Domain 3: Security Architecture And Engineering (Weightage 13%).
Security engineering is the process of building and maintaining information systems and sub-systems that deliver the required functionality securely. This domain discusses various security models, physical security, and cryptography, including the core concepts of symmetric encryption, asymmetric encryption, and hash functions.
It also covers secure design concepts such as layering, which separates hardware and software functionality into modular tiers so that each layer interacts only with the layers next to it, and abstraction, which hides unnecessary implementation details from the user.
The Bell-LaPadula model focuses on protecting the confidentiality of objects. It has the following properties: the Simple Security Property ("no read up": a subject may not read an object at a higher classification than its clearance), the * (star) Security Property ("no write down": a subject may not write to an object at a lower classification than its clearance), the Strong Tranquility Property (security labels never change while the system is operating), and the Weak Tranquility Property (labels may change, but never in a way that violates the security policy).
Biba is the corresponding model for integrity protection. It has two rules: the Simple Integrity Axiom ("no read down": a subject may not read an object of lower integrity) and the * Integrity Axiom ("no write up": a subject may not write to an object of higher integrity).
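The following is an added example, not code from the original study notes. It encodes the four rules above as access-decision functions over a constructed four-level label ordering (the level names, the sample subjects and objects are assumptions), and also shows weak tranquility as a relabelling check that refuses any label change which would turn a current reader into a "read up". Running it side by side makes the point that Bell-LaPadula and Biba pull in opposite directions: the same "secret" subject may read a "confidential" object under Bell-LaPadula but not under Biba.

```python
"""Bell-LaPadula (confidentiality) and Biba (integrity) rule checks.

Added example for these notes, not code from the original page.  The
four-level label ordering and the sample subjects/objects are constructed
for illustration; a real system would add compartments/categories."""
from dataclasses import dataclass

# Constructed linear lattice: a higher number means more sensitive (BLP)
# or more trustworthy (Biba).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Entity:
    """A subject (clearance) or an object (classification) with one label."""
    name: str
    level: str


def dominates(a: str, b: str) -> bool:
    """True if label a is at least as high in the lattice as label b."""
    return LEVELS[a] >= LEVELS[b]


def blp_can_read(subject: Entity, obj: Entity) -> bool:
    """Simple Security Property ("no read up"): the subject's clearance
    must dominate the object's classification."""
    return dominates(subject.level, obj.level)


def blp_can_write(subject: Entity, obj: Entity) -> bool:
    """* Security Property ("no write down"): the object's classification
    must dominate the subject's clearance, so secrets cannot leak downwards."""
    return dominates(obj.level, subject.level)


def biba_can_read(subject: Entity, obj: Entity) -> bool:
    """Simple Integrity Axiom ("no read down"): the object's integrity
    must dominate the subject's, so untrusted data cannot taint it."""
    return dominates(obj.level, subject.level)


def biba_can_write(subject: Entity, obj: Entity) -> bool:
    """* Integrity Axiom ("no write up"): the subject's integrity must
    dominate the object's, so a low-integrity subject cannot corrupt it."""
    return dominates(subject.level, obj.level)


RULES = {
    ("blp", "read"): blp_can_read,
    ("blp", "write"): blp_can_write,
    ("biba", "read"): biba_can_read,
    ("biba", "write"): biba_can_write,
}


def check(model: str, subject: Entity, obj: Entity, op: str) -> bool:
    """Mandatory access decision; unknown models/operations fail loudly."""
    try:
        return RULES[(model, op)](subject, obj)
    except KeyError:
        raise ValueError(f"no rule for model={model!r} op={op!r}") from None


def relabel_weak_tranquility(obj: Entity, new_level: str,
                             current_readers: list) -> Entity:
    """Weak tranquility: a label may change only if the change does not
    violate the policy.  Here that means every subject currently reading
    obj must still dominate its new label (nobody ends up reading up).
    Strong tranquility would refuse any change while the system runs."""
    if new_level not in LEVELS:
        raise ValueError(f"unknown label {new_level!r}")
    for s in current_readers:
        if not dominates(s.level, new_level):
            raise PermissionError(
                f"raising {obj.name} to {new_level} would let {s.name} read up")
    return Entity(obj.name, new_level)


if __name__ == "__main__":
    # Constructed sample: a "secret" analyst against two documents.
    analyst = Entity("analyst", "secret")
    memo = Entity("memo", "confidential")
    plan = Entity("plan", "top_secret")
    for model in ("blp", "biba"):
        for obj in (memo, plan):
            for op in ("read", "write"):
                verdict = "allow" if check(model, analyst, obj, op) else "deny"
                print(f"{model:4} {analyst.name} {op:5} {obj.name}: {verdict}")
```

The `relabel_weak_tranquility` helper only checks the readers it is given; a real kernel would also have to consider open writers and, for declassification, a separate approval path.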
Clark-Wilson, a real-world integrity model, requires subjects to access objects only through programs (transformation procedures). It enforces two policies: well-formed transactions, which move data only from one valid state to another, and separation of duties. The Chinese wall model, also known as the Brewer-Nash model, prevents conflicts of interest: once a subject has accessed the data of one company, it is denied access to the data of any competitor in the same conflict-of-interest class.
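As an added example (not code from the original notes or any named product), the block below implements both models from the paragraph above: a Clark-Wilson style ledger that subjects may only reach through certified transformation procedures authorised by access triples, with a separation-of-duties check over those triples, and a Brewer-Nash wall that tracks each subject's access history against conflict-of-interest classes. The ledger, the procedure and role names, the company names and the classes are all constructed assumptions. Only the Brewer-Nash simple security rule (reads) is shown, not its write rule.

```python
"""Clark-Wilson access triples with separation of duties, and a Brewer-Nash
(Chinese wall) conflict-of-interest check.

Added example for these notes, not code from the original page.  The
ledger, the transformation procedures, the role names, the company names
and the conflict-of-interest classes are all constructed."""
from dataclasses import dataclass, field

# ---- Clark-Wilson -----------------------------------------------------
# Subjects never touch a constrained data item (CDI) directly: they run a
# certified transformation procedure (TP), and only if an access triple
# (subject, TP, CDI) authorises that combination.


@dataclass
class Ledger:
    """A CDI whose integrity constraint is that debits always equal credits."""
    entries: list = field(default_factory=list)

    def balanced(self) -> bool:
        return sum(amount for _, amount in self.entries) == 0


def post_entry(ledger: Ledger, memo: str, debit: int, credit: int) -> Ledger:
    """Well-formed transaction: moves the ledger from one valid state to
    another, so it refuses any posting that would unbalance it."""
    if debit != credit:
        raise ValueError(f"unbalanced posting {memo}: {debit} != {credit}")
    ledger.entries.append((memo + "/dr", debit))
    ledger.entries.append((memo + "/cr", -credit))
    return ledger


def verify(ledger: Ledger) -> bool:
    """Integrity verification procedure: confirms the CDI is in a valid state."""
    return ledger.balanced()


TPS = {"post_entry": post_entry, "verify": verify}

# Constructed access triples: who may run which TP on which CDI.
ACCESS_TRIPLES = {
    ("clerk", "post_entry", "ledger"),
    ("auditor", "verify", "ledger"),
}


def separation_of_duties_ok(triples) -> bool:
    """Nobody may both post to and verify the same CDI."""
    posters = {(s, c) for s, tp, c in triples if tp == "post_entry"}
    verifiers = {(s, c) for s, tp, c in triples if tp == "verify"}
    return not (posters & verifiers)


def run_tp(subject: str, tp_name: str, cdi_name: str, cdi, *args):
    """The only path from a subject to a CDI: check the triple, then run the TP."""
    if (subject, tp_name, cdi_name) not in ACCESS_TRIPLES:
        raise PermissionError(f"{subject} may not run {tp_name} on {cdi_name}")
    return TPS[tp_name](cdi, *args)


# ---- Brewer-Nash / Chinese wall ---------------------------------------
# Constructed conflict-of-interest classes: companies that compete.
COI_CLASSES = {
    "banking": {"Bank A", "Bank B"},
    "oil": {"Oil X", "Oil Y"},
}


def class_of(company: str) -> str:
    for name, members in COI_CLASSES.items():
        if company in members:
            return name
    raise ValueError(f"{company!r} is in no conflict-of-interest class")


class ChineseWall:
    """Simple security rule: a subject may access a company's data only if
    it has never accessed a different company in the same COI class."""

    def __init__(self):
        self.history = {}  # subject -> set of companies already accessed

    def can_access(self, subject: str, company: str) -> bool:
        cls = class_of(company)
        return all(seen == company or class_of(seen) != cls
                   for seen in self.history.get(subject, set()))

    def access(self, subject: str, company: str) -> None:
        if not self.can_access(subject, company):
            raise PermissionError(f"{subject}: conflict of interest on {company}")
        self.history.setdefault(subject, set()).add(company)


if __name__ == "__main__":
    book = Ledger()
    run_tp("clerk", "post_entry", "ledger", book, "rent", 100, 100)
    print("ledger verified:", run_tp("auditor", "verify", "ledger", book))
    wall = ChineseWall()
    wall.access("ann", "Bank A")
    print("ann -> Bank B allowed:", wall.can_access("ann", "Bank B"))
```

Note that the wall's decision depends on history, not on a static permission list: the same request for "Bank B" is allowed before "Bank A" has been touched and denied afterwards, which is why Brewer-Nash state has to be persisted per subject rather than per session.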
Next, it discusses open systems, which use open hardware and standards, whereas closed systems use proprietary hardware or software. Secure hardware must ensure integrity and availability for users, processes, and data; it includes the system unit, motherboard, and CPU.
A process is an executable program that has been loaded into memory together with its data. A thread is a lightweight process: a unit of execution that shares the memory of its parent process. Multitasking allows multiple tasks (heavyweight processes) to appear to run simultaneously on one CPU by rapidly switching between them; multiprocessing differs in that it runs multiple processes on multiple processors. RISC (reduced instruction set computer) and CISC (complex instruction set computer) are two forms of CPU design: RISC uses a smaller number of simpler instructions, while CISC has a large number of complex machine-language instructions. A Trusted Platform Module (TPM) is a dedicated cryptographic chip that provides additional security capabilities at the hardware level, such as protected key storage.
Next, it discusses memory protection, which prevents one process from affecting the confidentiality, integrity, and availability of another. Process isolation is a logical control that prevents one process from interfering with another. Hardware segmentation extends process isolation by mapping processes to specific physical locations in memory. Virtual memory provides virtual address mapping between applications and hardware memory, so each process sees its own address space. WORM (write once, read many) storage protects the integrity of data by allowing it to be written once and then read but never modified.
Next, it covers virtualization, hypervisors, cloud computing, grid computing, peer-to-peer (P2P) networks, and thin clients. Security architecture and design vulnerabilities are described in terms of system threats, vulnerabilities, and countermeasures. This includes covert channels, which are communication paths that violate the security policy, typically by signalling through shared storage or timing behaviour. A backdoor is a shortcut that allows a user to bypass security checks such as username/password authentication in order to log in. Malware is the general term for malicious software; the domain also covers worms, Trojans, rootkits, packers, logic bombs, and other types of malware.