IBM Cybersecurity Architecture #1: 5 Principles Flashcards
What are the 5 security principles?
- Defense in depth
- Least privilege
- Separation of Duties
- Security by Design
- KISS
Defense in Depth
Trying to create an obstacle course.
Castle example: moat, drawbridge, keep, towers, etc.
Multifactor auth, mobile device management software (right patches, right password) EDR (endpoint detection response capability, next gen antivirus software), firewalls on web server, vulnerability testing on web and app server. Access controls on the database.
NO SINGLE POINT OF FAILURE (SPOF)
Least Privilege
Only give access to people who need it and for only as long as they need it.
Constantly go back and perform audits to make sure they still need it.
Harden the system. say a webserver runs http by default, but also turns on ftp and ssh service so people can log in remotely. If you don’t absolutely need those, remove them entirely. Minimize the attack surface. Can also remove all unnecessary IDs on the system, and change the default IDs (ie change admin to another name so peopel can’t guess it)
Privilege Creep Giving people permissions they don’t need “Just in Case” which is the opposite of least priv. Should do an annual recertification campaign and make sure users need what we’re giving them.
Separation of Duties
No single point of control, force collusion from multiple bad actors to break into the system. IE two keys required.
Req > Approval > Action.
Requester is not the same as the approver. Create necessary collusion.
Secure by design
Factor security in from the beginning, design through completion. Don’t wait until application is finished to do security.
Whose job is security? Everyone from designer to administrator to user.
KISS
Security by complexity/obscurity is not good because people will just subvert the process.
If it’s harder to do the right thing than the wrong thing, people will just find shortcuts.
COMPLEXITY IS THE ENEMY OF SECURITY
Make sure defense in depth obstacle course only obstructs bad guys, not good guys.
Security by Obscurity
secrecy !== security.
Kerckhoff’s principle: crypto system should be secure if you know everything about it except the key.
We don’t want black box security because people will still break it even if they don’t know how it works.
CIA Triad
Confidentiality, integrity, availability
CIA: Confidentiality
Authorization (MFA), access control (role based access control), encryption (turn message into string of bits, then turn it back on the other side).
CIA: Integrity
An action or message is true to itself.
Need technologies to know if things have been tampered with.
Digital signatures, cryptographic functions, and MACs (message authentication codes).
It’s like blockchain, where there’s a distributed ledger we all have access to. We can always see if someone attempts to modify a record.
**
CIA: Availability
Resources should be available to authorized users.
Flooding the system with transaction requests (DoS and DDoS) will make the data unavailable.
Older technique of syn flood. Disrupt the 3 way handshake: send a syn message, just acknolwedgment back from server, and they respond with synack.
Server will reserve sources for session in anticipation. Basically the ding dong ditch of cybersecurity.
- Business context diagram
Shows relationships among different entities in the system, buyer, building, marketing team, and tradesmen (builders).
2.System context diagram
Project management in the middle, with finance, blueprints, GUI (graphical user interface), and permit system.
Example of how IT system might look.
3.Architecture overview diagram
Project database, scheduler, reports, and alerts
NIST CSF (national institute of standards cybersecurity framework)
Like the building codes for architecture, spells out
Identify: what you need to do to identify users
Protect: how you will protect things
Detect: how to detect when you have problems.
Respond: How will you respond when you’ve detected a problem.
Recover: how you will get the system back to normal.
Cybersecurity lifecycle
We want security to be done at the beginning in the risk analysis phase, not during the architecture or implementation phase.
4 As of IAM (Identity and Access Management)
Identity is your perimeter defense
Administration (what rights do you have), authentication (you are who you say you are), authorization (you can do what you want to do), and auditing (we got back and see we did the previous 3 A’s correctly).
Directories and role based access for company
Most companies will have multiple directories for things like email, crm, scm, etc.
Synced directories, meta directory, or
virtual directory that knows where to find info in other directories.
meta directory where most important info is prefetched into an enterprise directory.
What is an endpoint?
Different platforms, could be a server, desktop, laptop, mobile device, IoT (Internet of things).
Can be business or personal.
All of these devices contribute to the attack surface.
Also a software view of this, across these devices we have different OS’s.
Network Security: Firewalls, packet filtering
Comes from a physical firewall, like in connected townhouses. Creates isolation and protection from a dangerous event.
Interal and external firewall.
Packet filtering: Users send a packet when arriving, in the header they send information like their source address (coming from), their destination, and the port they want to use.
The firewall can then do packet filtering based on what’s in the header of that packet. Can look at port 80 (standard for unencrypted internet traffic), will also allow encrypted traffic (TLS, SSL).
But can also say source address has to be in the range of the external interent, don’t want someone to be spoofing and pretend their coming from the inside.
But can say they can only go directly to server, cannot go to database.
Second firewall is between the web server and the database. Will only allow traffic from the web server.
While packet filtering is a fundamental aspect of firewall functionality, modern firewalls often incorporate additional features such as stateful inspection, intrusion detection and prevention, VPN support, and application-layer filtering to provide comprehensive security capabilities.
Segmentation
How can we apply firewalls throughout our architecture to achieve various levels of security?
Bastion host: outdated but viable in early days of internet. Single firewall. Put our web server on the internet because don’t want our intranet (internal network) to be exposed to the internet.
Tri-Homed: Divided into three distinct zones (network interface cards): the external, internal, and demilitarized zones (DMZ). Each zone serves a specific purpose and has its own security policies and access controls. The external zone connects to the internet or other external networks, the internal zone houses internal resources and users, and the DMZ acts as a buffer zone between the external and internal networks, containing publicly accessible services such as web servers or email servers.
By segregating network traffic into different zones and implementing appropriate security measures, such as firewalls, intrusion detection systems, and access controls, trihomed networks help organizations optimize security and protect sensitive data from unauthorized access or external threats while facilitating necessary communication between different network segments.
Low cost and scalable, but is a single point of failure.
Basic DMZ: Uses 2 firewalls, more complex because there are different rules to administer for each firewall. Red zone (external), yellow zone (DMZ), and green zone (internal). Provide defense in depth, not relying on single security mechanism.
For example, even if external firewall fails, they still can’t get in because you can say that traffic coming to internal network has to be coming from the DMZ.
Mulit-tiered DMZ: Same as basic, but the web server, application server, and database are all split by firewalls. Implements a third firewall. More costly and complex, but more defense and greater granularity.
Seven Layer OSI common defenses
For every packet you send, there are different concerns and aspects implemented at different layers.
Implementing a security layer at the lower layer will also benefit the upper layers as well.
Application Layer: SSH (secure shell) or FTP, application specific VPN. Encrypts the data so you can connect into another device or console.
Transport Layer: TLS (transport layer security) or SSL (secure socket layer),
Network Layer: IPSEC, everything between two network addresses will be encrypted.
Data Link: PPTP (point to point tunneling protocol), and L2TP (layer 2 tunneling protocol).
SASE
Secure access server edge.
Creates a secure capability delivered on the edge. Intersection of network, security, and cloud. Basically network security plus WAN (wide area network) delivered from the cloud.
