CompTIA SecurityX

Security Architecture 2.0

Resilient System Design

Security Devices

Hardware or Software tools designed to protect networks and data

• Firewalls Firewalls filter inbound and outboud traffic based on predefined security rules called ACL's (Access Control Lists Types of firewalls:
  • Packet filtering Inspect only the header of the packet Can't prevent advanced attacks, IP spoofing, session hijacking
  • Stateful Monitor outgoing requests and track the state of active connections
  • Proxy Act as intermediaries between internal and external connections, making requests on behalf of a user Two Types of Proxie firewalls:
  • Circuit level (operate at the session layer)
  • Application level (Inspect traffic at the application level)
  • Kernel level proxies (filtering traffic across multiple OSI model layers with mimial delay, providing balance between securty and efficiency)
  • Next generation Application aware , types of traffic
  • Web Application Target web traffic , common attacks, CSRF, XSS
• IDS Passively detects and alerts on malicious activity
• NIDS (Network intrustion detection system) Monitors traffic through a mirrored port analyzing data for threats like network port scans or malicious payloads HIDS (Host based intrusion detection systems) Runs on individual server or endpoints, detecting suspicous traffic or file access on the specific system it is install on.
• WIDS (Wireless Intrustion detection systems) Analyze wiress systems or malicious attacks and or payloads.*
• IPS Detects, alerts and actively blocks or mitigates detected malicious activity
• NIPS (Network Intrusion prevention system) Placed directly in line with traffic and can stop attacks in real-time
• HIPS (Host based intrusion prevention systems)
• WIPS (Wireless based intrusion prevention sytems) Botth work by blocking threats like unauthorized changes or wireless atacks
• VPN's Secures communications by encrypting data across untrusted networks
• NAC systems Enforce policies to ensure devices meet security and health requirements before granting network access Three types:
• Persistant Installed directly on devices companies can control the hardware
• Non-persistant Temporarily installed and scan devices upon connection
• Agentless Do not require software installation on devices and instead run from a domain controller BYOD

Monitoring and Dectection devices

• TAPs (Test access points) Two types
• Passive , reliable does not require power
• Active , Physically interrupt the signal , regenerate and then send it to the monitor node and next communication. Capture all network traffic in real-time without interfering with operations
• Collectors Aggregate and process captured data for turther analysis
• Vulnerablility scanners Used to identify tecnical and known weaknesses in systems.
• Network traffic management Control, direction, and optimization of data flow across a network
  • Tools
    • Forward/Reverse proxies Forward / Transparent proxy - hides origin IP , internal gateway of the LAN Reverse on public interface of the network
    • content caching
    • traffic scrubbing
    • Filtering traffic
    • IP masking
    • load balancing
    • CDN's Globally distributed reverse proxies to cache content closer to end-users.
    • WAF (Web application firewall) Filters and monitors web traffic

• Availability considerations Ensures that systems, applications, services remain operational and accessible to users.

  • Load balancing Distribute incoming network traffic across multiple servers Types:
    • Round Robin - widely used algorithm (request gets forwarded to the next in line load balancer , 1st request , 2nd request and so on.)
  • least connections (Load balancer connects to the least amount of connections.)

  • Some use IP hashing method (hashes ip and maps to a server)

  • Affinity

    • persistance - requests made to same server
    • non-persistance - requests made to different servers. Practice of directing client requests to the same server to maintain session consistency
  • Interoperability Ability of different systems or components to work together seamlessly

• Scalability measured by the number of requests an asset or server can effectively support simultaneously.

  • Scaling Up (Vertical scaling) Adding more resources
  • Scaling Out (Horizontal scaling) Break down workloads into smaller pieces, or spreading out the workloads Better for long term, virtually limitless, have to design as a stateless application. Each request is treated independentaly.

• Recovery startegies

  • Backups
    • Full backups
    • Incremental (Capture changes to full backup (usually everyday))
    • Differential backup (Captures differences since the last full backup )
    • Synthetic backup (Combine full and incremental or differential)
  • failover (Enable the continuance of operations during system failures)
    • Active-active failover Both primary and backup systems are running at the same time
    • Active-standby failover One system is active while other is in standby mode

• Disaster recovery test types

  • Tabletop Team members review disaster recovery plans step-by-step
  • Parallel Backup systems are activated alongside the main systems
  • Simulation Creates a mock disaster to test, how well the team responds without shutting down anything on a production network.
  • Full interruption Systems taken offline and backups take over, demoing failover and recovery from a real disaster

• Deployment Strategies

  • Optimizing performance Focuses on ensuring applications run efficiently for users worldwide
  • Deploy servers in a different region
  • Load balancing
  • Autoscaling (AWS , Linode)
  • Caching (redis , memcache)
  • Network redundancy Ensures that services keep running smoothly, even if a system fails
  • AWS Route 53 , Azure traffic manager
  • Multi-region failver systems
  • Compliance Following the laws and regulations that dictate how data must be stored, processed, and protected.
  • GDPR (EU data)
  • ISO 27K
  • Data residency
    • Tools:
      • AWS compliance center
      • Azure Policy

---

Security Architecture

• Data States Different conditions in which data exists
• Rest (Hard drive, servers, cloud , encrypted) Types of encryption
  • Symmetric (AES 256bitt, TDE (Transparent data encryption - Used in databases to encrypt data automatically at storage level)
  • BitLocker
  • FileVault
  • Luks
• Transit (Protected with encryption i.e. TLS, IPSEC, SSH, SFTP, SCP, )
• In use (Secure processing environments)
  • Memory encryption
  • RBAC (Roled based access control)
  • ABAC (Attribute access controls)
  • Data masking
    • Partial information exposed
  • Secure enclaves (HSM, SGX intel, AMD vault)
• Data Classification Process or organizing data into categories Classification models:
• Government/Military
  • Unclassified No restrictions in viewing the data, presents no risk if disclosed to public
  • Confidential Should only be viewed by authorized people within the org or under NDA
  • Secret Restrictions on data stricter than confidential *Usually only allowed to viewed electronically via SIPRNet (Secret Internet Protocol Router Network)
  • Top secret Highest level of secretary

Categories: - Public - Internal - Confidential - Restricted - Data Labeling and Tagging Assigning markers to data to indicate its classification, sensitivity, or handling requirements Can be applied automatically or manually depending how the systems are configured. - Dirty words (Keywords found in data relating to a specific classification , like an email with certain keywords.) - Manual labeling User creates the data and adds a text-based classification label on their own Declassification - Frees up resources - Data tags - Can be used to provide additional detail on how data should be protected. - PII (Personal Identifiable Information) - SPI (Sensitive Personal Information) - PHI (Personal Health Information) - Financial or restricted data - Data format - Structured (Predefined models, i.e. CSV, JSON) - Un-structured (Not organized by a model at all, includes PPT, word docs, emails, text files, chat logs) - Data Loss Prevention Used to detect, prevent and respond to unauthorized access, transmission, or use of sensitive data Three components: - Policy server Configures rule sets that classify data based on its confidentiality, privacy or sensitivity level - Endpoint agent Enforces rules on individual client devices, even when disconnected from the corporate network. - Network agent Can identify structured and un-structured data formats and enforce DLP policies based on predefined rules - Data discovery Involves recognizing and labeling sensitive information based on predefined rules.

When a DLP system detects a rule violation - Alert System logs the incident and notifies admin but still allows the data to be transmitted. - Block Actively stops the data transfer, such as preventing a user from copying a file to an external device. - Quarantine Conducts both alert and block mode, as well as removing user access to the data entirely. - Tombstone Takes alert, block and quarantine actions and replaces the original file with a message indicating a policy violation

• Managing data at reset or transit

• Policy Enforcement

• hybrid Infrastructure Environments that combine on-premise with cloud based resources and require integrated security measures across both platforms. Extends security controls:

• Firewalls
• Encryption
• Access management
• On-premise Infrastructure Physical hardware, software and network resources that are hosted and managed directly within an organization's own facilities
• Cloud-based Infrastructure Computing resources that are delivered over the internet by third-party providers, such as AWS, Azure, and Google Cloud

• Services provided

  • IaaS (Infrastructure as a service) Rent virtualized resources allowing them to install and configure their own OS and build apps and solutions
  • PaaS (Platform as a service) Provides a complete dev platform with both infrastructure and OS sys dev tools already in place
  • SaaS (Software as a service) Ready to use software apps hosted in cloud i.e. email, CRM, ERP, hosted services.

• Third-party Integrations

  • API (Authenticated and Authorized data)
  • Principle of least privileged
  • Rate limiting
  • Input validation
  • monitoring and logging
• Attack Surface Management
  • Hardening
    • Running only essential services
    • Applying regular patches
    • Tightening system configurations
  • Defense-in-depth
  • Vulnerability management
  • Legacy components
• Control Effectiveness
  • Metrics Quantitative measures used to evaluate the performance and impact of security controls
  • Incident response time
  • number of vulnerabilities tracked within a time
  • patched compliant rate
  • false positive rates
  • Scanning Using tools to detect vulnerabilities or mis-configurations within the system
  • Assessments evaluation of security controls through audits, penetration testing, or compliance checks.
    • Compliance checks
    • pentesting
    • audits

---

Security in Systems

• Hardware Assurance Ensures physical components are secure, reliable and free from malicious alternations or defects
• Certification process Formal process of evaluating hardware components to ensure they meet specific security standards and operate as expected
• Common Criteria (Used to asses how well a product can defend against defined security threats.)
• Validation EAL (Evaluation Assurance Level) EAL 1 - 7 (tested to Formally verified design and tested.) Defines the depth
• Protection profile
• Security target
• Security requirements
  • Functional Specific security-related behaviors and features that a system must have, such as authentication mechanisms, access controls and encryption protocols.
  • Non-Functional Focus on qualities of the system, including its performance, reliability and usability
• Software Assurance
• Supply chain assurance
• Pre-deployment testing
• Post-deployment testing
• CI/CD (Continuous Integration/Continuous Deployment testing)
• EOL (end of life)