One of the hottest but most difficult-to-achieve IT certifications is the CISSP (Certification for Information System Security Professional) certification. To obtain this certification, you must have three or more years of direct security professional experience, and you must pass a six-hour, 250-question exam covering the 10 security domains in the ISC2 common body of knowledge. Obviously, the CISSP exam isn’t for everyone, but even if you aren’t interested in earning your CISSP certification, it’s worth looking at these 10 security domains.
In this Daily Drill Down, I’ll explain the philosophy behind these domains and why it’s important to have a basic understanding of them. I’ll then briefly describe each of the 10 domains.
Security domains 101
If you’re a Windows network administrator, you might assume that a security domain is the type of domain created within a Windows Server environment. However, this isn’t the case. For the purposes of this Daily Drill Down, think of a security domain as just a particular category of security knowledge. ISC2 includes 10 security domains. These security domains are:
- Access Control Systems and Methodology
- Telecommunications and Network Security
- Business Continuity Planning and Disaster Recovery Planning
- Security Management Practices
- Security Architecture and Models
- Law, Investigation, and Ethics
- Application and Systems Development Security
- Cryptography
- Computer Operations Security
- Physical Security
Although all 10 of the ISC2 domains are related to computer security, not all of the domains refer to things that you can do directly to your network. For example, one of the security domains is Law, Investigation, and Ethics. Obviously, this particular security domain addresses some very important issues, but it has little to do with preventing an attack on your network. Other security domains, such as Cryptography, provide tools that you can use to immediately enhance your network’s security.
As you can see, the security domains all cover different areas of security, but you’re probably wondering what this has to do with security in depth. The idea behind the 10 security domains is that you should treat each security domain as a completely independent entity. Furthermore, as you work on a particular security domain, you should pretend that the other security domains don’t even exist and that the aspects covered by the current security domain are your only line of defense.
So how is this useful? Suppose that a firewall was your network’s only security mechanism. You’d make sure that the firewall was the best that it could be, because it would be your network’s only line of defense.
The same idea applies to the security domains. If you work through the security domains one at a time, pretending that each is your only line of defense, you’ll work extra hard to make sure that you take advantage of every security mechanism available through that domain. In doing so, you’ll create an ultra-secure network consisting of 10 highly secure domains.
Likewise, because you’re focusing on one domain at a time, if a failure or a security breach were to occur in one domain, the integrity of the other domains would be preserved because the other domains were created completely independently.
Of course, this all probably sounds rather abstract at the moment, but as I discuss the individual domains, you’ll get a much better feel for your own organization’s security needs.
Access Control Systems and Methodology
The first security domain, Access Control Systems and Methodology, is the very essence of computer security. This particular security domain deals with protecting critical system resources from unauthorized modification or disclosure while making those resources available to authorized personnel. On the surface, this particular security domain would appear to include access permissions, user names, and passwords. While these mechanisms are certainly a part of this domain, it includes other, less obvious security mechanisms as well.
While passwords and two-factor authentication are definitely included, so are other authentication solutions. For example, single sign-on (SSO) falls within this domain. Biometrics would also be included in the Access Control Systems and Methodology domain.
Telecommunications and Network Security
One of the largest and most encompassing of the security domains is the Telecommunications and Network Security domain. It’s easy to think of passwords when you think of network security. However, remember that each domain is completely independent of the other domains and that passwords are included only in the Access Control Systems and Methodology domain. Instead, the Telecommunications and Network Security domain focuses on communications, protocols, and network services, and the potential vulnerabilities associated with each.
While the security of communications protocols is certainly a big issue, there are other topics associated with this domain that you might not expect. One such topic is perimeter security. Perimeter security includes any form of access to your network from the outside world, whether it’s by passing through a firewall, a remote access server, or a wireless access point. Of course, you can’t really address perimeter security without also addressing extranet access control and Internet-based attacks. Therefore, these issues are also included in this domain.
Business Continuity Planning and Disaster Recovery Planning
The next security domain is Business Continuity Planning and Disaster Recovery Planning. The first time that I saw Business Continuity and Disaster Recovery on a list of security domains, it seemed rather strange to me. After all, security is supposed to be all about keeping out the bad guys, right? However, as I explained earlier, the 10 security domains are designed to address all issues associated with computer security, not just those issues pertaining to passwords, hackers, and the like.
The primary issues involved in this domain are those related to dealing effectively with catastrophic systems failures, natural disasters, and other types of service interruptions. As an administrator, it’s up to you to figure out what network-related services are critical to the survival of the organization. Once you’ve identified those critical services, you must figure out how to make them available after natural disasters like fires, floods, and earthquakes, and man-made disasters like terrorist attacks.
Planning for business continuity involves things like testing backup media, planning backup sites, developing off-site data storage facilities, and coming up with a place where your company can temporarily set up shop after a disaster.
You could say that business continuity planning and disaster-recovery security involve your organization’s very survival, not just the security of its data. However, data security is an issue in this security domain as well. After all, each night you back up your most sensitive data to a tape or some other backup media. What’s to keep someone from stealing that tape and restoring your data to another computer that isn’t even a part of your network? As you can see, the security of your backups is a consideration within this security domain.
Security Management Practices
The next security domain is Security Management Practices. This particular domain is one of my favorites because it’s so often overlooked. The Security Management Practices domain has less to do with computers than with people.
The primary focus of this domain is security awareness. This means educating your IT staff and end users about security threats. Some examples of security education might be explaining to users how to deal with the latest e-mail virus or how to spot a social engineering operation.
Another aspect of the Security Management Practices domain is risk assessment. Risk assessment means keeping a constant lookout for anything that could be a potential security problem, and then doing something about it.
There’s a people-oriented aspect to Security Management Practices as well. Remember that a well-organized security team operates much more efficiently during a potential security crisis than a security team in which no one knows who’s supposed to be doing what and when.
Security Architecture and Models
The Security Architecture and Models domain focuses mostly on having security policies and procedures in place. This particular security domain involves policy planning for just about every type of security issue that I’ve discussed here. Desktop security policies, data backup security issues, and antivirus planning would all be examples of the types of policies that you’d develop as a part of this security domain.
Law, Investigation, and Ethics
One of the more interesting security domains is Law, Investigation, and Ethics. As the name implies, this security domain covers the legal issues associated with computer security. For example, suppose that someone were to break into your network. In such a case, you’d need not only to know who to report the crime to, but also to have a knowledge of network forensics, and you must know what constitutes an acceptable chain of evidence that will hold up in court.
The Law, Investigation, and Ethics security domain addresses internal security practices as well. Among those areas of coverage are topics like employee surveillance and privacy laws.
Application and Systems Development Security
The Application and Systems Development Security domain covers things like database security models and the implementation of multilevel security for in-house applications. This domain also addresses some other very interesting issues.
The first issue that this domain takes into account is what happens when an application needs a different set of permissions than the user who’s running the application. For example, if the application requires read, write, and execute permissions to a specific directory, and the end user only has read permissions to that directory, then the user has a problem. Traditionally, this problem has been solved through the use of service accounts, but even working with service accounts can pose security risks.
Another issue covered by this security domain is the integrity of the programming staff. How do you ensure that your programmers aren’t embedding spyware into their applications? For example, you wouldn’t want your programming staff adding code to a program that was designed to e-mail them your client’s credit card numbers. Usually, it’s best to handle these types of integrity issues through employee background checks and policies and procedures.
As you can see, there are no easy answers to the situations that I’ve presented in this section. However, the Application and Systems Development Security domain is designed to help you understand and defend yourself against these types of issues.
Cryptography
One of the most widely used security techniques today is cryptography, the encryption of data. The Cryptography security domain is designed to help you understand how and when to use encryption. This domain also covers the various types of encryption and the mathematics behind them. One of the more interesting issues addressed by this domain is key management procedures in a PKI environment. After all, all of the encryption in the world won’t do you any good if your encryption keys aren’t secure.
Computer Operations Security
The Computer Operations Security domain is one of those domains that are easy to define but tough to master. Computer operations security covers all of those things that happen while your computers are running. An example of this would be the damage that could occur from malicious JavaScript or other mobile code. Also included in this domain are any holes that could make it possible for a hacker to bring down any part of your network, as in a denial-of-service attack.
Physical Security
On occasion, I’ve heard physical security described as the three G’s: gates, guards, and guns. Physical security primarily addresses questions about physical access to your servers and workstations. For example, are the servers behind a locked door? Are there guards on duty? Is there any mechanism for logging whoever goes into the computer room?
It’s easy to look at the topic of physical security and just dismiss it. After all, during all the years that I’ve worked in IT, I’ve seen only a few companies whose servers weren’t behind a locked door. However, locks alone aren’t the answer. The lesson here is to take a long, hard look at your organization’s physical security and see if it’s really up to par.
Safe and secure
Now that I’ve shown you the 10 security domains, you hopefully have a better understanding of how focusing on each one individually can help your organization achieve an overall higher level of security.
If you’d like more information on the various security domains, specifically how-to information, go to ISC2, the official Web site of the International Information Systems Security Certification Consortium. The Web site contains detailed information about the CISSP certification and the courses you can take to help you pass it.