CISSP 4
Architecture
- Enterprise architecture
- Security architecture
Enterprise Architecture
IT strategy
- Business architecture - products and services
- Information architecture - data and information
- Application architecture - systems and applications
- Technology architecture - network and infrastructure
Architecture integration
Not all information is equal, and its value and risk are not constant over time.
An efficient security program applies the right technology to protect the most critical assets.
Security architecture
The manner in which security controls are designed, implemented and integrated into the system architecture.
Benefits
- Helps decision makers with investment and design choices
- Defines the future-state technology architecture
- Supports, enables and extends security policies and standards
- Manages IT solution risk consistently
- Reduces cost and improves flexibility
- Provides security mechanisms for end of life
Common Criteria
- Documenting security requirements
- Documenting and validating security capabilities
- Promoting international cooperation in the area of IT security
Capturing and analysing requirements
Regardless of which framework is used:
- Business requirements from key stakeholders
- Key principles and guidelines for design
Types of requirements
- Functional - controls, assets, threats
- Non-functional - QoS, performance and reliability
- Capturing requirements - vulnerability assessment, risk assessment, threat modelling
Security models
- Requirements (CIA?)
- Flexible
- May need to combine more than one model
Example (from policy down to implementation):
- Security policy - NIST, ISO
- Security model
- Programming code
- Operating system
Lattice Model
- Used in the military
- Access control model
Common Criteria
- ISO/IEC 15408 standard was the first truly international product evaluation criteria
- Protection Profile
- EAL types (Evaluation Assurance Level)
- EAL1 Functionally tested - lowest
- EAL2 Structurally tested
- EAL3 Methodically tested and checked
- EAL4 Methodically designed, tested and reviewed - medium
- EAL5 Semi-formally designed and tested
- EAL6 Semi-formally verified design and tested
- EAL7 Formally verified design and tested
Module Topics
Access control mechanisms
* A subject is an active entity and an object is a passive entity (subject = user, object = asset)
- Distinguish subjects from objects
- Define how subjects and objects are allowed to interact
- Assign identifiers to both subjects and objects
- Authenticate all subjects before they are allowed to access resources on the system
Processor State
- Supports at least two states: supervisor (kernel mode) and problem (user mode, ring level 3)
Layering
- Separates functional components that interact in a sequential and hierarchical way
- Ensures that volatile and sensitive areas are protected from unauthorised access
Process Isolation
- Protects interaction between processes
- Naming distinguishes processes
- Distinct address space for each process in memory
- Virtualization:
- Type of host
- Virtual host (guest OS)
- Physical host (bare metal)
Type 1
Bare metal ==> Hypervisor ==> Guest OS
- Less functionality, more secure
Type 2
Bare metal => OS => Virtual workstation => VMs
- More functionality but less secure
Common Threats
- System integrity
- Confidentiality
- Availability
- Hardware failure
- Misuse of system
- Buffer overflows / memory attacks
- Denial of service
- Reverse engineering
- System hacking
State Attacks
"State attacks are also known as 'race conditions', which attempt to take advantage of how a system handles multiple requests."
Covert Channel
- Covert - closed
- Overt - open
Two types of attacks:
Storage
- Memory reuse
- Object reuse
Timing
- TOC/TOU (time of check / time of use), race conditions
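A worked illustration of the TOC/TOU race above, added here as an example and not part of the original notes: the first function checks whether a file exists and then acts on that stale answer, so a file created by a concurrent process in the window between check and use is silently overwritten; the second makes the existence check and the creation a single atomic O_CREAT|O_EXCL system call, so it fails closed instead. The `in_window` hook (standing in for the other process winning the race), the file name and the contents are constructed for the demonstration.

```python
import os
import tempfile


def create_private_file_racy(path, data, in_window=None):
    """Vulnerable check-then-use (TOC/TOU): the condition checked here can
    change before the file is actually opened."""
    if os.path.exists(path):
        raise FileExistsError(path)
    if in_window:
        in_window()  # constructed hook: another process acts in the race window
    with open(path, "w") as f:  # trusts the earlier, now stale, check
        f.write(data)
    return "written"


def create_private_file_atomic(path, data, in_window=None):
    """Hardened: existence check and creation happen in one system call
    (O_CREAT | O_EXCL), so there is no window to race. Mode 0o600 keeps the
    new file private from the moment it exists."""
    if in_window:
        in_window()  # same hook; the race can no longer change the outcome
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return "written"


def demo():
    """Run both variants against a file planted in the race window.
    Returns (racy result, file content after racy write, atomic result)."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "secret.txt")  # constructed path

        def concurrent_process_creates_file():
            with open(target, "w") as f:
                f.write("planted content")

        racy = create_private_file_racy(target, "mine", concurrent_process_creates_file)
        with open(target) as f:
            racy_content = f.read()  # the planted file was clobbered
        os.remove(target)

        try:
            atomic = create_private_file_atomic(target, "mine", concurrent_process_creates_file)
        except FileExistsError:
            atomic = "refused"  # fails closed: the planted file is left alone
        return racy, racy_content, atomic


if __name__ == "__main__":
    print(demo())
```

The racy variant reports success and has overwritten a file it did not create; the atomic variant raises and leaves the planted file untouched, which is the behaviour a reviewer should look for wherever a program checks a condition and then acts on it in a separate step.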
Server Based
Warehousing - Data warehousing is the collection of data from multiple sources or databases.
Big Data - also called unstructured data (primary concern is privacy).
Sensitive data should be masked before sharing with analytical tools.
Data Mining
- Running queries on databases to collect information from data warehouses.
Countermeasure is data masking.
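The data-masking countermeasure above, as an added example that is not from the original notes: rows from a constructed warehouse table are masked before they reach an analytical tool. Card numbers keep only their last four digits, e-mail addresses keep one character of the local part, and customer names are replaced by a keyed HMAC token so analysts can still group and join on the same customer without ever seeing the name. The row values, field names and the key are assumptions for the demo; in a real deployment the key stays outside the analytics environment.

```python
import hashlib
import hmac

# Constructed warehouse rows (not real customer data).
ROWS = [
    {"customer": "Alice Example", "email": "alice@example.com",
     "pan": "4111111111111111", "amount": 42.50},
    {"customer": "Bob Example", "email": "bob@example.org",
     "pan": "5500000000000004", "amount": 9.99},
    {"customer": "Alice Example", "email": "alice@example.com",
     "pan": "4111111111111111", "amount": 100.00},
]


def mask_pan(pan):
    """Keep only the last four digits of a card number."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(email):
    """Keep one character of the local part plus the domain."""
    local, _, domain = email.partition("@")
    return local[:1] + "***@" + domain


def pseudonymize(value, key):
    """Keyed token: same input -> same token, so rows can still be grouped and
    joined, but the token cannot be reversed without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask_row(row, key):
    """Produce the row an analyst is allowed to see."""
    return {
        "customer_token": pseudonymize(row["customer"], key),
        "email": mask_email(row["email"]),
        "pan": mask_pan(row["pan"]),
        "amount": row["amount"],  # non-sensitive measure passes through
    }


def mask_rows(rows, key):
    return [mask_row(r, key) for r in rows]


def leaks_sensitive(masked_rows, rows):
    """Check before release: no raw sensitive value survives in the output."""
    raw = ({r["customer"] for r in rows} | {r["email"] for r in rows}
           | {r["pan"] for r in rows})
    text = repr(masked_rows)
    return any(v in text for v in raw)


if __name__ == "__main__":
    key = b"demo-masking-key"  # constructed; keep the real key out of analytics
    for r in mask_rows(ROWS, key):
        print(r)
```

The `leaks_sensitive` check is the piece worth keeping in a pipeline: it turns "we masked the data" into something that can be asserted on every export.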
Grid computing
- Used by cloud providers
Cloud computing
Cloud Security
- Refer to screenshot
Responsibility matrix for security
- Refer to screenshot
Domain 2 summary
1. Asset security is about protecting the security of assets
8. Proper data classification helps the org with rules and regulations (ex PCI DSS – card data to be encrypted) - Classification is of 2 types – commercial and military - Clearance is mostly used in the military
12. Inventory – what, where and who owns assets - Overall objective of inventory management – accuracy of HW and SW
13. CMDB – configuration management DB – logical entity to maintain accuracy of secure state across all systems - CMDB enablers - single centralised repository, aligned to org processes and objectives, scalable technologies
15. Good data management practices – strategic goals, defined roles and responsibilities, documentation etc.
16. Cost of providing data vs cost of providing access to data needs to be considered
18. Determine and maintain ownership - Data owner – owns; data custodian – manages data - Data steward – business-driven responsibility – like a custodian but not exactly – custodian examples – DB admin, app developer, project manager etc.
19. Data life cycle - create, store, use, share, archive, destroy - create and destroy = data owner; the others by the data custodian
21. Protecting privacy - DS – DO – DC (data subject, data owner, data custodian); in GDPR terms DS – DC – DP (data subject, data controller, data processor) – most R&O and objectives as per GDPR – lawfulness, fairness, transparency (LFT), storage limitation, purpose limitation, CIA, accuracy etc.
23. QC – based on internal standards and controls – due care; QA – quality audit – quality is assessed against external standards – due diligence
26. Data remanence - HDD – data magnetically written on the hard drive; SSD – solid state drive – flash memory
27. Track, sector, and a combination of them is a cluster – data is stored here
28. Clearing is not a technique to destroy the disk but only makes data unreadable and unrecoverable – uses overwriting or zeroization software; the overwrite writes random hexadecimal values – thus rendering data unreadable - Clearing is performed only once
30. Degauss – LCD – expose to a strong magnetic field – physical-level data destruction - As per vendor guidelines, no guarantee for reuse of the disk
31. Degaussing is not applicable to SSD, only destruction – first destroy the data, then the disk
32. Cloud – crypto erase or crypto shredding – it is encryption-based: first the data is encrypted and then uploaded to the cloud. For destruction – destroy the key and destroy the encrypted data. The key itself is encrypted, so destroy both keys and then the data - Physical security of storage is the responsibility of the cloud service provider
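Added example of the key hierarchy item 32 describes (not from the original notes): a data encryption key (DEK) encrypts the object, a key encryption key (KEK) held in a key store wraps the DEK, and crypto-shredding means deleting the KEK so that the wrapped DEK, and therefore the ciphertext, can no longer be recovered even while the cloud copy still exists. The cipher here is a constructed SHA-256 counter-mode stream cipher so the example runs on the standard library alone; a real system would use AES-GCM with keys held in a KMS or HSM. The `KeyStore` class, key ids and sample data are assumptions for the demo.

```python
import hashlib
import os

BLOCK = 32  # SHA-256 output size, used as the keystream block size


def keystream_xor(key, nonce, data):
    """Constructed CTR-style stream cipher: keystream block i = SHA-256(key || nonce || i).
    Demonstration only; it is unauthenticated. Use AES-GCM in practice."""
    out = bytearray()
    for i in range((len(data) + BLOCK - 1) // BLOCK):
        ks = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        chunk = data[i * BLOCK:(i + 1) * BLOCK]
        out.extend(b ^ k for b, k in zip(chunk, ks))
    return bytes(out)


def encrypt(key, data):
    nonce = os.urandom(16)           # fresh nonce per encryption, stored with the blob
    return nonce + keystream_xor(key, nonce, data)


def decrypt(key, blob):
    return keystream_xor(key, blob[:16], blob[16:])


class KeyStore:
    """Stands in for a KMS/HSM that holds key encryption keys (KEKs)."""

    def __init__(self):
        self._keks = {}

    def create_kek(self, kek_id):
        self._keks[kek_id] = os.urandom(32)

    def wrap(self, kek_id, dek):
        return encrypt(self._keks[kek_id], dek)      # KEK encrypts the DEK

    def unwrap(self, kek_id, wrapped_dek):
        return decrypt(self._keks[kek_id], wrapped_dek)  # KeyError once shredded

    def shred(self, kek_id):
        """Crypto-shred: destroying the KEK makes every DEK wrapped under it,
        and so every object encrypted with those DEKs, unrecoverable."""
        del self._keks[kek_id]


def store_object(ks, kek_id, plaintext):
    """Encrypt with a per-object DEK, then wrap the DEK under the tenant's KEK.
    Only ciphertext and the wrapped DEK ever leave for the cloud."""
    dek = os.urandom(32)
    return {"wrapped_dek": ks.wrap(kek_id, dek), "ciphertext": encrypt(dek, plaintext)}


def read_object(ks, kek_id, obj):
    dek = ks.unwrap(kek_id, obj["wrapped_dek"])
    return decrypt(dek, obj["ciphertext"])


if __name__ == "__main__":
    ks = KeyStore()
    ks.create_kek("tenant-a")                       # constructed key id
    obj = store_object(ks, "tenant-a", b"card data")  # constructed sample
    print(read_object(ks, "tenant-a", obj))
    ks.shred("tenant-a")
    try:
        read_object(ks, "tenant-a", obj)
    except KeyError:
        print("shredded: ciphertext still exists but cannot be decrypted")
```

The order the notes give (destroy the keys, then the data) follows from this structure: once the KEK is gone the provider's copies of the ciphertext and wrapped DEKs are inert, and deleting them afterwards is hygiene rather than the control itself.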
35. 3 states - data at rest, data in transit and data in use. Only in the first 2 is encryption possible
36. For data in use - digital rights management and DLP prevent copying to another machine
37. For data in transit, encryption is important because even if the link is intercepted the content should not be readable
38. Data at rest – use encryption tools to balance security and speed – supported by a strong password
40. Removable media should have the title, data owner and encryption date on its label – generally very useful for tracking but can be counter-productive in case of destructive motive
Classifying Data
Labels
Objects have labels. A critical security step is the process of locating sensitive
information and labeling and marking it as sensitive.
SBU – Sensitive But Unclassified – data that is not a matter of national security, such as health records of enlisted personnel
Security Compartments
Compartments allow for additional control over highly sensitive information. This
is called sensitive compartmented information (SCI). These compartments require a
documented and approved need to know in addition to a normal clearance such as top
secret.
Clearance
A documented approval from the data owner for a subject to access certain objects,
requiring the subject to understand all the rules and requirements for accessing
data, and consequences should the data become lost, destroyed or compromised.
Need to know
Refers to answering the question: does the user “need to know” the specific data
being accessed? Need to know is more granular than “least privilege”; unlike least
privilege which typically groups objects together, need to know access decisions
are based on each individual object.
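An added example (not from the original notes) tying together the lattice model, the access control mechanism points under Module Topics, and the label, compartment, clearance and need-to-know definitions above: subjects and objects get identifiers and labels; a label dominates another when its level is at least as high and its compartments are a superset; a read is granted only when the subject's clearance dominates the object's label and the object is individually on the subject's need-to-know list, which is what makes need to know more granular than a grouped least-privilege grant. It goes one step beyond the notes by also applying the Bell-LaPadula no-write-down rule for writes. Level names, the PROJECT_X compartment, subject names and object ids are constructed.

```python
from dataclasses import dataclass

# Constructed ordered sensitivity levels (the lattice, low to high).
LEVELS = {"UNCLASSIFIED": 0, "SBU": 1, "CONFIDENTIAL": 2, "SECRET": 3, "TOP SECRET": 4}


@dataclass(frozen=True)
class Label:
    """Security label: a level plus a set of compartments (SCI)."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        # Lattice order: level at least as high AND superset of compartments.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass
class Subject:
    name: str                 # identifier assigned to the subject
    clearance: Label          # documented approval from the data owner
    need_to_know: frozenset   # individual object ids approved for this subject


@dataclass
class Object:
    obj_id: str               # identifier assigned to the object
    label: Label


def read_decision(subject, obj):
    """No read up: clearance must dominate the object's label.
    Then need to know is checked per object, not per group."""
    if not subject.clearance.dominates(obj.label):
        return "deny: clearance does not dominate label"
    if obj.obj_id not in subject.need_to_know:
        return "deny: no documented need to know"
    return "grant"


def write_decision(subject, obj):
    """No write down (Bell-LaPadula *-property): the object's label must dominate
    the subject's clearance, so information cannot flow to a lower level or
    out of a compartment."""
    if not obj.label.dominates(subject.clearance):
        return "deny: write down would leak information"
    return "grant"


def demo():
    """Evaluate every (subject, object) read pair on constructed data."""
    sci = Label("TOP SECRET", frozenset({"PROJECT_X"}))
    analyst = Subject("analyst", Label("TOP SECRET", frozenset({"PROJECT_X"})),
                      frozenset({"doc-1"}))
    medic = Subject("medic", Label("SBU"), frozenset({"rec-7", "doc-1"}))
    objects = [
        Object("doc-1", sci),            # compartmented, analyst has need to know
        Object("doc-2", sci),            # compartmented, nobody has need to know
        Object("rec-7", Label("SBU")),   # e.g. an enlisted health record
    ]
    return {(s.name, o.obj_id): read_decision(s, o)
            for s in (analyst, medic) for o in objects}


if __name__ == "__main__":
    for pair, result in demo().items():
        print(pair, result)
```

Note the analyst case for rec-7: a Top Secret clearance dominates an SBU label, yet the read is still denied because that record is not on the analyst's need-to-know list; clearance alone is never sufficient.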
Retention – Retention of sensitive information should not persist beyond the period
of usefulness or legal requirement whichever is greater.