The third domain of the CISSP exam ‘Security Architecture and Engineering’ focuses on different processes, standards, structures to design a secure information system (An information system comprises of the operating system, network, equipment, and applications) These are some of the following objectives:
The CISSP certification tests a candidate’s knowledge of systems engineering processes and their lifecycle and how to integrate security into it. The different phases in a system lifecycle are planning, development, test, deployment, and maintenance. One important aspect of a secure design is that security should be built into the system and must not be an afterthought.
In addition, this sub-section expects the candidate to understand how the three system components of hardware, firmware, and software work together. The candidate is also expected to have knowledge of the common architecture frameworks such as the Zachman framework, SABSA (Sherwood applied business security architecture) framework, TOGAF (The Open Group architecture framework) and ITIL (IT Infrastructure Library)
A security model is a blueprint to implement security on an information system. The candidate is expected to know the various security models such as Bell LaPadula model, Biba model, Clark-Wilson Model, and Brewer-Nash Model, Graham-Denning model.
The Bell LaPadula model and the Biba model are both “information flow models”.
Bell LaPadula model:
The Bell LaPadula model ensures that the “confidentiality” aspect of the CIA triad is enforced. In this model, the “subject at a certain level cannot read data at a higher security level. Similarly subject at a certain level cannot write data to a lower security level”.
The Biba model which was developed after the Bell-LaPadula model enforces the integrity aspect of the CIA triad. Here, “the subject at a certain level cannot read data at a lower integrity level”. Similarly, the “subject cannot modify data at a higher integrity level”
Along with the various security models, the candidate is also expected to know the product evaluation models such as TCSEC (Trusted Computer System Evaluation Criteria), ITSEC and ‘Common Criteria’. These product evaluation models are used to verify that the information systems achieve a set of security goals.
The TCSEC also is known as the ‘Orange book’ was first published in 1983. It contains a set of standards that were used by the US Department of Defense(DoD) to evaluate its systems. The different ‘Orange book’ criteria are
Division’ D’ – Minimal protection
Division ‘C’- Discretionary protection
Division ‘B’ – Mandatory protection
Division ‘A’ – Verified protection
The TSEC focused more on the ‘confidentiality’ aspect of the CIA tried to evaluate its systems. The TCSEC has been superseded by the ‘Common criteria’.
TCSEC and ITSEC were not universally adopted and ‘Common criteria’ came into existence and it soon became the universally adopted product evaluation criteria. ‘Common criteria’ can be applied to both hardware and software products. In CC, we have to determine the ST(security target) and ToE(Target of evaluation), conformance claims and security requirements and perform product evaluation accordingly.
It has seven different assurance levels (EALs) with EAL 1 being the lowest level of assurance and EAL 7 being the highest level of assurance.
EAL 1 – Functionally tested
EAL 2: Structurally Tested
EAL 3: Methodically Tested and Checked
EAL 4: Methodically Designed, Tested and reviewed
EAL 5 – Semi-Formally Designed and Tested
EAL 6: Semi-Formally Verified Design and tested
EAL 7: Formally Verified Design and Tested
The candidate is expected to know the various security controls (policies, procedures, safeguards, and countermeasures) based on the systems security requirements. The security control categories are administrative, physical and technical.
The security controls fall into seven different types – they are preventative(preventing unauthorized action on an information system), corrective(correcting an information system after an unauthorized action), detective(detecting unauthorized action), compensating(compensate an information system for a risk or vulnerability) , deterrent(controls that are used to deter would-be attackers), directive(controls that guide the subjects to comply with a security policy) and recovery(controls that are needed to recover from a disaster)
Security is a quintessential part of an information system but implementing it without disrupting the existing architecture may be a challenge.
This sub-section contains different techniques such as access control mechanisms, secure memory management, layering and virtualization which can be used to protect systems without disrupting the system.
The candidate is expected to know the client security issues, server security issues, database systems, cryptographic systems, cloud-based systems, IoT and distributed systems of security architecture and knows how to mitigate them.
Client security issues are ‘Applets’ (which run on the client’s machine) and local caching
Since servers contain critical resources, it is but obvious that they will be attacked. Thus, servers should be designed in an effective way such that all vulnerabilities related to the server will be mitigated.
The candidate is expected to know the vulnerabilities of database systems and data warehouses which hold huge amounts of historical data for analysis. If this data were breached, organizations will lose all their historical data. In addition, ‘inference’, ‘aggregation’ are other database risks which have to be duly mitigated.
The candidate is expected to know the key terms in cryptography like encoding, decoding, plaintext, ciphertext, algorithm, symmetric encryption, asymmetric encryption and so on.
The candidate is also expected to know the different cryptographic algorithms such as DES, 3DES, AES, Blowfish, RSA.
Web-based applications are also at risk for vulnerabilities, risks, and threats. The candidate is expected to know the appropriate threats that might strike server machines, client machines and other technologies surrounding them and remediate them accordingly.
Hardening of the operating system of the server, applying vendor patches as and when they are released, assessing IDS and IPS and using application proxy firewalls are some ways in which vulnerabilities in web-based systems can be mitigated.
The candidate is also expected to know the OWASP top 10 vulnerabilities and the ways they can be mitigated.
Mobile devices whether it is smartphones, tablets or any other device are increasing in numbers and it is a necessary part of life today. With BYOD gaining more momentum in most corporate environments, each type of device that is brought into an organization brings with it, its own challenges. The CISSP candidate is expected to know the challenges of aligning BYOD with the existing security architecture. To enhance security, mobile devices should be able to remotely wipe the device
The candidate is also expected to know the risks arising from mobile workers and working remotely. Mobile workers work in an insecure environment when they move out of their corporate area. Given that there are different vectors to attack a mobile device such as SMS, email, social networking and, any smartphone app, guidance is provided by the NIST publications to protect the device.
‘Industrial control systems’ (ICS) form the core of industrial systems. These Industrial control Systems depend on embedded devices to keep them functioning. Some examples of ICS are SCADA (Supervisory control and data acquisition), distributed control systems (DCS) and programmable logic controllers (PLC)
SCADA systems are responsible for geographically large automated tasks such as electric power generation, rail systems, oil and gas refining, water treatment and distribution.
The candidate is expected to know the vulnerabilities and threats that can affect these embedded systems. The ISO 27000 series, ISO 27032:2021, IEC 62351, IEC 62443 are some standards that can be used when designing ICS systems.
This subsection consists of the cryptographic life cycle, PKI (public key infrastructure), key management processes, digital signatures and methods of cryptanalytic attacks (ciphertext-only attack, known plaintext attack, chosen plaintext attack) and more
The CISSP aspirant is expected to know all aspects of physical security as well. All sites and facilities have to be designed appropriately to enhance security.
Data center security, physical access control, and visitor management are some ways that site and facility security controls can be implemented.
We saw an overview of the ‘Security architecture and management’ domain of the CISSP exam. This is just a brief list of the sub-sections and the candidate is expected to study from the appropriate study resources to ace the exam with flying colors!