recovery Planning. The
first time that I saw Business Continuity and Disaster Recovery on a list of security domains, it
seemed rather strange to me. After all, security is supposed to be all about keeping out the bad
guys, right? However, as I explained earlier, the 10 security domains are designed to address all
issues associated with computer security, not just those issues pertaining to passwords, hackers,
and the like.
The primary issues involved in this domain are those related to dealing effectively with
catastrophic systems failures, natural disasters, and other types of service interruptions. As an
administrator, it's up to you to figure out what network-related services are critical to the
survival of the organization. Once you've identified those critical services, you must figure out
how to make them available after natural disasters like fires, floods, and earthquakes, and man-
made disasters like terrorist attacks.
Planning for business continuity involves things like testing backup media, planning backup
sites, developing off-site data storage facilities, and coming up with a place where your company
can temporarily set up shop after a disaster.
You could say that business continuity planning and disaster-recovery security involve your
organization's very survival, not just the security of its data. However, data security is an issue in
this security domain as well. After all, each night you back up your most sensitive data to a tape
or some other backup media. What's to keep someone from stealing that tape and restoring your
data to another computer that isn't even a part of your network? As you can see, the security of
your backups is a consideration within this security domain.
Security Management Practices
The next security domain is Security Management Practices. This particular domain is one of my
favorites because it's so often overlooked. The Security Management Practices domain has less
to do with computers than with people.
The primary focus of this domain is security awareness. This means educating your IT staff and
end users about security threats. Some examples of security education might be explaining to
users how to deal with the latest e-mail virus or how to spot a social engineering operation.
Another aspect of the Security Management Practices domain is risk assessment. Risk
assessment means keeping a constant lookout for anything that could be a potential security
problem, and then doing something about it.
There's a people-oriented aspect to Security Management Practices as well. Remember that a
well-organized security team operates much more efficiently during a potential security crisis
than a security team in which no one knows who's supposed to be doing what and when.
Security Architecture and Models
The Security Architecture and Models domain focuses mostly on having security policies and
procedures in place. This particular security domain involves policy planning for just about every
type of security issue that I've discussed here. Desktop security policies, data backup security
issues, and antivirus planning would all be examples of the types of policies that you'd develop
as a part of this security domain.
Law, Investigation, and Ethics
One of the more interesting security domains is Law, Investigation, and Ethics. As the name
implies, this security domain covers the legal issues associated with computer security. For
example, suppose that someone were to break into your network. In such a case, you'd need not
only to know whom to report the crime to, but also to have a knowledge of network forensics, and
you must know what constitutes an acceptable chain of evidence that will hold up in court.
The Law, Investigation, and Ethics security domain addresses internal security practices as well.
Among those areas of coverage are topics like employee surveillance and privacy laws.
Application and Systems Development Security
The Application and System Development security domain covers things like database security
models and the implementation of multilevel security for in-house applications. This domain also
addresses some other very interesting issues.
The first issue that this domain takes into account is what happens when an application needs a
different set of permissions than the user who's running the application. For example, if the
application requires read, write, and execute permissions to a specific directory, and the end user
only has read permissions to that directory, then the user has a problem. Traditionally, this
problem has been solved through the use of service accounts, but even working with service
accounts can pose security risks.
Another issue covered by this security domain is the integrity of the programming staff. How do
you ensure that your programmers aren't embedding spyware into their applications? For
example, you wouldn't want your programming staff adding code to a program that was
designed to e-mail them your clients' credit card numbers. Usually, it's best to handle these types
of integrity issues through employee background checks and policies and procedures.
As you can see, there are no easy answers to the situations that I've presented in this section.
However, the Application and Systems Development Security domain is designed to help you
understand and defend yourself against these types of issues.
Cryptography
One of the most widely used security techniques today is cryptography, the encryption of data.
The Cryptography security domain is designed to help you understand how and when to use
encryption. This domain also covers the various types of encryption and the mathematics behind
them. One of the more interesting issues addressed by this domain is key management
procedures in a PKI environment. After all, all of the encryption in the world won't do you any
good if your encryption keys aren't secure.
Computer Operations Security
The Computer Operations Security domain is one of those domains that are easy to define but
tough to master. Computer operations security covers all of those things that happen while your
computers are running. An example of this would be the damage that could occur from malicious
Java script or other mobile code. Also included in this domain are any holes that could make it
possible for a hacker to bring down any part of your network, as in a denial-of-service attack.
Physical Security
On occasion, I've heard physical security described as the three Gs: gates, guards, and guns.
Physical security primarily addresses questions about physical access to your servers and
workstations. For example, are the servers behind a locked door? Are there guards on duty? Is
there any mechanism for logging whoever goes into the computer room?
It's easy to look at the topic of physical security and just dismiss it. After all, during all the years
that I've worked in IT, I've seen only a few companies whose servers weren't behind a locked
door. However, locks alone aren't the answer. The lesson here is to take a long, hard look at your
organization's physical security and see if it's really up to par.
Safe and secure
Now that I've shown you the 10 security domains, you hopefully have a better understanding of
how focusing on each one individually can help your organization achieve an overall higher level
of security.
If you'd like more information on the various security domains, specifically how-to information,
go to ISC2, the official Web site of the International Information Systems Security Certification
Consortium. The Web site contains detailed information about the CISSP certification and the
courses you can take to help you pass it.
http://www.isc2.org/