Cram: Key Concepts

Introduction to Key Concepts:

We will cover, at a high level, the following concepts which will be required on the exam:

3.1 - Research, Implement, and Manage Engineering Processes Using Secure Design Principles

Traditional Concepts:

• Threat Modeling: Systematic approach of identifying, assessing, and mitigating potential vulnerabilities in a system.
• Least Privilege: Grant users the minimal levels of access or permissions they need to perform their work.
• Defense in Depth: Multilayered security approach designed to provide redundancy and mitigate the potential impact of a security breach.
• Secure Defaults: Configuration settings preset by manufacturers to minimize security risks.
• Fail Securely: Systems should default to a secure state in the event of a failure.

Contemporary Concepts:

• Keep It Simple: Simplicity in design reduces the potential for security vulnerabilities.
• Zero Trust: Security model where every request is fully authenticated, authorized, and encrypted before granting access.
• Privacy by Design: Integrate data privacy protections from the initial design stages of systems or processes.
• Trust but Verify: Always verify the legitimacy of information, even from trusted sources.
• Shared Responsibility: Security is not just the responsibility of one party but should be shared among all stakeholders involved.

3.2 - Understand the Fundamental Concepts of Security Models

3.3 - Select Controls Based on System Security Requirements

3.4 - Understand Security Capabilities of Information

For instance, the application of encryption and decryption techniques to protect data (like TPN).

3.5 - Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements

Identifying potential security weaknesses in systems and implementing measures to reduce the risk of these vulnerabilities being exploited.

3.6 - Select and Determine Cryptographic Solutions

This involves choosing appropriate cryptographic techniques based on the system's security requirements.

3.7 - Understand Methods of Cryptanalytic Attacks

These attacks are covered extensively in the Attacks and Countermeasures chapter. Some examples include:

3.8 - Apply Security Principles to Site and Facility Design

3.9 - Design Site and Facility Security Controls

Zero Trust Security

• User Identity as Control Plane: This shifts the focus from merely securing the network perimeter to treating user identity as the core security element.
• Assumption of Breach: Zero Trust inherently assumes a potential compromise or breach. It operates on the premise that every request, even those from within the organization, could be a threat.

1. Identity Verification: This involves rigorous identity verification protocols to authenticate each user. For instance, multifactor authentication and strict password policies can be used.
2. Device Management: Only devices compliant with the organization's security standards are allowed access to resources. This may involve ensuring devices are updated, have enabled firewalls, and use antivirus software.
3. Application Management: Only secure, organization-approved applications are permitted access to sensitive data. These applications are regularly scanned and updated to eliminate potential vulnerabilities.
4. Data Protection: Data is encrypted both at rest and in transit to ensure its safety, even if an unauthorized entity were to gain access.

Secure Defaults

A server should come with the minimal set of open ports necessary for its operation, and an application should have all its optional features turned off by default.

Fail Securely

Trust but Verify

Privacy by Design

Applying these principles as part of a layered defense strategy (defense in depth) within a Zero Trust framework helps to ensure privacy while maintaining a robust security posture.

1. Proactive not Reactive

This principle encourages a forward-thinking approach to privacy, where potential issues and privacy breaches are anticipated and prevented before they occur, rather than addressed after the fact.

2. Privacy as Default Setting

Systems should automatically protect users' privacy; individuals shouldn't have to take extra steps to secure their private data. By default, personal data should not be collected or shared without the individual's consent.

3. Privacy Embedded into Design

Privacy is not an afterthought or an add-on feature; it's a core component that should be part of the system's design and architecture from the very beginning.

4. Positive-Sum not Zero-Sum

The positive-sum approach means that privacy and other considerations, like security or usability, can all be achieved in tandem without sacrificing one for the other. The zero-sum approach, by contrast, views privacy and other factors as trade-offs, where improving one would degrade the other.

5. End-to-End Security — Full Lifecycle Protection

This principle mandates the protection of data from the moment it's collected until its final disposition. This means securing it during storage, processing, and transmission, as well as when it is deleted or anonymized.

6. Visibility and Transparency

Organizations must be open and transparent about their data practices, including how data is collected, used, and stored. This principle is often implemented through comprehensive privacy policies and clear user communications.

7. Respect for User Privacy

Keep It Simple Stupid (KISS)

Complexity is the worst enemy of security.

—Bruce Schneier

Despite Bob's high-tech approach, security is now weaker than ever due to non-compliance and workarounds.

A good example of the KISS principle in action is the secure operating system, Qubes OS. The team behind Qubes OS chose Xen for its simplicity, despite the fact that Kernel-based Virtual Machine (KVM) has more features. While KVM may offer more functionalities, its complexity could lead to potential security vulnerabilities, reinforcing why simplicity can be paramount in cybersecurity.

Best-in-Suite vs Best-in-Breed

The Value of Simplicity

Security as a Service (SECaaS)

Internet of Things (IoT)

Smart Devices

Security Information Event Management (SIEM)

Security Orchestration Automation, & Response (SOAR)

Microservices and Service Orientated Architecture (SOA)

Containerization

Hypervisors

APIs (SOAP or REST)

Embedded Systems

Enforce solid, Lightweight and robust measure authentication practices, moving beyond 'implied trust'. Examples: like two-factor authentication, digital signatures, or certificate-based authentication.

High Performance Computing

Distributed computing encompasses a wide range of systems where tasks are spread across multiple machines to enhance performance, provide redundancy, or both.

Beyond the Typical Client-Server

• Distributed Systems' Examples:

  • SETI Project:

    • Aim: Combing the cosmos for signs of extraterrestrial life.
    • Process: Analyzing vast amounts of data.
    • Unique Aspect: Individuals can volunteer their computing resources.

  • Cryptocurrency Blockchains:

    • Aim: Securely recording and verifying transactions.
    • Process: Decentralized nodes collaborate to validate and chronicle transactions on a communal ledger.
    • Unique Aspect: Strengthens security and consensus by jointly processing extensive transactional data.

Grid Computing

Grid computing, a subset of distributed computing, harnesses the power of many loosely coupled computers to perform sizable tasks.

• Characteristics:

  • Resource Pooling: Often described as "virtual supercomputing," grid computing pools resources, sometimes from globally scattered computers.
  • Voluntary Participation: Projects like SETI@home exemplify this, where unused computing resources are tapped into.
  • Heterogeneity: Grids can consist of varied machines, possibly with different operating systems and hardware configurations.
  • Middleware Requirement: Essential for managing diverse resources, handling security, and orchestrating tasks.

• Comparison:

  • SETI Project: Fits the grid computing model where global volunteers contribute idle computer time.
  • Blockchain: A form of distributed computing due to its decentralized nature but deviates from the traditional grid model. Its focus isn't pooling computational resources for large tasks but ensuring secure transaction data and consensus.

Key concerns with Grid computing includes protecting the grid controller from takeover or influence from bad actors. 

Edge Computing

• Overview: Edge computing moves certain processing tasks closer to the location where they are needed, rather than relying solely on a central cloud-based system.

• Use Cases:

  • Internet-of-Things (IoT) Scenarios:example: Situations where real-time or near-real-time processing is vital.
    • Agriculture:Agriculture: Optimizing irrigation based on sensor data.
    • Science/Space:Space: Immediate data processing from space instruments.
    • Military:Military: Real-time strategies or drone controls based on immediate data.

Fog Computing:

• Definition: An extension of edge computing, fog computing utilizes gateway devices in the field to gather, process, and send data more efficiently.

• How It Works: Rather than sending all data directly to the cloud, fog computing aggregates and processes data at the edge first, then sends only the most relevant or processed data to the central system.

• Purpose: By collecting and correlating data centrally at the edge, fog computing minimizes latency and enhances efficiency, especially when bandwidth is a concern. 

Security in Edge and Fog Computing:

• Challenges: With numerous network-connected devices dispersed in various locations, ensuring security becomes paramount.

• Key Solutions:

  • Data Encryption: Protecting data in transit and at rest.
  • Spoofing Protection: Ensuring data integrity and verifying the sources.
  • Authentication: Confirming the legitimacy of devices and users accessing the network.

Also related: 

• Internet of Things (IoT) represents a vast network of interconnected devices, each tapping into the internet to drive automation, remote management, or AI-powered functions. This category can encompass a variety of tools and machines, from a surveillance camera to sophisticated vehicles.
• Smart devices subset of IoT devices characterized by their ability to offer customization options, typically through the installation of apps. These mobile devices, such as smartphones or tablets, can use on-device or in-the-cloud artificial intelligence (AI) processing to deliver personalized and intelligent services.

CASB (Cloud Access Security Broker)

Definition: A CASB is a security solution that sits between an organization's on-premises infrastructure and cloud provider's infrastructure. It acts as a gatekeeper, allowing organizations to extend their security policies to cloud applications.

Purpose:

1. Visibility: CASBs provide insights into unauthorized cloud usage or "Shadow IT", where users might utilize applications not sanctioned by the organization.

2. Compliance: They ensure that cloud services are used in compliance with industry regulations and organizational policies.

3. Data Security: CASBs protect sensitive data in the cloud through various means like encryption, tokenization, and access controls.

4. Threat Protection: They defend against cloud-based threats by recognizing and counteracting malicious activity.

Shadow IT:

• Issue: Departments or individual users sometimes adopt cloud applications that are not officially approved by the IT department. This is usually done with good intentions, like trying to be more productive or efficient. However, this poses a risk as the IT department has no visibility or control over these apps, potentially exposing the organization to security vulnerabilities.

• Solution: CASB solutions detect such unsanctioned applications, giving the IT department visibility and control to either integrate those apps into the official workflow (after ensuring they're secure) or block them.

Example: Imagine an employee uses a free cloud storage solution to store official documents for easier access. While their intent is to work efficiently, this can bypass official security protocols. With CASB, the IT department can detect this usage. They can then decide to either block access to that cloud storage or consider integrating it as an official tool after vetting its security.

Post-Quantum Cryptography (PQC)

PQC refers to cryptographic algorithms designed to be secure against the potential future threats posed by quantum computers. Traditional cryptographic algorithms are susceptible to quantum attacks, making PQC vital for future-proofing data security.

Symmetric Cryptography:

• Susceptibility: Fairly resilient, but not immune.
• Quantum Threat: Grover's algorithm can reduce the effective key length by half. For instance, a 256-bit key against a quantum computer is equivalent in strength to a 128-bit key against classical computers.

A 256-bit key provides 2^128 times the strength of a 128-bit key. Double the key length isn't doubling the strength

Asymmetric Cryptography:

• Susceptibility: Highly vulnerable.
• Quantum Threat: Shor's algorithm can compromise public-key algorithms like RSA and those based on the discrete logarithm problem (including Elliptic Curve Cryptography).
• Scaling Issue: Simply doubling key length only multiplies security by a factor of eight. This isn't a long-term solution.

Lattice-based Cryptography:

• Resilience: Promising as a quantum-resistant cryptographic method.
• Foundation: Based on the shortest vector problem and the closest vector problem.
• Significance: Lattice-based schemes are predominant in research regarding post-quantum cryptography, offering hope for secure communication in a quantum world.
• Lattice Definition: In mathematics and cryptography, a lattice is a regular grid or array of points in multidimensional space.
  • For visualization: Try searching "mathematical lattice 3D" on Google Images for illustrative examples.

Key Takeaway for CISSP ExamExam::

When considering quantum-resistant cryptography, think "lattice-based."

Trusted Computing Base (TCB)

• Analogy: Think of the TCB as the core of Windows 11, including its essential system files and the TPM chip. It's the foundation ensuring everything runs securely. Like how Windows 11 mandates a TPM 2.0 chip for installation, it's because the operating system wants to ensure a trusted environment from the get-go.

• This is akin to the boundaries set within Windows 11 that segregate trusted system processes from third-party apps. Just as you need special permissions to change system settings in Windows, the security perimeter ensures sensitive parts of the OS remain protected.

• Consider the User Account Control (UAC) pop-ups you encounter when trying to run or install specific apps or make system-level changes. UAC acts as a gatekeeper, similar to the reference monitor, ensuring actions are authenticated and authorized.

• This is the collection of tools and protocols within Windows 11 that enact the checks and balances of the reference monitor. If the UAC (reference monitor) tells you that you need admin permissions, the mechanisms that check for these permissions and then grant or deny access are part of the security kernel.

IT Security Evaluation Standards (unfinished)

• Overview: The Common Criteria for Information Technology Security Evaluation provides a framework for evaluating the security properties of software and hardware products.
• Key Point: It allows for an objective evaluation, ensuring a product or system meets a particular set of security standards. Many view it as the current "gold standard" in IT security evaluation.
• Relevance: CC is internationally recognized and serves as a bridge between various national criteria by providing a common standard for security evaluations.

• Overview: Developed in the U.S. during the 1980s, TCSEC was a set of criteria used for evaluating computer security within products.
• Key Point: It introduced security levels (from D to A) that represented increasing levels of security assurance and capability.
• Relevance: While it was groundbreaking in its time and influenced many future standards, it became somewhat outdated due to its focus on standalone systems and the rapid evolution of IT.

• Overview: Developed in Europe, ITSEC aimed to establish a standardized security evaluation.
• Key Point: It expanded on the ideas of TCSEC but was more flexible and comprehensive. It evaluated both the security functionality and the assurance levels of products.
• Relevance: ITSEC was an important step forward from TCSEC and laid groundwork for more international collaboration on security standards.

Why Remember TCSEC and ITSEC?

• Historical Importance: Understanding the progression of security standards is crucial. TCSEC and ITSEC represent significant milestones in the evolution of IT security evaluation criteria. They inform how and why modern standards, like the Common Criteria, have been shaped.
• Foundational Concepts: Many concepts and terminologies in modern standards can trace their roots back to TCSEC and ITSEC. Understanding them can provide deeper insights into the underpinnings of current practices.

1. Community Protection Profile (cPP):
• Nature: Black-box evaluation.
• Description: cPPs come with predefined requirements. It’s a sort of "off-the-shelf" security evaluation based on standardized needs for a particular community or sector.
• Relevance for CISSP: While foundational knowledge is useful, cPP might not be as frequently referenced in the exam as the more detailed aspects of CC.

1. Evaluation Assurance Level (EAL):
• Nature: White-box evaluation.
• Description: EAL offers a more detailed, flexible approach. Instead of using preset requirements like cPP, EAL allows for a tailored examination, where the specific claims and requirements can be set based on the unique needs of the product or system.
• Relevance for CISSP: It's essential to understand the different EAL levels (EAL1 to EAL7) and what each represents in terms of depth and rigor of evaluation.

Access Controls

1. Mandatory Access Control (MAC):
• Description: Uses a system-enforced access policy where individual object owners can't set access. Operates based on labels assigned to every object and subject.
• Hierarchical Environment: Classifications are assigned in a structured order, ranging from low to high security.
• Compartmentalized Environment: Focuses on specific clearances over domains or compartments rather than individual objects.
• Hybrid Environment: A mix of both hierarchical and compartmentalized systems where security levels possess sub-compartments.
• Key Point: Every object and subject in the MAC model has one or more predefined labels, with the system determining access based on these labels.
• Software Example: SELinux in Linux employs MAC by assigning labels to every file, process, port, etc., and uses these labels to enforce policy decisions.
2. Discretionary Access Control (DAC):
• Description: Object owners have the discretion to define accessibility.
• Software Example: NTFS in Windows or ext4 in Linux allow file creators to set permissions.
3. Non-discretionary Access Control:
• Description: Enforces system-wide access restrictions.
• Software Example: Windows Group Policy enforces controls like preventing all users in a specific OU from using USB storage.
4. Rule-based Access Control:
• Description: Access is based on predefined rules.
• Software Example: Cisco's Access Control Lists (ACLs) in their IOS or firewall solutions like pfSense. Additionally, Windows Group Policy can be viewed as implementing rule-based controls in the context of domain environments.
5. Role-Based Access Control (RBAC):
• Description: Access is based on defined job roles, each associated with specific permissions.
• Example: Azure roles such as "Global Admin", "Access Admin", or "Security Reader" allow individuals occupying these roles to access specific resources or perform certain tasks.
• Key Point: Users in RBAC are granted access based on their job function, ensuring they have the necessary permissions to execute their roles effectively.

CIA: Come back to this to properly understand it

Certification

• Definition: The systematic technical evaluation of each component within a computer system to verify its alignment with security standards.
• In simpler terms: It's like checking if each piece of a puzzle fits with the security picture we want.

Accreditation

• Definition: The formal endorsement of a certified configuration by a designated authority.
• In simpler terms: Once the system passes its "security test" (certification), an authoritative figure gives it a formal thumbs-up.

Open System

• Definition: Systems that are constructed using widely recognized and accepted industry standards, promoting easy integration with other similarly designed systems.
• In simpler terms: Like playing with LEGO bricks made by different manufacturers but all following the same design rules, ensuring they fit together.

Closed System

• Definition: Systems that rely on proprietary hardware or software, often without publicly available documentation. This often makes integration with other systems more challenging.
• In simpler terms: It's like trying to fit blocks from a specialized toy set into a generic set; they might not fit because they follow their own unique rules.

Multi-Factor Authentication (MFA)

• Something you know: This often refers to something memorized, like a PIN or password.
• Something you have: This can be a physical or digital token. Examples include a smart card, a security token, or a trusted device, like your smartphone with an authentication app.
• Something you are: These are biometrics. Examples include fingerprints, retina scans, or voice recognition.

Rights, permissions, and privileges are allocated to users based on their established identity. If a user possesses rights to a resource, they are provided authorization to use or access it.

Authentication (AuthN) vs. Authorization (AuthZ)

• AuthN (Authentication):
• Definition: The process of verifying a user's identity, proving that they are who they claim to be.
• Example: Logging into an email account with a username and password.
• AuthZ (Authorization):
• Definition: The process that comes after authentication. It determines the permissions or rights an authenticated user has, dictating what they can and cannot do within a system.
• Example: Once logged into the email account (after authentication), a user might have the authorization to read, send, or delete emails.

Cryptosystems in Authentication

• Symmetric Cryptosystems: Both parties (e.g., sender and receiver) use the same secret key to encrypt and decrypt messages.
• Asymmetric Cryptosystems: Uses a pair of keys: a public key known to everyone and a private key that remains secret. The public key is used to encrypt data, while the corresponding private key decrypts it.

Processing & Hardware

Processor States

• Single State Processors:
• Definition: Processors that can only operate at a single security level at any given time.
• Example: A system dedicated to processing only confidential-level data, without the capability to handle data of different security levels simultaneously.
• Multi-State Processors:
• Definition: Processors capable of handling data at multiple security levels concurrently.
• Example: A military system that simultaneously processes top-secret, secret, and unclassified data, ensuring that each data level remains isolated and secure.

MultiX Concepts

1. Multitasking:
• Definition: Allows for the concurrent execution of multiple applications on a computer, with the operating system managing task switching.
• Example: Listening to music while browsing the web on a personal computer.
2. Multithreading:
• Definition: Enables multiple concurrent tasks (threads) to run within a single program or process, often improving responsiveness and performance.
• Example: A word processor might have one thread for typing, another for auto-saving, and another for spell checking, all running concurrently.
3. Multiprocessing:
• Definition: Involves the use of multiple processors (or multiple cores within a single chip) in a system to enhance computing power and performance.
• Example: Modern desktop computers often have multi-core CPUs (like quad-core or octa-core) that can process several tasks simultaneously.
4. Multiprogramming:
• Definition: A technique resembling multitasking, primarily associated with mainframe systems, wherein multiple programs or tasks share the system's resources. Requires specialized programming to manage the tasks efficiently.
• Example: A mainframe managing different jobs like data processing, printing, and calculations all at once.

Memory

1. Read-Only Memory (ROM):
• Definition: Non-volatile memory with data permanently written during manufacturing.
• Characteristics: Permanent storage; contents are "burned in" at the factory.
2. Random Access Memory (RAM):
   • Static RAM (SRAM): Uses flip-flops to store each bit of data.
   • Dynamic RAM (DRAM): Uses capacitors to store each bit of data and requires periodic refreshing.
• Main volatile memory used for temporary storage while a computer is running. It loses its content when power is turned off.
• Types:
3. Programmable ROMs:
   • Definition: Memory that can be programmed once by the user after manufacturing.
   • Definition: A memory chip that can be programmed, then later erased and reprogrammed using ultraviolet light.
   • Types:
   • Ultraviolet Erasable PROM (UVEPROM): Features a small window that exposes the chip for erasure via UV light.
   • Electrically Erasable PROM (EEPROM): Can be erased by applying specific electrical voltages, allowing for more selective data manipulation than UVEPROM.
• Programmable Read-Only Memory (PROM):
• Erasable Programmable Read-Only Memory (EPROM):
4. Flash Memory:
• Definition: A derivative of EEPROM; it's non-volatile and can be electronically erased and reprogrammed.
• Characteristics: Commonly used in USB drives, SSDs, and memory cards due to its durability and quick access time.

Storage

1. Primary Storage (Memory):
• Definition: Directly accessible by the CPU. This is where the operating system, application software, and data in current use are kept so they can be quickly reached by the computer's processor.
• Examples: RAM (both SRAM and DRAM).
2. Secondary Storage:
   • Magnetic: Hard disk drives (HDDs).
   • Flash: Solid-state drives (SSDs) and USB drives.
   • Optical: CDs, DVDs, Blu-ray discs.
• Definition: Non-volatile storage mediums that store data until it is deleted or overwritten. Data from secondary storage needs to be loaded into primary storage before being processed.
• Types:
3. Access Types:
• Random Access: Storage devices where data can be read or written at any location at any time.
• Sequential Access: Storage devices where data has to be read or written sequentially. Accessing specific data means going through the data stored before it.

Security Issues with Secondary Storage

1. Unauthorized Data Extraction with Removable Media:
   • Implementing policies to restrict the use of removable media.
   • Deploying Data Loss Prevention (DLP) solutions to monitor and control data transfers.
• Description: Portable secondary storage, like USB drives, can easily be used to copy and remove data from a system, leading to data breaches.
• Mitigation:
2. Inadequate Protection Mechanisms:
   • Applying file and disk encryption.
   • Implementing robust access control policies.
• Description: Without proper access controls and encryption, sensitive data on secondary storage can be accessed by unauthorized users.
• Mitigation:
3. Data Persistence after Deletion or Formatting:
   • Employing secure deletion tools that overwrite data multiple times.
   • Physical destruction of storage for highly sensitive data.
• Description: Even after files are deleted or media is formatted, data can often still be retrieved using specialized tools, posing a risk of unauthorized data recovery.
• Mitigation:
4. Eavesdropping and Tapping on I/O Devices:
   • Using secure connections and protocols.
   • Regularly inspecting physical devices and connections for tampering, such as unexpected or unauthorized vampire taps.
   • Employing network monitoring tools to detect unusual data transfers or connections.
• Description: Input/Output (I/O) devices connected to secondary storage can be vulnerable to eavesdropping or tapping, allowing malicious actors to intercept data or introduce unauthorized entry points. For instance, a "vampire tap" can be used to clandestinely connect to a network by piercing into a coaxial cable, enabling an attacker to monitor or inject data without being easily detected.
• Mitigation:

Firmware

• Firmware is essentially specialized software stored on a ROM chip.
• While ROM provides the foundational instructions to kickstart a device, firmware provides more specific instructions to ensure the device runs smoothly.
• Apart from computers, firmware is commonly found in peripheral devices like printers to guide their operations.

Vulnerabilities, Threats, & Countermeasures

1. Process Isolation: It's like giving each process its own private room. This ensures a process only gets to access its own data, ensuring no nosy neighbors.
2. Layering: Think of it as setting up multiple security checkpoints in a building. By establishing various realms of security within a process, it limits unnecessary chatter between them.
3. Abstraction: Imagine handing over a remote to control your smart home without showing all the wiring behind the walls. Abstraction provides these 'black-box' interfaces, letting programmers interact without needing to dive deep into the complexities of algorithms or the device’s intricate details.
4. Data Hiding: This is akin to having a VIP room where only certain guests can see and access information. It ensures data isn't visible to those outside its designated security level. And for added security, hardware segmentation acts like a bouncer, reinforcing process isolation with tangible controls.

Security Policy

Cloud Computing

• Cloud Computing operates on the principle of using external processing and storage capabilities over a network connection. Prominent service providers include Azure and AWS.
• Security Considerations: There's inherent risk when entrusting sensitive and confidential data to third parties. It's crucial for cloud providers to maintain security standards that align with, or exceed, those of the individual or organization. Interestingly, many major cloud providers often surpass the security capabilities of on-premises solutions, barring extremely high-security scenarios.

CASB (Cloud Access Security Broker)

• A CASB serves as a gatekeeper, allowing organizations to extend their security policies to cloud applications. It can be situated on-premises or be cloud-based.
• Its relevance particularly spikes when discussing "shadow IT". CASBs play a pivotal role in ensuring that only secure apps are employed, data isn't housed in unauthorized locations, and all assets are appropriately sanctioned.

Security-as-a-Service (Security-aaS)

• This concept revolves around entrusting an external cloud entity with your security needs. Rather than building and managing security in-house, organizations can leverage online services tailored for protection.
• Services under this umbrella might include identity protection, security information event management, and more. In essence, consider Security-aaS as a method to outsource the intricacies of the security function, much like how SaaS operates for software.

Mobile Device and Mobile App Security

1. Mobile Device Security Features:
• Full Device Encryption: Encrypts all data on the device, making it unreadable without the decryption key.
• Remote Wiping: Allows administrators or users to erase data remotely, either on the entire device or specific sections.
• Lockout: Disables the device after a certain number of failed login attempts.
• Screen Locks: Requires a PIN, password, pattern, or biometric data to unlock the device.
• GPS Tracking: Can help locate lost or stolen devices or verify the location of a user for authentication purposes.
• Application Control: Ensures only approved apps are installed and prevents malicious or unauthorized apps.
2. Mobile Application Security:
• Key Management: Handles the generation, distribution, and storage of cryptographic keys.
• Credential Management: Safeguards user credentials and ensures secure access.
• Authentication: Validates the identity of users accessing apps.
• Geotagging: Adds geographical metadata (like location) to apps or functions. Be cautious as it may pose privacy risks.
• Encryption: Scrambles data within the app so it cannot be easily read without decryption.
• Application Whitelisting: Only allows specified applications to run, blocking all others.
• Transitive Trust/Authentication: Trust established based on another trusted entity (e.g., if A trusts B and B trusts C, then A might trust C).
3. Bring Your Own Device (BYOD):
   • Improved employee morale and job satisfaction.
   • Lower upfront costs for the organization in terms of hardware procurement.
   • Increased security risks, as personal devices might not be as secure as company-issued ones.
   • Hidden costs related to managing and securing a diverse range of personal devices/
• Definition: A policy where employees use their personal mobile devices for work-related tasks, accessing company data and resources.
• Pros:
• Cons:

Embedded Systems & Static Environments

1. Embedded Systems:
   • Motion systems (e.g., anti-lock braking system in cars)
   • Lighting systems
   • Cash registers
   • Digital signature pads
   • Wi-Fi routers
• Definition: These systems are designed for a specific function or set of functions within a larger system.
• Examples:
• They're integral to many devices and can be found in everyday appliances as well as specialized equipment.
2. Static Environments:
• Definition: Configurations like OSs, hardware, or networks set up for a particular purpose and remain unchanged despite interaction. They are resistant to alterations, even by authorized personnel like administrators.
• Example: An industrial control system (like those used in manufacturing plants) that's configured to manage machinery operations. Changes could disrupt the production process, so the environment remains static to ensure consistent performance.
3. Management & Security:
   • Network Segmentation: Dividing network into various segments to keep critical systems separate and secure.
   • Security Layers: Using multiple security measures to protect systems, akin to having multiple barriers.
   • Application Firewalls: Protects against malicious inputs or attacks targeted at applications.
   • Manual Updates: Due to the sensitivity and specificity, updates might need to be manually reviewed and applied.
   • Firmware Version Control: Ensures only approved and tested firmware versions are in use.
   • Wrappers: Additional security layers around an application or system to shield it from potential threats.
   • Control Redundancy and Diversity: Having multiple controls in place, so if one fails, another can take over or compensate.
• Both embedded systems and static environments, due to their specialized nature, require targeted security measures.
• Security Measures:

Remember: As technology evolves, the line between embedded systems and more flexible environments may blur, but the fundamental principles of securing these systems remain the same. Always prioritize the integrity and security of the system while accommodating for its intended function.

Privilege & Accountability

Principle of Least Privilege (PoLP):

Separation of Privilege:

Remember: Accountability ensures that an audit trail exists to trace operations back to their source. If permissions are granted at a higher level we know who or what did a certain operation.

Common Flaws & Vulnerabilities

Buffer Overflow

• • Definition: A flaw that happens when a program writes data to a buffer and overruns the buffer's boundary, writing data to adjacent memory.
  • Cause: Typically caused by the program's failure to verify the size of the input data before storing it in a specific memory location.
  • Consequences: Can lead to system crashes, data corruption, and even provide an entry point for attackers to execute arbitrary code.

Back Doors

• Definition: Intentional points of entry into a system or application that bypass regular security mechanisms.
• Cause: Sometimes left intentionally by developers for debugging or maintenance but can be overlooked and remain post-deployment.
• Consequences: They pose a significant security risk as attackers can exploit these to gain unauthorized access.

Privileged Programs

• Definition: Programs that have elevated permissions to perform sensitive operations.
• Cause: Can be left on a system by oversight after its deployment or for maintenance.
• Consequences: When left unchecked, they can be exploited by malicious users to perform unauthorized actions, often with significant impact due to their elevated permissions.

Time-of-check-to-time-of-use (TOCTTOU) Attacks

• Definition: A race condition wherein a system's state changes between the check (verification) time and the use (action) time.
• Example: If a system checks for a user's credentials and then, after a delay, provides access, an attacker might exploit this delay to insert malicious actions.
• Consequences: Can lead to unauthorized data access, data corruption, or privilege escalation.
• Mitigation: Ensure that the time gap between check and use is minimized or secured, or use atomic operations that combine the check and action into an indivisible operation.

Vulnerabilities arise from a mix of oversight, unintended consequences of design decisions, and the inherent complexity of software systems. Do regular security audits, code reviews, and continuous security training for developers.

Physical Security Controls

Fencing Specifications

Temperature & Humidity

Extremely low humidity, even on non-static carpets, can generate a massive 20,000-volt static discharge.

Electrical Impacts

Power may not always be clean or consistent. Electronic devices require consistent, clean power to function & avoid damage. A UPS (Uninterruptible Power Supply) can ensure clean power, and provide backup during power outages.

Lighting Specifications

Fire Classification and Suppression Agents

Fire extinguishers are categorized based on the types of fires they are designed to extinguish. Using the wrong type of extinguisher can be ineffective or even dangerous!

Fire Detection Systems

Electromagnetic Interference (EMI):

1. Common Mode Noise:

• Generated by the difference in power between the hot and ground wires of a power source operating electrical equipment.
• Also generated by the difference between the hot and neutral wires of a power source operating electrical equipment.
2. Radio Frequency Interference (RFI):
• This interference is generated by electrical appliances, light sources, electrical cables, circuits, and so on.

Static Voltage and Possible Damages:

Damage from Fire and Fire Suppression:

• Descriptive Elements of a Fire: Components of a fire are not just limited to the visually evident smoke and heat. The medium used for suppressing the fire, like water or soda acid, also plays a role in post-fire assessments and damage control.
• Smoke: Particularly detrimental to storage devices. The residue can interfere with device operations and contaminate sensitive components.
• Heat: Has the potential to damage any electronic or computer component, causing them to malfunction or fail altogether.
• Suppression Mediums: While essential for dousing flames, these can have unintended consequences. Water can cause short circuits, while other mediums might instigate corrosion or render equipment inoperative.

We should address all the potential damage, but remember that the number one concern should always be human safety. 

Water and electricity are a dangerous combination. Ensure power is cut off in the event of using water-based suppression systems near electrical equipment.

Gas Discharge Systems:

• Pros: Highly effective in suppressing fires.
• Cons: Detrimental to the environment as it's ozone-depleting. Also, it becomes a toxic gas when heated to 900°F.

Lock Types

Remember what locks can be picked and which need to be bumped for the exam

"Picking" and "bumping" are both methods to compromise locks. Picking involves using tools to manipulate the pins inside a lock, while bumping involves inserting a specially-cut key into the lock and tapping it to force the pins to jump, allowing the lock to turn. Not all locks are vulnerable to both methods.

Site Selection and Facility Design

Physical Access Control Threats

Wiring Closet Security

Visitor Protocols

Media Storage

Evidence Storage

Audit Trails & Access Logs