A Little about the Certified Information Systems Security Professional (CISSP) Certification – Part 1

July 21, 2020


By Kevin Prater, Kovarus, Practice Manager Collaboration / Security

If you’ve spent any amount of time in the network security space you’ve no doubt heard of the Certified Information Systems Security Professional (CISSP) certification. The CISSP is both well respected in the industry and, better yet, worth your time as the concepts learned will prove very valuable if your goal is a long-term security career.

I held this certification a number of years ago but, like many of us, got busy with life and let it lapse, only to find myself many years later thinking I wanted to pursue it again. So, I thought I’d embark on a little series of blog articles highlighting some of the key topics that I learn and re-learn over the next few months as I chase this down. Hopefully you’ll find something of value here.

CISSP

The CISSP certification encompasses a lot and is broken down into 8 broad categories that (ISC)², the body that administers the certification, refers to as security domains. These are:

  1. Security and risk management
  2. Asset security
  3. Security architecture and engineering
  4. Communication and network security
  5. Identity and access management (IAM)
  6. Security assessment and testing
  7. Security operations
  8. Software development security

For the first article we’ll jump right into the first and broadest domain, security and risk management. This domain covers a lot of ground and will probably span at least a couple of blog posts. It includes foundational topics like confidentiality, integrity and availability, security governance principles and compliance requirements, threat modeling methodologies and risk management, just to name a few. Let’s get started.

Foundations — CIA Triad

Like building any good structure, we’ve got to start with a solid foundation, and your security environment is no different. The three most important concepts in security revolve around confidentiality, integrity and availability, known in the CISSP world as the CIA triad. A truly comprehensive security strategy addresses each of these principles, because they support and rely on each other; together they provide that solid foundation.

With confidentiality, we’re concerned with ensuring that whatever we’re trying to protect, whether it be data, objects or user resources, is kept secret and that unauthorized disclosure is prevented. We need to provide these protections while data is in transit and while it is at rest, and we can do this in a number of ways, including encryption, access controls, authentication procedures, data classification and user training.

It seems like a no-brainer that confidentiality would be front and center when it comes to network security, but a number of things work against you and can easily compromise those efforts. Stolen or weak passwords, traffic sniffing, social engineering, shoulder surfing and eavesdropping would all be considered directed attacks, but we also need to be concerned with the less obvious: human error, ignorance and oversight. Even mundane activities can compromise confidentiality: running malware, misrouted faxes, documents left on printers, or walking away from a PC and leaving it unlocked. These are all things we need to be concerned with when it comes to confidentiality.

Our next leg of the CIA triad is integrity. With integrity we’re ensuring that the data or asset is what it’s supposed to be and is what we think it is. If we’re maintaining integrity, we’re ensuring the data has not been changed in any unauthorized manner. Integrity overlaps with confidentiality in practice, so we see many of the same measures used to support it: access controls, authentication procedures, intrusion detection systems and, again, user training. But the controls that actually detect unauthorized change are different: cryptographic hashes, message authentication codes and digital signatures. Encryption by itself protects confidentiality and does not guarantee integrity; an attacker who can’t read a message may still be able to alter it. The intent is to ensure data accuracy, authenticity and non-repudiation, meaning the inability to deny having performed an action.

Things working against integrity include viruses and other malicious code, coding errors, back doors in systems, unauthorized access, and of course our favorite: human error, ignorance and oversight.
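The confidentiality and integrity discussions above are easier to see in working code. The following is an added example, not part of the original article: a deliberately simple stream cipher (SHA-256 in counter mode, XORed with the plaintext) provides confidentiality only, and an attacker who knows the message format can flip bits in the ciphertext to change the decrypted amount without ever learning the key. Adding an HMAC over the ciphertext (encrypt-then-MAC, with a separate key) is the integrity control that catches the change. The transaction message, keys and the toy cipher are constructed for this demonstration; production systems should use an authenticated cipher such as AES-GCM rather than rolling their own.

```python
"""
Confidentiality vs. integrity (constructed example, not from the original post).

The toy cipher below is illustrative only. It shows why encryption alone is not
an integrity control and why a MAC (here HMAC-SHA256) is needed as well.
"""
import hashlib
import hmac
import secrets


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter) blocks concatenated.
    Not a real cipher; it exists only to make the malleability visible."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse). Confidentiality only."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def mac(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """HMAC-SHA256 over nonce and ciphertext: the integrity control."""
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


def verify_then_decrypt(enc_key: bytes, mac_key: bytes, nonce: bytes,
                        ciphertext: bytes, tag: bytes):
    """Return the plaintext, or None if the tag does not verify.
    compare_digest is constant-time, so tag comparison does not leak timing."""
    if not hmac.compare_digest(mac(mac_key, nonce, ciphertext), tag):
        return None
    return xor_encrypt(enc_key, nonce, ciphertext)


def bitflip(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Attacker's move: knowing plaintext `known` sits at `offset`, XOR in the
    difference so it decrypts to `wanted`. Requires no key material at all."""
    assert len(known) == len(wanted)
    out = bytearray(ciphertext)
    for i, (k, w) in enumerate(zip(known, wanted)):
        out[offset + i] ^= k ^ w
    return bytes(out)


def demo() -> dict:
    """Run the scenario and return the observable results for inspection."""
    enc_key = secrets.token_bytes(32)
    mac_key = secrets.token_bytes(32)   # separate key for a separate purpose
    nonce = secrets.token_bytes(16)
    message = b"PAY 0100 USD TO ALICE"  # constructed sample transaction

    ciphertext = xor_encrypt(enc_key, nonce, message)
    tag = mac(mac_key, nonce, ciphertext)

    # Attacker knows the layout ("PAY <amount>") and rewrites the amount field.
    tampered = bitflip(ciphertext, offset=4, known=b"0100", wanted=b"9100")

    return {
        # Confidentiality held: the ciphertext is not the plaintext.
        "ciphertext_hides_plaintext": ciphertext != message,
        # Without a MAC, integrity is silently lost: the forged amount decrypts cleanly.
        "decrypt_without_mac": xor_encrypt(enc_key, nonce, tampered),
        # With a MAC, the genuine message verifies and the forgery is rejected.
        "accepted_original": verify_then_decrypt(enc_key, mac_key, nonce, ciphertext, tag),
        "accepted_tampered": verify_then_decrypt(enc_key, mac_key, nonce, tampered, tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Running it shows the tampered ciphertext decrypting to `PAY 9100 USD TO ALICE` when no MAC is checked, while `verify_then_decrypt` returns `None` for the same tampered bytes. The separate MAC key and the constant-time `compare_digest` are the two details practitioners most often get wrong when assembling this by hand.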

The last concept we’ll cover in the triad is availability. This simply means that the data or resource is, well, available: it can be accessed in an uninterrupted fashion by authorized users, services or systems and is not subject to some sort of denial-of-service attack. The techniques we use to ensure availability start with proper network design, building resiliency and redundancy into the architecture for critical systems and network transport, and making sure access controls and segmentation are effectively put in place using firewalls, routers and the like to limit the impact of DoS attacks. We also want proper visibility into network traffic and performance monitoring, as well as proper (and regular) maintenance, backups and testing of those backups.

Like confidentiality and integrity, there are a number of things that can inhibit availability, including hardware oversubscription, poor software design or architecture, mislabeling or incorrectly classifying objects and, again, human error, misconfiguration and oversight.

You’re probably noticing a common thread here that’s prevalent in all three of the legs of the triad and that’s human error and oversight. That’s a tough nut to crack but something you should definitely be aware of when designing your own security environments. At Kovarus, we help clients solve challenges like these every day. Using methodologies and tools like automation through configuration management and orchestration, we’re able to help eliminate many of these issues. If you’d like to chat more I’d love to connect. Reach out to me at kprater@kovarus.com.


Looking to learn more about modernizing and automating IT? We created the Kovarus Proven Solutions Center (KPSC) to let you see what’s possible and learn how we can help you succeed. To learn more about the KPSC go to the KPSC page.

Also, follow Kovarus on LinkedIn for technology updates from our experts along with updates on Kovarus news and events.