Security Architecture and Engineering Flashcards

1
Q

Secure Design Principles

A

Least Privilege
Defence in depth
secure defaults
fail securely
Separation of duties (SOD)
Keep it simple and small
Zero trust
Secure access service edge
privacy by design
trust but verify
shared responsibility

2
Q

least privilege (PoLP)

A

individuals are granted only the access necessary to perform their required functions (PoLP)

3
Q

Separation of duties (SOD)

A

designed to limit the risk associated with critical functions/transactions
Risk mitigation: requires multiple individuals to carry out sensitive transactions

4
Q

Defence in depth

A

uses multiple layers of overlapping controls to provide security
key concept: any one control may fail but all controls will not fail (hopefully)

Eg: Client PC
Patching, hardening, antivirus, application whitelisting, host-based firewall, HIP, etc.

5
Q

Secure Defaults

A

means systems and applications are delivered in their most secure state
- some settings may be relaxed later after thorough risk analysis

6
Q

Fail securely
Note: It is usually better to lose functionality rather than security

A

means a system that encounters a critical error or failure will ‘fail closed’ as opposed to failing open

Eg: Older Unix systems would often fail open in the case of critical damage to the disk

  • A system reboots, detects damaged disk sectors, and tries to repair them automatically via the fsck command (file system check)
  • if the repair failed, the system would boot to a single-user console session, automatically logged in as root (superuser)
  • this is a violation of fail securely
7
Q

Keep it simple and small (KISS)

A

A design maxim
emphasizes that simple designs are more secure than complex designs
more complexity means more attack surface

As systems become more interconnected, security will get worse

8
Q

Zero trust

A

Removes the concept that internal is trusted and external is not
assume that all traffic is untrusted

build security into the DNA of the IT architecture by investing in situational awareness and developing robust vulnerability and incident management capabilities

9
Q

3 concepts of zero trust

A

ensure all resources are accessed securely regardless of location
Adopt a least privilege strategy and strictly enforce access control
inspect and log all traffic

Key network components of zero trust
SDN
Network virtualization

10
Q

Perimeter design versus zero trust

A

Traditional single perimeter defence: everything behind the firewall is trusted

Zero trust defence focuses on resource protection (nothing is trusted)

The ‘implicit trust zone’ shrinks as much as possible, from the entire private network down to an individual computer system or a very small cluster

Access is granted through a policy decision point (PDP) and a corresponding policy enforcement point (PEP)

ZERO TRUST provides a set of principles/concepts around moving the PEPs/PDPs closer to the resources.

Note: the idea is to explicitly authenticate and authorise all subjects, assets and workflows that make up the enterprise

11
Q

SASE - Secure access service edge

A

SASE architecture combines networking and security-as-a-service functions into a single cloud-delivered service at the network edge

delivers converged network and security as a service capabilities, including
SD-WAN
SWG
NGFW,
CASB
ZTNA

12
Q

Trust, but Verify

A
  • considered a middle step between traditional perimeter defences and zero trust
  • focuses on the forensic integrity of data and systems, requiring accountability via strong authentication and enhanced logging
  • states that actions on a network should be undeniable, certifiable, and tamper-evident
13
Q

Privacy by design

A

framework based on embedding privacy into the design and operation of IT systems, network infrastructure, and business practices

14
Q

privacy by design - 7 foundational principles

A

proactive not reactive
privacy as the default setting
privacy embedded into design
full functionality
end to end security
visibility and transparency
respect for user privacy

15
Q

Shared responsibility

A

used by cloud providers like Amazon, Azure, Google

16
Q

Security Models

A

MAC (Mandatory access control)
Bell-LaPadula (confidentiality)
Biba (Integrity)
Lattice
Commercial - Clark-Wilson

17
Q

MAC - Mandatory access control (confidentiality)

A

is a system-enforced access control based on a subject’s clearance and an object’s labels

subjects and objects have clearance and classification labels, respectively

a subject may access an object only if the subject’s clearance is equal to or greater than the object’s label

MAC is expensive and difficult to implement

focused on preserving confidentiality

18
Q

Bell-LaPadula - BLP ( Confidentiality)

A

Deals with confidentiality
data flow model: data flows up (top secret, secret, confidential)
2 key principles
- no read up (simple security property) - NRU
- no write down (* property) - NWD

19
Q

BIBA (Integrity)

A

Deals with integrity
opposite of BLP
data flow model where data flows down

2 key principles:
- no read down (simple integrity property)
- no write up (integrity * property)

20
Q

Tip: security models which deal with integrity have the letter I in their name

A

Eg: Biba, Clark-Wilson, non-interference, Chinese Wall

21
Q

Lattice

A

deals with information flow
formalizes network security models
shows how information can / can’t flow

the lattice model requires that every subject and object be labelled with one of a number of security designations

a user of a certain designation can only access resources of the same designation or lower

designations: top secret, secret, confidential and unclassified

compartments: laser, nuclear, spy

22
Q

Clark-Wilson (Integrity)

  • the hyphen is a reminder of the separation of duties
A

deals with integrity
ensures internal and external consistency
integrity enforced through
- well-formed transactions
- separation of duties

23
Q

Chinese wall model (COI)

A

proposed by Brewer and Nash
deals with conflict of interest
no information flow is allowed that could cause information leakage leading to a COI

24
Q

Reference monitor

A

mediates subjects’ access to objects
responsible for enforcing system security policies when subjects access objects
the reference monitor is always enabled and cannot be bypassed

25
Q

Trusted computing base (TCB)

A

Consists of the security-relevant parts of a system, which include
- access control mechanisms
- reference monitor
- the kernel
- the protective mechanisms

The TCB defines a security profile including hardware, software and inter-process communication, and will ensure a computing device maintains the confidentiality, integrity and availability of the data residing on that system. (MIKE)

27
Q

Domain separation

A

protects objects in the system
Domain: the set of objects that a subject is able to access
Domain separation is implemented by
- execution rings
- base address registers
- segmentation descriptors
