The CISSP 2015 Update brings new viewpoints on the key domains covered in this certification. The CISSP is already one of the broadest of all certs in that the amount of information it covers in different fields is staggering. However, breaking this down into its component domains or fields can help to chop at it bit by bit. With the new updates, each domain is a bit more streamlined – a bit easier to manage in the overall picture – and becomes easier to understand.
We will be diving into each domain over the course of the coming weeks, to see what you need to know if you have just started studying for the CISSP. Right off the bat we can say that, with very few exceptions, the old domains are gone. That’s not to say the information isn’t there anymore, its just that the perspectives on that information have shifted. The CISSP certification has always been a managerial-level certification – understanding is required for a lot of topics across a wide range of requirements. With the new update, it zeroes-in on that concept: making it easier to look at things from particular scenarios with a birds-eye view.
With that in mind, let’s take a look at our third domain: Security Engineering (Engineering and Management of Security).
Software Development Security
When custom programs and solutions are being developed, there are a lot of potential problem areas: Is the IDE secure? Are there any problems in the language that could be exploited easily? Are there holes in the code put there by a previous programmer? Was the program developed to separate hard-coded credentials from the standard program?
When developing code that will be used by a large group – whether consumers, companies or other organizations – it is important to be able to not only create secure code but that it is proven as such. Therefore, early on in the design cycle, it is important to know what weaknesses have been encountered before by past auditors so that history does not repeat itself. Not only will this create a more secure product, but it will reduce time to market – resulting in happier end users.
Cryptography is an excellent tool, but only when it is implemented effectively. Headlines have been made consistently over the past several years regarding solutions that either were not implemented according to best practices, ways that were discovered to get around roadblocks, or just that the protections were brute-forced into obsolescence. Knowing the requirements of your solution or objective will help to know what you need to be certain is working correctly: Do you need to secure information from prying eyes at all costs? Do you need to be certain that data is not modified in transit? Or is it enough to be able to prove that the data was sent from a particular source?
It is also important to know your responsibilities to your users that you are not putting a hole into their environment. It’s one thing to provide a solution to a problem they are having, but introducing a new attack vector along with it is an entirely different matter.
CISSP Instant Pricing- Resources
Physical (Environmental Security)
Did you know that balls and pillars in front of shops are there for security and safety reasons more often than for styling? Did you also know that just introducing grass and shrubs can help redirect foot traffic to a predictable trail? What would be more effective in your environment: patrolling guards, or a fleet of cameras and facial recognition? Knowing where people are going to be, and using passive methods to reduce security requirements, can help a great deal – regardless if you are on a budget or not. Reducing entry points to a single point of contact can help drastically improve your overall standing, but even if there is only one way in on the ground floor there are usually other ways in when there are issues with HVAC systems. In controlled environments, predictable heating and cooling are as vital and electricity and water. While it might be silly to think about, the larger or older the building you are in, the more likely you are to run into a ‘Die Hard’ scenario: someone able to infiltrate the building and use the HVAC system as a way to get around undetected.
Security Architecture & Design
Just because you are building a system from scratch doesn’t mean you have to reinvent the entire idea of security. There are dozens of well known, tried and tested security models that can be reviewed and adjusted as needed based on your requirements. The tricky part is being able to see what is more effective before you spend a small fortune on implementing a solution, only to find out that it doesn’t scale well and you need to find a new option. Once you have your solution stable and in place, it is important to be able to test it regularly – finding out where your weak spots are, seeing what kinds of countermeasures need to be put in place to eliminate threats, and train your security officers – whether information security or physical security – to be ready to handle the problems that will come up.
Security Engineering is about more than just crafting a secure environment. It’s about the entire idea of security permeating everything that the organization does – from day to day operations, to project management and auditing, to controlling the thermostat. The basic cycle of Idea, Design, Implement, Maintain covers nearly every project you could ever run into, and as with all projects that involve Engineering, the earlier a problem is identified and fixed, the less it is going to cost the organization.
Spend the time needed to brainstorm options. Find out what different vendors have to offer when you are looking at home built versus market standard grade products. Discover if it would be more efficient to bring in a third party to help set up when you are going live with a project. Finally, conduct a review as to whether or not it would make sense if you are going with a premade solution if it would reduce costs to bite the bullet up front with most costs, rather than a more expensive maintenance contract. Or perhaps your people could be trained to deal with every issue they could come across in a particular situation – that is what this domain is all about: finding out what is best for the organization, in a given environment, with a specified budget.