Skip to main content

Miscellaneous Concepts

Introduction to Key Concepts:

We will cover, at a high level, the following concepts which will be required on the exam:

3.1 - Research, Implement, and Manage Engineering Processes Using Secure Design Principles

Traditional Concepts:

  • Threat Modeling: Systematic approach of identifying, assessing, and mitigating potential vulnerabilities in a system.
  • Least Privilege: Grant users the minimal levels of access or permissions they need to perform their work.
  • Defense in Depth: Multilayered security approach designed to provide redundancy and mitigate the potential impact of a security breach.
  • Secure Defaults: Configuration settings preset by manufacturers to minimize security risks.
  • Fail Securely: Systems should default to a secure state in the event of a failure.

Contemporary Concepts:

  • Keep It Simple: Simplicity in design reduces the potential for security vulnerabilities.
  • Zero Trust: Security model where every request is fully authenticated, authorized, and encrypted before granting access.
  • Privacy by Design: Integrate data privacy protections from the initial design stages of systems or processes.
  • Trust but Verify: Always verify the legitimacy of information, even from trusted sources.
  • Shared Responsibility: Security is not just the responsibility of one party but should be shared among all stakeholders involved.

3.2 - Understand the Fundamental Concepts of Security Models

Examples: Biba model, Bell-LaPadula model, and State Transition model.

3.3 - Select Controls Based on System Security Requirements

This involves identifying appropriate security measures based on the specific security requirements of a system.

3.4 - Understand Security Capabilities of Information

For instance, the application of encryption and decryption techniques to protect data (like TPN).

3.5 - Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements

Identifying potential security weaknesses in systems and implementing measures to reduce the risk of these vulnerabilities being exploited.

3.6 - Select and Determine Cryptographic Solutions

This involves choosing appropriate cryptographic techniques based on the system's security requirements.

3.7 - Understand Methods of Cryptanalytic Attacks

These attacks are covered extensively in the Attacks and Countermeasures chapter. Some examples include:

Bruce ForceCiphertext OnlyKnown PlaintextFrequency Analysis
Chosen CiphertextImplementation AttacksSide-Channel AttacksFault Injection
Timing AttacksMan-in-the-Middle AttacksPass the Hash AttacksKerberos Exploitation

3.8 - Apply Security Principles to Site and Facility Design

This involves integrating security considerations into the design and layout of physical spaces where systems or information are housed.

3.9 - Design Site and Facility Security Controls

Establishing security measures in the physical environment to protect system and information resources. This could involve barriers, surveillance, or controlled access points, among others.

Zero Trust Security


Zero Trust Security seeks to address the shortcomings of traditional perimeter-based security models. At its core, it operates on the principle of "never trust, always verify."

Key Elements:

  • User Identity as Control Plane: This shifts the focus from merely securing the network perimeter to treating user identity as the core security element.
  • Assumption of Breach: Zero Trust inherently assumes a potential compromise or breach. It operates on the premise that every request, even those from within the organization, could be a threat.
Core Components of Zero Trust Security:

  1. Identity Verification: This involves rigorous identity verification protocols to authenticate each user. For instance, multifactor authentication and strict password policies can be used.
  2. Device Management: Only devices compliant with the organization's security standards are allowed access to resources. This may involve ensuring devices are updated, have enabled firewalls, and use antivirus software.
  3. Application Management: Only secure, organization-approved applications are permitted access to sensitive data. These applications are regularly scanned and updated to eliminate potential vulnerabilities.
  4. Data Protection: Data is encrypted both at rest and in transit to ensure its safety, even if an unauthorized entity were to gain access.
Example: Consider a digital library that hosts thousands of rare and valuable books. In the past, this library used a simple username-password system for access. However, they faced a series of breaches due to stolen credentials and decided to move towards a Zero Trust Security model.

Under the Zero Trust approach, every access request to the digital library is treated as a potential threat, regardless of whether it comes from a long-time member or a new visitor.

Each user is required to verify their identity via multifactor authentication. The library also checks the security status of the device making the request to ensure it doesn't pose a risk. Only approved reading apps can access the digital books, and all the data is encrypted to protect it from unauthorized access.

In this way, the digital library successfully transitions to a Zero Trust Security model, ensuring the safety and integrity of its rare and valuable collection.

Secure Defaults

This principle states that the default configuration of any system, application, or service should inherently reflect a restrictive and conservative enforcement of the security policy. In essence, systems should be 'secure out of the box'. This principle applies not only to the practices within your organization, but also to the expectations you should have of your hardware, software, and service vendors.

A server should come with the minimal set of open ports necessary for its operation, and an application should have all its optional features turned off by default.

Fail Securely

"Fail Securely" dictates that components should default to a state that denies access when a failure occurs, rather than granting access. This principle ensures that even in the event of an unexpected system or application failure, security is maintained.

Example: if an authentication server fails, the system should not allow all users to log in freely; instead, it should prevent all users from logging in until the issue is resolved. This principle protects against unauthorized access that could occur during system malfunctions or failures.

image.png

Trust but Verify

Historically, Trust but Verify was the norm in security. Under this principle, once a user gained access to the 'secured' area of a system (for example, after entering a password), they were largely trusted to move within that area without constant verification.

However, the evolution of cyber threats rendered this approach inadequate. Adversaries learned how to bypass initial security checks or exploit the trust granted within the system. Imagine a burglar breaking into a house and then freely roaming inside, asking the family for sensitive information. Any sensible person wouldn't trust the burglar just because they're already inside the house.

This realization led to the emergence of Zero Trust Security. This modern model operates on the belief that threats can come from anywhere, even from within the system. Therefore, it continuously verifies the identity of everyone and everything trying to connect to the system, regardless of their prior status. This strategy is akin to having security cameras in every room of the house, not just at the entrance. By doing so, the system can better fortify itself against potential threats.

Privacy by Design

Privacy by Design is a framework that integrates privacy considerations into the fabric of systems, technologies, policies, and design processes. It's rooted in seven foundational principles outlined by the International Association of Privacy Professionals (IAPP).

Applying these principles as part of a layered defense strategy (defense in depth) within a Zero Trust framework helps to ensure privacy while maintaining a robust security posture.

1. Proactive not Reactive

This principle encourages a forward-thinking approach to privacy, where potential issues and privacy breaches are anticipated and prevented before they occur, rather than addressed after the fact.

2. Privacy as Default Setting

Systems should automatically protect users' privacy; individuals shouldn't have to take extra steps to secure their private data. By default, personal data should not be collected or shared without the individual's consent.

3. Privacy Embedded into Design

Privacy is not an afterthought or an add-on feature; it's a core component that should be part of the system's design and architecture from the very beginning.

4. Positive-Sum not Zero-Sum

The positive-sum approach means that privacy and other considerations, like security or usability, can all be achieved in tandem without sacrificing one for the other. The zero-sum approach, by contrast, views privacy and other factors as trade-offs, where improving one would degrade the other.

5. End-to-End Security — Full Lifecycle Protection

This principle mandates the protection of data from the moment it's collected until its final disposition. This means securing it during storage, processing, and transmission, as well as when it is deleted or anonymized.

6. Visibility and Transparency

Organizations must be open and transparent about their data practices, including how data is collected, used, and stored. This principle is often implemented through comprehensive privacy policies and clear user communications.

7. Respect for User Privacy

User-centric privacy means giving users control over their data. They should be informed about their data use and have the power to opt in or out. It also includes complying with regulations like the General Data Protection Regulation (GDPR), which strengthens individuals' privacy rights.

Keep It Simple Stupid (KISS)

Complexity is the worst enemy of security.
—Bruce Schneier
The KISS principle is a timeless concept that extends beyond cybersecurity. At its core, the principle argues that simpler designs are often the best.
Let's take Bob, the enthusiastic cybersecurity manager, unveils a security system so intricate that it takes 10 authentication steps and referencing a 500-page manual to send an email:
  • During the launch, Bob asks Alice, the CEO, to demo the system. She spends 15 minutes to log in, only to get blocked: "Suspicious activity detected."
  • In the following weeks, employees become so frustrated with the cumbersome system that they start to bypass it.
  • They share passwords, keep themselves permanently logged in, and even start using personal email for official communication. 

Despite Bob's high-tech approach, security is now weaker than ever due to non-compliance and workarounds.

A good example of the KISS principle in action is the secure operating system, Qubes OS. The team behind Qubes OS chose Xen for its simplicity, despite the fact that Kernel-based Virtual Machine (KVM) has more features. While KVM may offer more functionalities, its complexity could lead to potential security vulnerabilities, reinforcing why simplicity can be paramount in cybersecurity.

Best-in-Suite vs Best-in-Breed

"Best-in-suite" and "best-in-breed" are two approaches to choosing software solutions. "Best-in-suite" refers to a collection of products that work well together because they're from the same vendor. In contrast, "best-in-breed" selects the best product for each function, regardless of the vendor.

For example, choosing a single vendor like Microsoft for your organization's needs would mean using Office 365 for document collaboration, Outlook for email, and Teams for communication. This is a best-in-suite approach. It simplifies defense-in-depth because these products are designed to integrate smoothly, minimizing compatibility issues and gaps in security.

image.png


On the other hand, a best-in-breed approach might involve selecting Google Docs for document collaboration, Outlook for email, and Slack for communication, because each is arguably the best in its respective category. However, integrating these disparate systems can create complexity and potential vulnerabilities.

The Value of Simplicity

Simplicity helps to avoid configuration mistakes and leads to better-integrated and smarter security layers. It doesn't necessarily mean you'll have a single security vendor, but you may have fewer vendors, and you'll likely rely on a standardized suite that serves as your organization's foundation.

For instance, you might choose a Google suite for all your collaborative needs or a Microsoft 365 suite, but not both. Simplicity allows organizations to focus on incremental improvements, rather than striving for unattainable perfection.

Security as a Service (SECaaS)


Security as a Service, often abbreviated as SECaaS, refers to a cloud computing model where security services are provided remotely by an online entity. Instead of an organization having to maintain its own security infrastructure and team, it outsources these functions to a SECaaS provider. These services can encompass a broad range of security aspects, including intrusion detection, malware scanning, data loss prevention, and more.

Security Information Event Management (SIEM)

Imagine a city, buzzing with life, people going about their business, and traffic flowing through its veins. Now, imagine this city is your network, and the SIEM is the high-tech surveillance system constantly monitoring the city's heartbeat.

SIEM, or Security Information Event Management, serves as the control tower of this bustling metropolis. It gathers data from various sources across the network, akin to the many CCTV cameras across our city, watching for unusual activities and traffic anomalies.

Like a seasoned detective, it sifts through this wealth of information, interpreting it, looking for clues and patterns. It utilizes advanced technologies like User Behavior Analytics (UBA), Artificial Intelligence (AI), and Machine Learning (ML) to identify potential threats. Imagine our control tower spotting a suspicious vehicle, moving erratically through traffic, and sounding the alarm - that's the SIEM alerting the security teams of potential threats before they escalate, keeping our city safe and secure.

Security Orchestration Automation, & Response (SOAR)

Now, enter SOAR, the highly efficient and proactive police force of our city. When the SIEM control tower spots a potential threat and sounds the alarm, the Security Orchestration Automation, & Response (SOAR) springs into action.

Acting as a centralized command center, SOAR organizes the response to these alerts. Equipped with a playbook for different threat scenarios - like our police force having specific protocols for dealing with a suspicious vehicle, a burglary, or a missing person - SOAR ensures a swift and effective response. It could be an automated chase by drone or a single-click authorization for a roadblock - the response depends on the nature of the threat.

Working in unison, SIEM and SOAR create a harmonious symphony of modern cybersecurity. The vigilant eyes of SIEM, combined with the quick response of SOAR, provide a comprehensive defense mechanism, keeping our city - your network - safe from threats.

Microservices and Service Orientated Architecture (SOA)

Service-Oriented Architecture (SOA) is all about creating distinct, user-accessible services that operate in a black-box fashion. However, you might not hear much about it these days. Its relevance has faded somewhat as it's been largely replaced by a newer concept: microservices. Let's take a real-world example: constructing a building. SOA would be akin to building separate rooms (services) in a house (the application). Each room has a specific function but doesn't need to know the specifics of the others; it operates in a 'black-box' fashion.

Microservices are essentially more refined services that perform specific functions. They represent a modern twist on the traditional SOA model, but they're better suited for cloud computing environments. For instance, they're designed to perform optimally on containerized platforms such as Docker or Kubernetes. Continuing with our example, as times change, though, we find ourselves preferring an open-floor concept (microservices). This newer approach still has discrete areas serving different purposes, but they're more integrated, flexible, and cloud-oriented, like a modern home designed for the digital age.

At the coding level, it's crucial to spot potential vulnerabilities early in the development lifecycle. This task can be accomplished using tools such as static code analysis and dynamic testing. These should be integrated early in the Continuous Integration/Continuous Delivery (CI/CD) process. The goal is to pinpoint and correct deficiencies before the product is released, enhancing its security and reliability.

Identifying vulnerabilities in this 'construction' process is like hiring a building inspector to identify flaws in your house's design or construction. Static code analysis (SAST) is like the pre-construction blueprint examination, ensuring everything seems solid before building commences. Dynamic testing (DAST), on the other hand, is akin to checking the house's stability and function after it's been built. These are vital steps to make sure your building, or in our case, your application, is secure and functioning as expected.

Finally, think of static code analysis like a routine health check-up, except for your code. It's also known as Static Application Security Testing (SAST), which we'll dive into more in domain 8. Similarly, dynamic testing is another method of ensuring your code's health. It's also referred to as Dynamic Application Security Testing (DAST), and we'll explore it further as well.

Containerization

Containerization is a flexible, efficient way to package applications for multiple platforms, distinct from virtualization. It's akin to packing only necessary items in a suitcase, as opposed to taking your entire house on a trip.

Containers don't carry a full operating system, making them lighter and quicker than virtual machines. They share the host system's OS kernel, enhancing resource usage efficiency.

Containerization excels in software development, offering consistent functioning across various environments. It reduces discrepancies between local and production environments, improving the development lifecycle's efficiency.

image.png


In terms of security, containerization's focus spans two main areas: DevOps and application-level security. For DevOps, it offers isolation at the container level, safeguarding against potential vulnerabilities in one container affecting others. This is a key aspect of DevOps security, ensuring a contained environment for each service or microservice, reducing the risk of system-wide failures or breaches.

Regarding application-level security, containerization emphasizes authentication (AuthN) and authorization (AuthZ). Authentication verifies the identity of a user, device, or system. Authorization, on the other hand, determines what permissions an authenticated entity has, dictating what it can and cannot do. These security measures further bolster the application's protection within the container, contributing to a safer deployment and operational environment.

Hypervisors

At its core, a hypervisor, sometimes known as a VMM, is responsible for creating, managing, and operating virtual machines (VMs).
  • Type I Hypervisor is directly installed on the system hardware, the Type I hypervisor doesn’t require a host operating system. It's sometimes referred to as a "bare-metal hypervisor." Renowned examples include QubesOS, Proxmox, and VMWare ESXI.
  • Type II Hypervisor is a "hosted" hypervisor. It sits atop a conventional operating system, acting as an additional software layer. This configuration has the hypervisor leveraging the underlying OS for its operations.

APIs (SOAP or REST)

APIs, or Application Programming Interfaces, are sets of exposed interfaces that enable programmatic interaction between services. Essentially, they're like a menu in a restaurant, offering predefined ways to interact with a service.

In the past, SOAP (Simple Object Access Protocol) was the predominant standard. However, REST (Representational State Transfer) is now the more commonly adopted standard due to its simplicity and compatibility with web technologies.

A classic example of API usage can be found in Amazon's early days. Jeff Bezos instituted a policy stating that any service created should be made available for other teams or businesses through APIs. Similarly, many modern digital platforms, such as Twitter, Google, and Facebook, provide APIs for developers to interact with their services, fostering an ecosystem of interconnected apps and services.

RESTful APIs operate over the HTTP/HTTPS protocol, offering API endpoints for different services. They're stateless, meaning each request from a client to a server must contain all the information needed to understand and process the request.

When it comes to security, all communications between the client and server should be encrypted, typically using SSL/TLS for HTTPS connections. Access to APIs should be limited and controlled using API keys, acting as unique identifiers for users or services. These keys should be stored, distributed, and transmitted securely to prevent unauthorized access. Remember, the handling of API keys is as important as the protection of passwords or any other sensitive data.

Embedded Systems

Embedded systems are compact computer systems embedded within larger devices, crucial for Internet of Things (IoT) devices. Examples include printers, GPS drones, and semi-autonomous vehicles.

In a printer, the embedded system processes printing commands and manages resources. GPS drones use them to process geolocation data and control flight. In semi-autonomous vehicles, they handle tasks from obstacle detection to internal systems management.

Enforce solid, Lightweight and robust measure authentication practices, moving beyond 'implied trust'. Examples: like two-factor authentication, digital signatures, or certificate-based authentication.

High Performance Computing

Distributed computing encompasses a wide range of systems where tasks are spread across multiple machines to enhance performance, provide redundancy, or both.

Beyond the Typical Client-Server

  • Distributed Systems' Examples:

    • SETI Project:

      • Aim: Combing the cosmos for signs of extraterrestrial life.
      • Process: Analyzing vast amounts of data.
      • Unique Aspect: Individuals can volunteer their computing resources.

    • Cryptocurrency Blockchains:

      • Aim: Securely recording and verifying transactions.
      • Process: Decentralized nodes collaborate to validate and chronicle transactions on a communal ledger.
      • Unique Aspect: Strengthens security and consensus by jointly processing extensive transactional data.

Grid Computing

Grid computing, a subset of distributed computing, harnesses the power of many loosely coupled computers to perform sizable tasks.

  • Characteristics:

    • Resource Pooling: Often described as "virtual supercomputing," grid computing pools resources, sometimes from globally scattered computers.
    • Voluntary Participation: Projects like SETI@home exemplify this, where unused computing resources are tapped into.
    • Heterogeneity: Grids can consist of varied machines, possibly with different operating systems and hardware configurations.
    • Middleware Requirement: Essential for managing diverse resources, handling security, and orchestrating tasks.

  • Comparison:

    • SETI Project: Fits the grid computing model where global volunteers contribute idle computer time.
    • Blockchain: A form of distributed computing due to its decentralized nature but deviates from the traditional grid model. Its focus isn't pooling computational resources for large tasks but ensuring secure transaction data and consensus.

Key concerns with Grid computing includes protecting the grid controller from takeover or influence from bad actors. 

Edge Computing

  • Overview: Edge computing moves certain processing tasks closer to the location where they are needed, rather than relying solely on a central cloud-based system.

  • Internet-of-Things (IoT) example: Situations where real-time or near-real-time processing is vital.
    • Agriculture: Optimizing irrigation based on sensor data.
    • Science/Space: Immediate data processing from space instruments.
    • Military: Real-time strategies or drone controls based on immediate data.

Fog Computing:

  • Definition: An extension of edge computing, fog computing utilizes gateway devices in the field to gather, process, and send data more efficiently.

  • How It Works: Rather than sending all data directly to the cloud, fog computing aggregates and processes data at the edge first, then sends only the most relevant or processed data to the central system.

  • Purpose: By collecting and correlating data centrally at the edge, fog computing minimizes latency and enhances efficiency, especially when bandwidth is a concern. 

Security in Edge and Fog Computing:

  • Challenges: With numerous network-connected devices dispersed in various locations, ensuring security becomes paramount.

  • Key Solutions:

    • Data Encryption: Protecting data in transit and at rest.
    • Spoofing Protection: Ensuring data integrity and verifying the sources.
    • Authentication: Confirming the legitimacy of devices and users accessing the network.

Also related: 

  • Internet of Things (IoT) represents a vast network of interconnected devices, each tapping into the internet to drive automation, remote management, or AI-powered functions. This category can encompass a variety of tools and machines, from a surveillance camera to sophisticated vehicles.
  • Smart devices subset of IoT devices characterized by their ability to offer customization options, typically through the installation of apps. These mobile devices, such as smartphones or tablets, can use on-device or in-the-cloud artificial intelligence (AI) processing to deliver personalized and intelligent services.

CASB (Cloud Access Security Broker)

Definition: A CASB is a security solution that sits between an organization's on-premises infrastructure and cloud provider's infrastructure. It acts as a gatekeeper, allowing organizations to extend their security policies to cloud applications.

Purpose:

  1. Visibility: CASBs provide insights into unauthorized cloud usage or "Shadow IT", where users might utilize applications not sanctioned by the organization.

  2. Compliance: They ensure that cloud services are used in compliance with industry regulations and organizational policies.

  3. Data Security: CASBs protect sensitive data in the cloud through various means like encryption, tokenization, and access controls.

  4. Threat Protection: They defend against cloud-based threats by recognizing and counteracting malicious activity.

Shadow IT:

  • Issue: Departments or individual users sometimes adopt cloud applications that are not officially approved by the IT department. This is usually done with good intentions, like trying to be more productive or efficient. However, this poses a risk as the IT department has no visibility or control over these apps, potentially exposing the organization to security vulnerabilities.

  • Solution: CASB solutions detect such unsanctioned applications, giving the IT department visibility and control to either integrate those apps into the official workflow (after ensuring they're secure) or block them.

Example: Imagine an employee uses a free cloud storage solution to store official documents for easier access. While their intent is to work efficiently, this can bypass official security protocols. With CASB, the IT department can detect this usage. They can then decide to either block access to that cloud storage or consider integrating it as an official tool after vetting its security.

Post-Quantum Cryptography (PQC)

PQC refers to cryptographic algorithms designed to be secure against the potential future threats posed by quantum computers. Traditional cryptographic algorithms are susceptible to quantum attacks, making PQC vital for future-proofing data security.

Symmetric Cryptography:

  • Susceptibility: Fairly resilient, but not immune.
  • Quantum Threat: Grover's algorithm can reduce the effective key length by half. For instance, a 256-bit key against a quantum computer is equivalent in strength to a 128-bit key against classical computers.

A 256-bit key provides 2^128 times the strength of a 128-bit key. Double the key length isn't doubling the strength

Asymmetric Cryptography:

  • Susceptibility: Highly vulnerable.
  • Quantum Threat: Shor's algorithm can compromise public-key algorithms like RSA and those based on the discrete logarithm problem (including Elliptic Curve Cryptography).
  • Scaling Issue: Simply doubling key length only multiplies security by a factor of eight. This isn't a long-term solution.

Lattice-based Cryptography:

  • Resilience: Promising as a quantum-resistant cryptographic method.
  • Foundation: Based on the shortest vector problem and the closest vector problem.
  • Significance: Lattice-based schemes are predominant in research regarding post-quantum cryptography, offering hope for secure communication in a quantum world.
  • Lattice Definition: In mathematics and cryptography, a lattice is a regular grid or array of points in multidimensional space.
    • For visualization: Try searching "mathematical lattice 3D" on Google Images for illustrative examples.

Key Takeaway for CISSP Exam: When considering quantum-resistant cryptography, think "lattice-based."

Trusted Computing Base (TCB)

  • Analogy: Think of the TCB as the core of Windows 11, including its essential system files and the TPM chip. It's the foundation ensuring everything runs securely. Like how Windows 11 mandates a TPM 2.0 chip for installation, it's because the operating system wants to ensure a trusted environment from the get-go.
Security Perimeter:
  • This is akin to the boundaries set within Windows 11 that segregate trusted system processes from third-party apps. Just as you need special permissions to change system settings in Windows, the security perimeter ensures sensitive parts of the OS remain protected.
Reference Monitor:
  • Consider the User Account Control (UAC) pop-ups you encounter when trying to run or install specific apps or make system-level changes. UAC acts as a gatekeeper, similar to the reference monitor, ensuring actions are authenticated and authorized.
Security Kernel:
  • This is the collection of tools and protocols within Windows 11 that enact the checks and balances of the reference monitor. If the UAC (reference monitor) tells you that you need admin permissions, the mechanisms that check for these permissions and then grant or deny access are part of the security kernel.

IT Security Evaluation Standards (unfinished)


Common Criteria (CC) - ISO/IEC 15408:
  • Overview: The Common Criteria for Information Technology Security Evaluation provides a framework for evaluating the security properties of software and hardware products.
  • Key Point: It allows for an objective evaluation, ensuring a product or system meets a particular set of security standards. Many view it as the current "gold standard" in IT security evaluation.
  • Relevance: CC is internationally recognized and serves as a bridge between various national criteria by providing a common standard for security evaluations.
Trusted Computer System Evaluation Criteria (TCSEC) - often called the "Orange Book":
  • Overview: Developed in the U.S. during the 1980s, TCSEC was a set of criteria used for evaluating computer security within products.
  • Key Point: It introduced security levels (from D to A) that represented increasing levels of security assurance and capability.
  • Relevance: While it was groundbreaking in its time and influenced many future standards, it became somewhat outdated due to its focus on standalone systems and the rapid evolution of IT.
Information Technology Security Evaluation Criteria (ITSEC):
  • Overview: Developed in Europe, ITSEC aimed to establish a standardized security evaluation.
  • Key Point: It expanded on the ideas of TCSEC but was more flexible and comprehensive. It evaluated both the security functionality and the assurance levels of products.
  • Relevance: ITSEC was an important step forward from TCSEC and laid groundwork for more international collaboration on security standards.

Why Remember TCSEC and ITSEC?

  • Historical Importance: Understanding the progression of security standards is crucial. TCSEC and ITSEC represent significant milestones in the evolution of IT security evaluation criteria. They inform how and why modern standards, like the Common Criteria, have been shaped.
  • Foundational Concepts: Many concepts and terminologies in modern standards can trace their roots back to TCSEC and ITSEC. Understanding them can provide deeper insights into the underpinnings of current practices.
Focus on Common Criteria (CC):
While TCSEC and ITSEC are historically vital, the Common Criteria has effectively replaced them as the international standard for IT security evaluation. As a CISSP candidate, while it's essential to be aware of TCSEC and ITSEC, most of your attention should be on understanding the intricacies and applications of the Common Criteria, given its current global relevance and adoption.

CC:
1 Description of assets (Assumptions and Security Policies)

2 Identification of threats

3 Analysis and rating  of threats (Safety Risk Analysis)

4 Determination of Security Objectives (System & Environment objectives)

5 Selection of security requirements

6 Repeat

(Draw as flowchart)

Two Types of CC:

  1. Community Protection Profile (cPP):
    • Nature: Black-box evaluation.
    • Description: cPPs come with predefined requirements. It’s a sort of "off-the-shelf" security evaluation based on standardized needs for a particular community or sector.
    • Relevance for CISSP: While foundational knowledge is useful, cPP might not be as frequently referenced in the exam as the more detailed aspects of CC.
  1. Evaluation Assurance Level (EAL):
    • Nature: White-box evaluation.
    • Description: EAL offers a more detailed, flexible approach. Instead of using preset requirements like cPP, EAL allows for a tailored examination, where the specific claims and requirements can be set based on the unique needs of the product or system.
    • Relevance for CISSP: It's essential to understand the different EAL levels (EAL1 to EAL7) and what each represents in terms of depth and rigor of evaluation.
Comparison of Security Evaluation standards

Evaluation Level
TCSEC
ITSEC
Common Criteria (CC)
Description
Lowest Assurance
D
F-D+E0
EAL1 - Functionally Tested
Mild protection against casual or inadvertent attempts to breach the system's security.
Basic Assurance
C1
F-C1+E1
EAL2 - Structurally Tested
As above, with a focus on more structured security evaluation processes.

C2
F-C2+E2
EAL3 - Methodically Tested & Checked
As above, but with more refined controls and checks.
Medium Assurance
B1
F-B1+E3
EAL4 - Methodically Designed, Tested, and Reviewed
Advanced protection with more comprehensive testing and detailed security design practices.

B2
F-B2+E4
EAL5 - Semi-Formally Designed and Tested
More rigorous requirements with vulnerability analysis and further development controls.
High Assurance
B3
F-B3+E5
EAL6 - Semi-Formally Verified Design and Tested
Full or near-full assurance with very detailed security engineering practices.

A1
F-B3+E6
EAL7 - Formally Verified Design and Tested
The highest level of security assurance, with extremely strict formal methods and specifications.

Access Controls

  1. Mandatory Access Control (MAC):
    • Description: Uses a system-enforced access policy where individual object owners can't set access. Operates based on labels assigned to every object and subject.
    • Hierarchical Environment: Classifications are assigned in a structured order, ranging from low to high security.
    • Compartmentalized Environment: Focuses on specific clearances over domains or compartments rather than individual objects.
    • Hybrid Environment: A mix of both hierarchical and compartmentalized systems where security levels possess sub-compartments.
    • Key Point: Every object and subject in the MAC model has one or more predefined labels, with the system determining access based on these labels.
    • Software Example: SELinux in Linux employs MAC by assigning labels to every file, process, port, etc., and uses these labels to enforce policy decisions.
  2. Discretionary Access Control (DAC):
    • Description: Object owners have the discretion to define accessibility.
    • Software Example: NTFS in Windows or ext4 in Linux allow file creators to set permissions.
  3. Non-discretionary Access Control:
    • Description: Enforces system-wide access restrictions.
    • Software Example: Windows Group Policy enforces controls like preventing all users in a specific OU from using USB storage.
  4. Rule-based Access Control:
    • Description: Access is based on predefined rules.
    • Software Example: Cisco's Access Control Lists (ACLs) in their IOS or firewall solutions like pfSense. Additionally, Windows Group Policy can be viewed as implementing rule-based controls in the context of domain environments.
  5. Role-Based Access Control (RBAC):
    • Description: Access is based on defined job roles, each associated with specific permissions.
    • Example: Azure roles such as "Global Admin", "Access Admin", or "Security Reader" allow individuals occupying these roles to access specific resources or perform certain tasks.
    • Key Point: Users in RBAC are granted access based on their job function, ensuring they have the necessary permissions to execute their roles effectively.

CIA: Come back to this to properly understand it

Certification

  • Definition: The systematic technical evaluation of each component within a computer system to verify its alignment with security standards.
  • In simpler terms: It's like checking if each piece of a puzzle fits with the security picture we want.

Accreditation

  • Definition: The formal endorsement of a certified configuration by a designated authority.
  • In simpler terms: Once the system passes its "security test" (certification), an authoritative figure gives it a formal thumbs-up.

Open System

  • Definition: Systems that are constructed using widely recognized and accepted industry standards, promoting easy integration with other similarly designed systems.
  • In simpler terms: Like playing with LEGO bricks made by different manufacturers but all following the same design rules, ensuring they fit together.

Closed System

  • Definition: Systems that rely on proprietary hardware or software, often without publicly available documentation. This often makes integration with other systems more challenging.
  • In simpler terms: It's like trying to fit blocks from a specialized toy set into a generic set; they might not fit because they follow their own unique rules.

Multi-Factor Authentication (MFA)

Multi-factor authentication requires two or more of the following methods to validate a user's identity:

  • Something you know: This often refers to something memorized, like a PIN or password.
  • Something you have: This can be a physical or digital token. Examples include a smart card, a security token, or a trusted device, like your smartphone with an authentication app.
  • Something you are: These are biometrics. Examples include fingerprints, retina scans, or voice recognition.

Rights, permissions, and privileges are allocated to users based on their established identity. If a user possesses rights to a resource, they are provided authorization to use or access it.

Authentication (AuthN) vs. Authorization (AuthZ)

  • AuthN (Authentication):
    • Definition: The process of verifying a user's identity, proving that they are who they claim to be.
    • Example: Logging into an email account with a username and password.
  • AuthZ (Authorization):
    • Definition: The process that comes after authentication. It determines the permissions or rights an authenticated user has, dictating what they can and cannot do within a system.
    • Example: Once logged into the email account (after authentication), a user might have the authorization to read, send, or delete emails.

Cryptosystems in Authentication

Authentication can be facilitated through various cryptographic methods:
  • Symmetric Cryptosystems: Both parties (e.g., sender and receiver) use the same secret key to encrypt and decrypt messages.
  • Asymmetric Cryptosystems: Uses a pair of keys: a public key known to everyone and a private key that remains secret. The public key is used to encrypt data, while the corresponding private key decrypts it.

Processing & Hardware

Processor States

  • Single State Processors:
    • Definition: Processors that can only operate at a single security level at any given time.
    • Example: A system dedicated to processing only confidential-level data, without the capability to handle data of different security levels simultaneously.
  • Multi-State Processors:
    • Definition: Processors capable of handling data at multiple security levels concurrently.
    • Example: A military system that simultaneously processes top-secret, secret, and unclassified data, ensuring that each data level remains isolated and secure.

MultiX Concepts

  1. Multitasking:
    • Definition: Allows for the concurrent execution of multiple applications on a computer, with the operating system managing task switching.
    • Example: Listening to music while browsing the web on a personal computer.
  2. Multithreading:
    • Definition: Enables multiple concurrent tasks (threads) to run within a single program or process, often improving responsiveness and performance.
    • Example: A word processor might have one thread for typing, another for auto-saving, and another for spell checking, all running concurrently.
  3. Multiprocessing:
    • Definition: Involves the use of multiple processors (or multiple cores within a single chip) in a system to enhance computing power and performance.
    • Example: Modern desktop computers often have multi-core CPUs (like quad-core or octa-core) that can process several tasks simultaneously.
  4. Multiprogramming:
    • Definition: A technique resembling multitasking, primarily associated with mainframe systems, wherein multiple programs or tasks share the system's resources. Requires specialized programming to manage the tasks efficiently.
    • Example: A mainframe managing different jobs like data processing, printing, and calculations all at once.

Memory

  1. Read-Only Memory (ROM):
    • Definition: Non-volatile memory with data permanently written during manufacturing.
    • Characteristics: Permanent storage; contents are "burned in" at the factory.
  2. Random Access Memory (RAM):
    • Static RAM (SRAM): Uses flip-flops to store each bit of data.
    • Dynamic RAM (DRAM): Uses capacitors to store each bit of data and requires periodic refreshing.
    • Main volatile memory used for temporary storage while a computer is running. It loses its content when power is turned off.
    • Types:
  3. Programmable ROMs:
    • Definition: Memory that can be programmed once by the user after manufacturing.
    • Definition: A memory chip that can be programmed, then later erased and reprogrammed using ultraviolet light.
    • Types:
      • Ultraviolet Erasable PROM (UVEPROM): Features a small window that exposes the chip for erasure via UV light.
      • Electrically Erasable PROM (EEPROM): Can be erased by applying specific electrical voltages, allowing for more selective data manipulation than UVEPROM.
    • Programmable Read-Only Memory (PROM):
    • Erasable Programmable Read-Only Memory (EPROM):
  4. Flash Memory:
    • Definition: A derivative of EEPROM; it's non-volatile and can be electronically erased and reprogrammed.
    • Characteristics: Commonly used in USB drives, SSDs, and memory cards due to its durability and quick access time.

Storage

  1. Primary Storage (Memory):
    • Definition: Directly accessible by the CPU. This is where the operating system, application software, and data in current use are kept so they can be quickly reached by the computer's processor.
    • Examples: RAM (both SRAM and DRAM).
  2. Secondary Storage:
    • Magnetic: Hard disk drives (HDDs).
    • Flash: Solid-state drives (SSDs) and USB drives.
    • Optical: CDs, DVDs, Blu-ray discs.
    • Definition: Non-volatile storage mediums that store data until it is deleted or overwritten. Data from secondary storage needs to be loaded into primary storage before being processed.
    • Types:
  3. Access Types:
    • Random Access: Storage devices where data can be read or written at any location at any time.
    • Sequential Access: Storage devices where data has to be read or written sequentially. Accessing specific data means going through the data stored before it.

Security Issues with Secondary Storage

  1. Unauthorized Data Extraction with Removable Media:
    • Implementing policies to restrict the use of removable media.
    • Deploying Data Loss Prevention (DLP) solutions to monitor and control data transfers.
    • Description: Portable secondary storage, like USB drives, can easily be used to copy and remove data from a system, leading to data breaches.
    • Mitigation:
  2. Inadequate Protection Mechanisms:
    • Applying file and disk encryption.
    • Implementing robust access control policies.
    • Description: Without proper access controls and encryption, sensitive data on secondary storage can be accessed by unauthorized users.
    • Mitigation:
  3. Data Persistence after Deletion or Formatting:
    • Employing secure deletion tools that overwrite data multiple times.
    • Physical destruction of storage for highly sensitive data.
    • Description: Even after files are deleted or media is formatted, data can often still be retrieved using specialized tools, posing a risk of unauthorized data recovery.
    • Mitigation:
  4. Eavesdropping and Tapping on I/O Devices:
    • Using secure connections and protocols.
    • Regularly inspecting physical devices and connections for tampering, such as unexpected or unauthorized vampire taps.
    • Employing network monitoring tools to detect unusual data transfers or connections.
    • Description: Input/Output (I/O) devices connected to secondary storage can be vulnerable to eavesdropping or tapping, allowing malicious actors to intercept data or introduce unauthorized entry points. For instance, a "vampire tap" can be used to clandestinely connect to a network by piercing into a coaxial cable, enabling an attacker to monitor or inject data without being easily detected.
    • Mitigation:

Firmware

  • Firmware is essentially specialized software stored on a ROM chip.
  • While ROM provides the foundational instructions to kickstart a device, firmware provides more specific instructions to ensure the device runs smoothly.
  • Apart from computers, firmware is commonly found in peripheral devices like printers to guide their operations.

Vulnerabilities, Threats, & Countermeasures

  1. Process Isolation: It's like giving each process its own private room. This ensures a process only gets to access its own data, ensuring no nosy neighbors.
  2. Layering: Think of it as setting up multiple security checkpoints in a building. By establishing various realms of security within a process, it limits unnecessary chatter between them.
  3. Abstraction: Imagine handing over a remote to control your smart home without showing all the wiring behind the walls. Abstraction provides these 'black-box' interfaces, letting programmers interact without needing to dive deep into the complexities of algorithms or the device’s intricate details.
  4. Data Hiding: This is akin to having a VIP room where only certain guests can see and access information. It ensures data isn't visible to those outside its designated security level. And for added security, hardware segmentation acts like a bouncer, reinforcing process isolation with tangible controls.

Security Policy


The role is to inform and guide the design, development, implementation, testing, and maintenance of some particular system.

We start with our organisation security policy and that gives us the rules that we need to adhere to designing and implementing a solution to resolve a problem. It could be an organisation, it could be a governing body. PCIEDSS for example gives out information relating to credit card data for example.

Cloud Computing

  • Cloud Computing operates on the principle of using external processing and storage capabilities over a network connection. Prominent service providers include Azure and AWS.
  • Security Considerations: There's inherent risk when entrusting sensitive and confidential data to third parties. It's crucial for cloud providers to maintain security standards that align with, or exceed, those of the individual or organization. Interestingly, many major cloud providers often surpass the security capabilities of on-premises solutions, barring extremely high-security scenarios.

CASB (Cloud Access Security Broker)


  • A CASB serves as a gatekeeper, allowing organizations to extend their security policies to cloud applications. It can be situated on-premises or be cloud-based.
  • Its relevance particularly spikes when discussing "shadow IT". CASBs play a pivotal role in ensuring that only secure apps are employed, data isn't housed in unauthorized locations, and all assets are appropriately sanctioned.

Security-as-a-Service (Security-aaS)


  • This concept revolves around entrusting an external cloud entity with your security needs. Rather than building and managing security in-house, organizations can leverage online services tailored for protection.
  • Services under this umbrella might include identity protection, security information event management, and more. In essence, consider Security-aaS as a method to outsource the intricacies of the security function, much like how SaaS operates for software.

Mobile Device and Mobile App Security

  1. Mobile Device Security Features:
    • Full Device Encryption: Encrypts all data on the device, making it unreadable without the decryption key.
    • Remote Wiping: Allows administrators or users to erase data remotely, either on the entire device or specific sections.
    • Lockout: Disables the device after a certain number of failed login attempts.
    • Screen Locks: Requires a PIN, password, pattern, or biometric data to unlock the device.
    • GPS Tracking: Can help locate lost or stolen devices or verify the location of a user for authentication purposes.
    • Application Control: Ensures only approved apps are installed and prevents malicious or unauthorized apps.
  2. Mobile Application Security:
    • Key Management: Handles the generation, distribution, and storage of cryptographic keys.
    • Credential Management: Safeguards user credentials and ensures secure access.
    • Authentication: Validates the identity of users accessing apps.
    • Geotagging: Adds geographical metadata (like location) to apps or functions. Be cautious as it may pose privacy risks.
    • Encryption: Scrambles data within the app so it cannot be easily read without decryption.
    • Application Whitelisting: Only allows specified applications to run, blocking all others.
    • Transitive Trust/Authentication: Trust established based on another trusted entity (e.g., if A trusts B and B trusts C, then A might trust C).
  3. Bring Your Own Device (BYOD):
    • Improved employee morale and job satisfaction.
    • Lower upfront costs for the organization in terms of hardware procurement.
    • Increased security risks, as personal devices might not be as secure as company-issued ones.
    • Hidden costs related to managing and securing a diverse range of personal devices/
    • Definition: A policy where employees use their personal mobile devices for work-related tasks, accessing company data and resources.
    • Pros:
    • Cons:

Embedded Systems & Static Environments

  1. Embedded Systems:
    • Motion systems (e.g., anti-lock braking system in cars)
    • Lighting systems
    • Cash registers
    • Digital signature pads
    • Wi-Fi routers
    • Definition: These systems are designed for a specific function or set of functions within a larger system.
    • Examples:
    • They're integral to many devices and can be found in everyday appliances as well as specialized equipment.
  2. Static Environments:
    • Definition: Configurations like OSs, hardware, or networks set up for a particular purpose and remain unchanged despite interaction. They are resistant to alterations, even by authorized personnel like administrators.
    • Example: An industrial control system (like those used in manufacturing plants) that's configured to manage machinery operations. Changes could disrupt the production process, so the environment remains static to ensure consistent performance.
  3. Management & Security:
    • Network Segmentation: Dividing network into various segments to keep critical systems separate and secure.
    • Security Layers: Using multiple security measures to protect systems, akin to having multiple barriers.
    • Application Firewalls: Protects against malicious inputs or attacks targeted at applications.
    • Manual Updates: Due to the sensitivity and specificity, updates might need to be manually reviewed and applied.
    • Firmware Version Control: Ensures only approved and tested firmware versions are in use.
    • Wrappers: Additional security layers around an application or system to shield it from potential threats.
    • Control Redundancy and Diversity: Having multiple controls in place, so if one fails, another can take over or compensate.
    • Both embedded systems and static environments, due to their specialized nature, require targeted security measures.
    • Security Measures:

Remember: As technology evolves, the line between embedded systems and more flexible environments may blur, but the fundamental principles of securing these systems remain the same. Always prioritize the integrity and security of the system while accommodating for its intended function.

Privilege & Accountability

Principle of Least Privilege (PoLP):

  • Definition: Ensures that users or processes are granted only the permissions they need to perform their specific job function and nothing more.
  • Applications:
    • System Processes: Only vital processes should run in supervisory or privileged mode to reduce the risk of malicious activities.
    • Role-Based Access Control (RBAC): Assigning permissions based on roles within an organization. For instance, a data analyst might have read access to a database but not write or delete permissions.

Separation of Privilege:

  • Definition: Requires multiple conditions or checks before a particular privilege is granted or an action is performed.
  • Applications:
    • System Operations: Requiring two separate keys or tokens to decrypt sensitive data.
    • Role Separation: An individual may have approval authority for a transaction, but a different individual must execute or finalize it. For instance, in financial institutions, a person requesting a funds transfer might not be the same person authorizing or executing it. 

Remember: Accountability ensures that an audit trail exists to trace operations back to their source. If permissions are granted at a higher level we know who or what did a certain operation.

Common Flaws & Vulnerabilities

Buffer Overflow

    • Definition: A flaw that happens when a program writes data to a buffer and overruns the buffer's boundary, writing data to adjacent memory.
    • Cause: Typically caused by the program's failure to verify the size of the input data before storing it in a specific memory location.
    • Consequences: Can lead to system crashes, data corruption, and even provide an entry point for attackers to execute arbitrary code.

Back Doors

  • Definition: Intentional points of entry into a system or application that bypass regular security mechanisms.
  • Cause: Sometimes left intentionally by developers for debugging or maintenance but can be overlooked and remain post-deployment.
  • Consequences: They pose a significant security risk as attackers can exploit these to gain unauthorized access.

Privileged Programs

  • Definition: Programs that have elevated permissions to perform sensitive operations.
  • Cause: Can be left on a system by oversight after its deployment or for maintenance.
  • Consequences: When left unchecked, they can be exploited by malicious users to perform unauthorized actions, often with significant impact due to their elevated permissions.

Time-of-check-to-time-of-use (TOCTTOU) Attacks

  • Definition: A race condition wherein a system's state changes between the check (verification) time and the use (action) time.
  • Example: If a system checks for a user's credentials and then, after a delay, provides access, an attacker might exploit this delay to insert malicious actions.
  • Consequences: Can lead to unauthorized data access, data corruption, or privilege escalation.
  • Mitigation: Ensure that the time gap between check and use is minimized or secured, or use atomic operations that combine the check and action into an indivisible operation.

Vulnerabilities arise from a mix of oversight, unintended consequences of design decisions, and the inherent complexity of software systems. Do regular security audits, code reviews, and continuous security training for developers.

Functional Order of Security Controls

Physical Security Controls

Control Type
Examples
Administrative:
Focused on policies and procedures.
Facility construction and selection; Site management; Personnel controls; Awareness training; Emergency response and procedure
Logical (Technical):
Deals with technological methods to enforce security.
Access controls; Intrusion detection systems; Alarms
Physical:
Tangible methods to prevent unauthorized access.
Fencing; Lighting; Locks; Construction materials; Mantraps; Guard dogs; Bollards; Security guards

Fencing Specifications


Objective
Imperial
Metric
Deter casual trespasser
3-4 feet
0.9-1.2 m
Challenging to climb
6-7 feet
1.8-2.1 m
Deter dedicated intruders
8 feet + barbed wire
2.4 m + barbed wire

Temperature & Humidity


Specification
Value
Ideal Temperature
60-75°F (15-23°C)
Damage Threshold
175°F (general devices) / 100°F (storage devices)
Ideal Humidity
40-60%

Extremely low humidity, even on non-static carpets, can generate a massive 20,000-volt static discharge.

Electrical Impacts

Term
Description
Example
Blackout
Extended loss of power
Power outage during a storm
Brownout
Sustained low voltage
Voltage drops due to grid overload
Fault
Brief loss of power
Disruption due to tripped breaker
Surge
Extended high voltage
Malfunctioning transformer
Spike
Brief high voltage
Lightning strike
Sag
Short-duration low voltage
Heavy equipment startup

Power may not always be clean or consistent. Electronic devices require consistent, clean power to function & avoid damage. A UPS (Uninterruptible Power Supply) can ensure clean power, and provide backup during power outages.

Lighting Specifications


Specification
Value
Height
8 feet
Illumination
2 foot-candles

Fire Classification and Suppression Agents

Fire Class
Type
Description
Suppression Material
Additional Notes
A
ASH
Fires involving common combustibles such as wood, paper, etc.
Water or soda acid
Most common type of fire. Soda acid: a mixture of sodium bicarbonate and sulfuric acid.
B
BOIL
Fires involving alcohol, oil, and other petroleum products.
Gas or soda acid
Never use water; it can spread the flammable liquid and worsen the fire.
C
CONDUCTIVE
Electrical fires fed by electricity, possibly occurring in equipment or wiring.
Non-conductive gases
Fire can transition to another class if electricity source is shut off.
D
DILITHIUM
Fires involving burning metals.
Dry powder
Less commonly known and can be hazardous if not properly addressed.
K
KITCHEN
Fires in kitchens, often involving burning oil or grease.
Wet chemicals

Fire extinguishers are categorized based on the types of fires they are designed to extinguish. Using the wrong type of extinguisher can be ineffective or even dangerous!

Fire Detection Systems

Detection Type
Description
Smoke Sensing
Detects the presence of smoke.
Flame Sensing
Recognizes the characteristics of flames.
Heat Sensing
Detects unusual increases in temperature.

Electromagnetic Interference (EMI):

  1. Common Mode Noise:

    • Generated by the difference in power between the hot and ground wires of a power source operating electrical equipment.
    • Also generated by the difference between the hot and neutral wires of a power source operating electrical equipment.
  2. Radio Frequency Interference (RFI):
    • This interference is generated by electrical appliances, light sources, electrical cables, circuits, and so on.

Static Voltage and Possible Damages:

Static Voltage (V)
Possible Damage
40
Destruction of sensitive circuits and other components
1000
Scrambling of monitor displays
1500
Destruction of hard drive data
2000
Abrupt system shutdown
4000
Printer jam or component damage
17000
Permanent circuit damage

Damage from Fire and Fire Suppression:

  • Descriptive Elements of a Fire: Components of a fire are not just limited to the visually evident smoke and heat. The medium used for suppressing the fire, like water or soda acid, also plays a role in post-fire assessments and damage control.
  • Smoke: Particularly detrimental to storage devices. The residue can interfere with device operations and contaminate sensitive components.
  • Heat: Has the potential to damage any electronic or computer component, causing them to malfunction or fail altogether.
  • Suppression Mediums: While essential for dousing flames, these can have unintended consequences. Water can cause short circuits, while other mediums might instigate corrosion or render equipment inoperative.

We should address all the potential damage, but remember that the number one concern should always be human safety. 

Water Suppression Systems
System Type
Key Features
Description
Ideal For
Preaction
- Closed sprinkler heads - Pipes with compressed air
- Electrically operated valve
The system awaits two triggers: one for the detection system and another to activate the sprinkler.
Areas with both humans and computers
Wet Pipe
- Pipes filled with water
- Activates at a predefined temperature
A traditional system where water is always ready to discharge.
Standard indoor environments
Dry Pipe
- Closed sprinkler heads - Pipes with compressed air
- Valve controlled by air pressure
Water is released when the compressed air pressure drops.
Areas where water might freeze, e.g., parking garages
Deluge
- Open and large sprinkler heads
- Empty pipes at normal air pressure
- Controlled by a deluge valve
Designed to deliver a large quantity of water over a large area quickly.
High-hazard areas with rapid fire spread concerns

Water and electricity are a dangerous combination. Ensure power is cut off in the event of using water-based suppression systems near electrical equipment.

Gas Discharge Systems:

Effectiveness: Generally, gas discharge systems are more effective than water discharge systems for extinguishing fires.
Safety Concern: These systems function by removing oxygen from the environment. Hence, they should not be used in areas where people are present due to asphyxiation risks.
Halon:
  • Pros: Highly effective in suppressing fires.
  • Cons: Detrimental to the environment as it's ozone-depleting. Also, it becomes a toxic gas when heated to 900°F.
Given the environmental and health concerns of Halon, several replacements have been introduced:
FM-200 (HFC-227ea)
CEA-410 or CEA-308
NAF-S-III (HCFC Blend A)
FE-13 (HCFC-23)
Argon (IG55)
Argonite (IG01)
Inergen (IG421)
Aero-K

Lock Types

Remember what locks can be picked and which need to be bumped for the exam

Lock TypeAuthentication TypeDetailsPicking VulnerabilityBumping VulnerabilityPhoto
Electronic Combination Locks (Cipher Locks)Something you knowRequires a known combinationNot applicableNot applicable[Insert Photo]
Key Card SystemsSomething you haveRequires a physical cardNot applicableNot applicable[Insert Photo]
Biometric SystemsSomething you areUses unique human characteristicsNot applicableNot applicable[Insert Photo]
Conventional Locks (Pin Tumbler)Traditional lock and keyEasily picked/bumpedVulnerableVulnerable[Insert Photo]
Pick and Bump Resistant LocksEnhanced traditional lockHarder to pickMore resistantSome are bump-resistant[Insert Photo]
Tubular LocksTraditional lock and keyRequires specialized pickVulnerableLess common[Insert Photo]
Wafer LocksTraditional lock and keySimilar to pin tumblersVulnerableLess common but possible[Insert Photo]
Disc-detainer LocksTraditional lock and keyRequires specialized disc-picking toolsVulnerableNot typically susceptible[Insert Photo]
Sidebar & High-Security (e.g., Medeco)Enhanced traditional lockComplex designsMore resistantSome are bump-resistant[Insert Photo]
Electronic and Smart LocksElectronic authenticationMight be vulnerable to electronic hackingNot applicableNot applicable[Insert Photo]

"Picking" and "bumping" are both methods to compromise locks. Picking involves using tools to manipulate the pins inside a lock, while bumping involves inserting a specially-cut key into the lock and tapping it to force the pins to jump, allowing the lock to turn. Not all locks are vulnerable to both methods.

For the exam:
Know the different physical controls related to entry
Mantrap, Bollard, list others as a table that will come up on CISSP as a table if necessary

Site Selection and Facility Design

  1. Site Selection:

    • Visibility matters: assess the surrounding area, accessibility, and natural disaster risks.
    • Be cautious about potential hazards: e.g., flooding or bad neighborhood locations.

  2. Facility Design:

    • Determine security needs before construction.
    • Possible considerations: using bollards if ram raiding is a concern.
    • Design secure workspaces.
    • Unequal access: High-value areas should have restricted access.
    • Place valuable and confidential assets at the heart or center of protection.
    • Central servers/computers should prioritize security. Although human-compatible, prioritize safety measures, especially for fire suppression.

Physical Access Control Threats

  1. Access controls should be complemented with security guards or monitoring systems.
  2. Beware of abuses such as:
    • Propping open secured doors.
    • Bypassing locks or controls.
    • Masquerading: using someone else's ID for access (e.g., contractors).
    • Piggybacking: following someone through secured access without proper authorization.

Wiring Closet Security

  1. Central connection point for networking cables to equipment like patch panels, switches, and routers.
  2. Main focus: Prevent unauthorized physical access.
  3. Risks include theft, damage, or introducing eavesdropping devices. Software protections won't deter physical threats.

Visitor Protocols

  1. For restricted areas, establish clear visitor protocols.
  2. Typically assign an escort and monitor visitors closely.
  3. Track visitor actions to prevent malicious activity.

Media Storage

  1. Purpose: securely store blank, reusable, and installation media.
  2. Concerns: theft, data corruption, unintended data recovery.
  3. Protections:
    • Locked cabinets/safes.
    • Designated librarian or custodian.
    • Check-in/out processes.
    • Media sanitization.

Evidence Storage

  1. Use for retaining logs, drive images, snapshots for recovery, and investigations.
  2. Concerns: theft, unauthorized access.
  3. Protections:
    • Locked storage.
    • Isolated storage facilities.
    • Offline storage.
    • Access restrictions & activity tracking.
    • Data hashing & encryption.

Audit Trails & Access Logs

  1. Tools for overseeing physical access control.
  2. Can be created manually (security guards) or automatically (smartcards/readers).
  3. CCTV can verify access logs; e.g., matching sign-in logs with visual records.
  4. Critical for post-incident reconstruction to understand the event sequence.
Back to top