Copyright Goodheart-Willcox Co., Inc. 36 Principles of Cybersecurity

areas of a business or organization into information technology security domains. The commonly referenced IT domains are:

- users
- workstation
- LAN
- WAN
- remote access
- system

With the exception of the user domain, these domains are based primarily on network infrastructure.

When considering security domains, you must identify the attack surface. The attack surface is all of the locations and methods through which an attacker could reach a system and therefore constitute a security risk. These are the areas you need to recognize in order to develop prevention and detection strategies.

As part of the planning, create multiple levels of protection. Having multiple, independent levels of protection is known as defense in depth. Consider an analogy from medieval times: the defense of castles, as shown in Figure 2-3. Castles were often placed on hills so defenders could scan below them for attacking forces. Trees were cleared to provide clear lines of sight around the castles. Moats were added for additional protection. Turrets provided cover for defenders who could attack incoming forces. Access to the castle was limited to entrances protected with iron gates. Each of these defensive measures is unique and separate from the others, so an attacker who defeats one still faces the rest. To liken this to a business, defense in depth might include security guards to access the building. Then, employees might have to use a code to access a door

Figure 2-2. This user has been granted permission to read the files in the Payroll folder. However, the user cannot write (save) to the folder. This means he or she cannot make changes to the data in the folder. (Figure labels: User; Does not have permission to change data in the folder; Folder. Image: Goodheart-Willcox Publisher)

Figure 2-3. Medieval castles practiced the concept of defense in depth. Multiple layers of security must be overcome to breach the castle. (Figure labels: Gate; Towers and turrets; Drawbridge; Moat. Image: Alexzel/Shutterstock.com)
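The read-only permission shown in Figure 2-2 can be set and verified from the command line. The following is an added example, not from the textbook; it assumes a Windows host with an NTFS folder C:\Payroll and a local user account jdoe, both of which are hypothetical names chosen for illustration.

```powershell
# Added example (not from the textbook): grant a user read-only access to the
# Payroll folder, as in Figure 2-2, and confirm that writing to it is denied.
# Assumptions (hypothetical): Windows with NTFS, folder C:\Payroll exists,
# local user "jdoe" exists. Run the icacls steps from an elevated prompt.

$Folder = 'C:\Payroll'
$User   = 'jdoe'

# Stop inheriting permissions from the parent folder so that only the entries
# set here apply. /inheritance:r removes inherited entries; explicit ones stay.
icacls $Folder /inheritance:r

# Grant read and execute only (list folder, read data and attributes).
# (OI)(CI) make the entry apply to files and subfolders created inside.
icacls $Folder /grant "${User}:(OI)(CI)RX"

# Administrators keep full control so the folder remains manageable.
icacls $Folder /grant 'Administrators:(OI)(CI)F'

# Check 1: list the resulting entries. The jdoe line should show RX and no W/M/F.
icacls $Folder

# Check 2, from the user's side: run this part while logged on as jdoe
# (for example via: runas /user:jdoe powershell). The write must fail.
try {
    Set-Content -Path (Join-Path $Folder 'test.txt') -Value 'x' -ErrorAction Stop
    Write-Warning 'Write succeeded: the folder is NOT read-only for this user.'
} catch {
    Write-Output "Write denied as expected: $($_.Exception.Message)"
}
```

Two caveats a practitioner will want: if jdoe owns the folder or is a member of Administrators, the write still succeeds regardless of the RX entry, because owners can change the permissions and the Administrators entry grants full control; and removing inheritance affects every existing file in the folder, so list the permissions first and confirm you are not cutting off access that other users legitimately need.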