📘 Study Focus | Domain 3: Security Architecture and Engineering

📘 Domain 3: Security Architecture and Engineering

Domain 3 is where a lot of folks hit a wall, especially with cryptography and security models.

🔑 Flashcard Topics (Deep Dive on Difficult Material)


πŸ” Cryptography (CISSP’s #1 memory trap)

🧾 Encryption Types & Use Cases

  • Symmetric Encryption (Secret Key)
    Fast, same key for encrypt/decrypt. Use for bulk data encryption (AES, DES).

  • Asymmetric Encryption (Public Key)
    Slow, uses key pair. Use for key exchange, digital signatures (RSA, ECC).

  • Hybrid Encryption
    Use asymmetric to exchange symmetric session key (e.g., TLS/SSL).

🔒 Key Concepts

  • Confusion vs Diffusion
    Confusion = obscure the relationship between key and ciphertext; Diffusion = spread each plaintext bit’s influence across many ciphertext bits.

  • Key Escrow vs Key Recovery
    Escrow = a trusted third party stores copies of keys; Recovery = the organization itself can retrieve lost keys.

  • Key Stretching (e.g., PBKDF2, bcrypt)
    Slows down brute-force attacks by running the password through many iterations, making each guess far more expensive and the derived key stronger.

πŸ” Block Cipher Modes

  • ECB (Electronic Codebook)
    Encrypts identical blocks identically = leaks patterns. Don’t use.

  • CBC (Cipher Block Chaining)
    Each block XOR’d with previous. Requires IV. Susceptible to padding oracle attacks.

  • CTR (Counter)
    Turns block cipher into stream cipher. Fast, parallelizable.

  • GCM (Galois/Counter Mode)
    Modern secure mode. Provides encryption + integrity (authenticated encryption).

📜 Digital Signatures

  • What They Provide
    Authentication, integrity, and non-repudiation.

  • How They Work
    Sender signs hash with private key. Receiver verifies with public key.

🛠️ PKI Components

  • Certificate Authority (CA)
    Issues digital certificates.

  • Registration Authority (RA)
    Verifies identity for the CA.

  • CRL vs OCSP
    CRL = certificate revocation list (downloaded); OCSP = real-time revocation check.

πŸ” Key Management Lifecycle

  • Steps
    Generate → Distribute → Use → Store → Rotate → Revoke → Destroy.

  • Split Knowledge vs Dual Control
    Split = no single person knows full key; Dual = two people required for access.


πŸ›️ Security Models

🛑️ Confidentiality-Focused

  • Bell-LaPadula (No Read Up, No Write Down)
    Protects secrecy — a Secret-cleared user can’t read a Top Secret doc (no read up), and a Top Secret user can’t write into a Secret doc (no write down).

πŸ“ Integrity-Focused

  • Biba (No Read Down, No Write Up)
    Protects data accuracy — low-trust user can’t tamper with high-trust data.

  • Clark-Wilson
    Uses well-formed transactions and separation of duties.

⚖️ Other Models

  • Brewer-Nash (Coca-Cola Model)
    Prevents conflict of interest; access rights change dynamically based on what the user has already accessed.

  • Graham-Denning
    Describes secure creation and management of subjects/objects.

  • Take-Grant Model
    Focuses on rights propagation between subjects.


🖥️ System Architecture & Hardware

🔧 Trusted Computing Base (TCB)

All hardware, firmware, and software that together enforce the security policy.

🧱 Security Perimeter

Boundary between TCB and rest of system — protects TCB from untrusted inputs.

🧩 Reference Monitor Concept

Abstract mediator that checks every access by a subject to an object; it must always be invoked and cannot be bypassed.

📘 Security Kernel

Implements the reference monitor; part of the OS kernel.


📊 System Assurance & Evaluation

Common Criteria (ISO 15408)

  • EAL Levels (1–7)
    Higher = more assurance, more cost and time to evaluate. EAL4 = highest level commonly reached by commercial products.

🔎 Security Labels

  • Sensitivity + Need to Know
    Used in MAC systems for multilevel security.

🧱 TEMPEST

  • Protection Against Emanations
    Prevents leakage via electromagnetic radiation.
