Welcome back to the Hacking into Cybersecurity series. In our previous posts, we’ve focused more on helping you land a cybersecurity position. Here, we’re going to talk about one of the major topics we previously mentioned in passing: the domains of cybersecurity. Something we see happen in most organizations is that the domains are split into different departments under the security umbrella. This is fine for the most part, but it leads to some confusion when creating our defense in depth strategy. Bear in mind that many organizations break the domains down differently, and I’ve combined a couple of the domains below, so your mileage may vary depending on the organization overall.
Defense in Depth
Let’s start by defining defense in depth. To understand defense in depth, picture a castle from medieval times. Think of all the security measures they put in place. First, you had the moat and only a single retractable bridge across it. If you somehow made it across the moat, you had to deal with the wall. So, you made it across the moat and scaled the wall? Now the castle is at the top of the hill, you’re wearing 100 pounds of armor and weaponry, walking uphill, sometimes several miles. Some castles even had interior walls that forced you to take a certain, often very narrow, path. But you have to do all of that while archers are shooting at you, they’re rolling huge boulders down the hill at you, they’ve probably dumped something on the ground to make it slick, the list goes on and on and on. And then, when you finally breach the castle, you have to climb a whole host of stairs, usually fighting (fully rested) enemy soldiers as you go. For this reason, many would-be attackers decided castles were not worth attacking at all.
Modern-day defense in depth strategies revolve around this same concept of making an attacker go through multiple layers of defense, with one key difference: we’re applying it to our computer systems. Think about all the controls we have in place on our networks today: firewalls, authentication systems, intrusion detection and prevention systems (network- and host-based), router and switch security, operating system security, data encryption, and the list goes on. Two caveats are worth keeping in mind. First, the layers only count if they fail independently: if the firewall, the jump host, and the database all trust the same administrator credential, one stolen password walks straight through all three. Second, no system is unbreachable, so the goal of a defense in depth strategy is to put enough obstacles in the path that the attack is no longer worth the effort, and to have each layer generate a detection opportunity, so an attacker who gets past one is noticed before reaching the last.
But with all those controls, how can we jam all the knowledge needed into just one single job? Oftentimes, we don’t. We keep them separated into multiple domains of cybersecurity:
Domain 1: Security Management
The first domain I’d like to discuss has more to do with people and processes than it does with computers. Security management is one of the most overlooked domains, which I think is a shame because almost nothing we do in the other domains means anything without it. Security management is made up of several tasks:
- Risk assessment, the process we use to identify risks to the organization and systematically identify methods to treat those risks, usually relying on input from experts in the domains below
- Overseeing the processes for other security functions to ensure those align with business/operations processes
- Change management processes and procedures, so that changes to systems are reviewed for their security impact before they go live
- User security awareness training
Domain 2: Identity and Access Management
Usually referred to as IAM, this domain entails all the systems, processes, and procedures an organization uses to assign identities, handle authentication, and manage access control. Identification is assigning each user and system its own unique name or ID. Authentication is the process by which a principal proves that it actually is the identity it claims to be. In practice, identification is usually a username and authentication a password, ideally combined with a second factor such as a hardware token or authenticator app, since a password alone is a single layer that phishing or a credential dump can remove.
Access management (authorization) is generally achieved using the principle of least privilege, meaning we assign each individual only the rights or privileges necessary to carry out their job duties, and deny everything else by default. Privileges also tend to accumulate as people change roles, so least privilege only holds if access is reviewed periodically and removed when it is no longer needed. To make this workable, the individuals responsible for IAM should be included in any conversation that changes what access a resource requires.
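The three pieces of this domain are easier to see side by side in code. The following is an added example, not code from the original post: a small in-memory directory in Go that assigns unique identities, authenticates them with a high-entropy API token (only the token's hash is stored and compared in constant time), and authorizes actions with a deny-by-default role policy. The role names, permission strings, and the directory itself are constructed for the example; a real deployment would use an identity provider and would hash user-chosen passwords with a slow hash such as bcrypt or Argon2 rather than plain SHA-256.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Principal is one identity in the directory (a user or a service account).
type Principal struct {
	ID        string   // identification: unique, never reused
	TokenHash string   // authentication: hex SHA-256 of the issued API token
	Roles     []string // authorization: roles map to an explicit permission list
}

// rolePermissions is a constructed least-privilege policy for this example.
// A role lists exactly the actions its job needs; everything else is denied.
var rolePermissions = map[string]map[string]bool{
	"db-backup-operator": {"backup:create": true, "backup:read": true},
	"helpdesk":           {"user:reset-password": true},
}

// directory is the in-memory identity store (constructed for the example).
var directory = map[string]*Principal{}

func hashToken(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// Enroll creates a new identity, issues it a 256-bit random API token, and
// stores only the token's hash. Because the token is high-entropy, a plain
// SHA-256 is enough here; a user-chosen password would instead need a slow
// hash such as bcrypt or Argon2. The plaintext token is returned exactly once.
func Enroll(id string, roles ...string) (string, error) {
	if _, exists := directory[id]; exists {
		return "", fmt.Errorf("identity %q already exists", id)
	}
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := hex.EncodeToString(raw)
	directory[id] = &Principal{ID: id, TokenHash: hashToken(token), Roles: roles}
	return token, nil
}

// Authenticate proves the claimed identity: the presented token must hash to
// the stored value. The comparison is constant-time so response timing does
// not leak how many bytes matched.
func Authenticate(id, token string) (*Principal, bool) {
	p, ok := directory[id]
	if !ok {
		return nil, false
	}
	if subtle.ConstantTimeCompare([]byte(p.TokenHash), []byte(hashToken(token))) != 1 {
		return nil, false
	}
	return p, true
}

// Authorize allows an action only if one of the principal's roles lists it
// explicitly. A nil (unauthenticated) principal, unknown roles, and unlisted
// actions all fall through to deny.
func Authorize(p *Principal, action string) bool {
	if p == nil {
		return false
	}
	for _, role := range p.Roles {
		if rolePermissions[role][action] {
			return true
		}
	}
	return false
}

func main() {
	token, err := Enroll("svc-backup", "db-backup-operator")
	if err != nil {
		panic(err)
	}
	p, ok := Authenticate("svc-backup", token)
	fmt.Println("authenticated:", ok)
	fmt.Println("backup:create allowed:", Authorize(p, "backup:create"))
	fmt.Println("user:reset-password allowed:", Authorize(p, "user:reset-password"))
}
```

Note the shape of Authorize: there is no "else allow" branch anywhere. The only way to get a true is for a role to name the action explicitly, which is what least privilege looks like in code, and it means adding a new action to the system grants nobody access until someone deliberately adds it to a role.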
Domain 3: Security Engineering
Security engineering usually refers to two key subdomains: network security and computer operations security. This domain is where your technical expertise is put to use in securing both the network and hosts from attacks. It’s in this domain that we lump the following:
- Router/switch security
- Intrusion detection and prevention systems (IDS/IPS)
- Host-based security tools, such as antivirus and endpoint data loss prevention (DLP) tools
- Email filtering
- Vulnerability scanning
Domain 4: Business Continuity
This domain of cybersecurity focuses on restoring business operations after a catastrophic event, such as a natural disaster. This includes disaster recovery and business continuity plans and procedures. Of course, we should also make sure we’re periodically reviewing these plans as well as testing them.
The business continuity domain revolves around understanding which functions of the organization are vital to its survival. Once we’ve identified those critical functions and the systems behind them, we should put procedures in place to ensure they are operable again as soon as possible, with as little data loss as possible, after a catastrophic failure. Those two targets are usually written down per system as a recovery time objective (RTO) and a recovery point objective (RPO), and they dictate how the backups and failover for that system have to be built. A plan that has never been exercised is only a hypothesis, which is why the periodic testing mentioned above matters.
Domain 5: Compliance
As you can probably imagine, the compliance domain centers on making sure the organization has the appropriate security controls in place to meet the legislation and regulations applicable to it. This domain usually includes understanding those regulations well enough to implement the appropriate security controls, and then regularly auditing those controls. Whether those audits are performed in-house or outsourced to a third-party audit agency is usually outlined in the regulations themselves, but regardless of who performs the audit, it is part of the compliance domain. It’s important that the compliance domain has a hand in driving the security management domain we discussed above; at the same time, meeting a regulation is a floor, not a ceiling, because regulations lag well behind the threats the other domains deal with.
Domain 6: Cryptography
The cryptography domain is one a lot of security personnel seem to struggle with, but it is probably one of the most over-analyzed domains. There’s a lot of theory that goes into cryptography, but in real-life application you almost never implement the math yourself: the job is to choose a vetted primitive from a well-reviewed library and to get the surrounding details right, which is where most real-world failures happen (reusing a nonce, hard-coding or mishandling keys, encrypting without an integrity check, or inventing a home-grown algorithm). Cryptography is used to protect the confidentiality, integrity, authenticity, and non-repudiation of the information it is applied to.
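To make those four properties concrete, here is an added example in Go (not code from the original post) that uses only the standard library: AES-256-GCM gives confidentiality and integrity in a single call, and an Ed25519 signature gives authenticity and non-repudiation. The key, the sample record, and the associated-data string are constructed for the example; in production the AES key would come from a KMS or HSM rather than being generated in the program.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit AES key from the OS CSPRNG. In a real
// system the key comes from a KMS or HSM and is never hard-coded.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// Seal gives confidentiality and integrity in one step with AES-256-GCM.
// Output layout: nonce || ciphertext || 16-byte tag. aad is authenticated
// but not encrypted, which binds the ciphertext to its context (here a
// record ID) so it cannot be swapped into a different record.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A nonce must never repeat under the same key; a random 96-bit nonce is
	// the usual choice when message counts stay far below 2^32.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. It returns an error, not garbage, if any bit of the
// nonce, ciphertext, tag, or aad was changed: that is the integrity check.
func Open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// SignMessage provides authenticity and non-repudiation with Ed25519: only
// the holder of priv can produce the signature, and anyone with the public
// key can verify it, so the signer cannot later deny the message. (A MAC is
// checkable only by someone who also holds the shared key, so it gives
// authenticity but not non-repudiation.)
func SignMessage(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

// VerifyMessage checks sig over msg against pub.
func VerifyMessage(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	aad := []byte("record-id=42") // constructed context
	sealed, err := Seal(key, []byte("constructed sample record"), aad)
	if err != nil {
		panic(err)
	}
	pt, err := Open(key, sealed, aad)
	fmt.Printf("decrypted: %q err=%v\n", pt, err)
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the tag
	_, err = Open(key, tampered, aad)
	fmt.Println("tampered open error:", err)
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sig := SignMessage(priv, []byte("approve transfer 100"))
	fmt.Println("valid signature:", VerifyMessage(pub, []byte("approve transfer 100"), sig))
	fmt.Println("altered message:", VerifyMessage(pub, []byte("approve transfer 1000"), sig))
}
```

The point to notice is how little of this is "cryptography": the library does the math, and the practitioner's decisions are the ones in the comments. Use an AEAD rather than bare encryption so integrity comes for free, never reuse a nonce under a key, bind ciphertext to its context through the associated data, and reach for a signature rather than a MAC when a third party must be able to prove who said what.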
Domain 7: Physical Security
A commonly overlooked domain, physical security refers to all the controls that should be applied to the physical hardware within our purview:
- Do we have fencing around our facility that forces individuals to enter and exit at the appropriately controlled point?
- Do we have security guards posted at every entrance to our organization?
- Are we securing the data center to only allow physical access to our servers to the authorized individuals?
- Do we have the proper HVAC system in place?
Domain 8: Software Development Security
Software development security covers a handful of concerns regarding internally developed applications or systems:
- Providing proper secure coding training for developers
- Performing code analysis on new code (whether it be new applications or updates to existing apps)
- Overseeing development processes and procedures
- Understanding updated application feature requirements and their implications on the security of the application
Domain 9: Security Operations
The Security Operations domain is where we monitor all of the tools we discussed in the Security Engineering domain. Most SOC (Security Operations Center) positions are going to operate in this domain, as the name implies, but they need to have a good understanding of most of the other domains to be able to perform their job functions well. Some of the duties include:
- Threat hunting
- Incident response
- Threat intelligence
I hope that helps clear up the different domains you may work with if you choose to enter cybersecurity. Bear in mind that in many organizations, cybersecurity professionals will work across multiple domains, but most will have one domain they focus on more than others.