Domain 3: Architecture & Design

1. Explain use cases & purposes for frameworks, best practices, and secure configurations guides.
   • Understand regulations such as GDPR, HIPAA, GLBA
2. Given a scenario, implement secure network architecture concepts.
3. Given a scenario, implement secure systems design.
4. Explain the importance of secure staging deployment concepts.
5. Explain the security implications of embedded systems.
6. Summarize secure application development and deployment concepts.
7. Summarize cloud and virtualization concepts.
8. Explain how resiliency and automation strategies reduce risk.
9. Explain the importance of physical security controls.

---

1. Frameworks, best practices, & secure configurations.

When designing organizational security architecture, in addition to regulations, components take into consideration industry-standards, frameworks & guidelines.

• Industry standards: specific, mandatory controls based on policies.
• Guidelines: provide recommendations or best practices.
• Frameworks: generally consists of more components than a guideline, and sets the basis for implementation and management of security controls.
• Benchmarks & Secure Configuration Guides
• Defense in Depth / Layered Security

Frameworks

Frameworks can be created by national or international entities.

• Regulatory: created by government agencies and are mandatory by law.
• Non-regulatory: developed by agencies that provide technology, metrics, or standards development for the better of science and industry.
• Industry-specific frameworks: developed for specific industry frames (such as HIPAA for medicine).

Industry Standard Frameworks

• ISO: International Organization for Standardization
• NIST: National Institute of Standards and Technology
• PCI-DSS: Payment Card Industry Data Security Standard
• NERC: North American Electirc Reliability Corporation
• CIS: Center for Internet Security
• OWASP: Open Web Application Security Project

ISO Standards

• IEC 27001:2013 - Information security management systems, Requirements.
  • Requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.
  • Requirements for assessment and treatment of information security risks tailored to the needs of the organization.
• IEC 27002:2013 - Code of practice for information security controls.
  • Guidelines and security management practices including the selection, implementation and management of controls taking into consideration the organization's information security risk environment(s).
  • Information Security Policies
  • Organization of Information Security
  • Human Resource Security
  • Asset Management
  • Access Control
  • Cryptography
  • Physical and Environmental Security
  • Operation Security: Procedures and Responsibilities
  • Communication Security
  • System Acquisition, Development and Maintenance
  • Supplier Relationships
  • Incident Management
  • Business Continuity Management
• IEC 27003:2017 - Information security management systems, Guidance.
• IEC 27004:2016 - Information security management, Monitoring, Measurement, Analysis & Evaluation.
• IEC 27005:2018 - Information security risk management.
• IEC 27017:2015: Code of practice for information security controls for cloud services.
  • Guidelines for information security controls applicable to the provision and use of cloud services.
  • Additional implementation guidance for relevant controls specified in IEC 27002:2013.
  • Additional controls with implementation guidance that specifically relate to cloud services.

NIST: National Institute of Standards and Technology

• US National Standards
• Computer Security Resource Center (CSRC) provides NIST's cybersecurity and information security related projects, publications, news and events.
• NIST Cybersecurity Framework (NIST CSF) is a group of related standards that are designed to provide guidance on cybersecurity.
  • SP 800-30: Guide for conducting Risk Assessments.
  • SP 800-35: Guide to Information Technology Security Services.
  • SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations.
  • SP 80053A: Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans.

PCI-DSS: Payment Card Industry Data Security Standard

• Used by Visa, Mastercard, American Express, and Discover, to create common security controls for protection of Card Holder Data (CHD).
• Any organization processing credit cards must be compliant.
• Levels of compliance differ.

Benchmarks / Secure Configuration Guides

General purpose guides for securing OS, networks and applications.

• DoD Security Technical Implementation Guides (STIGs): technical guidance to "lock down" information systems/software that might otherwise be vulnerable to a malicious computer attack.
• Center for Internet Security Benchmarks: best practices for the secure configuration of a target system.
• Platform/vendor-specific guides
  • Network
    • Cisco
  • OS
    • Microsoft TechNet
    • Macintosh
    • Linux
  • Web Server
    • Microsoft IIS
    • Apache

Defense in Depth / Layered Security

• Defense in depth: Coordinate use of multiple security countermeasures to information assets.
• Segmentation: Splitting a computer network into zones or subnetworks based on business function or security needs, using:
  • Physical devices (Routers/Switches)
  • Virtual Local Area Networks (VLANs)
  • Air Gaps
• Control Diversity: Addressing a security concern using multiple controls, that don't depend on another.
  • Administrative / Process
  • Technical
• Vendor Diversity: Addressing a security concern using multiple vendor products, that don't depend on each other.
• User Training: Reduces the imapct of threats & vulnerabilities.

---

2. Network Architecture

• Security Zones / Topologies
• Security device placement
• VPN / Tunneling
• SDN: Software Defined Network
• Honeypots / Honeynets

Security Zones / Topologies

Each zone on a network is separated based on organizational role or level of security (Segregation, Segmentation & Isolation).

• DMZ
  • Network segment located between protected (internal) and unprotected (public) networks.
  • Provides a buffer zone / defense-in-depth.
  • Usually set-up using firewalls.
  • Contains hardened systems that need to reach each network segment (i.e, email, web, or DNS servers)
• Extranet / Intranet
  • Extranet is a private network that uses Internet technology and public telecommunication system to securely share part of a business's information or operations with suppliers, vendors, partners, customers, or other businesses.
  • Intranet, is websites/applications that are only accessible within the organization's network.
• Wireless segmentation
  • Separating wireless access on an internal network / creating a buffer between wireless and wired networks.
  • Separating guest wireless access from internal networks. Often allows only internet access.
  • Controlled by 801.1X Port-based access control.
  • MAC filtering, restricting access based on the devices.

Security device placement

Where should security devices be on a corporate network.

• Firewalls / UTM
• IDS/IPS
• VPN
• Proxies
• Load balancers
• SIEM, log collection / correlation
• DDoS mitigation (border router)

VPN / Tunneling

• Private network connection through an unsecured public network.
• Use to connect LANS
• Remote devices appear as if they are local.
• Methods:
  • Site-to-site (connect LANs across the internet)
  • Remote access (connect users or devices to a corporate network)
  • Remote Access Server (RAS)

SDN: Software Defined Network

• Entire network is virtualized
• Allows for easier network segmentation
• Allows administrators to place virtualized security devices anywhere

The SDN architecture is:

• Directly programmable
• Agile
• Centrally managed
• Programmatically configured
• Open standards-based and vendor-neutral

Honeypots / Honeynets

Systems or networks exposed to capture malicious activity, gather investigation evidence, and study attack strategies. Separated from any business network.

---

3. Secure System Design

• Hardware / Firmware security
• OS Types
• OS Security hardening

Hardware / Firmware security

• FDE: Full Disk Encryption
  • Bitlocker
  • Veracrypt
• SED: Self-Encrypting Drive
  • Automatically encrypts / decrypts a drive
  • Media Encryption Key (MEK)
  • Key Encryption Key (KEK), supplied by user
• TPM: Trusted Platform Modules: specialized chip on an endpoint device that stores encryption keys specific to the host system for hardware authentication. Usually on the system motherboard.
• HSM: Hardware Security Modules: physical computing device that safeguards and manages digital keys for strong authentication and provides crypto processing. These modules traiditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server.
• BIOS: Basic Input/Output System: boot up configuration.
• UEFI: Unified Extensible Firmware Interface: modern boot-up configuration.
• Secure boot and attestation: creates a cryptographic hash of the BIOS/UEFI OS boot loader and drivers and compares that against a stored hash. This is done to prevent rootkits and boot sector viruses.
• RoT: Root of Trust: highly reliable hardware, firmware, and software components that perform specific, critical functions.
• Suply Chain: confirming the origin of hardware is secure.

OS Types

• Network (CISCO)
• Server (Windows Server / Linux)
• Workstation
• Appliance (IoT)
• Kiosk (public computer)
• Mobile OS

OS Security hardening

• Trusted OS baseline
• Secure configurations
• Least functionality / single purpose
• Disabling unnecesary ports and services
• Disable default accounts/passwords
• Application whitelisting
• Patch management process

---

4. Secure Staging & Deployment

• Secure baseline in compliance with security standards and benchmarks
• Environments
• Integrity Measurement, monitory systems, against the baseline for any deviatons.
  • Tripwire
  • Hash checking

---

5. Embedded Systems

One that has software embedded within the computer hardware, usually within Read Only Memory (ROM). A computer system with a dedicated function within a larger mechanical or electrical system.

• SoC: System on a Chip: integrated circuit that integrates all components of a computer or other electroc systems on a single computer chip.
• Real-Time OS (RTOSs): OS intended to serve real-time applications that process data as it comes in, typically without buffer delays. Designed to have zero latency.
• Internet of Things (IoT): system of interrelated computing devices, mechanical and digital machines, objects, animals, or people that are provided with unique identifiers (UIDs) and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.
• Smart devices:
  • Wearable technology (watches, medical devices), often communicate through Bluetooth.
  • Home automation (security, cameras, locks, lights, thermostats, sound systems, personal assistants), often communicate through wi-fi.
• ICS: Industrial Control Systems: several types of control systems and associated instrumentation used for industrial process control.
• SCADA: Supervisor Control and Data Acquisition: collects data from factories, plants, or other remote locations and forwards it to a central computer that manages / controls the system.
• PLC: Programmable Logic Controllers: single use computers used in manufacturing.
• HVAC: Heating, Ventilation and Air Conditioning Systems: regulate air flow and temperature.
• Security:
  • Network partitioning / segmentation
  • Access Control
  • Monitoring
• Printers / Multi-function devices (MFDs)
  • Used for networked printing, scanning and copying
  • Web accessible
  • Generally little access controls
• Special Purpose Devices
  • Medical devices (Pacemakers, Insulin pumps)
  • Vehicles (Trucks & Autos)
  • Aircraft / Unmanned Areal Vehicles (UAV)

Securing Embedded Devices

• Secure by design and default
• Security integrated into the technology
• System hardening
• Shielded from electromagnetic interference
• Network security, encryption using TLS
• Security verification
• Automated patching
• Anomaly alerts

---

6. Secure App Development

• Secure DevOps (DevSecOps)
• Change Management / Version Control
• Secure coding techniques

DevSecOps

• Security integrated into all of your development operations, which includes database design, programming, and infrastructure.
• Having security practices integrated into the entire software delivery cycle.
• Address security concerns at the beginning of projects.
• Add automated security testing techniques.

Characteristics

• Continuous integration: security in every step with updates from a centralized, controlled repository.
• Security automation: repeatable, scripted tasks.
• Baselining: reference points that require completion and approval of a set of predifined project requirements to prevent uncontrolled change and lesson vulnerabilities.
• Immutable systems: no changing to systems in place. They maintain a known, documented, and repeatable configuration.
• Infrastructure As Code (IaC): programmable infrastructure. Infrastructure configuration is included with application code.

Change Management / Version Control

Control and manage software changes is needed for quality and security.

• Prevents tampering or changing the source code or executables.
• Tracks software file changes or application code changes.
  • Historical data on changes to files.
  • Traceability.
• Uses distributed storage for code.
• Branchng and merging capabiltiies.

Secure coding techniques

• Authentication
  • No hard-coding credentials into code.
  • Use of cookies.
• Proper error handling
  • Errors should be generic / not divulge specific system or application information.
  • Comments should not be visible in the end-product.
• Product input validation
  • Scrub & validate input from outside / untrusted sources.
  • Use of default values and character limitations.
• Normalization
  • Conversion of data to its anticipated, simplest known form.
• Stored procedures
  • Associated with database queries / precompiled SQL statements.
• Code reuse/dead code
  • Reusing existing software modules should be validated for vulnerabilities.
  • Dead code (no longer provides useful function) should be purged.
• Use of third-party libraries and SDKs
  • Use trusted sources.
  • Check for CVE.
• Code signing
  • Signing executable code using a certificate-based signature to prove the author's identity and provide code integrity.
• Data exposure
  • Encryption of sensitive data at all times (in transit and at rest)
• Encryption
  • Standard encryption algorithms, hashing, and digital signatures.
  • TLS for data in transit.
• Obfuscation/camouflage
  • Hiding back-end code
  • Prevents code from being reverse-engineered
• Memory management
  • Vulnerabilities may explot improper memory utilization (buffer overflow)
• Server-side vs client-side execution and validation
  • Server-side protects against malicious attemps by user to bypass validation before sending data to server.

---

7. Summarize cloud and virtualization concepts

NIST SP800-145: "Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.

• Cloud Computing Types
• Essential Characteristics
• Cloud Computing Service Models
• Cloud Storage - Network Storage
• Virtualization
  • Security for Virtualization

Cloud Computing Types

• On-Premise: Servers at organization's location.
• Hosted: Servers outsourced to an external provider.
• Cloud: Using shared servers.

Essential Characteristics

• On-demand self-service
• Broad network access
• Resource pooling
• Rapid elasticity or expansion
• Measured service

Cloud Computing Service Models

• Software as a Service (SaaS): Capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. Applications are accessible from various client devices through either a thin client interface, or a program interface. Consumer does not maage or control the underlying cloud infrastructure, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

• Platform as a Service (PaaS): Capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. Consumer does not manage or control the underlying cloud infrastructure, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.

• Infrastructure as a Service (IaaS): Capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include OS and applications. Consumer does not manage or control the underlying clod unfrastructure but has control over OS, sotrage, and deployed applications, and possibly limited control of selecting networking components (i.e., host firewalls).

Cloud Storage - Network Storage

• DAS: Direct attached storage
• NAS: Network area storage
• SANs: Storage area networks

Virtualization

• Hypervisors: Underlying technology that creates and runs virtual machines. Presents the guest operating systems with a virtual operating platform and manages the execution of the guest operating systems.
  • Native/bare-metal: works directly on top of hardware.
  • Hosted: works directly on top of OS.
• Containers: Lightweight, stand-alone, executable package of software that includes everything needed to run it: code, runtime, system tools, system libraries, settings.
  • Replacing or used with hypervisors.
• VDE: Virtual Desktop Environment: Desktop virtualization.
• VDI: Virtual Desktop Infrastructure: User's desktop is running inside a virtual machine that resides on a server. A form of VDE that enables fully personalized desktops for each user.

Security for Virtualization

• VM Escape Protection: leaving an assigned VM.
• VM Sprawl Avoidance: overusing shared resources.
• CASB: Cloud Access Security Broker: security policy enforcement points.
• Security as a service: subscription-based business model for acquiring and managing security functions (virtual SOC).

---

3.8 Resiliency and Automation strategies

• Automation/scripting
• Frameworks and Templates
• Master Image
• Manging Cloud Risk
• Fault Tolerance
• RAID Storage

Automation/scripting

• Reduces risk through repeatable processes and automated courses of action.
• Continuous monitoring: Leveraging sophisticated monitors and sensors.
• Configuration validation.
• OS scripting languages (Bash, PowerShell).

Frameworks and Templates

• See 3.1 for common Frameworks (NIST, ISO, PCI DSS).
• System baselines using standard templates.
• Compare current state against a desired state.

Master Image

• aka "Gold" image.
• Creating a model OS verified as "clean".
• Used for system restores.
• Needs to be secured.

Managing Cloud Risk

• Nonpersistence: Temporary system images. Snapshot of known, good state.
• Elasticity / Scalability: Adjusting resources as needed.
• High Availability: Measures, such as redundancy, failover, and mirroring, used to keep services and systems operational.
• Redundancy: Replicating systems usually at multiple sites. Associated with failover.
• Distributive allocation / Load balancing:dDistributing burden across multiple systems.

Fault Tolerance

Ability of a system to sustain operations in the event of a component failure.

• Two key components
  • Spare parts
  • Electrical power
    • Surge protection
    • Uniterruptible Power Supply (UPS)
    • Backup power / generators

RAID Storage

Windows has a built-in capability to set up a software RAID that combines multiple disk drive components into a single logical unit for purpose of providing fault tolerance or enhance the performance of your storage subsystem.

• Redundant Array of Inexpensive Disks.
• Focuses on availability of data.
• RAID Types
  1. Disk striping
  2. Disk mirroring
  3. Disk striping with a parity disk
  4. Disk striping with parity

---

9. Physical Security & Environmental Controls

• Concepts
• Lighting
• Perimter Security
• Safes / Locking Cabinets
• Locks
• Physical Access Control
• Faraday Cage / Shielding
• Personnel Access Controls
  • Site Access Controls (Key Card)
  • Biometric Access Controls
• Detection
• Environmental Controls
• Fire Prevention, Detection & Suppresion
• Video Surveillance / Cameras

Concepts

We try to accomplish a layering / defense-in-depth security.

• Protection
  • Locks
  • Barriers: Walls, Fences
• Deterrence
  • Guards / Dogs
  • Lighting (should be in protected, locked, and centralized areas).
• Delay
  • Barricades / Bollards
• Detection
  • Cameras
  • Motion Detection

Lighting

• Continuous lighting: even amount of illumination across an area.
• Controlled lighting: such a way that does not blind its neighbors or any passing vehicles.
• Standby lighting: configured to turn on/off at different times, so that potential intruders think that different areas of the facility are popualted.
• Redundant or backup lightning: should be available in case of power failures or emergencies.
• Response Area Illumination: takes place when an IDS detects suspicious activities and turns on lights within the specified area.

Perimeter Security

• Fencing, Gates and Cages.
• Varying heights, gauge, and mesh.
• Natural landscaping.
• CPTED: Crime Prevention Through Environmental Design.

Safes / Locking Cabinets

• Safes
  • Control access
  • Fireproof
  • Tamper resistant and evident
• Locking cabinets for paper & electronics
• Computer cable locks
• Key management
  • Who has keys
  • Where are they stored
  • Key duplication

Locks

• Combination locks > keys
• Cipher locks / electronic locks
• Lock grades
  1. Comercial
  2. Heavy duty residential / light commercial
  3. Residential throw away locks
• Cylinder categories
  • Low: no pick or drill resistance provided
  • Medium: a little pick resistance
  • High: higher degree of pick resistance

Physical Access Control

• Turnstiles
• Mantrap
  • Double doors, where only one can be opened at a time.
  • Used to control personnel access.
  • Manually operated or automatic.
  • Only room for one person.

Faraday Cage / Shielding

Shielding is the process of preventing electronic emissions from your computer systems from being used to gather intelligence and preventing outside electronic emissions from disrupting information-rpocessing abilitiesl.

Faraday Cage/Shield is an enclosure used to block electromagnetic fields. It may be foremd by a continuous covering of conductivem aterial or by a mesh of such materials.

Personnel Access Controls

Different technologies to grant access to a building.

• User activated: user does something (Swipe cards, biometrics).
• Proximity devices/transponders: system recognizes the presence of an object.

Site Access Controls (Key Cards)

• Centralized access control (card readers, central computer, and electronic door latches).
• Pros: easy to use, provides an audit record, easy to change access permissions.
• Cons: can be used by others if lost, people may "tailgate".

Biometric Access Controls

• Based upon a specific biometric measurement.
• Fingerprints, iris scan, retina scan, hand scan, voice, facial recognition, others.
• Greater confidence of claimed identity.

Detection

• Motion detection: location monitoring and alarms based on movement.
• Infrared detection: detects changes in infrared radation, thermal heat.

Environmental Controls

• HVAC: Heating, Ventilation, Air Conditioning
  • Redundancy
  • Backup power / UPS
  • Zone-based heating & cooling
• Hot and cold aisles
• Fire suppression

Fire Prevention, Detection & Suppression

• Fire Prevention includes training employees on how to react, supplying the right equipment, enabling fire suppresion supply, proper storage of combustible elements, etc.
• Fire Detection includes alarms, manual detection pull boxes, automatic detection response systems with sensors, etc.
• Fire Suppression is the use of a suppression agent to put out a fire.
  • Fire extinguishers
  • Fixed systems
  • Water
  • Halon and halon substitutes
  • Foams
  • Dry Powders
  • CO2
  • Soda Acid

Fire Extinguisher Ratings

• A: Wood and paper
• B: Flammable liquids
• C: Electrical
• D: Flammable metals

Sprinkler Systems

• Wet pipe: filled with pressurized water.
• Dry pipe: fills with water only when activated.
• Deluge: discharges water from all sprinklers when activated.
• Pre-Action: dry pipe that converts to a wet pipe when an alarm is activated.
• Foam water sprinkler: uses water and fire-retardant foam.
• Gaseous fire suprresion: displaces oxygen.

Video Surveillance / Cameras

• Supplements security guards and other monitoring mechanisms.
• Provide PoV (Point of view) not easily achieved with guards.
• Locations
  • Entrances
  • Exits
  • Loading bays
  • Stairwells
  • Refuse collection areas

CCTV (Closed circuits television) considerations

• Purpose: detect, assess, and/or identify intruders.
• CCTV environment can be internal or external.
• Field of view: area to be monitored.
• Illumination: lighting, natural or artificial.
• Integration with other security controls.