CISSP Domain 3 Review – Security Architecture and Engineering

This post is a review of Domain 3 of the CISSP, which covers security architecture and engineering.


Security Architecture

This section addresses the three most common enterprise architectures:

  1. TOGAF
    • The Open Group Architecture Framework
    • It is the most used enterprise architecture.
    • An approach to developing and governing an enterprise information technology architecture.
    • High-level.
  2. Zachman
    • Two-dimensional.
    • On the first dimension, there are 5 questions : Why, How, What, Who, Where, and When.
    • On the second dimension, there are 6 perspectives : Executive, Business Management, Architect, Engineer, Technician, and User.
  3. SABSA
    • Sherwood Applied Business Security Architecture
    • An approach to developing risk-driven enterprise information security architecture.
    • Chain of traceability

Security Models

  1. Bell LaPadula Model
    • Confidentiality
    • Simple security property : No read up
    • Star security property : No write down
    • The model does not deal with covert channels
  2. Biba Model
    • Integrity
    • Simple integrity property : No read down
    • Star integrity property : No write up
    • Invocation property : A subject cannot invoke another subject at a higher level.
  3. Clark Wilson Model
    • Improvement of Biba model.
    • Allows well-formed transactions, separation of duties.
  4. Lipner Model
    • A combination of Bell LaPadula and Biba models.
    • Covers both confidentiality and integrity
  5. Brewer Nash Model
    • Also called: The Chinese Wall
    • Prevent conflict of interests.
  6. Graham-Denning Model
    • Deals with how objects and subjects are created, and how rights are assigned.
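
The Bell-LaPadula and Biba properties listed above can be written as a small access check. This is an added example, not part of the original review; the labels, integer levels and the "both" policy that requires the two models to agree are assumptions made for the demonstration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Label:
    name: str
    confidentiality: int  # Bell-LaPadula level, higher = more sensitive
    integrity: int        # Biba level, higher = more trustworthy

def blp_allows(subject, obj, op):
    """Bell-LaPadula: simple property (no read up), star property (no write down)."""
    if op == "read":
        return subject.confidentiality >= obj.confidentiality
    if op == "write":
        return subject.confidentiality <= obj.confidentiality
    raise ValueError(f"unknown operation: {op}")

def biba_allows(subject, obj, op):
    """Biba: simple integrity (no read down), star integrity (no write up)."""
    if op == "read":
        return subject.integrity <= obj.integrity
    if op == "write":
        return subject.integrity >= obj.integrity
    raise ValueError(f"unknown operation: {op}")

def biba_can_invoke(caller, callee):
    """Biba invocation property: no invoking a subject at a higher integrity level."""
    return caller.integrity >= callee.integrity

def decide(subject, obj, op):
    """Evaluate one request under each model; 'both' is this example's own policy."""
    blp, biba = blp_allows(subject, obj, op), biba_allows(subject, obj, op)
    return {"blp": blp, "biba": biba, "both": blp and biba}

# Constructed sample data (levels are arbitrary integers chosen for the demo).
analyst = Label("analyst", confidentiality=2, integrity=1)
report = Label("vetted_report", confidentiality=1, integrity=2)
audit_log = Label("audit_log", confidentiality=3, integrity=0)
installer = Label("installer", confidentiality=0, integrity=3)

if __name__ == "__main__":
    for obj in (report, audit_log):
        for op in ("read", "write"):
            print(f"{analyst.name} {op} {obj.name}: {decide(analyst, obj, op)}")
    print("analyst may invoke installer:", biba_can_invoke(analyst, installer))
```

The analyst can write to the audit log without being able to read it, which is the "blind write up" that the two star properties permit when applied together.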

Security Capabilities

  1. Security Kernel : Implementation of the reference model.
  2. Processor modes
    • Privileged Mode (Kernel Mode)
    • Unprivileged Mode (Problem Mode)
  3. Secondary memory
    • Hard drive, solid state drive, CDs, USB drives, …
    • It is called secondary because it is not directly accessible by the CPU.
  4. Memory Paging
    • Operating systems can store and retrieve data from secondary memory in same-size blocks called pages. This additional memory is called Virtual memory.
    • Good if the primary memory space is limited.
  5. Memory protection key
    • Associate a process with a memory block
  6. ASLR (Address Space Layout Randomization)
    • No more predictable memory address location.
    • Prevent buffer overflow attacks.
  7. DEP : Data Execution Prevention
    • Prevent execution of code from certain memory locations.
  8. Protection rings
    • 4 rings : from 0 to 4.
    • Ring 0 : Kernel (Runs with the highest privileges)
    • Ring 3 : User applications (Run with the least privileges)

Evaluation Criteria

  1. TCSEC
    • The Orange Book.
    • Focuses on Confidentiality.
    • Levels (From Lowest to highest) :
      • D : Minimal protection
      • C1 : Discretionary security protection (DAC)
      • C2 : Controlled access protection (DAC)
      • B1 : Labeled security protection (MAC)
      • B2 : Structured protection (MAC)
      • B3 : Security domains (MAC)
      • A1 : Verified design
  2. ITSEC
    • Cover Confidentiality, Integrity and Availability
    • Target of Evaluation : Product that is evaluated.
    • Two ratings :
      • Functional levels :
        • F-C1, F-C2, F-B1, F-B2, F-B3 : Requirements for confidentiality.
        • F-IN : Requirements for integrity
        • F-AV : Requirements for availability
        • F-DI : For data integrity during data communication.
        • F-DX : For integrity and confidentiality during data communication.
      • Assurance levels :
        • E0 : Equivalent to D(TCSEC)
        • E1 : Equivalent to C1
        • E2 : Equivalent to C2
        • E3 : Equivalent to B1
        • E4 : Equivalent to B2
        • E5 : Equivalent to B3
        • E6 : Equivalent to A1
  3. Common Criteria
    • ISO 15408
    • Protection Profile : Reference document used in evaluation. It specifies security evaluation criteria.
    • Target of Evaluation : Product that is being evaluated.
    • Security Target : Document provided by the vendor of the product. It defines the security details that the product is supposed to have.
    • Levels :
      • EAL1 : Functionally tested.
      • EAL2 : Structurally tested.
      • EAL3 : Methodically tested and checked.
      • EAL4 : Methodically designed, tested and reviewed.
      • EAL5 : Semi-formally designed and tested.
      • EAL6 : Semi-formally verified design and tested.
      • EAL7 : Formally verified design and tested.

Vulnerabilities in web-based systems

OWASP Top Ten :

  1. Injection.
  2. Broken authentication.
  3. Sensitive data exposure.
  4. XML external entities (XXE).
  5. Broken access control.
  6. Security misconfiguration.
  7. Cross-site scripting (XSS).
  8. Insecure deserialization.
  9. Using components with known vulnerabilities.
  10. Insufficient logging and monitoring.


  1. Symmetric
    • The sender and receiver must both have the same secret key.
    • Block ciphers:
      • Generally used for data at rest.
      • Fixed-size blocks.
      • DES
        • Vulnerable
        • 56-bit key + 8 bits for parity.
        • 64-bit blocks
      • 2DES
        • Vulnerable to Meet-In-The-Middle attack.
      • 3DES
        • 2 keys : DES-EEE2, DES-EDE2.
        • 3 keys : DES-EEE3, DES-EDE3.
      • AES
        • Secure algorithm.
        • Blocks of 128-bits.
        • AES-128 : 128-bit key.
        • AES-192 : 192-bit key.
        • AES-256 : 256-bit key.
      • Blowfish: Vulnerable, replaced by Twofish
      • IDEA
      • RC5 and RC6 : parameterized ciphers.
      • Block ciphers use S-Boxes (Substitution) and P-Box (Permutation).
      • Padding is added for messages that have a length not a multiple of the block length.
    • Stream ciphers:
      • 1 bit at a time
      • Use XOR operator, and keystream generator (Random bits).
      • RC4
    • Operating modes :
      • ECB : Easier, but less secure.
      • CBC : The first block of data is XORed with the IV (Initialization Vector). Every subsequent block is XORed with the previous ciphertext block.
      • For stream ciphers : CFB, OFB
      • CTR: Allows for parallel processing of the blocks using a counter value (Nonce).
    • The number of secret keys needed for n people is n(n-1)/2.
      • Creates a problem of scalability.
  2. Asymmetric
    • Used for secret key exchange, and not for bulk communication.
    • Algorithms
      • Trapdoor functions
      • Based on factoring problem
        • RSA
      • Based on discrete logarithm problem
        • Diffie Hellman : Used for key exchange.
        • El Gamal : Based on Diffie Hellman, but adds message confidentiality and digital signatures.
      • Based on elliptic curves
        • ECC : Used in smart cards and wireless.
    • Asymmetric algorithms are vulnerable to quantum computers.
    • Post-quantum cryptography consists of cryptographic algorithms that are secure against a quantum computer attack.
  3. Key Management
    • Secure key generation
      • Using hardware-based random number generators. For example embedded in a TPM (Trusted Platform Module).
    • Secure key storage and use
      • KEKs
        • Key Encryption Keys.
        • KEKs can be generated and stored securely in an HSM.
    • Key rotation and key change
    • Key escrow
    • Key destruction
  4. Hashing
    • MD5 : The least secure.
    • SHA-1 : Also not secure.
    • SHA-2 : 4 types
      • SHA-224 : 224-bit output.
      • SHA-256 : 256-bit output.
      • SHA-512 : 512-bit output.
  5. Digital signatures
    • When sending : The sender encrypts the hash of the message with their private key to create the digital signature, and appends it to the message
    • When receiving : The receiver decrypts the digital signature with the public key of the sender to retrieve the hash of the message, and then compares it with the hash of the message that they received.
    • Ensures integrity, authenticity and non-repudiation.
  6. Public Key infrastructure
    • Certificate Authority (CA) : Digitally signs a public key on a certificate using X.509 standard.
    • Registration authority (RA) : Verify a request for the digital certificate on behalf of the certificate authority.
    • Validation authority (VA) : Verify the validity of a digital certificate.
    • CRL : Certificate Revocation List, contains all certificates that are no longer valid.
    • OCSP : A protocol for confirming if a given digital certificate has not been revoked.
  7. Cryptographic attacks
    • Known plaintext : The attacker has access to both a plaintext and its ciphertext.
    • Ciphertext-only : The most difficult.
    • Chosen plaintext : The attacker can choose a plaintext and obtain its encryption.
    • Chosen ciphertext : The attacker can choose a ciphertext and obtain its corresponding plaintext.
    • Rainbow table : Table of pre-calculated hashes.
    • Hash Collision : When two texts generate the same hash.
    • Birthday Attack : Aims at finding two messages that have the same hash.
    • Frequency analysis : Used when the language of the plaintext is known.
    • Factoring attack : Used against RSA algorithm
    • Attack against the random number generator.
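
Why ECB is "less secure" than CBC, as noted under the operating modes above, shows up as soon as a message contains repeated blocks. This is an added example, not part of the original review; the 4-round Feistel cipher built on SHA-256 is a toy stand-in for a real block cipher, and the key, IV and message are constructed.

```python
import hashlib

BLOCK = 16  # block size in bytes (128 bits, as for AES)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(key, block):
    """Toy 4-round Feistel permutation; for illustration only, not a real cipher."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        f = hashlib.sha256(key + bytes([i]) + right).digest()[:BLOCK // 2]
        left, right = right, xor(left, f)
    return left + right

def pad(msg):
    """PKCS#7-style padding up to a multiple of the block length."""
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes([n]) * n

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, msg):
    # Each block is encrypted independently: equal plaintext blocks
    # produce equal ciphertext blocks.
    return b"".join(encrypt_block(key, b) for b in blocks(pad(msg)))

def cbc_encrypt(key, iv, msg):
    # First block is XORed with the IV, every later block with the
    # previous ciphertext block, before encryption.
    prev, out = iv, []
    for b in blocks(pad(msg)):
        prev = encrypt_block(key, xor(b, prev))
        out.append(prev)
    return b"".join(out)

def repeated_blocks(ciphertext):
    """Number of ciphertext blocks that duplicate an earlier block."""
    bs = blocks(ciphertext)
    return len(bs) - len(set(bs))

# Constructed inputs. The IV is fixed here only to make the run reproducible;
# a real CBC IV must be unpredictable and fresh for every message.
KEY = b"constructed-demo-key"
IV = bytes(range(BLOCK))
MESSAGE = b"ACCOUNT=00001234" * 3 + b"AMOUNT=100"

if __name__ == "__main__":
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(KEY, MESSAGE)))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(KEY, IV, MESSAGE)))
```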

Physical security

  1. Safety of people always comes first.
  2. Server rooms and data centers
    • Secure the physical access.
    • HVAC.
    • Secure against environmental risks.
    • Fire safety.
  3. Wiring Closets and intermediate distribution facilities
    • They should also be secured, but in reality they are often neglected.
  4. Media storage facilities
    • Ensure that media will not be degraded over time
    • Controlled temperature and humidity.
    • Air filtration.
  5. Evidence storage
    • Log book to maintain chain of custody.
    • CCTV
    • Locks
  6. Fire safety
    • Classes
      • A : Solid materials (Ex: paper, wood…).
        • Extinguisher : Water, dry powder, halon.
      • B : Flammable liquids (Ex: diesel,…).
        • Extinguisher : CO₂, dry powder, halon.
      • C : Electrical equipment.
        • Extinguisher : CO₂, dry powder, halon.
      • D : Combustible metal.
        • Extinguisher : Dry powder.
      • K : Cooking equipment (Ex: Oil, animal fats…)
        • Extinguisher : Wet chemical.
    • Water sprinkler
      • Wet pipe : Water is always in the pipes. When a sprinkler head is activated, it operates instantly and independently.
      • Dry pipe : Pressurized gas is in the pipes. When a sprinkler head is activated, the water fills the pipes and the sprinkler head operates independently.
      • Deluge : When a sensor detects a fire, the water fills the pipes and all sprinkler heads operate simultaneously.
      • Pre-action : When a sensor detects a fire, the water fills the pipes but then every sprinkler head operates independently.
        • This is generally the preferred option.
      • Remember : Water sprinklers are not to be used for electrical fires.

We have now gone through all the items covered in Domain 3 of the CISSP. If you notice that I have forgotten to mention an important concept in this review, please let me know in the comments below.

