Security Engineering: CISSP, #3
()
About this ebook
Security Engineering is the third domain of the Certified Information Systems Security Professional certification. In this course we will cover the following: secure design principle and processes, fundamental concepts of security modules, security evaluation models, security capabilities of information systems, vulnerabilities in security architecture and technology components, cryptography and site and secure facility design.
Selwyn Classen
A seasoned and highly qualified IT/IS professional with over 20 years working experience within the Petrochemical industry (i.e. Supply chain management, Knowledge management, Product and Quality management, Business analysis and processing) including the Telecommunications industry.
Read more from Selwyn Classen
Risk Management and Information Systems Control Rating: 5 out of 5 stars5/5Incident Management Rating: 0 out of 5 stars0 ratings
Related to Security Engineering
Titles in the series (8)
Security and Risk Management: CISSP, #1 Rating: 4 out of 5 stars4/5Asset Security: CISSP, #2 Rating: 0 out of 5 stars0 ratingsCommunication and Network Security: CISSP, #4 Rating: 0 out of 5 stars0 ratingsSecurity Engineering: CISSP, #3 Rating: 0 out of 5 stars0 ratingsSecurity Assessment and Testing: CISSP, #6 Rating: 2 out of 5 stars2/5Identity and Access Management: CISSP, #5 Rating: 0 out of 5 stars0 ratingsSecurity Operations: CISSP, #7 Rating: 0 out of 5 stars0 ratingsSoftware Development Security: CISSP, #8 Rating: 0 out of 5 stars0 ratings
Related ebooks
Asset Security: CISSP, #2 Rating: 0 out of 5 stars0 ratingsSecurity Operations: CISSP, #7 Rating: 0 out of 5 stars0 ratingsSoftware Development Security: CISSP, #8 Rating: 0 out of 5 stars0 ratingsSecurity Assessment and Testing: CISSP, #6 Rating: 2 out of 5 stars2/5CISSP® Study Guide Rating: 3 out of 5 stars3/5CISSP Exam Study Guide: NIST Framework, Digital Forensics & Cybersecurity Governance Rating: 5 out of 5 stars5/5Security and Risk Management: CISSP, #1 Rating: 4 out of 5 stars4/5CISSP Exam Study Guide For Security Professionals: NIST Cybersecurity Framework, Risk Management, Digital Forensics & Governance Rating: 0 out of 5 stars0 ratingsCybersecurity Jobs & Career Paths: Find Cybersecurity Jobs, #2 Rating: 0 out of 5 stars0 ratingsModern Cybersecurity Practices: Exploring And Implementing Agile Cybersecurity Frameworks and Strategies for Your Organization Rating: 0 out of 5 stars0 ratingsCybersecurity Design Principles: Building Secure Resilient Architecture Rating: 0 out of 5 stars0 ratingsSecurity Operations Center - SIEM Use Cases and Cyber Threat Intelligence Rating: 0 out of 5 stars0 ratingsInfosec Management Fundamentals Rating: 5 out of 5 stars5/5Building Effective Cybersecurity Programs: A Security Manager’s Handbook Rating: 4 out of 5 stars4/5Information Security for Small and Midsized Businesses Rating: 0 out of 5 stars0 ratingsEnterprise Security: A Data-Centric Approach to Securing the Enterprise Rating: 0 out of 5 stars0 ratingsCyber Essentials: A Pocket Guide Rating: 5 out of 5 stars5/5CISSP:Cybersecurity Operations and Incident Response: Digital Forensics with Exploitation Frameworks & Vulnerability Scans Rating: 0 out of 5 stars0 ratingsOSSEC Host-Based Intrusion Detection Guide Rating: 5 out of 5 stars5/5Security Operations Center - Analyst Guide: SIEM Technology, Use Cases and Practices Rating: 4 out of 5 stars4/5Cybersecurity for Beginners : Learn the Fundamentals of Cybersecurity in an Easy, Step-by-Step Guide: 1 Rating: 0 out of 5 stars0 ratingsThe Executive's Cybersecurity Advisor: Gain Critical Business Insight in Minutes Rating: 0 out of 5 stars0 ratingsCyber Security Incident Response A Complete Guide - 2020 Edition Rating: 0 out of 5 stars0 ratingsCybersecurity Enforcement and Monitoring Solutions: Enhanced Wireless, Mobile and Cloud Security Deployment Rating: 0 out of 5 stars0 ratingsCommunication and Network Security: CISSP, #4 Rating: 0 out of 5 stars0 ratingsIdentity and Access Management: CISSP, #5 Rating: 0 out of 5 stars0 ratingsCISSP Study Guide Rating: 0 out of 5 stars0 ratingsCISSP For Dummies Rating: 4 out of 5 stars4/5
Teaching Methods & Materials For You
Speed Reading: Learn to Read a 200+ Page Book in 1 Hour: Mind Hack, #1 Rating: 5 out of 5 stars5/5Personal Finance for Beginners - A Simple Guide to Take Control of Your Financial Situation Rating: 5 out of 5 stars5/5Grit: The Power of Passion and Perseverance Rating: 4 out of 5 stars4/5How to Think Like a Lawyer--and Why: A Common-Sense Guide to Everyday Dilemmas Rating: 3 out of 5 stars3/5How to Take Smart Notes. One Simple Technique to Boost Writing, Learning and Thinking Rating: 4 out of 5 stars4/5Speed Reading: How to Read a Book a Day - Simple Tricks to Explode Your Reading Speed and Comprehension Rating: 4 out of 5 stars4/5Becoming Cliterate: Why Orgasm Equality Matters--And How to Get It Rating: 4 out of 5 stars4/5The Three Bears Rating: 5 out of 5 stars5/5How To Be Hilarious and Quick-Witted in Everyday Conversation Rating: 5 out of 5 stars5/5Fluent in 3 Months: How Anyone at Any Age Can Learn to Speak Any Language from Anywhere in the World Rating: 3 out of 5 stars3/5Principles: Life and Work Rating: 4 out of 5 stars4/5Jack Reacher Reading Order: The Complete Lee Child’s Reading List Of Jack Reacher Series Rating: 4 out of 5 stars4/5Financial Feminist: Overcome the Patriarchy's Bullsh*t to Master Your Money and Build a Life You Love Rating: 5 out of 5 stars5/5Weapons of Mass Instruction: A Schoolteacher's Journey Through the Dark World of Compulsory Schooling Rating: 4 out of 5 stars4/5The Art of Self-Directed Learning: 23 Tips for Giving Yourself an Unconventional Education Rating: 5 out of 5 stars5/5From 150 to 179 on the LSAT Rating: 4 out of 5 stars4/5The Chicago Guide to Grammar, Usage, and Punctuation Rating: 5 out of 5 stars5/5The 5 Love Languages of Children: The Secret to Loving Children Effectively Rating: 4 out of 5 stars4/5Good to Great: Why Some Companies Make the Leap...And Others Don't Rating: 4 out of 5 stars4/5Verbal Judo, Second Edition: The Gentle Art of Persuasion Rating: 4 out of 5 stars4/5How To Do Motivational Interviewing: A guidebook for beginners Rating: 5 out of 5 stars5/5The 5 Love Languages of Teenagers: The Secret to Loving Teens Effectively Rating: 4 out of 5 stars4/5Lies My Teacher Told Me: Everything Your American History Textbook Got Wrong Rating: 4 out of 5 stars4/5Raising Human Beings: Creating a Collaborative Partnership with Your Child Rating: 4 out of 5 stars4/5Why Are You Still Sending Your Kids to School? Rating: 5 out of 5 stars5/5Dumbing Us Down - 25th Anniversary Edition: The Hidden Curriculum of Compulsory Schooling Rating: 4 out of 5 stars4/5Excellent Sheep: The Miseducation of the American Elite and the Way to a Meaningful Life Rating: 4 out of 5 stars4/5
Reviews for Security Engineering
0 ratings0 reviews
Book preview
Security Engineering - Selwyn Classen
While every precaution has been taken in the preparation of this book, the publisher assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.
SECURITY ENGINEERING
First edition. April 2, 2020.
Copyright © 2020 Selwyn Classen.
Written by Selwyn Classen.
Table of Contents
Introduction
Security Engineering
What is Security Engineering and What is Next?
Secure Design Principles and Processes
Introduction to Secure Design Principles and Processes
Software/System Design Lifecycle
Requirements Phase
Design Phase
Implementation Phase
Integration and Testing Phase
Transition to Operations Phase
NIST Security Engineering Principles
Security Foundation Principles
Risk-Based Principles
Ease of Use Principles
Increase Resilience Principles
Reduce Vulnerabilities Principles
Design with Network in Mind Principles
Summary and What is Next
Fundamental Concepts of Security Models
Introduction to Fundamental Concepts of Security Models
Type of Security Models
Information Flow Security Model
Matrix-based Security Model
Multi-level Lattice Security Model
Non-interference Security Model
State Machine Security Model
Common Security Model Examples
Bell-LaPadula Confidentiality Security Model
Biba Integrity Security Model
Brewer-Nash (The Chinese Wall) Security Model
Clark Wilson Security Model
Graham-Denning Security Model
Security Architecture Frameworks
The Open Group Architecture Framework (TOGAF)
Zachman Framework
Sherwood Applied Business Security Architecture (SABSA)
Summary and What is Next
Security Evaluation Models
Introduction to Security Evaluation Models
Certification and Accreditation
Product Evaluation Models
Trusted Computer System Evaluation Criteria (TCSEC)
Information Technology Security Evaluation Criteria (ITSEC)
The Common Criteria
Security Implementation Guidelines
ISO/IEC 27001 and 27002 Security Standards
Control Objects for Information and Related Technology (COBIT)
Payment Card Industry Data Security Standard (PCI-DSS)
Summary and What is Next
Security Capabilities of Information Systems
Introduction to Security Capabilities of Information Systems
Access Control Mechanisms
Secure Memory Management
State and Layering
Cryptographic Protections
Host Firewalls and Intrusion Prevention
Auditing and Monitoring Controls
Virtualization
Summary and What is Next
Vulnerabilities in Security Architecture and Technology Components
Introduction to Vulnerabilities in Security Architecture and Technology Components
Completely Secure Any System
Vulnerability Types
The CIA Triad
Security Architecture Vulnerabilities
Technology Component Vulnerabilities
Summary and What is Next
Cryptography
Introduction to Cryptography
Cryptography Is Typically Bypassed, Not Penetrated
Basic Concept of Cryptography
Cryptography Is Not New!
The CIA Triad
Key Length
Cipher Types
Forms of Cryptography
Symmetric Cryptography
Data Encryption Standard (DES)
Double DES (2DES)
Triple-DES (3DES)
Advanced Encryption Standard (Rijndael)
Asymmetric Cryptography
Hashing Functions
Hashing Attacks
Methods of Cryptanalytic Attacks
Cryptographic Lifecycle
Cryptography Law
Summary and What is Next
Site and Facility Secure Design
Introduction to Site and Facility Secure Design
Physical Security Control Design
Crime Prevention Through Environmental Design
Physical Security Requirements and Resources
Key Facility Protection Points
Facility Access
Support Equipment Rooms
Server and Technology Component Rooms
Restricted Work Areas
Summary
Introduction
Security Engineering
Security engineering is one of the eight domains of the Certified Information Systems Security Professional certification. Or as it is commonly referred to the CISSP. In this course, we will cover the 11 topics within the security engineering domain across 7 more modules. Specifically, we will cover the following. Secure design principle and processes. Fundamental concepts of security modules. Security evaluation models. Security capabilities of information systems. Vulnerabilities in security architecture and technology components. Cryptography. And finally, site and secure facility design.
What is Security Engineering and What is Next?
To start, this quote can help set the stage for what we are going to be talking about over this course. Specifically, If you think technology can solve your security problems, then you do not understand the problems, and you do not understand technology.
I quoted Bruce Schneier here, who is a well-known cryptographer and computer security specialist. Not to upset anyone with the quote, but to help frame up a key point to take away from this course. Given that the course is titled Security Engineering, I imagine that you have thoughts of servers, applications, tools, etc., that can help solve your organization's problems. And you would be right, but they are no silver bullet.
Technology is only one piece of the solution to any security problem, which can be a slippery slope for many organizations that hope for resolution after deploying a new security technology in their environment. That is only the first step in helping resolve a problem. But the harder parts of the solution are the people and process aspects once the deployment is done, which are critical to resolving the problem's root cause versus treating the symptoms. So, what is next? In the next module, we will be talking about secure design principles and processes. What are they? How do they relate to this module? And why are they important for this course and the CISSP exam? I hope you found this information helpful, and I look forward to seeing you in the future.
Secure Design Principles and Processes
Introduction to Secure Design Principles and Processes
Secure design principles and processes are the first of the objectives of the security engineering domain of the Certified Information Systems Security Professional certification or as it is commonly referred to the CISSP. Secure design principles and processes are key concepts to understand for any information security program, as well as for the CISSP exam. Numerous other components in information security programming build upon a secure design for an organization. So without a secure design in place, it is next to impossible to perform other aspects effectively and efficiently.
In this module, I will show you how to increase security and reduce the risk for your organization through proper timing in the Software/Systems Development Lifecycle process (SDLC). Then we will outline and discuss the 33 security engineering principles, from the Engineering Principles for Information Technology Security by the National Institute of Standards and Technology (NIST), that can be implied within your organization. And lastly, as previously mentioned, the secure design principles and processes is the first objective of the security engineering domain of the CISSP exam.
Software/System Design Lifecycle
Embed security into a solution as early as possible. Not bolted on
after design or implementation is complete. You might be asking yourself, what do you mean? Cannot security just be a final check before a solution is decided by the stakeholders, designed by the architects, coded by the developers, and implemented by the engineers? Sure. That is a possible approach. But so is evaluating a new aircraft for safety right before its maiden voyage or evaluating a new skyscraper for structural soundness when the tenants are waiting outside with