CISSP
Security teams use these domains to organize daily tasks, identify gaps in security that could cause
negative consequences for an organization, and establish their security posture. Security
posture refers to an organization's ability to manage its defense of critical assets and data
and react to change.
By defining security goals and objectives, organizations can reduce risks to critical assets and
data like PII, or personally identifiable information. Risk mitigation means having the right
procedures and rules in place to quickly reduce the impact of a risk like a breach.
Compliance means adhering to an organization's internal security policies, to regulatory
requirements, and to independent standards. Business continuity relates to an organization's
ability to maintain its everyday productivity by establishing disaster recovery plans.
And finally, while laws related to security and risk management are different worldwide, the
overall goals are similar. As a security professional, this means following rules and
expectations for ethical behavior to minimize negligence, abuse, or fraud.
Asset Security.
The asset security domain is focused on securing digital and physical assets. It's also related
to the storage, maintenance, retention, and destruction of data. This means that assets such
as PII or SPII should be securely handled and protected, whether stored on a computer,
transferred over a network like the internet, or even physically collected. Organizations also
need to have policies and procedures that ensure data is properly stored, maintained,
retained, and destroyed. Knowing what data you have and who has access to it is necessary
for having a strong security posture that mitigates risk to critical assets and data.
Previously, we provided a few examples that touched on the disposal of data. For example,
an organization might have you, as a security analyst, oversee the destruction of hard drives
to make sure that they're properly disposed of. This ensures that private data stored on
those drives can't be accessed by threat actors.
For example, employees working remotely in public spaces need to be protected from
vulnerabilities that can occur when they use insecure Bluetooth connections or public Wi-Fi
hotspots. By having security team members remove access to those types of communication
channels at the organizational level, employees are discouraged from insecure
behavior that could be exploited by threat actors.
For example, if everyone at a company is using the same administrator login, there is no way
to track who has access to what data. In the event of a breach, separating valid user activity
from the threat actor would be impossible.
Analysts might use security control testing evaluations and security assessment reports to
improve existing controls or implement new controls. An example of implementing a new
control could be requiring the use of multi-factor authentication to better protect the
organization from potential threats and risks.
Security Operations.
The security operations domain is focused on conducting investigations and implementing
preventative measures. Investigations begin once a security incident has been identified.
This process requires a heightened sense of urgency in order to minimize potential risks to
the organization. If there is an active attack, mitigating the attack and preventing it from
escalating further is essential for ensuring that private information is protected from threat
actors.
Once the threat has been neutralized, the collection of digital and physical evidence to
conduct a forensic investigation will begin. Evidence that containment itself could destroy,
such as the memory of a running host or the logs on a machine about to be reimaged, should be
preserved as it is encountered rather than after the fact. A digital forensic investigation must
take place to identify when, how, and why the breach occurred. This helps security teams
determine areas for improvement and preventative measures that can be taken to mitigate
future attacks.
For example, performing a secure design review during the design phase, secure code
reviews during the development and testing phases, and penetration testing during the
deployment and implementation phase ensures that security is embedded into the software
product at every step. This keeps software secure and sensitive data protected, and
mitigates unnecessary risk to an organization.
Being familiar with these domains can help you better understand how they're used to
improve the overall security of an organization and the critical role security teams play. Next,
we'll discuss security threats, risks, and vulnerabilities, including ransomware, and introduce
you to the three layers of the web.
Security domains cybersecurity analysts need to know.
As an analyst, you can explore various areas of cybersecurity that interest you. One way to
explore those areas is by understanding different security domains and how they’re used to
organize the work of security professionals. In this reading you will learn more about CISSP’s
eight security domains and how they relate to the work you’ll do as a security analyst.
Graphic of the eight icons that represent the security domains from the CISSP.
All organizations must develop their security posture. Security posture is an organization’s
ability to manage its defense of critical assets and data and react to change. Elements of the
security and risk management domain that impact an organization's security posture
include:
-Incident response
-Vulnerability management
-Application security
-Cloud security
-Infrastructure security
As an example, a security team may need to alter how personally identifiable information
(PII) is treated in order to adhere to the European Union's General Data Protection
Regulation (GDPR).
Security Architecture and Engineering.
This domain focuses on managing data security. Ensuring effective tools, systems, and
processes are in place helps protect an organization's assets and data. Security architects
and engineers create these processes.
One important aspect of this domain is the concept of shared responsibility. Shared
responsibility means all individuals involved take an active role in lowering risk during the
design of a security system. Additional design principles related to this domain, which are
discussed later in the program, include:
-Threat modeling
-Least privilege
-Defense in depth
-Fail securely
-Separation of duties
-Keep it simple
-Zero trust
-Trust but verify
An example of managing data is the use of a security information and event management
(SIEM) tool to monitor for flags related to unusual login or user activity that could indicate a
threat actor is attempting to access private data.
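The monitoring described above, as an added example that is not code from the original reading: a minimal SIEM-style detection pass over constructed authentication events. It flags a burst of failed logins from one source, a successful login right after such a burst, and a successful login from a country the account has never used before. The log format, the thresholds, and the sample events are all assumptions made for this example.

```python
"""Added example (not code from the original reading): a minimal
SIEM-style detection pass over constructed authentication events.  It
flags a burst of failed logins from one source, a successful login
right after such a burst, and a successful login from a country the
account has never used before.  The log format, thresholds and sample
events are all assumptions made for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, user, source IP, country, result.
SAMPLE_LOG = """\
2024-03-04T08:01:10Z alice 10.0.0.5 US success
2024-03-04T08:02:44Z bob 10.0.0.9 US success
2024-03-04T22:15:01Z alice 203.0.113.7 RO failure
2024-03-04T22:15:03Z alice 203.0.113.7 RO failure
2024-03-04T22:15:05Z alice 203.0.113.7 RO failure
2024-03-04T22:15:06Z alice 203.0.113.7 RO failure
2024-03-04T22:15:08Z alice 203.0.113.7 RO failure
2024-03-04T22:15:11Z alice 203.0.113.7 RO success
2024-03-05T09:00:00Z bob 10.0.0.9 US success
"""

FAILURE_THRESHOLD = 5              # assumed: failures that make a burst
BURST_WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Turn the space-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "country": country, "result": result,
        })
    return events


def detect(events):
    """Return (rule, user, detail) alerts in the order they fire."""
    alerts = []
    failures = defaultdict(list)       # (user, ip) -> recent failure times
    burst_alerted = set()              # bursts already reported
    seen_countries = defaultdict(set)  # user -> countries with a past success
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["user"], e["ip"])
        # Drop failures that fell out of the sliding window.
        cutoff = e["ts"] - BURST_WINDOW
        failures[key] = [t for t in failures[key] if t >= cutoff]
        if e["result"] == "failure":
            failures[key].append(e["ts"])
            if len(failures[key]) >= FAILURE_THRESHOLD and key not in burst_alerted:
                burst_alerted.add(key)
                alerts.append(("failed_login_burst", e["user"], e["ip"]))
            continue
        # A success right after a burst is the stronger compromise signal.
        if len(failures[key]) >= FAILURE_THRESHOLD:
            alerts.append(("success_after_failure_burst", e["user"], e["ip"]))
        failures[key].clear()
        burst_alerted.discard(key)
        # First successful login from a country this account never used.
        known = seen_countries[e["user"]]
        if known and e["country"] not in known:
            alerts.append(("login_from_new_country", e["user"], e["country"]))
        known.add(e["country"])
    return alerts


def run_detection_example():
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_detection_example():
        print(alert)
```

On the sample log the pass produces three alerts for alice, all from the same source: the failure burst, the success that follows it, and a first-ever login from a new country. A real SIEM rule would also key the country check on more than one prior success, so that a user's very first login does not set the baseline.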
Communication and Network Security.
This domain focuses on managing and securing physical networks and wireless
communications. This includes on-site, remote, and cloud communications.
Organizations with remote, hybrid, and on-site work environments must ensure data
remains secure, but managing external connections to make certain that remote workers are
securely accessing an organization’s networks is a challenge. Designing network security
controls—such as restricted network access—can help protect users and ensure an
organization’s network remains secure when employees travel or work outside of the main
office.
The identity and access management (IAM) domain focuses on keeping data secure. It does
this by ensuring user identities are trusted and authenticated and that access to physical and
logical assets is authorized. This helps prevent unauthorized users, while allowing authorized
users to perform their tasks.
Essentially, IAM uses what is referred to as the principle of least privilege, which is the
concept of granting only the minimal access and authorization required to complete a task.
As an example, a cybersecurity analyst might be asked to ensure that customer service
representatives can only view the private data of a customer, such as their phone number,
while working to resolve the customer's issue; then remove access when the customer's
issue is resolved.
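The customer service scenario above, as an added example that is not code from the original reading: a least-privilege authorization check in which a representative can read a customer's phone number only while assigned to an open ticket for that customer. Resolving the ticket removes the access, and fields outside the representative's need (the SSN here) are never readable. The data model, field names, and sample records are assumptions made for this example.

```python
"""Added example (not code from the original reading): a least-privilege
authorization check for the customer service scenario.  A representative
can read a customer's phone number only while assigned to an open ticket
for that customer; resolving the ticket removes the access, and fields
outside the representative's need (the SSN here) are never readable.
The data model, field names and sample records are assumptions made for
this example."""
from dataclasses import dataclass

# Assumed: the only customer fields a support representative ever needs.
CSR_READABLE_FIELDS = {"phone", "email"}


@dataclass
class Ticket:
    ticket_id: str
    customer_id: str
    assignee: str
    status: str = "open"


@dataclass
class Customer:
    customer_id: str
    phone: str
    email: str
    ssn: str


class AccessPolicy:
    """Default-deny: access needs an allowed field AND a live assignment."""

    def __init__(self, tickets):
        self.tickets = {t.ticket_id: t for t in tickets}
        self.audit_log = []          # every read decision, allowed or not

    def can_read(self, rep, customer_id, field_name):
        if field_name not in CSR_READABLE_FIELDS:
            return False
        return any(
            t.customer_id == customer_id and t.assignee == rep and t.status == "open"
            for t in self.tickets.values()
        )

    def read_field(self, rep, customer, field_name):
        allowed = self.can_read(rep, customer.customer_id, field_name)
        self.audit_log.append((rep, customer.customer_id, field_name, allowed))
        if not allowed:
            raise PermissionError(f"{rep} may not read {field_name} of {customer.customer_id}")
        return getattr(customer, field_name)

    def resolve(self, ticket_id):
        """Closing the ticket is what revokes the access."""
        self.tickets[ticket_id].status = "resolved"


def run_access_example():
    """Walk through the scenario and return the outcome of each step."""
    customer = Customer("c-1001", "+1-555-0100", "pat@example.com", "000-00-0000")
    policy = AccessPolicy([Ticket("t-1", "c-1001", assignee="rep_jordan")])
    results = {}
    results["phone_while_open"] = policy.read_field("rep_jordan", customer, "phone")
    results["ssn_while_open"] = policy.can_read("rep_jordan", customer.customer_id, "ssn")
    results["other_rep_while_open"] = policy.can_read("rep_sam", customer.customer_id, "phone")
    policy.resolve("t-1")
    results["phone_after_resolve"] = policy.can_read("rep_jordan", customer.customer_id, "phone")
    results["decisions_logged"] = len(policy.audit_log)
    return results


if __name__ == "__main__":
    for step, outcome in run_access_example().items():
        print(f"{step}: {outcome}")
```

The point of tying the grant to the ticket rather than to the representative's role is that access expires on its own when the work ends; nobody has to remember to revoke it. The audit log records denied attempts as well as allowed ones, which is what lets a later investigation separate normal support activity from someone probing for data they should not see.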
The security assessment and testing domain focuses on identifying and mitigating risks,
threats, and vulnerabilities. Security assessments help organizations determine whether
their internal systems are secure or at risk. Organizations might employ penetration testers,
often referred to as “pen testers,” to find vulnerabilities that could be exploited by a threat
actor.
This domain suggests that organizations conduct security control testing, as well as collect
and analyze data. Additionally, it emphasizes the importance of conducting security audits to
monitor for and reduce the probability of a data breach. To contribute to these types of
tasks, cybersecurity professionals may be tasked with auditing user permissions to validate
that users have the correct levels of access to internal systems.
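The permission audit described above, as an added example that is not code from the original reading: it compares each user's actual grants with the baseline for their roles and reports grants beyond the baseline, grants the baseline expects but the user lacks, and combinations of grants that violate separation of duties. The role baseline, permission names, toxic combinations, and user records are assumptions constructed for this example.

```python
"""Added example (not code from the original reading): a permission
audit that compares each user's actual grants with the baseline for
their roles, reporting excess grants, missing grants, and combinations
of grants that violate separation of duties.  The role baseline,
permission names, toxic combinations and user records are assumptions
constructed for this example."""

# Assumed baseline: what each role should have, and nothing more.
ROLE_BASELINE = {
    "customer_service": {"crm:read_contact", "tickets:write"},
    "finance": {"ledger:read", "ledger:post"},
    "admin": {"iam:manage_users", "crm:read_contact", "ledger:read"},
}

# Assumed toxic combination: one person who can both create accounts
# and post to the ledger can create a fake payee and pay it.
TOXIC_COMBINATIONS = [frozenset({"iam:manage_users", "ledger:post"})]

# Constructed user records, as an IAM export might provide them.
USERS = [
    {"user": "alice", "roles": ["customer_service"],
     "grants": {"crm:read_contact", "tickets:write"}},
    {"user": "bob", "roles": ["customer_service"],
     "grants": {"crm:read_contact", "tickets:write", "ledger:post"}},
    {"user": "carol", "roles": ["finance"],
     "grants": {"ledger:read"}},
    {"user": "dave", "roles": ["finance", "admin"],
     "grants": {"ledger:read", "ledger:post", "iam:manage_users",
                "crm:read_contact"}},
]


def expected_grants(roles, baseline):
    """Union of the baseline for every role; unknown roles are reported."""
    expected, unknown = set(), []
    for role in roles:
        if role in baseline:
            expected |= baseline[role]
        else:
            unknown.append(role)
    return expected, unknown


def audit(users, baseline=ROLE_BASELINE, toxic=TOXIC_COMBINATIONS):
    """Return (user, finding, details) tuples; details are sorted lists."""
    findings = []
    for u in users:
        expected, unknown = expected_grants(u["roles"], baseline)
        grants = set(u["grants"])
        for role in unknown:
            findings.append((u["user"], "unknown_role", [role]))
        if grants - expected:
            findings.append((u["user"], "excess_grant", sorted(grants - expected)))
        if expected - grants:
            findings.append((u["user"], "missing_grant", sorted(expected - grants)))
        # Separation of duties is checked against the grants actually held,
        # so a violation shows up even when every grant is role-justified.
        for combo in toxic:
            if combo <= grants:
                findings.append((u["user"], "separation_of_duties", sorted(combo)))
    return findings


def run_audit_example():
    return audit(USERS)


if __name__ == "__main__":
    for user, finding, details in run_audit_example():
        print(f"{user}: {finding} {details}")
```

On the constructed records, bob holds a grant his role does not justify, carol is missing one her role needs, and dave violates separation of duties even though every one of his grants is justified by a role he legitimately holds. That last case is why an audit has to check toxic combinations against the grants a person actually has, not just whether each grant matches a role.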
The security operations domain focuses on the investigation of a potential data breach and
the implementation of preventative measures after a security incident has occurred, using a
range of strategies, processes, and tools.
Software Development Security.
Security must be incorporated into each element of the software development life cycle,
from design and development to testing and release. The software development process must
have security in mind at each step; security cannot be an afterthought.
Performing application security tests can help ensure vulnerabilities are identified and
mitigated accordingly. Having a system in place to test the programming conventions,
software executables, and security measures embedded in the software is necessary. Having
quality assurance and pen tester professionals ensure the software has met security and
performance standards is also an essential part of the software development process. For
example, an entry-level analyst working for a pharmaceutical company might be asked to
make sure encryption is properly configured for a new medical device that will store private
patient data.
As an entry-level security analyst, one of your many roles will be to handle an organization's
digital and physical assets.
Let's review what threats, risks, and vulnerabilities are and discuss some common examples
of each.
As a reminder, phishing is a technique that is used to acquire sensitive data, such as user
names, passwords, or banking information.
Risks are different from threats. A risk is anything that can impact the confidentiality,
integrity, or availability of an asset. Think of a risk as the likelihood of a threat occurring. An
example of a risk to an organization might be the lack of backup protocols for making sure its
stored information can be recovered in the event of an accident or security incident.
Organizations tend to rate risks at different levels: low, medium, and high, depending on
possible threats and the value of an asset.
A low-risk asset is information that would not harm the organization's reputation or ongoing
operations, and would not cause financial damage if compromised. This includes public
information such as website content, or published research data.
A medium-risk asset might include information that's not available to the public and may
cause some damage to the organization's finances, reputation, or ongoing operations. For
example, the early release of a company's quarterly earnings could impact the value of their
stock.
Entry-level analysts therefore need to educate and empower people to be more security
conscious. For example, educating people on how to identify a phishing email is a great
starting point.
Using access cards to grant employee access to physical spaces while restricting outside
visitors is another good security measure. Organizations must continually improve their
efforts when it comes to identifying and mitigating vulnerabilities to minimize threats and
risks. Entry-level analysts can support this goal by encouraging employees to report
suspicious activity and actively monitoring and documenting employees' access to critical
assets.
Ransomware is a malicious attack where threat actors encrypt an organization's data then
demand payment to restore access. Once ransomware is deployed by an attacker, it can
freeze network systems, leave devices unusable, and encrypt, or lock confidential data,
making devices inaccessible. The threat actor then demands a ransom before providing a
decryption key to allow organizations to return to their normal business operations. Think of
a decryption key as a password provided to regain access to your data. Note that when
ransom negotiations occur or data is leaked by threat actors, these events can occur through
the dark web.
While many people use search engines to navigate to their social media accounts or to shop
online, this is only a small part of what the web really is. The web is actually an interlinked
network of online content that's made up of three layers: the surface web, the deep web,
and the dark web.
The surface web is the layer that most people use. It contains content that can be accessed
using a web browser.
The deep web is content that search engines do not index, usually because it requires
authorization to access. An organization's intranet is an example of the deep web, since it
can only be accessed by employees or others who have been granted access.
Lastly, the dark web can only be accessed by using special software, such as the Tor
Browser. The dark web generally carries a negative connotation since it is the preferred web
layer for criminals because of the anonymity that it provides.
Now, let's discuss three key impacts of threats, risks, and vulnerabilities. The first impact
we'll discuss is financial impact.
When an organization's assets are compromised by an attack, such as the use of malware,
the financial consequences can be significant for a variety of reasons. These can include
interrupted production and services, the cost to correct the issue, and fines if assets are
compromised because of non-compliance with laws and regulations.
The second impact is identity theft. Organizations must decide whether to store private
customer, employee, and outside vendor data, and for how long. Storing any type of
sensitive data presents a risk to the organization. Sensitive data can include personally
identifiable information, or PII, which can be sold or leaked through the dark web. That's
because the anonymity the dark web provides makes it harder for threat actors who sell data
there to be identified and prosecuted.
The last impact we'll discuss is damage to an organization's reputation. A solid customer
base supports an organization's mission, vision, and financial goals. An exploited
vulnerability can lead customers to seek new business relationships with competitors or
create bad press that causes permanent damage to an organization's reputation. The loss of
customer data doesn't only affect an organization's reputation and financials, it may also
result in legal penalties and fines. Organizations are strongly encouraged to take proper
security measures and follow certain protocols to prevent the significant impact of threats,
risks, and vulnerabilities. By using all the tools in their toolkit, security teams are better
prepared to handle an event such as a ransomware attack.