Chapter 10 Defense-in-Depth Security Architectures Flashcards
Means each layer of security adds additional protections that help prevent a hole or flaw in another layer from allowing an attacker in
Layered security
Name the four design models used as part of a layered security design?
- Uniform protection
- Protected enclaves
- Risk or threat analysis based designs
- Information classification based designs
- Layered security design
- Provides the same level of protection to all systems or networks
- Can be expensive if every system needs to be protected at the same high level of security
Uniform protection
- Layered security design
- Can take the form of protected network segments, systems, or physical locations that have additional controls to provide additional protection
Protected enclaves
- Layered security design
- Design model that reviews potential threat vectors and attempts to address each of them in the design
- May not handle new or emerging threats without frequent review and updates
Risk or threat analysis based designs
- Layered security design
- Uses information classification, tagging, or other methods to guide the application of security controls
Information classification based designs
- Control intended to stop an incident from occurring by taking proactive measures to stop the threat
- e.g. firewalls, training, and security guards
Preventive controls
- Control that detects an incident and captures information about it, allowing a response like alarms or notifications
Detective controls
- Control that remediates an incident or acts to limit how much damage can result from an incident
- e.g. patching, anti-malware software, and system restores from backups
Corrective controls
Name remote services that host a service entirely on the outsourced vendors’ systems and networks.
- Software as a Service (SaaS)
- Platform as a Service (PaaS)
Layered security at an individual host level typically relies on a number of common security controls. What are they?
- Passwords or other strong authentication
- Host firewalls and host IPS software
- Data loss prevention software that monitors and manages protected data
- Whitelisting or blacklisting software can prevent certain applications from being run or installed on the system
- Anti-malware software for known malware instances
- Patch management and vulnerability assessment tools to ensure the OS is fully patched and properly secured
- System hardening and configuration management that ensures that unneeded services are turned off and that good security practices are followed
- Encryption, either at the file level or as full-disk encryption
- File integrity monitoring tools that monitor files and directories for changes and can alert an administrator if changes occur
- Logging of events, actions, and issues is an important detective control at the host layer
A provider that usually leverages security suites and appliances to capture on-site and hosted data and then uses central tools to analyze, report, and alert on issues that they discover
Security as a Service (SECaaS)
Combines data from multiple sources like syslogs, authentication logs, application logs, event logs, and other logs and statistics in a central location for analysis
Data aggregation and correlation
Encryption and hashing techniques used to protect data on the wire and at rest, and to validate that data integrity is maintained
Cryptography
Trusted Platform Modules (TPMs) provide what three major capabilities?
- Remote attestation, allowing hardware and software configurations to be verified
- Binding, which encrypts data
- Sealing, which encrypts data and sets requirements for the state of the TPM chip before decryption
Requires more than one individual to perform elements of a task to ensure that fraud or abuse does not occur
Separation of duties
Ensures continuity for roles, regardless of the reason a person leaves your organization
Succession planning
A control that requires two individuals to perform an action together
Dual control
Requires staff members to take vacation, allowing you to identify individuals who are exploiting the rights that they have
Mandatory vacation
Key considerations and questions when reviewing outsourcing include what?
- Proper vetting - When hiring consultants, are they properly vetted, with background checks?
- Access Control
- Data ownership and control - Is your data encrypted and inaccessible to the outsourced provider?
- Employment practices - Does the outsourced vendor conduct background checks of their employees?
- Incident response processes and notification requirements - Will you be notified if there is an incident? When?
- Architectural View
- Describes how a function is performed or what it accomplishes
- Typically shows how information flows but does not capture the technical detail about how data is transmitted, stored, or captured
Operational views
- Architectural View
- Focuses on the technologies, settings, and configurations used in an architecture.
- Can be helpful in identifying incorrect configuration and insecure design decisions
Technical views
- Architectural View
- Conveys broader information about how a system or service connects or works
- Typically less technically detailed than a technical view
- e.g. network diagrams
Logical View
What are four of the most commonly encountered design issues?
- Single point of failure
- Data validation and trust problems
- User issues
- Authentication and authorization security
Ways to protect data?
- Protecting data at rest and in transit using encryption
- Validating data integrity using file integrity checking tools
- Implementing processes to verify data in an automated or manual fashion
- Profiling or boundary checking data based on known attributes of the data
Ways to limit user error?
- Using automated monitoring and alerting systems to detect human error
- Constraining interfaces to allow only permitted activities
- Implementing procedural checks and balances like separation of duties and other personnel controls
- Training and awareness programs designed to help prepare staff for the types of threats they are likely to encounter
Authentication and authorization best practices are what?
- Multi-factor Authentication
- Centralized account and privilege management and monitoring
- Privileged account usage monitoring
- Training and awareness efforts
How should security designs be maintained?
Security designs should undergo periodic, scheduled reviews
Name some reasons why an organization may retire a security policy or process
- The process or policy is no longer relevant
- It has been superseded by a newer policy or process
- The organization no longer wants to use the policy or process