30 A Practical Guide to Security Assessments
On the whole, security certifications have been positive for the profession and
have contributed to defining the information security “body of knowledge.” The
bodies that administer the certifications will have to continue keeping up with
changes in the industry in order for the certifications to remain relevant.
As stated earlier, there has been a proliferation of security certifications. We
will discuss some of the more popular and sought-after security certifications.
These certifications can be divided into two broad categories:
•Vendor-neutral certifications
•Vendor-specific certifications
VENDOR-NEUTRAL CERTIFICATIONS
The vendor-neutral certifications are independent certifications that can include
testing on high-level broad-based security knowledge as well as knowledge of
technical security processes. The maintenance of these certifications can usually be
satisfied by taking a certain number of continuing professional education (CPE)
credits. Four popular vendor-neutral certifications are currently sought after:
CISSP — Certified Information Systems Security Professional
CISA — Certified Information Systems Auditor
SANS (GIAC) — Global Information Assurance Certification
CISM — Certified Information Security Manager
Certified Information Systems Security Professional (CISSP)
The CISSP is administered by (ISC)2 and is considered the premier information
security certification. The CISSP certification signifies a minimum level of expertise
in a variety of areas of information security, ranging from technical security to
operational and management aspects of security. The certification exam tests
candidates on the ten domains of knowledge that (ISC)2 refers to as the CBK or
Common Body of Knowledge (the information below on the CBK is based on (ISC)2
guidance on its Web site).15 The exam comprehensively tests information security and
is ideal for people who have worked in operational and management roles in security.
The exam content is mostly nontechnical and deals with security organization and
process issues such as change management, organizational practices, law, and
business continuity/disaster recovery. The ten domains of the CBK are discussed
briefly below:
Security Management Practices — The security management practices
domain focuses on the overall information security program. The focus
is on what the best information security program for a given environment
is and how to keep it up to date. The key items in this domain include:
Identification of critical information and assets
Security policies and standards
Risk assessment
AU1706_book.fm Page 30 Tuesday, August 17, 2004 11:02 AM
Evolution of Information Security 31
Security Architecture and Models — This domain of knowledge covers
security architecture concepts from the network infrastructure to the
application level. The overall security architecture, how it ensures the
confidentiality, integrity, and availability of the information, and some of the
standards and methods used to achieve it are discussed. Some of the key
items in this domain include:
Security architecture and associated technical controls
Security issues related to system designs
Security standards
Access Control Systems and Methodology — This domain covers principles
relating to access control and the “least privilege” principle, where
a person’s access is limited to what that individual needs to perform his
or her job. This domain requires knowledge of access control and what
is appropriate based on the different factors in a given environment. Some of
the key items in this domain include:
Access control methodology, administration, and techniques
Value of information
File and data ownership
Application Development Security — This domain covers security at the
application level. It covers the application development process and how
security and controls should be considered early and built into
applications. It covers the risks associated with the development environment
and why the process of moving code to production needs to be properly
controlled. Some of the key items in this domain include:
Application controls
Systems development controls
Change management
Operations Security — Operations security consists of the internal control
structure of the IT infrastructure, access controls related to these resources,
and monitoring. Some of the key items in this domain include:
Computer operations
Administration and operational controls
Physical Security — Before electronic security became a significant
concern, physical security was the main component of security. As a result,
it is perhaps the most developed area of security. Today, physical security is
still a critical part of the overall information security program, partly
evidenced by it being one of the ten domains of the CBK. This domain covers
all aspects of physical security including perimeter security, inside security,
environmental controls, and other physical security–related concepts.
Cryptography — The cryptography domain covers basic concepts of
cryptography and how they are used to ensure the confidentiality and integrity
of information. This domain covers the use of public and private key
algorithms, digital signatures, key distribution and management, and other
cryptography-related concepts.
Telecommunications, Network, and Internet Security — This domain is
probably the most technical of the ten domains. It requires an understanding
of security concepts related to telecommunications and network security
including firewalls, routers, and protocols such as Transmission Control
Protocol/Internet Protocol (TCP/IP). Different types of networks such as
local area and wide area networks along with the seven-layer Open Systems
Interconnection (OSI) model and related security concepts are also
discussed in this domain. On the telecommunications side, security concepts
related to Private Branch Exchange (PBX) and Integrated Services Digital
Network (ISDN) are discussed.
Business Continuity Planning — Business continuity planning and disaster
recovery are discussed at a high level. The overall methodology for
developing and maintaining a business continuity plan is covered, including
identifying mission-critical processes, contingency planning strategies,
offsite storage, and plan testing and maintenance.
Law, Investigations, and Ethics — This domain covers the (ISC)2 code
of ethics and the expectations for a CISSP holder from a legal and ethical
perspective. The other two key areas of this domain are investigations and
relevant laws in the information security arena.
In addition to passing the exam testing the topics listed above, a candidate for
the CISSP must also comply with an experience requirement and agree to follow
the (ISC)2 code of ethics. As is evident from the contents of the CBK above, the
certification is for the information security generalist with experience in the
information security profession. The exam tests everything from technical network
security to security management practices. The CISSP certification is one of the most
sought-after certifications in the information security profession and indicates a
proficiency in a broad set of concepts related to information security.
Certified Information Systems Auditor (CISA)
The CISA certification is very similar to the CISSP but with more of an emphasis
on auditing. The CISA has seven domains, which are very similar to those of the
CISSP and include:
Management, Planning, and Organization of IS
Technical Infrastructure and Operational Practices
Protection of Information Assets
Disaster Recovery and Business Continuity
Business Application System Development, Acquisition, Implementation,
and Maintenance
Business Process Evaluation and Risk Management
The IS Audit Process
Although the CISSP exam content is related more to the operations side of
security — i.e., security management practices, physical security, and the methods
used to secure information (e.g., cryptography, network security) — the CISA exam
content deals more with how to ensure that these practices are functioning as they
should based on a specific company’s business requirements. Each of the domains of
the CISA exam emphasizes auditing the processes and ensuring that appropriate controls
are in place and that the process is in compliance with the company’s own standards.
SANS GIAC (Global Information Assurance Certification)
The GIAC certifications are administered by SANS (SysAdmin, Audit, Network,
Security), which is one of the premier information security organizations in the
world. SANS offers training in a number of security “tracks,” and its courses are
considered among the best offered. The different tracks include areas of information
security such as intrusion detection, firewalls and perimeter protection, auditing, and
others. Students can attend the classes for a specific track and then seek the GIAC
certification. For most tracks, a corresponding certification exam exists. SANS offers
a fairly wide range of choices, resulting in a variety of students with expertise ranging
from nontechnical management to technical system administrators. Individuals with
a GIAC certification have gone through a rigorous process including submission of
a practical and passing an exam. An individual with one of the GIAC certifications
typically has hands-on real world experience. The individual tracks (as posted on
the GIAC Web site) are:
GIAC Security Essentials Certification (GSEC)
GIAC Certified Firewall Analyst (GCFW)
GIAC Certified Security Leadership (GSLC)
GIAC Certified Intrusion Analyst (GCIA)
GIAC Certified Incident Handler (GCIH)
GIAC Certified Windows Security Administrator (GCWN)
GIAC Certified UNIX Security Administrator (GCUX)
GIAC Information Security Officer (GISO)
GIAC Systems and Network Auditor (GSNA)
GIAC Certified Forensic Analyst (GCFA)
GIAC IT Security Audit Essentials (GSAE)
The contents of the individual tracks are self-explanatory, and further information
is available on the GIAC Web site.
CISM (Certified Information Security Manager)
The CISM is a relatively new certification that was developed by ISACA (which
also administers the CISA examination). The CISM, unlike the CISA, is geared
towards security management personnel who are involved in security operations.
The focus is on the business side of security rather than the technical side. Based
on the Information Systems Audit and Control Association’s (ISACA) own description,
the CISM is designed to assure employers that those who have the CISM
designation have the ability to manage a security function as well as provide
consulting services pertaining to security.
The CISM exam is based on content from the following practice areas (this
information is from the CISM brochure on the ISACA Web site — www.isaca.org):
Information security governance — Assurance that alignment exists
between the business and the specific information security strategies
Risk management — Managing information security risks as part of managing the
business
Information security program management — Design and development
of an information security program that aligns information security
measures to the security risks that the business is facing
Information security management — Oversight of information security
activities
Response management — Essentially, incident management — the ability to
react in the event of a security incident
As the exam is relatively new, there was an opportunity for people with the right
experience to be grandfathered into the certification. This ended in January 2004. To
obtain the CISM, you must pass the CISM exam, have at least five years of work
experience in information security (three years of which must be in information
security management), and adhere to a Code of Ethics.
VENDOR-SPECIFIC CERTIFICATIONS
Many of the security vendors offer a certification to show a level of expertise in the
particular technology. An example is the vendors in the firewall and intrusion
detection space, who have certification programs for security professionals. The vendor
certifications do not typically have an experience requirement as the vendor-neutral
certifications do, and they are usually obtained by simply taking an exam or multiple
exams. Unlike with the vendor-neutral certifications, security professionals must
take exams periodically to ensure they remain up to date with the changes in the
technology. Certain vendor certifications are very marketable, but others are
considered “paper certifications” because they can be obtained by studying from a book
and involve little hands-on experience. Nevertheless, product certifications show a
minimum level of proficiency with a given product and are adding to the security
body of knowledge.
TRENDS IN INFORMATION SECURITY
As the business environment and the technologies that support it change, changes
in information security also occur. It is worth noting some of the trends the
information security industry is facing today. As we do security assessments, we have
an opportunity to see what security issues companies are facing today and how these
companies will be affected from a security perspective as the threats change and
evolve. Security professionals should always consider trends as they review business
processes, supporting technologies, security architecture, and other aspects reviewed
in a security assessment. The task of staying up to date with information security
trends and determining how they affect an organization can be daunting.
When performing a security assessment, being up to date on what is happening
in the information security world helps in providing good recommendations to