Chapter 2: Architecture and Design

Chapter 2

Objective 2.1

Configuration Management

• It helps organizations to deploy systems with secure configurations
• Diagrams → Some organizations use diagrams to show processes in config management
  • These sometimes use flowchart to document decision-making process involving in modifying a configuration.
• Naming Conventions → Large organizations use naming conventions to identify standard configuration
  • Ex. department or location, and the version → Desktop_Sales_3.0
• Baseline Configuration → A baseline is a known starting point & organizations commonly use secure baseline to provide known starting points for systems.
  • Primary Benefit → improve overall security posture of systems
  • The use of baseline works in 3 steps:
    • Initial Baseline Configuration → Admins use various tools to deploy systems consistently in secure state
    • Integrity Measurements for Baseline Deviation → Automated tools monitor the systems for any baseline changes, which is a common security issue.
      • Some tools report any changes they detect
      • Other tools automatically reconfigure the systems to baseline config when they detect changes
    • Remediation → NAC methods can detect changes to baseline settings & automatically isolate or quarantine systems in a remediation network
• Configuration Management Database (CMDB) → A centralized database that stores information about the configuration items in an organization’s IT infrastructure

Data Sovereignty

• Refers to legal implications when data is stored off-site.
• If the backups are stored in other country, they are subject to that country’s laws.

Data Protection

• Data Loss Prevention(DLP) → Techniques & Technologies used to prevent data loss
  • Ex. Block the use of USB & control the use of removable media
  • Admins configure the DLP to look for specific words, phrases, character strings
  • All documents associated with the project includes a specific keyword. The DLP includes this keyword in the searches. When it detects the keyword within an email or an attachment, it blocks it
  • DLP Systems work in two different environments:
    • Host-based DLP → Uses software agents installed on systems that search those systems for the presence of sensitive information
      • It can also monitor system configuration & user actions (can block undesirable actions)
    • Network-based DLP → Sit on network & monitor outbound network traffic that contains sensitive information
      • It can block sensitive transmissions to prevent loss of sensitive information
  • DLP Mechanisms:
    • Pattern Matching → Watch for the REGEX signs of sensitive information.
      • Ex. “Confidential”
    • Watermarking → Systems or Admins apply electronic tags to sensitive documents & then the DLP system can monitor systems & networks for unencrypted content containing those tags
      • Watermarking technology is commonly used in Digital Rights Management (DRM)
• Rights Management → Refers to the technologies used to provide copyright protection from copyrighted works. → Also known as Digital Rights Management
  • Copyright laws protects original creative works
• Data Masking → Refers to modifying data to hide the original content
  • Primary reason is to protect sensitive information as PII
  • Substitution is the one method in data masking
  • 1234-5678-9101-1121 → 1234-5678-XXXX-XXXX
• Data Minimization → A process of ensuring that only data that is required for business functions is collected and maintained.
  • The best way to achieve data minimization is to simply destroy data when it is no longer necessary to meet the business purpose
• Data at rest → Any data stored on media
• Data in Transit → Data in motion → Any data sent over the network
• Data in processing → Data in use → Refers to data being used by a computer
• Anonymization → Modifies data to protect the privacy of individuals by removing all PII within a data set
• Pseudo-Anonymization → Replace PII data & other data with pseudonyms or artificial identifiers
  • Anyone with separate data with matching the pseudonyms with original data set can reverse & re-create the original data
• Anonymization is used to anonymize the data permanently. In contrast, pseudo-anonymization is used when an organization also needs the ability to reverse the process & access the original data
• Tokenization → Data tokenization replaces the sensitive data with a token.
  • The token is substitute value used in place of the sensitive data
  • A tokenization system can convert the token back into its original form
  • Credit Card Number: 1234-5678-9101-1121 → Token: 87654321

Geographical Considerations

• Off-site storages → At least one copy of backups stored off-site
• Distance → Many organizations have specific requirements related to the distance between the main site & off-site
• Location Selection → The location is often dependent on environmental issues
• Legal Implications → The legal implications related to backups depends on the data stored in the backups
• Data sovereignty → Legal Implications when data is stored off-site. If backups are stored in the different country, they are subject to that country’s laws.

Response and recovery controls

• Attempt to reverse the impact of an incident or problem after it has occurred

API Considerations

• Authentication → Strong authentication methods will prevent unauthorized entities from using the APIs
• Authorization → Authorization methods secure access to the API.
• Transport Level Security → The API should use strong security, such as TLS when transferring any traffic over the Internet.

Hashing

• MD5 → Message Digest Algorithm 5
  • Produces a 128-bit hash value (32 hexadecimal characters).
  • Widely used in the past for checksums and verifying data integrity
  • Considered insecure due to vulnerabilities to collision and pre-image attacks.
• SHA-1 → Secure Hash Algorithm 1
  • Produces a 160-bit hash value (40 hexadecimal characters).
  • Once popular for digital signatures and certificates but now considered insecure due to collision vulnerabilities.
• SHA-2 → Secure Hash Algorithm 2
  • A family of hash functions that includes SHA-224, SHA-256, SHA-384, and SHA-512
  • Produces hash values of varying lengths (224, 256, 384, or 512 bits)
  • Currently considered secure and widely used in many security protocols.
  • SHA-256: Produces a 256-bit hash value.
  • SHA-512: Produces a 512-bit hash value.
• SHA-3 → Secure Hash Algorithm 3
  • The latest member of the Secure Hash Algorithm family, designed as an alternative to SHA-2
  • Uses a different construction method called Keccak and produces hash values of varying lengths similar to SHA-2 (224, 256, 384, or 512 bits).

TLS/SSL inspection

• involves intercepting encrypted traffic between the client and server.
• TLS interception devices act as an on-path attack and decrypt traffic to scan and analyze it, often for malware or other signs of attacks, and then encrypt it to send it on to its destination.

Site Resiliency

• A recovery site is an alternate processing site that organization uses for site resiliency.
• If one site suffers a catastrophic failure, an alternate site can take over after the disaster.
• Hot Site → Would be up 24 x 7 Days a week & would be able to takeover the functionality from primary site quickly after a failure
  • It will include all equipment, software & communication capabilities of the primary site & all the data would be up to date → Mirrors the primary site’s infrastructure, including servers, networking equipment, and data storage.
  • In many cases, copies of backup tapes are stored at the Hot Site as the off-site location
  • Hot site is another active business location that has the capabilities to resume operations during a disaster
  • ETA: Few minutes to an Hour → It is ready to take over operations immediately after a disaster.
  • Hot site is the most effective disaster recovery solution for high-availability requirements.
  • A hot site is the most expensive to maintain and keep up to date.
• Cold Site → Requires power & connectivity
  • The organization brings all the equipment, software & data to the site when they activate it. → - Basic infrastructure such as power, cooling, and physical space but lacks IT equipment.
  • Minimalistic off-site facility with basic infrastructure. → Requires significant setup and configuration before it can be used.
  • A cold site is the cheapest to maintain, but it is also the most difficult to test.
• Warm Site → A warm site provides a compromise that an organization can tailor to meet its needs.
  • Contains hardware such as servers, network infrastructure, and storage but may lack up-to-date data.
  • Requires some setup and configuration before it becomes operational.
  • Hot sites are generally too expensive for most organizations, and cold sites sometimes take too long to configure for full operation.
• Mobile Site → A self-contained transportable unit with all the equipment needed for specific requirements.
• Mirrored Site → Identical to the primary location and provide 100 percent availability.
  • They use real-time transfers to send modifications from the primary location to the mirrored site.
  • Although a hot site can be up and operational within an hour, the mirrored site is always up and operational.
• Restoration Order → Organizations return the least critical functions to the primary site first.

Deception & Disruption

• Honeypots → a sweet-looking server
  • Deceive the attackers and divert them from the live network.
  • Allow observation of an attacker
• Honeynets → A group of honeypots within a separate network or zone but accessible from an organization’s primary network.
  • If the attacker is in the honeynet, he isn’t attacking the live network and administrators can observe the attacker’s actions.
• Honeyfiles → A file designed to attract the attention of an attacker (passwords.txt)
• Fake Telemetry → Corrupts the data sent over to monitoring systems & can disrupt a system
• DNS Sinkhole → A DNS server that gives incorrect results for one or more domain names
  • Investigative authorities have used sinkholes to disrupt botnets and malware.

Objective 2.2

Cloud Models

• Software as a Service (SaaS) → Includes any software or application provided to users over a network such as the Internet
  • Software that is hosted and managed by a service provider and made available to customers over the internet.
  • Google Workspace, Microsoft Office 365, Salesforce, Dropbox
• Platform as a Service (PaaS) → provides customers with a fully managed platform, including hardware, operating systems, and limited applications.
  • The vendor keeps systems up to date with current patches.
  • A platform allowing customers to develop, run, and manage applications without dealing with the infrastructure.
  • Google App Engine, Microsoft Azure, Heroku, AWS Elastic Beanstalk
• Infrastructure as a Service (IaaS) → Allows an organization to outsource its equipment requirements, including the hardware and all support operations.
  • Provides virtualized computing resources over the internet, such as virtual machines, storage, and networks.
  • The IaaS service provider owns the equipment, houses it in its data center, and performs all the required hardware maintenance.
  • Customers are responsible for all operating system updates and patches.
  • IaaS is often used as a serverless architecture. A serverless architecture allows an organization to build and run applications without managing the infrastructure.
  • IaaS Cloud Service Providers do not allow direct access to the underlying hardware in most instances
  • Ex. Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), IBM Cloud
• Anything as a Service (XaaS) → Refers to cloud-based services other than SaaS, PaaS, or IaaS. XaaS includes services such as communications, databases, desktops, storage, security, and more.
• Public Cloud → Available from third-party companies, such as Amazon, Google, Microsoft, and Apple
  • Shared infrastructure among multiple tenants
  • Managed by the cloud service provider
  • AWS, Microsoft Azure, Google Cloud
• Private Cloud → Set up for specific organizations → Host its own servers and make these servers available to internal employees through the Internet.
  • Dedicated infrastructure for one organization
  • Managed internally or outsourced
  • On-premises data centers, VMware Private Cloud
• Hybrid Cloud → A combination of two or more clouds.
  • Mix of public and private infrastructures
  • Managed by both organization and provider
  • Mix of AWS and on-premises infrastructure
• Community Cloud → Communities with shared concerns (such as shared goals, security requirements, or compliance considerations) can share cloud resources
  • Shared infrastructure for a specific community
  • Managed collaboratively by community members
  • Government agencies, research institutions sharing resources
• Multi Cloud → A cloud deployment model where the cloud consumer uses multiple public cloud services
• Cost Comparison → Public cloud < Community cloud < Hybrid cloud < Private cloud
• Security Comparison → Public Cloud < Community Cloud < Hybrid Cloud < Private Cloud
• Scalability Comparison → Private Cloud < Community Cloud < Hybrid Cloud < Public Cloud
• Deployment Speed → Private Cloud < Community Cloud < Hybrid Cloud < Public Cloud

Managed Service Provider & Managed Security Service Provider

• MSSP is a third-party vendor that provides security services for an organization
• MSP provides any IT services needed by an organization, including security services provided by an MSSP.

Edge Computing

• The practice of storing & processing data close to the devices that generate & use the data.

Fog Computing

• Almost same as edge computing
• Fog computing uses a network close to the device & may have multiple nodes sensing & processing data within the fog network.
• Edge computing stores & processes the data on single nodes or appliances.

Thin Client

• A computer with enough resources to boot & connect to a server to run specific applications or desktops
• A thin client is a lightweight computing device that relies on a server to perform most of its processing tasks
• Unlike traditional desktops or laptops, thin clients are designed to connect to a centralized server or a virtual desktop infrastructure (VDI) to access applications, data, and processing power.
• Virtual Desktop Infrastructure (VDI) → hosts a user’s desktop OS on a server.
  • A technology that allows the hosting of desktop environments on a centralized server
  • Users can access these virtual desktops from various devices, providing a consistent and secure desktop experience regardless of the user’s physical location.

Containers

• Container virtualization runs services or applications within isolated containers or application cells
• Containers doesn’t host an OS. Instead, host’s OS & kernel run the service or app within each of the containers.
• None of the apps or services can interfere with services or apps in other containers
• Benefit → It uses fewer resources & can be more efficient than a system using traditional tye II hypervisor virtualization
• Drawback → Containers must use the OS of the host

Microservices

• Microservices are the code modules designed to do one thing well
• Small code receives a value & responds with a value
• Ex. Shipping Tracker

Infrastructure as Code

• Refers to managing & provisioning data centers to define VMs & virtual networks
• It reduces the complexity of creating virtual objects by allowing admins to run a script to create them.
• Software Defined Networking (SDN) → Uses virtualization technologies to route the traffic instead of using hardware routers & switches
  • An SDN separates the data planes & control planes within a network
  • SDN separates the logic used to forward or block traffic (the data plane) & the logic used to identify the path to take (the control plane)
  • SDN implements the data plane with the software & virtualization technologies, allowing organization to move away from proprietary hardware
  • SDN can still use a routing protocols like OSPF & BGP but without the hardware routers
  • Attribute Based Access Control is commonly used in SDNs that allows admins to create data plane policies to route traffic (Use plain language instead of complex rules in ACL)
• Software Defined Visibility (SDV) → Refers to technologies used to view all network traffic
  • By adding SDV capabilities, it ensures that all traffic is viewable & can be analyzed

Serverless Architecture

A serverless architecture allows an organization to build & run applications without managing the infrastructure

Transit Gateway

• Transit gateway is used to connect VPCs to an on-premises network.

Virtualization

• VM Sprawl Avoidance → VM Sprawl occurs when an organizations has many VMs that aren’t appropriately managed.
  • Each VM adds additional load onto a server. If personnel add unauthorized VMs to physical servers, they can consume systems resources. → The servers might become slower & potentially crash.
• VM Escape Protection → VM escape is an attack allows an attacker to access the host system from within the virtual system.
  • Host systems runs an application or process on hypervisor to manage virtual systems.
  • Attacker can run code on the virtual system & interact with the hypervisor
  • A successful VM escape attack often gives the attacker unlimited control over the host system & each virtual system within the host
  • Virtual machine (VM) escape attacks rely on a flaw in the hypervisor that could allow an attacker to attack the hypervisor itself.
  • Mitigation → Isolating the VM is more effective than antivirus to prevent VM Escape

Objective 2.3

Environment

• Development → Software developers use an isolated development environment to create the application
• Test → Attempt to discover any bugs or errors in the testing stage
• Staging → Simulates the production environment &
  • It provides a complete but independent copy of the production environment.
  • It attempts to discover any bugs that might adversely impact the live environment.
• Production → The application goes live as the final product.
• Quality assurance (QA) → Ensure that an application maintains a high level of quality and meets the original requirements

Provisioning & Deprovisioning

• Refers to user accounts
• Provisioning refers to giving appropriate privileges to user account to access various resources
• Deprovisioning refers to removing access to this resources & can be simple as disabling or deleting the account

Integrity measurement

• Refers to the quality of code
• Measures the quality of code based on how extensively & effectively the code was tested throughout the development life cycle

Secure Coding Techniques

• Normalization → Refers to organizing the tables & columns to reduce redundant data & improve overall database performance.
  • First Normal Form → DB is 1NF if it follows following 3 conditions
    • Each row within the table is unique & identified with a primary key
    • Related data is contained in separate table
    • None of the columns include repeating groups
    • Ex. A customer table where each customer has a unique customer ID, and addresses are stored in a separate address table to avoid multiple address fields in the customer table.
  • Second Normal Form → Only applies to tables that have composite primary key, where two or more columns make up the full primary key
    • Database is 2NF if it meets the following criteria:
      • It is in 1NF
      • Non-primary key attributes are completely dependent on the composite primary key.
    • Ex. An order details table with a composite primary key (OrderID, ProductID) where all other attributes (e.g., Quantity, Price) are dependent on both OrderID and ProductID, and not on just one of them.
  • Third Normal Form → Helps to reduce unnecessary redundancies within database
    • Database is 3NF if it meets the following criteria:
      • It is in 2NF. This implies it is also in 1NF.
      • All columns that aren’t primary keys are only dependent on the primary key.
      • None of the columns in the table are dependent on non-primary key attributes.
    • Ex. An employee table where all non-primary key columns (e.g., EmployeeName, DepartmentID) are dependent only on the primary key (EmployeeID), and DepartmentID is linked to a separate department table instead of including department details directly.
• Stored Procedures → A group of SQL statements that execute as a whole
  • It performs data validation & handles the parameter differently & prevents SQL injection
• Obfuscation / Camouflage → Attempts to make something unclear or difficult to understand
  • Code Obfuscation → Attempts to make the code unreadable
  • Ex. removes white space, shortens variable names, and rearranges the text into a compact format
• Code Reuse → Code reuse saves time and helps prevent the introduction of new bugs.
  • Code Reuse Attack → Attacker executes the code that is meant for some other purpose
• Dead Code → Dead code is code that is never executed or used.
• Server-side vs. Client-side → Server-side validation is more secure than client- side validation
• Software Diversity → Methods that use a compiler that mimics the compilers of multiple languages
  • Adds a levels of randomness to the code allowing the same program to behave slightly differently on different systems but still achieving the same result
  • Provides additional layer of security

Automation / Scripting

• Automated courses of action → If developers make a change, the system will detect the change & verify that it doesn’t break any other part of the application
• Continuous Monitoring → Automatically monitors the code changes after every change.
• Continuous Validation → Revalidates the code after every change
• Continuous Integration → Practice of merging code changes into a version control repository regularly
• Continuous Delivery → Code changes are released automatically to a testing or a staging environment
• Continuous Deployment → Code changes are deployed automatically to the production

Scalability

• System’s ability to handle increased workload either by manually scaling up or scaling out
• Additional resources are added manually

Elasticity

• System’s ability to handle increased workload by dynamically scaling up or scaling out as the need arises
• Dynamically adds / removes resources

Vertical vs Horizontal

• Vertical → Adding more resources to the existing machine
• Horizontal → Adding more machines to the system

Objective 2.4

Authentication Methods

• Directory Services → Network OSs commonly use a directory service to streamline management & implement secure authentication
  • Used to provide secure access to the network
  • Active Directory Domain Services (ADDS) → database of objects that provides a central access point to manage users, computers & other directory objects
  • Group Policy Object (GPO) → A powerful feature in Windows environments that allows administrators to centrally manage and enforce system settings and configurations across multiple computers and users within an Active Directory domain
  • Lightweight Directory Access Protocol (LDAP) → Specifies the format & methods used to query directories, such as Microsoft ADDS
    • LDAP is extension of X.500 standard
    • LDAP used TCP port 389
    • LDAP Secure (LDAPS) encrypts data using TCP port 636
    • When client connect to a server using LDAPS, the two systems establish a TLS session & TLS encrypts all data sent between the two systems
• Federation → A federation requires a federated identity management system that all members of the federation use.
  • Members of federation agree on standard for federated identities & then exchange the information based on the standard.
  • A federated identity links user’s credentials from different network or OS, but federation treats it as one identity
  • Relying parties (RPs) (Service Provider (SP)) provide services to members of a federation.
  • An identity provider (IdP) provides identities, makes assertions about those identities, and releases information about the identity holders
• Technologies:
  • HMAC Based One Time Password (HOTP) → HMAC uses a hash function & a cryptographic key for many different cryptographic functions
    • HMAC → Hash-based Message Authentication Code
    • HOTP is open standard used for creating one-time passwords
    • The algorithm combines a secret key & incrementing counter & creates HMAC to create the hash of the result
    • It then converts the results into HOTP value of 6-8 digits
    • A password created with HOTP remains valid until it’s used
  • Time-based One Time Password (TOTP) → Similar to HOTP, but uses a timestamp instead of incrementing counter
    • One time passwords created with TOTP typically expires after 30 seconds, but the time is adjustable
  • Token Key → An electronic device about the size of remote key for a car.
    • LCD displays a number & number changes periodically, such as every 60 seconds
    • The token is synced with the server
• Smart Card Authentication → Smart cards are often used with dual-factor authentication where users have something (the smart card) and know something (such as a password or PIN).
  • Smart cards include embedded certificates used with digital signatures and encryption(Public Key Infrastructure PKI).
  • They are used to gain access to secure locations and to log on to computer systems.
• Smart Card Vs Proximity Card
  • Smart Card → A smart card is a type of card embedded with a microprocessor or memory chip that can store and process data
    • It is used for secure access, identity verification, and various other applications.
    • Contact (insertion) or contactless (RFID)
    • Significant data storage capacity
    • High security, supports encryption and secure protocols
    • More complex infrastructure required
    • Secure access, payments, ID cards
  • Proximity Card → A proximity card (or prox card) is a type of card that uses radio frequency identification (RFID) technology to communicate with a reader.
    • It is primarily used for access control systems.
    • Contactless (RFID)
    • Limited to unique identifier and minimal data
    • Basic security, susceptible to cloning and interception
    • Simple infrastructure
    • Building access, time and attendance tracking

Biometrics

• Vein → Vein matching system identify individuals using near-infrared light to view their veins
  • Many hospitals use palm scanners as a quick & easy way to identify patients & prevent patient misidentification
• Retina → Retina scanners can scan the retina of one or both eyes & use the pattern of blood vessels at the back of the eye for recognition.
  • This scanner can identify medical issues
  • This scanner requires a physical contact with the scanner
• Iris → Iris scanners use camera technologies to capture the patterns of the iris around the pupil for recognition.
  • Used in many passport-free border crossings around the world
  • It can take pictures from about 3-10 inches away
  • No need of physical contact with scanner
• Facial → Identifies people based on facial features
• Voice → Identifies who is speaking using speech recognition to identify different acoustic features
• Gait → Identifies individuals based on the way they walk
• Efficacy Rates → Refers to performance of the system under ideal conditions
• False Acceptance Rate (FAR) → Biometric system incorrectly identifies an unknown user as a registered user
• False Rejection Rate → Biometric system incorrectly rejects a registered user
• True Acceptance → Biometric system correctly identifies a registered user.
• True Rejection → Biometric system correctly rejectes an unknown user.
• Crossover Error Rate → CER is the point where the FAR crosses over FRR
  • Lower CER indicates the biometric system is more accurate

Multi-Factor Authentication (MFA)

• Factors:
  • Something You Know → Refers to shared secrets such as passwords, static code or PIN
  • Something You Have → Refers to something you can physically hold
    • Ex. Smart Card Authentication
  • Something You Are → Uses biometrics for authentication
• Attributes:
  • Somewhere You Are → Identifies user’s location
    • Many authentication system uses IP address for geolocation
    • Can be used to identify impossible travel time or risky login situations
  • Something You Can Do → Refers to actions you can take such as gestures on touch screen
  • Something You Exhibit → Refers to something you can show or display
    • Some military government organizations use Common Access Cards(CACs) or Personal Identity Verification (PIV) cards
    • They include picture of users along with personnel information such as name & badge
  • Someone You Know → Refers to someone is vouching for you

Authentication, Authorization & Accounting (AAA)

• Work together with identification to provide comprehensive access management system
• Accounting methods track user activity & record the activity in the logs
• Audit trial allows security professionals to re-create the events that proceeded as a security incident
• Logging provides accounting

Objective 2.5

Redundancy

• Redundancy adds duplications to critical systems & provides fault tolerance
• Goal → Removes each single point of failure (SPOF)
• Disk Redundancy → Allows system to continue to operate even if disk fails
  • RAID → Redundant Array of Independent Disks
    • Provides fault tolerance for disks & increases system availability
  • RAID-0 → (Striping) → It doesn’t provide any fault tolerance or redundancy
    • It includes two or more physical disks
    • Files stored on RAID-0 are spread across each of the disks
    • Benefit → Increased read & write performance. Because the file is spread across multiple disks & different parts of the file can be read from or written to each of the disks simultaneously
    • If 3x 500 GB drives used in RAID-0 → You have 1.5 TB of storage
    • Minimum Disks: 2
    • Fault Tolerance: No
  • RAID-1 → (Mirroring) → Uses two disks → Data written to one disk is also written to another disk.
    • If one disk fails, the other disk still has all data, so system can continue to operate without any availability loss
    • You can add an additional disk controller to a RAID-1 configuration to avoid disk controller as a single point of failure. Adding a second disk controller to a mirror is called disk duplexing
    • If you have two 500 GB drives in RAID-1, you will have 500 GB of storage & the other 500 GB of storage is for fault tolerance, mirrored volume.
    • Minimum Disks: 2
    • Fault Tolerance: 1
  • RAID-2, RAID-3, RAID-4 are rarely used
  • RAID 3 → Disk striping with dedicated parity
    • It has a dedicated drive containing all the parity bits.
    • It does protect against the loss of a single disk but not with distributed parity.
    • Minimum Disks: 3
    • Fault Tolerance: 1 (But not the parity disk)
  • RAID-5 → 3 or more disks are stripped together (similar to RAID-0)
    • Striping with parity
    • Equivalent of one drives includes parity information
    • This parity information is stripped across each of the drives in RAID-5 & provides fault tolerance
    • If one drive fails, the disk subsystem can read information from remaining drives & recreate the original data
    • If two of the drives fail in RAID-5, the data is lost
    • Minimum Disks: 3
    • Fault Tolerance: 1
  • RAID-6 → An extension of RAID-5 → Striping with double parity
    • Difference → It uses additional parity block & requires additional disk
    • Benefit → RAID-6 will continue to operate even if two disk drives fail
    • RAID-6 requires a minimum of 4 disks
    • Minimum Disks: 4
    • Fault Tolerance: 2
  • RAID-10 → Combines features of mirroring (RAID-1) & stripping (RAID-0) but implements the drives differently
    • Also called as → “stripe of mirrors”
    • RAID-10 is also called RAID-1+0 → Data is first mirrored & then striped
    • When adding more drives, you need to add the disks in multiple of 2, 4, 6…
    • If you have used four 500 GB drives in RAID-10, you have 1 TB of usable storage
    • Minimum Disks: 4
    • Fault Tolerance: Multiple (Tolerates up to one disk failure per mirrored pair.)
  • Comparison:
    • Number of Disks → RAID 0 < RAID 1 < RAID 5 < RAID 10
    • Read Performance → RAID 0 > RAID 10 > RAID 5 > RAID 1
    • Write Performance → RAID 0 > RAID 10 > RAID 1 > RAID 5
    • Fault Tolerance → RAID 0 < RAID 1 < RAID 5 < RAID 10
• Disk Multipath → Multipath Input / Output (I/O) is another fault tolerance method for disks
  • It uses a separate data transfer path to the storage hardware
  • If one path fails, second path handles the transfer
  • If both paths are operational, it provides increased performance
  • One method of implementing Disk Multipath is via Storage Area Network (SAN) using Fibre Channel
• Load Balancer → Load balancing increases the overall processing power of a service by sharing the load among multiple servers.
  • A load balancer uses a scheduling technique to determine where to send new requests.
  • Configurations can be active/passive or active/active.
  • Scheduling methods include round-robin and source IP address affinity
  • Source IP address affinity scheduling ensures clients are redirected to the same server for an entire session.
  • Load balancers provide a virtual IP, or VIP → Traffic sent to the VIP is directed to servers in the pool based on the load-balancing scheme
  • Load Balancer Algorithms
    • Least connection-based → takes load into consideration and sends the next request to the server with the least number of active sessions
    • Round Robin → simply distributes requests to each server in order
    • Weighted Time → Uses health checks to determine which server is currently responding the quickest, and routing traffic to that server.
    • Source IP Hash → Uses a unique hash key generated from the source and destination IP addresses to track sessions, ensuring that interrupted sessions can be seamlessly reassigned to the same server, thus allowing the sessions to continue uninterrupted.
• NIC Teaming → Allows you to group two or more network physical adapters into a single software based virtual network adapter
  • This provides increased performance. → Greater throughput and fault tolerance
  • NIC team uses load balancing algorithms to distribute outgoing traffic equally among NICs
  • Also eliminates physical NIC as single point of failure → Software detects the failure & logically removes the failed NIC
• Dual Supply → A second power supply that can power a device if the primary power supply fails.
• Managed power distribution units → Basic PDUs distribute power to devices, similar to how a power strip delivers power via multiple outlets
  • Managed PDUs (sometimes called switched PDUs) monitor the quality of power such as voltage, current, and power consumption and report these measurements to a central monitoring console
  • This allows administrators to use a single application to monitor power in all the racks within a data center.
• Storage Area Networks (SAN) → Provides block-level data storage via full network
  • Organizations use SAN to provide high speed access to disk arrays or tape libraries
  • SAN can be used for real time replication of the data
  • As soon as data changes in primary location, it is replicated to the SAN

Backup Types

• Full Backup → Back up all the data specified in the backup
  • Time → A full backup can take several hours to complete & can interfere with operations
  • Money → Performing full backup everyday requires more media & it can be expensive
    • Instead, organizations combine full backups with differential or incremental backup
  • A full backup is the easiest & quickest to restore
• Differential Backup → It starts with a full backup
  • Differential backups back up the data that has changed or different since last full backup
  • Two backups needed to restore the data: Last Full Backup + Recent Differential Backup
  • Take less time to restore
• Incremental Backup → It starts with a full backup
  • After the full backup, incremental backups back up the data that has changed since the last backup (Last full backup or Last incremental backup).
  • Last full backup + Multiple Incremental Backups till the date
  • Takes more time to restore
• Snapshot → Snapshot backup is also known as image backup
  • Captures the data at the moment in time
  • Commonly used with virtual machines
• Tape → Tape stores more media & are cheaper than other media
  • Long-term archival storage, backup solutions for large datasets.
• Network Attached Storage (NAS) → A dedicated computer used for file storage & accessible on a network
  • It can handle multiple drives & often run stripped down version of linux for simplicity & reduces the cost
  • NAS proves a file based data storage allowing users to access files on NAS devices & copy backup files to NAS devices
• Online vs Offline Backup → An online backup is a hot backup → It backs up the database while it’s operational → It captures the changes while they are occurring & applies to the backup when they are done
  • An offline backup is a cold backup performed while database is offline → Local Backup

Non-persistence

• Virtual desktops that support non-persistence serve same desktop for all users
• When a user access the remote server, it provides a desktop OS from preconfigured snapshot
• It can revert to the known state when users log off. → It rolls back to known configuration or last known good configuration
• Some bootable USB drives are live media that can save any changes to OS on the USB drive

Objective 2.6

Embedded Systems

• Field Programmable Gate Array (FPGA) → Programmable integrated circuit (IC) installed on circuit board
• Arduino → A microcontroller board, and the circuit board contains the CPU, random access memory (RAM), and read-only memory (ROM).
  • Doesn’t need any OS to run → It has firmware
  • It is used for simple repetitive tasks

ICA & SCADA Systems

• ICS typically refers to systems within large facilities such as power plants or water treatment facilities
• SCADA system typically controls the ICS by monitoring it & sending commands
• Common uses of ICS & SCADA system:
  • Manufacturing & Industrial → Can monitor every processing stage & report anomalies in real time
  • Facilities → Monitors temperature & humidity to keep the environment relatively stable
  • Energy → Oil & Gas processing
  • Logistics → Include monitoring processes within shipping facilities
• Some SCADA systems and ICSs are connected to the corporate network.

Heating, Ventilation, Air Conditioning (HVAC)

• Keeps the computing system at a proper temperature & with proper humidity

Real Time Operating System (RTOS)

• OS that reacts to an input within a specific time
• If it can’t respond within specified time, it doesn’t process the data & reports an error
• Ex. Automated assembly line to create Donuts

System on a Chip (SoC)

• An integrated circuit that includes all the functionality of a computing system within the hardware
• It typically includes an application contained within onboard memory such as ROM & Electronically Erasable Programmable (EEPROM) or flash memory
• Many mobile devices include SoC
• Integrates all the components of a computer or other electronic system into a single integrated circuit (IC)
• The Apple A14 Bionic chip used in the iPhone and iPad is an example of an SoC

Communication Considerations

• 5G → Allows to transfer data more quicker than 4G
  • 5G has limited range → This means 5G needs huge increase in infrastructure to support 5G towers & antennas.
  • 5G signals can be blocked by physical barriers like trees, walls, glass limiting the range
• Narrow Band → Narrow band signals have a very narrow frequency range
  • Commonly used in two-way systems such as walkie-talkies
• Baseband Radio → Include frequencies that are very near zero
  • Typically used to transfer data over a cable than over an air
• Zigbee → A suite of communication protocols user for smaller networks (Ex. Home Automation)
  • It’s designed to be simpler to use & cheaper than other wireless protocols
  • It has relatively low data rate & low power consumption → Zigbee devices have battery life of two or more years
  • It supports strong security including data encryption

Objective 2.7

• Signage → “Authorized Personnels Only” will deter many people from entering the restricted area
  • Discourages unwanted or unauthorized access, providing safety warnings, and helping with evacuation routes and other navigation information as part of a physical safety effort.
• Industrial Camouflage → Many organization use camouflage to hide buildings, a part of building & wide variety of other items
• Robot Sentries → It uses laser light detection sensors & 3D mapping to learn & navigate the environment, different sensors detect activity
  • Provides surveillance, monitoring, and security functions in various environments
• Two Person Integrity → A security control that requires the presence of at least two authorized individuals to perform a task
• USB data blocker → Prevents someone from writing any data to USB drive
  • Some blockers also prevents system from reading data from USB drive
• Faraday Cage → A room that prevents radio frequency signals from entering into or emanating beyond a room.
  • It includes electrical features that cause radio frequency signals to reflect back
• Air Gap → Air gap provides physical isolation with a gap of air between systems
• Screened Subnet → Also known as Demilitarized Zone
  • It is a buffered zone between a private network & internet
  • Provides a layer of protection for internet facing servers while allowing clients to connect with them
  • Helps to segment access from internal network
• Hot & Cold Aisles → Helps to regulate cooling in data centers with rows of cabinets
• Secure Data Destruction →
  • Shredding → Physically destroys the media by cutting it into small pieces.
    • Extremely effective, prevents any form of data recovery.
  • Pulping → Pulping is an additional step taken after shredding paper. It reduces the shredded paper to mash or puree.
  • Pulverizing → Pulverizing is the process of physically destroying media to sanitize it, such as with a sledge hammer (and safety goggles).
  • Degaussing → A degausser is a very powerful electronic magnet. Passing a disk through a degaussing field renders the data on tape and magnetic disk drives unreadable.
    • Effective against magnetic storage devices (HDDs, tapes).
    • Does not work on SSDs or optical media; renders device unusable.
    • You cannot reuse a hard drive once it has been degaussed.
  • Cryptographic Erase → This method involves encrypting the entire disk & then simply deleting the encryption key
    • Without the key, the data on the drive is essentially rendered unreadable
    • This is secure method because even if the data is physically recovered, it remains inaccessible without the key
  • Zero Wipe → Writes zeros to all sectors of the storage device.
    • Not effective against advanced forensic recovery methods.
  • Overwrite → Writes random or specific data patterns to storage sectors multiple times.
    • Time-consuming, may not be effective for SSDs due to wear leveling.
    • Also, known as Data Wiping / Clearing
  • Incineration → Burns the media to ashes, completely destroying the data.
  • Acid Bath → Uses strong acids to dissolve the storage media.
  • Comparison:
    • Zero Wipe < Overwrite < Degaussing < Cryptographic Erase < Shredding = Incineration = Acid Bath
  • sign a contract → The most common way to ensure that third-party secure destruction companies perform their tasks properly is to sign a contract with appropriate language and make sure that they certify the destruction of the materials they are asked to destroy.
    • Manual on-site inspection by third parties is sometimes done as part of certification.
    • Requiring pictures of every destroyed document would create a new copy, thus making it a flawed process. Thus, recording again is not recommended

Objective 2.8

• Digital Signatures → Creates hash of the message
  • In digital signature, the sender uses sender’s private key to encrypt the hash of the message.
  • The recipient uses sender’s public key to decrypt the hash of the message
• Key Stretching → An advanced technique used to increase the strength of stored passwords
  • Instead of just adding salt to the password before hashing it, key stretching applies a cryptographic stretching algorithm to salted password.
  • Benefit → Consumes more time & computing resources making hard for attackers
  • Ex. bcrypt, PBKDF2, Argon2
    • PBKDF2 → Password Based Key Derivation Function V2 → Use thousands of iterations of salting & hashing to generate encryption keys that are resilient against attack
  • They salt the password with additional bits and then send the result through a cryptographic algorithm.
  • One way of implementing it is by repeatedly using a hash function or a block cipher, increasing the effort that an attacker would need to exert to attack the resulting hashed or encrypted data.
• Key Exchange → A cryptographic method used to share cryptographic keys between two entities
• Elliptic Curve Cryptography → Doesn’t take as much processing power than other cryptographic methods → It uses mathematical equations to formulate an elliptical curve
  • It graphs points on the curve to create keys
  • Benefit of ECC keys → ECC keys are much smaller than non-ECC keys
  • ECC is more often considered with low power devices
  • ECC is used in SSL/TLS certificates to secure communications over the internet.
  • ECC is employed in cryptocurrencies (e.g., Bitcoin) for creating public/private key pairs.
• Ephemeral Keys → Ephemeral keys has short lifetime & is re-created for each session
  • Ephemeral Key Pair = Ephemeral Public Key + Ephemeral Private Key
• Perfect Forward Secrecy (PFS) → It indicates that cryptographic system generates random public keys for each session & it doesn’t use deterministic algorithm to do so.
  • This helps to ensure that systems do not reuse keys
  • Goal → The compromise of key does not compromise any past keys
• Modes of Operation →
  • Authenticated Mode → Authenticated encryption provides both confidentiality & authenticity
  • Counter Mode → CTR mode is form of authenticated encryption & CTR mode allow block ciphers to function as stream cipher
  • Unauthenticated Mode → Unauthenticated mode provides confidentiality, but not authenticity
• Blockchain → It is distributed, decentralized public ledger
  • Public Ledger → Block refers to pieces of digital information
  • Chain → Refers to public database
  • Each block has 3 parts:
    • Information about transactions
    • Information about parties involved with transaction(s)
    • A unique hash that distinguishes the block from other block
• Cipher Suites → Most symmetric algorithm use either stream cipher or block cipher
  • Stream Cipher → Encrypts data a single bit/byte at a time
    • Ex. Caesar Cipher, One-Time Pad, RC4
  • Block Cipher → Encrypts data in a specified sized block such as 64-bit or 128-bit block
    • Ex. Transposition Ciphers, Twofish, Blowfish, AES, DES
    • Cipher Block Chaining (CBC) → An operation for block ciphers that enhances security by introducing dependencies between plaintext blocks
      • By XORing each plaintext block with the previous ciphertext block, CBC ensures that identical plaintext blocks result in different ciphertext blocks, thus enhancing confidentiality.
    • Cipher Feedback (CFB) → A mode of operation of block ciphers that allows encryption of data in units smaller than the block size of the cipher
  • Stream ciphers are more efficient than block ciphers when encrypting data in continuous stream
• Symmetric Encryption → Uses same key to encrypt and decrypt the data
  • Symmetric key cryptography can also be called secret key cryptography and private key cryptography.
  • Rely on shared secret
  • RADIUS uses symmetric encryption.
  • Formula → Number of Keys required = n(n-1)/2 where n is number of people
  • Limitations:
    • Key distributions is a major problem
    • Does not implement non-repudiation
    • Not scalable → Difficult for large groups to communication using symmetric crypto
    • Keys must be regenerated often
  • Symmetric Algorithms:
    • Advanced Encryption Standard (AES) → 128 bit cipher
      • AES can use key sizes of 128, 192 & 256
      • AES is faster than 3DES
      • AES is more efficient than 3DES
      • AES is less resource intensive than 3DES
    • DES (Data Encryption Standard) → An older symmetric encryption algorithm.
      • 56 bits (with 8 bits used for parity).
    • Triple Digital Encryption Standard (3DES) → Encrypts data in 64 bit blocks
      • 3DES uses key sizes of 56 bits, 112 bits, or 168 bits.
    • Blowfish → Encrypts data in 64-bit blocks & supports key sizes between 32 & 448 bits
      • Blowfish is general purpose algorithm designed to replace DES
    • Twofish → Encrypts data in 128-bit blocks, and it supports 128, 192, 256-bit keys
    • RC4 → A stream cipher widely used in protocols like SSL/TLS (40 to 128 bits)
    • International Data Encryption Algorithm (IDEA) → A symmetric key block cipher algorithm used for encryption and decryption of data.
• Asymmetric Encryption → Uses two keys in a matched pair to encrypt and decrypt data (a public key and a private key)
  • A key element of several asymmetric encryption methods is that they require a certificate and a PKI.
  • Asymmetric encryption is strong, but very resource intensive
  • Takes a significant amount of processing power to encrypt and decrypt data as compared with symmetric encryption
  • Most cryptographic protocols that use asymmetric encryption only use it for key exchange.
  • Asymmetric Algorithms:
    • RSA (Rivest-Shamir-Adleman) → A widely used asymmetric encryption algorithm for securing data transmission. → Typically 1024, 2048, or 4096 bits.
    • DSA (Digital Signature Algorithm) → A digital signature algorithm used for verifying the authenticity of digital messages or documents. → 1024 or 2048 bits.
    • DSA (Elliptic Curve Cryptography) → A type of asymmetric cryptography based on the algebraic structure of elliptic curves over finite fields.
    • Diffie-Hellman → A key exchange algorithm used to securely exchange cryptographic keys over a public channel. → Typically 1024, 2048, or 4096 bits.
    • ECDH (Elliptic Curve Diffie-Hellman) → A variant of Diffie-Hellman using elliptic curve cryptography for key exchange.
    • ElGamal → An asymmetric encryption algorithm based on the difficulty of solving the discrete logarithm problem → Typically 1024 or 2048 bits.
• Steganography → Hides messages or other data within a file
  • Use hashing to detect changes in files that may indicate the use of steganography
• Lightweight Cryptography → Refers to cryptography deployed to smaller devices such as RFID, sensor nodes, smart cards, IOT devices
• Homomorphic Encryption → Allows data to remain encrypted while it is being processed.
  • Allows to access and manipulate the data without being able to see it because it remains encrypted.
• Common Use Cases:
  • Supporting obfuscation → Steganography is used to support obfuscation.
  • Supporting low power devices → ECC and other lightweight cryptography algorithms support deploying cryptography on low power devices.
  • Supporting low latency → OCSP supports a use case of low latency.
• Limitations:
  • Entropy → Refers to the randomness of a cryptographic algorithm.
  • Longevity → Refers to how long you can expect to use an algorithm.