Security Architecture and Engineering
Table of Contents
- Implement and manage engineering processes using secure design principles
- Understand the fundamental concepts of security models
- Select controls based upon systems security requirements
- Understand security capabilities of information systems
- Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
- Assess and mitigate vulnerabilities in web-based systems
- Assess and mitigate vulnerabilities in mobile systems
- Assess and mitigate vulnerabilities in embedded devices
- Apply cryptography
- Key Terms
- Apply security principles to site and facility design
- Implement site and facility security controls
Study Areas
Implement and manage engineering processes using secure design principles
Study Notes
Understand the fundamental concepts of security models
Study Notes
Select controls based upon systems security requirements
Study Notes
Understand security capabilities of information systems
Study Notes
Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
- Client-based systems
- Server-based systems
- Database systems
- Cryptographic systems
- Industrial Control Systems (ICS)
- Cloud-based systems
- Distributed systems
- Internet of Things (IoT)
Study Notes
Assess and mitigate vulnerabilities in web-based systems
Study Notes
Assess and mitigate vulnerabilities in mobile systems
Study Notes
Assess and mitigate vulnerabilities in embedded devices
Study Notes
Apply cryptography
- Cryptographic life cycle (e.g., key management, algorithm selection)
- Cryptographic methods (e.g., symmetric, asymmetric, elliptic curves)
- Public Key Infrastructure (PKI)
- Key management practices
- Digital signatures
- Non-repudiation
- Integrity (e.g., hashing)
- Understand methods of cryptanalytic attacks
- Digital Rights Management (DRM)
Study Notes
The history of cryptography is testable.
You need to know the definitions and terms used within cryptography.
What are the goals of cryptography?
- Confidentiality: making sure that data remains private
  - Enforced through two main types of systems:
    - Symmetric cryptosystems: use a shared key that both parties know
    - Asymmetric cryptosystems: each participant uses an individual private and public key
- Integrity
  - This is ensuring that data is not altered
  - The message is not changed between the sender and receiver
  - This is achieved using message digests or digital signatures
- Authentication
  - Authentication is the process of confirming the identity that a person or system claims
  - This process usually occurs using a challenge and response process
- Nonrepudiation
  - Nonrepudiation means that it can be proven that an action or process was completed by a person or system
  - It can also be used to ensure that a message was indeed sent by the person that the receiver expected it to be from
  - For example, if a file is changed, an auditing system would record the action taken, along with the authenticated user's details
- Cryptography can be used to protect data in motion, at rest and in use.
Key Terms
- Cipher
  - a cryptographic algorithm
- Data at rest
  - data that is stored (HDD, USB drives, blob storage)
- Data in motion / transit
  - data that is being transmitted from one system to another via a network
- Data in use
  - data that is stored in active memory (such as RAM) that is being accessed by a process or thread
Apply security principles to site and facility design
Study Notes
Implement site and facility security controls
- Wiring closets/intermediate distribution facilities
- Server rooms/data centers
- Media storage facilities
- Evidence storage
- Restricted and work area security
- Utilities and Heating, Ventilation, and Air Conditioning (HVAC)
- Environmental issues
- Fire prevention, detection, and suppression