CISSP Security Domains - Part 1 Notes PDF
These notes provide an overview of the CISSP security domains, with explanations and examples for each. The document covers topics including security posture assessment, risk mitigation practices and compliance aspects of security.
**[CISSP = Certified Information Systems Security Professional]**

**Explore the CISSP security domains, Part 1**

There are **8 security domains/categories** identified by **CISSP.** Security teams use them to organize daily tasks and identify gaps in security that could cause negative consequences for an organization, and to establish their **security posture.**

**Security posture --** is an organization's ability to manage its defense of critical assets and data and react to change.

1. **Security and risk management --**
   a. **Defining security goals and objectives:** organizations can reduce risks to critical assets and data like PII (personally identifiable information).
   b. **Risk mitigation processes --** having the right procedures and rules in place to quickly reduce the impact of a risk like a breach.
   c. **Compliance --** a primary method used to develop an organization's internal security policies, regulatory requirements, and independent standards.
   d. **Business continuity plan --** relates to an organization's ability to maintain their everyday productivity by establishing risk disaster recovery plans.
   e. **Legal regulations --** while laws related to security and risk management are different worldwide, the overall goals are similar.
   f. **Incident response**
   g. **Vulnerability management**
   h. **Application security**
   i. **Cloud security**
   j. **Infrastructure security**

2. **Asset security --** This domain is focused on **securing digital and physical assets**. It's also related to the storage, maintenance, retention, and destruction of data. This means that assets such as PII or SPII should be securely handled and protected, whether stored on a computer, transferred over a network like the internet, or even physically collected. Organizations also need to have policies and procedures that ensure data is properly stored, maintained, retained, and destroyed.
Knowing what data you have and who has access to it is necessary for having a strong security posture that mitigates risk to critical assets and data.

**EX:** an organization might have the security analyst oversee the destruction of hard drives to make sure that they're properly disposed of. This ensures that private data stored on those drives can't be accessed by threat actors.

3. **Security architecture and engineering --** This domain focuses on optimizing data security by **ensuring effective tools, systems, and processes are in place** to protect an organization's assets and data. One of the core concepts of secure design architecture is shared responsibility.

**Shared responsibility --** means that all individuals within an organization take an active role in lowering risk and maintaining both physical and virtual security.

Other design principles in this domain include:
- **Threat modeling**
- **Least privilege**
- **Defense in depth**
- **Fail securely**
- **Separation of duties**
- **Keep it simple**
- **Zero trust**
- **Trust but verify**

4. **Communication and network security --** This domain mainly focuses on **managing and securing physical networks and wireless communications**. Secure networks keep an organization's data and communications safe whether on-site, in the cloud, or when connecting to services remotely.

**EX:** employees working remotely in public spaces need to be protected from vulnerabilities that can occur when they use insecure Bluetooth connections or public Wi-Fi hotspots. By having security team members remove access to those types of communication channels at the organizational level, employees may be discouraged from practicing insecure behavior that could be exploited by threat actors.

5. **Identity and access management (IAM) --** This domain focuses on **access and authorization** to keep data secure by making sure users follow established policies to control and manage assets.
\*As an entry-level analyst, it's essential to keep an organization's systems and data as secure as possible by ensuring user access is limited to what employees need. The goal of **IAM** is to reduce the overall risk to systems and data.

**EX:** if everyone at a company is using the same administration login, there is no way to track who has access to what data. In the event of a breach, separating valid user activity from the threat actor would be impossible.

There are **FOUR main components to Identity and access management (IAM):**
- **Identification --** when a user verifies who they are by providing a username, an access card, or biometric data such as a fingerprint.
- **Authentication --** is the verification process to prove a person's identity, such as entering a password or PIN.
- **Authorization --** takes place after a user's identity has been confirmed and relates to their level of access, which depends on their role in the organization.
- **Accountability --** refers to monitoring and recording user actions, like login attempts, to prove systems and data are used properly.

6. **Assessment and testing --** This domain focuses on **conducting security control testing, collecting and analyzing data, and conducting security audits** to monitor for risks, threats, and vulnerabilities. Security control testing can help an organization identify new and better ways to mitigate threats, risks, and vulnerabilities. This involves examining organizational goals and objectives and evaluating whether the controls being used actually achieve those goals. Collecting and analyzing security data regularly also helps prevent threats and risks to the organization.

\*Analysts might use security control testing evaluations and security assessment reports to improve existing controls or implement new controls.

**EX:** An example of implementing a new control could be requiring the use of multi-factor authentication to better protect the organization from potential threats and risks.
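The four IAM components from domain 5 (identification, authentication, authorization, accountability) can be seen together in a small access-control service. The Python block below is an added example, not code from the notes or from any CISSP material. The roles, usernames, passwords, timestamps and log entries in it are constructed sample data, and storing passwords as salted PBKDF2 hashes is one common choice assumed here, not something the notes prescribe. Its audit log also shows why the shared-admin-login example above is a problem: two people using one login produce records that cannot be told apart. The `off_hours` check at the end uses the same log to surface successful actions outside working hours, the kind of indicator the security operations domain later in these notes describes.

```python
# Added example, not from the notes: the four IAM components from domain 5
# (identification, authentication, authorization, accountability) in a small
# access-control service, and why a shared admin login breaks accountability.
# Users, roles, passwords, timestamps and log entries are all constructed.
import hashlib
import hmac
import os
from datetime import datetime

# Authorization policy: role -> actions that role may perform (constructed roles).
ROLE_PERMISSIONS = {
    "analyst": {"read_logs", "read_tickets"},
    "hr": {"read_pii", "update_pii"},
    "admin": {"read_logs", "read_tickets", "read_pii", "update_pii", "manage_users"},
}
PBKDF2_ROUNDS = 100_000  # assumed work factor for the password hash


class Directory:
    """User store plus audit log. Passwords are kept only as salted hashes."""

    def __init__(self):
        self._users = {}     # username -> (salt, password_hash, role)
        self.audit_log = []  # accountability: every decision is recorded here

    def add_user(self, username, password, role):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[username] = (salt, digest, role)

    def _record(self, username, action, outcome, when):
        self.audit_log.append(
            {"when": when, "user": username, "action": action, "outcome": outcome})

    def login(self, username, password, when):
        """Identification: the username claims who the caller is.
        Authentication: the password proves it. Returns a session or None."""
        entry = self._users.get(username)
        if entry is None:
            self._record(username, "login", "denied", when)
            return None
        salt, stored, role = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, stored):  # constant-time comparison
            self._record(username, "login", "denied", when)
            return None
        self._record(username, "login", "allowed", when)
        return {"user": username, "role": role}

    def authorize(self, session, action, when):
        """Authorization: decided only for an authenticated session, by its role."""
        allowed = action in ROLE_PERMISSIONS.get(session["role"], set())
        self._record(session["user"], action, "allowed" if allowed else "denied", when)
        return allowed


def who_did(audit_log, action):
    """Accountability: which identities successfully performed an action."""
    return sorted({e["user"] for e in audit_log
                   if e["action"] == action and e["outcome"] == "allowed"})


def off_hours(audit_log, start_hour=8, end_hour=18):
    """Accountability in use: successful actions outside working hours, the
    kind of record an investigation starts from."""
    return [e for e in audit_log
            if e["outcome"] == "allowed" and not start_hour <= e["when"].hour < end_hour]


def demo_individual_accounts():
    """One account per person: each PII access is attributable to a named user."""
    d = Directory()
    d.add_user("alice", "analyst-passphrase-1", "analyst")
    d.add_user("bob", "hr-passphrase-2", "hr")
    day = datetime(2024, 3, 4, 10, 0)
    night = datetime(2024, 3, 4, 23, 30)
    alice = d.login("alice", "analyst-passphrase-1", day)
    bob = d.login("bob", "hr-passphrase-2", day)
    d.login("alice", "wrong-password", day)   # failed attempt is logged too
    d.authorize(alice, "read_pii", day)       # denied: analysts have no PII access
    d.authorize(bob, "read_pii", day)         # allowed for HR
    d.authorize(bob, "read_pii", night)       # allowed, but outside working hours
    return d


def demo_shared_login():
    """Two people using the same admin login: the log cannot tell them apart."""
    d = Directory()
    d.add_user("admin", "shared-admin-password", "admin")
    when = datetime(2024, 3, 4, 10, 0)
    first_person = d.login("admin", "shared-admin-password", when)
    second_person = d.login("admin", "shared-admin-password", when)
    d.authorize(first_person, "read_pii", when)
    d.authorize(second_person, "read_pii", when)
    return d


if __name__ == "__main__":
    print("individual accounts, read_pii by:", who_did(demo_individual_accounts().audit_log, "read_pii"))
    print("shared login, read_pii by:", who_did(demo_shared_login().audit_log, "read_pii"))
    print("off-hours actions:", off_hours(demo_individual_accounts().audit_log))
```

With individual accounts, `who_did` names `bob` as the only person who read PII, and `off_hours` isolates his 23:30 access for review; with the shared login, two separate people's reads both collapse to the single name `admin`, which is exactly the attribution gap the notes warn about.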
7. **Security operations --** This domain focuses on **conducting investigations and implementing preventative measures**. Investigations begin once a security incident has been identified. This process requires a heightened sense of urgency in order to minimize potential risks to the organization. If there is an active attack, mitigating the attack and preventing it from escalating further is essential for ensuring that private information is protected from threat actors. Once the threat has been neutralized, the collection of digital and physical evidence to conduct a forensic investigation will begin.

**A digital forensic investigation must take place to identify when, how and why the breach occurred.** This helps security teams determine areas for improvement and preventative measures that can be taken to mitigate future attacks. This includes using strategies, processes, and tools such as:
- **Training and awareness**
- **Reporting and documentation**
- **Intrusion detection and prevention**
- **SIEM tools**
- **Log management**
- **Incident management**
- **Playbooks**
- **Post-breach forensics**
- **Reflecting on lessons learned**

The cybersecurity professionals involved in this domain work as a team to manage, prevent, and investigate threats, risks, and vulnerabilities. These individuals are trained to handle active attacks, such as large amounts of data being accessed from an organization's internal network outside of normal working hours. Once a threat is identified, the team works diligently to keep private data and information safe from threat actors.

8. **Software development security --** This domain focuses on **using secure coding practices**. Secure coding practices are recommended guidelines that are used to create secure applications and services. The software development security domain is focused on using secure programming practices and guidelines to create secure applications.
Having secure applications helps deliver secure and reliable services, which helps protect organizations and their users. The software development lifecycle is an efficient process used by teams to quickly build software products and features. In this process, security is an additional step. By ensuring that each phase of the software development lifecycle undergoes security reviews, security can be fully integrated into the software product.

Security must be incorporated into each element of the software development life cycle, from design and development to testing and release. To achieve security, the software development process must have security in mind at each step. Security cannot be an afterthought. Performing application security tests can help ensure vulnerabilities are identified and mitigated accordingly. Having a system in place to test the programming conventions, software executables, and security measures embedded in the software is necessary. Having quality assurance and pen tester professionals ensure the software has met security and performance standards is also an essential part of the software development process. For example, an entry-level analyst working for a pharmaceutical company might be asked to make sure encryption is properly configured for a new medical device that will store private patient data.

**EX:** Performing a secure design review during the design phase, secure code reviews during the development and testing phase, and penetration testing during the deployment and implementation phase ensures that security is embedded into the software product at every step. This keeps software secure and sensitive data protected and mitigates unnecessary risk to an organization.

**Threats, risks, and vulnerabilities**

An **asset --** is an item perceived as having value to an organization.

\*As an analyst, one of your many roles will be to handle an organization's digital and physical assets.
During their lifespan, organizations acquire all types of assets, including physical office spaces, computers, customers' PII, intellectual property such as patents or copyrighted data, and so much more. Unfortunately, organizations operate in an environment that presents multiple security threats, risks, and vulnerabilities to their assets.

- **Threats --** A threat is any circumstance or event that can negatively impact assets. **EX:** an example of a threat is a social engineering attack. **Social engineering --** is a manipulation technique that exploits human error to gain private information, access or valuables. Malicious links in email messages that look like they're from legitimate companies or people are one method of social engineering known as phishing.
- **Risks --** are different from threats. A **risk** is anything that can impact the confidentiality, integrity, or availability of an asset. Risk is thought of as the likelihood of a threat occurring. **EX:** An example of a risk to an organization might be the lack of backup protocols for making sure its stored information can be recovered in the event of an accident or security incident.

Organizations tend to rate risks at different levels: **low, medium, and high, depending on possible threats and the value of an asset.**

- A **low-risk asset --** is information that would not harm the organization's reputation or ongoing operations and would not cause financial damage if compromised. This includes **public information** such as website content, or published research data.
- A **medium-risk asset --** might include information that's not available to the public and may cause some damage to the organization's **finances, reputation, or ongoing operations.** **EX:** the early release of a company's quarterly earnings could impact the value of their stock.
- A **high-risk asset --** is any information protected by regulations or laws, which if compromised, would have a severe negative impact on an organization's finances, ongoing operations, or reputation. This could include leaked assets with SPII, PII, or intellectual property.

- **Vulnerabilities --** A vulnerability is a weakness that can be exploited by a threat. It's worth noting that both a vulnerability and a threat must be present for there to be a risk. **EX:** Examples of vulnerabilities include: an outdated firewall, software, or application; weak passwords; or unprotected confidential data. People can also be considered a vulnerability. People's actions can significantly affect an organization's internal network. Whether it's a client, external vendor, or employee, maintaining security must be a united effort.

\*An entry-level analyst needs to educate and empower people to be more security conscious.

**Key impacts of threats, risks and vulnerabilities**

**Ransomware --** is a malicious attack where threat actors encrypt an organization's data then demand payment to restore access. Once ransomware is deployed by an attacker, it can freeze network systems, leave devices unusable, and encrypt or lock confidential data, making devices inaccessible. The threat actor then demands a ransom before providing a decryption key to allow organizations to return to their normal business operations. Think of a decryption key as a password provided to regain access to your data. Note that when ransom negotiations occur or data is leaked by threat actors, these events can occur through the dark web.

**While many people use search engines to navigate to their social media accounts or to shop online, this is only a small part of what the web really is.**

**The web --** is an interlinked network of online content that's made up of three layers: the surface web, the deep web and the dark web.

- The **surface web** is the layer that most people use.
  It contains content that can be accessed using a web browser.
- The **deep web** generally requires authorization to access it. An organization's intranet is an example of the deep web, since it can only be accessed by employees or others who have been granted access.
- The **dark web** can only be accessed by using special software. The dark web generally carries a negative connotation since it is the preferred web layer for criminals because of the secrecy that it provides.

**Three key impacts of threats, risks and vulnerabilities:**

1. **Financial impact --** when an organization's assets are compromised by an attack, such as the use of malware, the financial consequences can be significant for a variety of reasons. These can include interrupted production and services, the cost to correct the issue, and fines if assets are compromised because of non-compliance with laws and regulations.
2. **Identity --** organizations must decide whether to store private customer, employee, and outside vendor data, and for how long. Storing any type of sensitive data presents a risk to the organization. Sensitive data can include personally identifiable information, or PII, which can be sold or leaked through the dark web. That's because the dark web provides a sense of secrecy and threat actors may have the ability to sell data there without facing legal consequences.
3. **Damage to reputation --** a solid customer base supports an organization's mission, vision, and financial goals. An exploited vulnerability can lead customers to seek new business relationships with competitors or create bad press that causes permanent damage to an organization's reputation. The loss of customer data doesn't only affect an organization's reputation and financials, it may also result in legal penalties and fines.

Organizations are strongly encouraged to take proper security measures and follow certain protocols to prevent the significant impact of threats, risks, and vulnerabilities.
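The relationship set out above, in which a risk exists only where a threat and a matching vulnerability are both present and is rated by the value of the affected asset, can be made concrete in a small risk register. The Python block below is an added example, not part of the notes. The assets, threats and vulnerability categories in it are constructed sample data, and the rating rule (a risk inherits the low, medium or high level of the asset it affects) is an assumption drawn from the notes' description of asset levels, not a formal CISSP scoring method.

```python
# Added example, not from the notes: a risk register that applies the rule
# "risk = threat + vulnerability" and rates each risk by asset value level.
# All assets, threats and vulnerabilities below are constructed sample data.
from dataclasses import dataclass

# Asset value levels as the notes describe them.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    level: str  # "low" (public), "medium" (internal), "high" (regulated: PII, SPII, IP)


@dataclass(frozen=True)
class Threat:
    name: str
    exploits: frozenset  # vulnerability categories this threat is able to exploit


@dataclass(frozen=True)
class Vulnerability:
    asset: str      # name of the asset that has the weakness
    category: str   # e.g. "outdated software", "weak passwords", "no backups"


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    level: str      # assumed rule: the risk takes the affected asset's level


def identify_risks(assets, threats, vulnerabilities):
    """A risk is recorded only where a threat can exploit a vulnerability that
    an asset actually has. Highest-value assets come first."""
    by_name = {a.name: a for a in assets}
    risks = []
    for v in vulnerabilities:
        asset = by_name[v.asset]
        for t in threats:
            if v.category in t.exploits:
                risks.append(Risk(asset.name, t.name, v.category, asset.level))
    return sorted(risks, key=lambda r: (-LEVELS[r.level], r.asset, r.threat))


def unmatched(threats, vulnerabilities):
    """Threats with nothing to exploit, and vulnerabilities no listed threat
    exploits: neither is a risk on its own, but both deserve tracking."""
    present = {v.category for v in vulnerabilities}
    exploited = set().union(*(t.exploits for t in threats))
    idle_threats = sorted(t.name for t in threats if not (t.exploits & present))
    idle_vulns = sorted(v.category for v in vulnerabilities if v.category not in exploited)
    return idle_threats, idle_vulns


# Constructed sample register.
SAMPLE_ASSETS = [
    Asset("public website", "low"),
    Asset("quarterly earnings draft", "medium"),
    Asset("patient records", "high"),
]
SAMPLE_THREATS = [
    Threat("ransomware", frozenset({"outdated software", "no backups"})),
    Threat("phishing", frozenset({"untrained staff", "weak passwords"})),
    Threat("physical theft", frozenset({"unlocked office"})),
]
SAMPLE_VULNS = [
    Vulnerability("patient records", "no backups"),
    Vulnerability("patient records", "weak passwords"),
    Vulnerability("public website", "outdated software"),
    Vulnerability("quarterly earnings draft", "untrained staff"),
    Vulnerability("quarterly earnings draft", "unprotected confidential data"),
]


if __name__ == "__main__":
    for r in identify_risks(SAMPLE_ASSETS, SAMPLE_THREATS, SAMPLE_VULNS):
        print(f"{r.level:6}  {r.asset:26}  {r.threat:14}  via {r.vulnerability}")
    print("threats with no matching vulnerability:", unmatched(SAMPLE_THREATS, SAMPLE_VULNS)[0])
    print("vulnerabilities with no listed threat:", unmatched(SAMPLE_THREATS, SAMPLE_VULNS)[1])
```

On the sample data the register lists four risks, the two against the high-value patient records first and the outdated public website last, while "physical theft" (no unlocked office in the register) and "unprotected confidential data" (no listed threat exploits it) produce no risk entry at all, which is the "both must be present" point made in the notes.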
By using all the tools in their toolkit, security teams are better prepared to handle an event such as a ransomware attack.

**NIST's Risk Management Framework**

**The National Institute of Standards and Technology, NIST --** provides many frameworks that are used by security professionals to manage risks, threats, and vulnerabilities. Having a strong foundational understanding of how to mitigate and manage risks can set you apart from other candidates.

There are **SEVEN steps in the Risk Management Framework (RMF):**

1. **Prepare:** refers to activities that are necessary to manage security and privacy risks before a breach occurs. \*This step will be used to monitor for risks and identify controls that can be used to reduce those risks.
2. **Categorize:** used to develop risk management processes and tasks. Security professionals then use those processes and develop tasks by thinking about how the confidentiality, integrity, and availability of systems and information can be impacted by risk. \*Understand how to follow the processes established by your organization to reduce risks to critical assets, such as private customer information.
3. **Select:** means to choose, customize, and capture documentation of the controls that protect an organization. \*Keeping a playbook up-to-date or helping to manage other documentation allows you and your team to address issues more efficiently.
4. **Implement:** implement security and privacy plans for the organization. Having good plans in place is essential for minimizing the impact of ongoing security risks. If you notice a pattern of employees constantly needing password resets, implementing a change to password requirements may help solve the issue.
5. **Assess:** means to determine if established controls are implemented correctly. An organization always wants to operate as efficiently as possible.
   It's essential to take the time to analyze whether the implemented protocols, procedures, and controls that are in place are meeting organizational needs. During this step, analysts identify potential weaknesses and determine whether the organization's tools, procedures, controls, and protocols should be changed to better manage potential risks.
6. **Authorize:** means being accountable for the security and privacy risks that may exist in an organization. \*As an analyst, the authorization step could involve generating reports, developing plans of action, and establishing project milestones that are aligned to your organization's security goals.
7. **Monitor:** means to be aware of how systems are operating. Assessing and maintaining technical operations are tasks that analysts complete daily. Part of maintaining a low level of risk for an organization is knowing how the current systems support the organization's security goals. If the systems in place don't meet those goals, changes may be needed.
**It is important to make sure the procedures are working as intended so that risks to the organization itself, and the people it serves, are minimized.**

**Glossary terms from module 1**

**Terms and definitions from Course 2, Module 1**

- **Assess**: The fifth step of the NIST RMF that means to determine if established controls are implemented correctly
- **Authorize**: The sixth step of the NIST RMF that refers to being accountable for the security and privacy risks that may exist in an organization
- **Business continuity**: An organization's ability to maintain their everyday productivity by establishing risk disaster recovery plans
- **Categorize**: The second step of the NIST RMF that is used to develop risk management processes and tasks
- **External threat**: Anything outside the organization that has the potential to harm organizational assets
- **Implement**: The fourth step of the NIST RMF that means to implement security and privacy plans for an organization
- **Internal threat**: A current or former employee, external vendor, or trusted partner who poses a security risk
- **Monitor**: The seventh step of the NIST RMF that means to be aware of how systems are operating
- **Prepare**: The first step of the NIST RMF related to activities that are necessary to manage security and privacy risks before a breach occurs
- **Ransomware**: A malicious attack where threat actors encrypt an organization's data and demand payment to restore access
- **Risk**: Anything that can impact the confidentiality, integrity, or availability of an asset
- **Risk mitigation**: The process of having the right procedures and rules in place to quickly reduce the impact of a risk like a breach
- **Security posture**: An organization's ability to manage its defense of critical assets and data and react to change
- **Select**: The third step of the NIST RMF that means to choose, customize, and capture documentation of the controls that protect an organization
- **Shared responsibility**: The idea that all individuals within an organization take an active role in lowering risk and maintaining both physical and virtual security
- **Social engineering**: A manipulation technique that exploits human error to gain private information, access, or valuables
- **Vulnerability**: A weakness that can be exploited by a threat