Introduction

The Certified Information Systems Security Professional (CISSP) is a highly valued qualification in the cybersecurity industry. Most candidates sitting for the certification are proven professionals and specialists in IT security. The certification requires the candidate to demonstrate solid and comprehensive knowledge of many aspects of computer security. At first glance, the CISSP might seem a purely technical qualification for computer engineers and scientists. In fact, the CISSP demands a multidimensional and holistic skill set. Not only does it cover a wide range of technical competences, but also a great variety of non-technical topics ranging from compliance and security assessment to awareness training. Hence, CISSP professionals are trained to evaluate, design, launch and improve security systems for organizations. The constantly evolving cyberspace landscape makes the CISSP accreditation an asset in dealing with increasingly sophisticated challenges.

The comprehensive nature of the CISSP qualification helps professionals in the cybersecurity industry round out their competencies. Hence, all of the topics covered in the CISSP are equally important. Among them, the preventive measures of security operations can be considered the foundation module for understanding the features and issues of the essential technical components. They constitute the indispensable gate through which organizations prepare themselves against network intrusions and security breaches: firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS), whitelisting and blacklisting, 24-hour third-party services, sandboxing, honeypots and honeynets, and anti-malware. Candidates preparing for the CISSP are expected to be familiar with these tools and practices. This article aims to serve as a guide to these preventive measures.

Whitelisting and Blacklisting

To begin with, whitelisting and blacklisting is the underlying perspective behind many preventive measures in security operations today. It serves as a guiding principle in the design and deployment of many cybersecurity tools. As the security researcher Bruce Schneier has suggested, “the debate is far older than computers.” Computer systems and networks have considerable similarities with the physical world. The idea of admitting people to a building based on a whitelist and turning away persona non grata according to a blacklist applies equally to the world of computers. Many security mechanisms, such as firewalls, antivirus, content management systems (CMS), identity management and collaboration software, are built around different levels of authority for their users. Indeed, the complexity of today's security environment generates challenging vulnerabilities for organizations. Military-style tactics such as cyber-camouflage and counter-intelligence are common means of misleading computer defense systems into trusting fraudulent applications. Thus, one pragmatic doctrine for implementing security mechanisms effectively is the ‘blacklist all and whitelist trusted’ solution: assume that every external request for entry is untrustworthy and harmful to the organization's operating environment. The system and network administrator can then define and authorize, in other words whitelist, the trusted incoming and outgoing traffic and Internet Protocol (IP) addresses through a rigorous selection. The whitelisting and blacklisting method sows the seeds for the other preventive security measures.

Firewalls

Firewalls are always advised as the first and foremost precaution for organizations defending themselves against cyberattacks. They can be either hardware or software mechanisms that block suspicious and unauthorized access to the organization's intranet. Firewalls can be applied primarily on three levels: network, application and proxy. Firstly, on the network level, firewalls are also known as packet filters. The network administrator defines and sets default rules on this level to block common attack sites and adds institutional requirements. Secondly, application firewalls inspect the traffic between two applications. They can prevent suspicious application activities that might not be known to the sender or recipient. Thirdly, proxies act as an intermediary server between two machines, providing an additional filter for monitoring the organization's traffic to and from the Internet. The network administrator can define internal security protocols and rules to control and limit network traffic both internally and externally. Firewalls are elementary protection for organizations, and establishing effective firewalls is a prerequisite for implementing and deploying further network defense measures. On the one hand, they can block known malicious IP addresses and other anomalous traffic from entering the organization's network. On the other hand, firewalls can also restrict internal traffic from communicating with external networks to mitigate the risk of insider threats. Sophisticated cyberattacks often take place when careless or malevolent personnel activate malicious links and downloads. Such occasions allow the attacker to install a remote access tool (RAT) that bypasses the firewall settings. Therefore, setting up potent firewalls is a mandatory step that lays a strong foundation for the subsequent preventive measures of security operations.
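To make the ‘blacklist all and whitelist trusted’ doctrine and the packet-filter level of a firewall concrete, here is an added example (not code from the original article or from any firewall product) of a default-deny filter. The rule set, blocklist and traffic samples are constructed for the illustration; the order of evaluation is the point: a blocklisted source is denied even when an allow rule would otherwise match, and anything without an explicit allow rule falls through to the default deny, in both directions.

```python
"""Default-deny packet filter with an explicit allow list and a blocklist.

Added illustration for the whitelisting/blacklisting and firewall sections;
all networks, rules and packets below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str            # label reported in the verdict
    src: str             # CIDR the packet must originate from
    dst: str             # CIDR the packet must be addressed to
    dport: Optional[int] # destination port, or None for any port
    proto: str           # "tcp" or "udp"


# Hypothetical allow list for a small office network (constructed):
# only HTTPS egress, DNS to the internal resolver, and VPN ingress are permitted.
ALLOW_RULES = [
    Rule("web-out", "10.0.0.0/24", "0.0.0.0/0", 443, "tcp"),
    Rule("dns-out", "10.0.0.0/24", "10.0.0.53/32", 53, "udp"),
    Rule("vpn-in", "0.0.0.0/0", "10.0.0.10/32", 1194, "udp"),
]

# Known-bad sources denied regardless of the allow list (constructed values
# from the documentation-only ranges, not real threat intelligence).
BLOCKLIST = [ip_network("198.51.100.0/24"), ip_network("203.0.113.7/32")]


def matches(rule, src, dst, dport, proto):
    """True when a packet's 5-tuple fields fall within the rule."""
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == dport)
            and rule.proto == proto)


def evaluate(src, dst, dport, proto):
    """Return (verdict, reason): blocklist first, then allow rules, then default deny."""
    if any(ip_address(src) in net for net in BLOCKLIST):
        return ("DENY", "blocklisted source")
    for rule in ALLOW_RULES:
        if matches(rule, src, dst, dport, proto):
            return ("ALLOW", rule.name)
    return ("DENY", "default deny")


def filter_traffic(packets):
    """Evaluate a list of (src, dst, dport, proto) tuples and return the verdicts."""
    return [evaluate(*pkt) for pkt in packets]


# Constructed traffic sample: one allowed egress flow, one egress flow on a
# non-whitelisted port, one blocklisted host trying the VPN port, and one
# DNS query to an external resolver rather than the internal one.
SAMPLE_PACKETS = [
    ("10.0.0.5", "93.184.216.34", 443, "tcp"),
    ("10.0.0.5", "93.184.216.34", 80, "tcp"),
    ("203.0.113.7", "10.0.0.10", 1194, "udp"),
    ("10.0.0.5", "10.0.0.53", 53, "udp"),
    ("10.0.0.5", "8.8.8.8", 53, "udp"),
]

if __name__ == "__main__":
    for pkt, (verdict, reason) in zip(SAMPLE_PACKETS, filter_traffic(SAMPLE_PACKETS)):
        print(f"{pkt[0]:>14} -> {pkt[1]:<14} {pkt[3]}/{pkt[2]:<5} {verdict:5} ({reason})")
```

The third sample packet is the instructive one: the `vpn-in` rule would allow it, but because the blocklist is consulted first the packet is still denied. Real packet filters add state tracking and logging on top of this, but the precedence (explicit deny, explicit allow, implicit deny) is the same.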

Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)

The IDS and IPS closely resemble each other. Both are tools for coping with network intrusions, yet each has its specialized purpose. The IPS is usually an integral part of the firewall, filtering unauthorized traffic before it enters the organization's computing environment. The IPS administrator maintains a list of requirements for incoming traffic, and this list allows or denies traffic passing into the organization's internal network. It is a useful preventive tool that complements and refines the functionality of the firewall, especially at the enterprise level where incoming traffic arrives from diverse origins. The IDS, in addition, is developed for the purpose of intrusion visualization. It surfaces intrusion evidence and patterns for security professionals to examine, visualize and use in network forensics and analytics. The IPS is a meaningful application of the whitelisting and blacklisting principle; it is cost-effective because it limits the scope of potential intrusions. The IDS provides the further step that lets organizations investigate anomalies on both their internal and external networks. Some intrusion analytics systems adopt a hybrid model with both prevention and detection features.
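The difference between detection and prevention is easiest to see when the same detection logic is run in both modes. The following added example (not from the original article or any IDS/IPS product) uses a simple threshold rule, one source touching several distinct destination ports within a short window, over constructed connection-log lines. In IDS mode the detector only records an alert and every event continues to pass; in IPS mode the same alert also blocks the source inline, so the triggering event and everything after it from that source is dropped. The log format, threshold and addresses are assumptions made for the illustration.

```python
"""Threshold-based port-sweep detector run in IDS mode (alert only) and
IPS mode (alert and drop further traffic from the offending source).

Added illustration for the IDS/IPS section; the log format and sample
lines are constructed for the example, not taken from any real product.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

PORT_THRESHOLD = 5   # distinct destination ports from one source ...
WINDOW_SECONDS = 60  # ... within this many seconds counts as a sweep

# Constructed sample: 198.51.100.23 probes six ports on one host while
# 10.0.0.5 makes ordinary HTTPS connections in between.
SAMPLE_LOG = """\
2024-03-01T10:00:00 src=198.51.100.23 dst=10.0.0.10 dport=21
2024-03-01T10:00:01 src=10.0.0.5 dst=10.0.0.10 dport=443
2024-03-01T10:00:01 src=198.51.100.23 dst=10.0.0.10 dport=22
2024-03-01T10:00:02 src=198.51.100.23 dst=10.0.0.10 dport=23
2024-03-01T10:00:02 src=198.51.100.23 dst=10.0.0.10 dport=25
2024-03-01T10:00:03 src=198.51.100.23 dst=10.0.0.10 dport=80
2024-03-01T10:00:04 src=198.51.100.23 dst=10.0.0.10 dport=443
2024-03-01T10:00:05 src=10.0.0.5 dst=10.0.0.10 dport=443
2024-03-01T10:00:06 src=198.51.100.23 dst=10.0.0.10 dport=8080
"""


def parse(line):
    """Turn one log line into (timestamp, src, dst, dport); None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))


class SweepDetector:
    def __init__(self, prevent):
        self.prevent = prevent           # False = IDS (observe), True = IPS (inline)
        self.seen = defaultdict(list)    # src -> [(timestamp, dport), ...]
        self.alerts = []                 # (timestamp, src, description)
        self.blocked = set()             # sources the IPS has cut off
        self.passed = 0
        self.dropped = 0

    def process(self, event):
        """Feed one event; return "PASS" or "DROP" (always "PASS" in IDS mode)."""
        ts, src, dst, dport = event
        if src in self.blocked:
            self.dropped += 1
            return "DROP"
        # Keep only observations for this source that fall inside the window.
        recent = [(t, p) for t, p in self.seen[src]
                  if (ts - t).total_seconds() <= WINDOW_SECONDS]
        recent.append((ts, dport))
        self.seen[src] = recent
        distinct_ports = {p for _, p in recent}
        already_alerted = any(a[1] == src for a in self.alerts)
        if len(distinct_ports) >= PORT_THRESHOLD and not already_alerted:
            self.alerts.append((ts.isoformat(), src, "port sweep"))
            if self.prevent:
                self.blocked.add(src)
                self.dropped += 1
                return "DROP"
        self.passed += 1
        return "PASS"


def run(log_text, prevent):
    """Replay a log through the detector and return it for inspection."""
    det = SweepDetector(prevent)
    for line in log_text.splitlines():
        event = parse(line)
        if event:
            det.process(event)
    return det


if __name__ == "__main__":
    for label, prevent in (("IDS", False), ("IPS", True)):
        det = run(SAMPLE_LOG, prevent)
        print(f"{label}: alerts={len(det.alerts)} passed={det.passed} "
              f"dropped={det.dropped} blocked={sorted(det.blocked)}")
```

Both modes raise exactly one alert for the probing host, but only the IPS changes what reaches the destination: the fifth distinct port trips the rule, that event and the two later ones from the same source are dropped, and the legitimate host's traffic is untouched. The trade-off this illustrates is the one the section describes: the IPS limits exposure inline, while the IDS leaves the full event stream available for investigation and accepts the cost of acting later.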

Anti-malware

Both firewalls and intrusion analytics systems emphasize protection at the network level. Beyond this initial security gate, CISSP candidates should be aware of the security threats and vulnerabilities at the application level. Installing an effective anti-malware product to prevent attacks that slip through the network-layer defenses is equally important. As a matter of fact, the notion of anti-malware can sometimes be confusing for its users: ‘malware’ is the umbrella term for malicious code, namely spyware, Trojan horses, adware, viruses and worms, to name a few, and anti-malware products address all of these. Each of these kinds of code has its specific purpose. For example, the infamous Stuxnet, which played a role in crippling the Iranian nuclear weaponization project, is categorized as a worm. There are many anti-malware systems with different emphases and configurations. Therefore, seasoned cybersecurity professionals should be capable of evaluating the security operations environment in order to select the appropriate anti-malware for the organization.

Honeypots, Honeynets and Honeyfarms

An innovative perspective on cyber-defense using deception technology was introduced several years ago. This method focuses on building honeypots to engage the attacker so that he reveals his attack method or identity. The technology draws on several key military doctrines, ranging from decoys and deception to deterrence. It can be considered a form of IDS because it demonstrates in detail the pattern and development of the attack, and thus makes them visible with relevant data. The honeypot strategy is a highly recommended option for organizations that are under constant attack from the same operators and patterns. Setting up honeypots and sock puppets to interact with the adversary can successfully mitigate the security threats to the organization. The effectiveness of honeypot technology is twofold. On the one hand, it can discourage and deter the attacker from continuing the attack; the honeypot creator can place warning indicators in the honeypot to achieve this deterrent effect. On the other hand, it is an intelligent tactic to develop highly persuasive, engaging content on the honeypot servers, such as operating systems, licensed software and data, that dynamically matches the attacker's preferences. Such content should appear to be an integral part of the real server. That means the honeypot administrator puts himself in the attacker's shoes to mirror the exact attack scenario. By interacting with the attacker, the network defender can observe the deployed malware and the targeted data, and so identify the attacker's background. Hence, the organization can develop its response plan and internal policies more comprehensively, with convincing scenarios and evidence. More significantly, a better grasp of the adversary's tactics is always advantageous in conflict management, whether on the offensive or the defensive side.

Depending on the sophistication and depth of the attack, it is possible to build multiple honeypots. This arrangement is referred to as a honeynet or honeyfarm. Much like the rising value of the CISSP qualification, honeypot technology is increasingly employed in large organizations facing complex cyberattacks. It helps security professionals collect forensic evidence for follow-up actions, whether internal awareness training or legal action against the attacker.

Sandboxing

As described in the mechanism of honeypot deployment, a key feature of setting up a honeypot is to trap the adversary in an isolated environment in order to study his tactics and attack pattern. This confined environment is referred to as a sandbox. Honeypots always work hand in hand with sandboxes. They are often created in virtual machines segregated from the real operating system, to prevent any infection or lateral spread of the suspected malicious code. For instance, a security officer can download an untrusted piece of malware and detonate it in the isolated environment to observe its features and destructiveness. The same consideration applies to internal software development. Testing newly developed software in a sandbox is a professional practice that avoids the same potential damage to the production environment. Software in different development phases might be unstable and affect normal operations. Sandboxing incomplete software and aggressive malware helps the security administrator control the risk landscape. More importantly, because sandboxes are created in separate virtual spaces, their creator can easily abandon and destroy them after examination.

24 Hour Third-Party Service

Cybersecurity is about managing the various defense technologies discussed above. Thus, security professionals should also have a thorough understanding of the different third-party vendors, and of the terms of sale of the technologies they choose to integrate into their overall plan of preventive measures. If a product requires external 24-hour monitoring, the security officer has to study the conditions of intervention thoroughly to ensure that they respect the organization's trusted supply chain. In case of incidents and problems, the security officer should know what support is guaranteed and at what level of service quality. This consideration also applies to outsourcing certain operational components of the organization. The compatibility of third-party products and support is worth examining. In addition, it is both a cost and a strategic consideration for the organization to determine whether it has the relevant talent and resources to configure these third-party technologies. This can affect its in-house recruitment and personnel development process.

Conclusion

In conclusion, the CISSP qualification has high requirements for its candidates. The preventive measures discussed in this article illustrate both the technical and the non-technical aspects of preparing a high-performing cybersecurity defense program for an organization. Firewalls, IPS and IDS, anti-malware, the honeypot strategy, sandboxing and 24-hour third-party support are some of the many important preventive measures in the CISSP certification. A solid knowledge base of these measures contributes not only to passing the examination, but also to building field competencies for handling real situations. The fast-evolving challenges in cyberspace oblige security officers to commit to life-long learning. Being a successful cybersecurity professional today is thus a process of continual improvement.


Be Safe

Section Guide

Ki Nang Yip