The CISSP 2015 update brings new viewpoints on the key domains covered in this certification. The CISSP is already one of the broadest of all certs in that the amount of information it covers in different fields is staggering. However, breaking this down into its component domains or fields can help to chop at it bit by bit. With the new updates, each domain is a bit more streamlined – a bit easier to manage in the overall picture – and becomes easier to understand.
We will be diving into each domain over the course of the coming weeks, to see what you need to know if you have just started studying for the CISSP. Right off the bat, we can say that with very few exceptions, the old domains are gone. That’s not to say the information isn’t there anymore, its just that the perspectives on that information have shifted. The CISSP certification has always been a managerial-level certification – understanding is required for a lot of topics across a wide range of requirements. With the new update, it zeroes-in on that concept: making it easier to look at things from particular scenarios with a bird’s eye view.
With that in mind, let’s take a look at our fourth domain: Communications and Network Security (Designing and Protecting Network Security).
Almost more than any other domain in the update, this domain lines up very well with its predecessor – the two cover the same basic footprint, however the new domain covers newer technologies and methodologies than the previous one.
Network Infrastructure Concepts
Before someone can try to secure a network, they need to understand the basics of what makes a network function. Without being able to wrap your head around the theory of how a document would go from halfway around the world to your workstation, it would be very difficult to be able to secure the path that it takes to get from point to point.
OSI and TCP/IP Models
Images provided by Wikipedia
The OSI model is considered by many to be the cornerstone on which all networking and user interaction theory sits. It is a type of framework that is relatively easy to understand, and it’s possible to classify most elements to a particular primary layer. The problem with this structure is that in reality, it’s ignored most of the time. The model that most directly lines up with what is actually used on a day to day basis is the TCP/IP Model. The models themselves are very similar, both in terminology and functionality, but critically the TCP/IP model does not directly address the physical hardware that the OSI model addresses.
CISSP Instant Pricing- Resources
Hardening Network Hardware
To many, the difficult part in building a network is getting everything to talk to each other and function correctly. From the security point of view however, this is just getting started. Most devices still ship in a configuration that allows for widest possible usage, which from a setup point of view is great, but not as far as security goes. The ‘secure by default’ idea has been progressing well – many consumer-grade access points that are provided by ISPs for instance now come with WPA2 enabled and a randomized password.
Secure Communications Channels
It’s no secret that there are a lot of ways that we communicate on a daily basis that can be tracked. There are situations however where this is not only dangerous, but can cause tremendous problems for the organization – whether through locating user locations, or disseminating information that is gleaned from the conversation. This means that secure communications must be enabled and configured correctly, and insecure methods need to be blocked. For example, say that your company only wants users to use their in-house developed instant messenger client. To enforce this, other clients would then need to be blocked, so that users don’t revert back to using software that they may be more comfortable with.
Network Attacks and Mitigation
“Know your enemy and know yourself, find naught in fear for 100 battles. Know yourself but not your enemy, find level of loss and victory. Know thy enemy but not yourself, wallow in defeat every time.” Cyberattacks are coming more often than ever, and it is extremely important to know your organization’s defenses and weakpoints, as well as what attacks and vectors are used in your local area and business type. Being able to detect attacks, deal with them, and having staff trained to manage all sides of the situation is incredibly important, as well as knowing what the new attacks are that seem to be coming on a daily basis now.
The ‘Endpoint’ – the level at which primary defenses need to be active – keeps moving. Being able to have strong security on individual nodes – regardless of whether that is a workstation, a mobile or a server – is more important than ever. Making sure that your solutions work together in a cohesive mesh rather than fight against each other is absolutely vital, or else you could see a situation where you’re having to deliberately break your security just to try to get things to talk to each other. I’m not saying that this doesn’t happen, and in some cases it is required, but it should be an absolute last resort – something that happens no more than once in a blue moon.
The Mobile Office has been here for quite some time, and as a result, trying to create a solid wall to protect the network becomes difficult. Holes need to be drilled through the barrier, to allow services and devices to connect reliably from both individual users as well as other corporate locations and partners. This means being able to create secure connections regardless of whether the person is at their desk or at their vacation house in Wyoming. There are many different methods of remote access, and if the IT department does not create a secure option for this, users may find their own options and open up an unknown threat into the network.
Network Access Control Devices
Network Access Control is a friend of the admin – something that can help keep visitors from just plugging into any port they can find and going to town on the network. Sticky ports, dedicated appliances, VPN’s, single sign-on, proxy servers, the list of options available to help secure connections is huge. The nice part about these methods is that most are capable of working together with each other, so that you do not necessarily need to trust only one method. Do you want to keep ports locked at user desks but open in a conference room? Add in Single-Sign on as well. Users don’t like jumping through hoops, but if you create something that is mostly invisible and adds functionality rather than putting roadblocks in their path, they are going to want to use it.