CISSP Reloaded–Domain 3: Telecomms & Network Security

This is the 3rd part of my CISSP Reloaded, where I am revisiting the 10 CISSP domains I studied many years ago to see what has changed and how much of it I have retained, as well as adding my own personal thoughts, experiences and rambles into the mix. Read domain 1, intro and risk management, at http://www.j4vv4d.com/?p=433 and domain 2, access controls, at http://www.j4vv4d.com/?p=438

 

Domain 3: by far the most daunting of domains when I first picked up the book all those years ago. Network security is so important, yet because it’s complex, a lot of companies end up doing it wrong. It’s complex because not as many people ‘properly’ understand the security implications of the network, and also because most companies don’t even know what their network comprises.

When you go through the theory of network security, it’s a bit like travelling on the roads of a developed country whilst being aided by a comforting female voice spoken in perfect English via an onboard GPS. “After 400 yards, turn left”. All the roads are well lit, the road markings are nicely painted on and colour co-ordinated. The speed limit is observed by everybody and people maintain a safe distance from one another.

The first time you’re dropped with an incident in the middle of an organisation, you find that this road network is more like a series of half-beaten trails in some abandoned bush path. If you’re lucky, you’re given a compass and a rusty machete to try and hack your way to your destination.

This really is a big domain, and neither the CISSP material nor I can do it justice by trying to break down the concepts into one domain. Hence why the CISSP is often referred to as being an inch deep and a mile wide in terms of the knowledge it imparts. So if you’re recruiting a network security expert and they have a CISSP, don’t assume the CISSP taught them anything usable. Of course I could say that for most domains, but this is by far the most true for network security.

The CISSP material has a lot of the theory behind how networks operate, talks about the OSI Model, what TCP/IP is, gives examples of different types of networks, network monitoring and of course the be all and end all of all network security – Firewalls <insert sarcastic gasp here>.

Different books and materials will cut this domain in different ways. Personally, I like to divide this into two halves.

1. How the network works

This half has little to do with pure security, but lays the foundations of how a network actually works, along with network types etc.

2. Network devices


FBI Coffee

According to a flier issued by the FBI on how to spot suspicious activity, if you see someone paying for small items like a coffee with cash, it could be a sign that they are up to no good!

Other such activities which could be deemed suspicious are:

- If you try to shield your computer screen from others (yeah, come look at my password).
- Carry more than one mobile phone.
- Use encryption.
- Use VOIP or in-game chatting.

Oh the joy! The full flier can be found here: http://info.publicintelligence.net/FBI-SuspiciousActivity/Internet_Cafe.pdf


IS Controls

To manage risks better, you often have to recommend or examine controls. Controls can be broken down into three types: Protective, Detective and Recovery.


Going Creative Commons

I get a lot of feedback on my videos. One of the most common questions I get asked is whether someone can use a particular video of mine in a presentation they are doing internally at work or at a conference etc.

It’s become a familiar process: I get an email from someone who starts with the usual foreplay of, “love your videos and your good looks… <filler> … btw do you mind if I use / reference your video in my presentation.”

More often than not, I double check to make sure they’re not using it for commercial purposes and that they won’t claim to have made it themselves, and then say yes.

So, in the spirit of sharing, caring and loving the community, I’ve decided to publish all my videos under the Creative Commons license.

What this means is:

- You are free to copy, share and distribute my videos

Providing:

- Attribution — You must attribute the work to me
- Noncommercial — You may not use the videos for commercial purposes.
- Share Alike – If you alter, transform or build upon this work, you may only redistribute under a Creative Commons license so others may do the same.

Waiver

Get in touch if you want to use videos for purposes other than the ones described above.

 

Hopefully you’ll find this useful. If nothing else, those of you who’ve been using videos without permission up till now can sleep with a clear conscience tonight.

I really should put this on a separate legal page somewhere. I’ll get around to it sometime soon I’m sure.

More info on the Creative Commons licence can be found at: http://creativecommons.org/licenses/by-nc-sa/3.0/


Auditor IV

Coming soon…


Choosing IT Security Products

Whilst I am battling the dreaded man-flu, Girl-Cynic took it upon herself to bring to you today’s video about IT security products.

A bit like snow, we sometimes look at them from the warmth of our homes admiring the beauty of it all. Only to realise that it isn’t very practical in day to day life. Unless of course you commute on a sleigh pulled by dogs.


CISSP Reloaded Domain 2–Access Controls

This is my second post on my CISSP Reloaded, where I am revisiting the 10 CISSP domains I studied many years ago to see what has changed and how much of it I have retained, as well as adding my own personal thoughts and experiences into the mix. Read the introduction and first domain at http://www.j4vv4d.com/?p=433

 

Controls

When you tell someone that they have a risk, they’ll either ignore you, thinking you’re a doomsday naysayer (log it in their risk register and accept the finding); thank you for bringing it to their attention and say their team will fix it straight away; or get that wide-eyed, crazy, fearful look, grab you by the shoulders and shake you, demanding to know what they should do before they all die.

This is where you need to be prepared with an answer, which usually comes in the form of recommending controls. The types of controls you recommend can be broken down into three broad categories: protective, detective and recovery controls.

Protective Controls

As the name says, protective controls protect against threats. These are defensive measures. Although Dennis Rodman and Van Damme quoted in Double Team that the best defence is a strong offense, it’s usually illegal to go after bad guys before they’ve attacked you, so you need the next best thing, which is a strong set of defensive measures to protect you.

It’s like those reporters you see providing coverage from a warzone. The poor buggers aren’t given a gun, but they’re given a nice PRESS labelled flak jacket and a bunch of soldiers trying to keep them safe long enough to deliver the important news that the army has achieved their key objective of blowing the shit out of a desert.

The Great Wall of China was built as a protective control. If you can keep the enemy outside and not let them come in, then you have created a safe haven within. The control needs to be strong enough to protect against the attackers. The Great Wall of China was a humongous structure which they obviously put a lot of effort into building, because it was deemed sufficient to stop attackers on foot and horseback. However, over time, with the advent of air transport and explosives, it’s pretty much useless beyond being a tourist attraction.

Like the story of the three little pigs. One made their house out of straw and the other of sticks, and both of them were easily blown down by their attacker, the wolf. Only the pig who built his house out of bricks was safe. But he will only be safe until the wolf finds himself a tank, or an RPG, or a bulldozer.

Just because someone says that their product or service will act as a protective control, it doesn’t mean that it will be effective. You need to understand who’s trying to get access and choose the control that will really protect you. Or rather, I should say, the control should protect you long enough for you to do something about it. Otherwise you might find yourself as the person holding a knife in a gunfight.

Detective Controls

Many will argue the case that Sean Connery was the best Bond ever. Personally I grew up more with Roger Moore, so have fond memories of him in his white Safari suit delivering karate chops to render bad guys unconscious.

In one Bond film, Connery leaves his apartment, but not before placing a few strands of hair at the cupboard joint and a layer of powder on his suitcase. Upon his return the hair strands have been broken and there are fingerprints embedded in the powder on the suitcase. This is a crude, but probably the manliest, set of detective controls ever used by a hero.

Having good detective controls is probably even more important than having protective controls. One cannot overstate the importance of having the ability to detect when something has gone wrong or when someone is in the process of attacking you.

A lot of food packaging has detective controls designed to ensure that the end product you receive is exactly what left the factory. So jars have lids that ‘depress’ once they have been opened. Or bottles have a plastic ring that splits on first use.

Tamper evident envelopes are used to send sensitive information such as PIN numbers for credit or debit cards.

Having detective controls means that you don’t have to be Sherlock Holmes to discover if an attack is being undertaken or someone has been rummaging through your digital drawers.
