1. Select Controls Based upon Systems Security Requirements
1.1. Analysis of Security Requirements
1.1.1. Regulatory or Compliance Requirements
1.1.1.1. SOX and FISMA in the US
1.1.1.2. Companies Act in the UK
1.1.1.3. GDPR in the EU
1.1.1.4. Sector Specific Obligations like HIPAA in the US
1.1.1.5. Contractual Obligations like PCI DSS
1.1.1.6. Voluntary Compliance Programs like ISO 27001 or SOC 1/2/3 audits
1.1.2. Threat Modeling
1.1.3. Risk assessment of the system
1.2. Adopting an Information Security Framework
1.2.1. ISO27001
1.2.2. NIST SP 800-37 “Risk Management Framework”
1.2.3. NIST Cybersecurity Framework (CSF)
1.2.4. ISA624443
1.2.5. COBIT 5
1.3. Selecting Appropriate Controls
1.4. Implementation of Controls - Plan Do Act Check Cycle
1.4.1. Plan
1.4.2. Do
1.4.3. Check
1.4.4. Act
2. Understand Security Capabilities of IS’s
2.1. Memory Protection
2.1.1. OS Memory Protection
2.1.2. ASLR
2.1.3. Potential Weaknesses - Meltdown and Spectre
2.2. Virtualization
2.2.1. Type1 Hypervisor
2.2.2. Type2 Hypervisor
2.3. Secure Cryptoprocessor
2.3.1. Proprietary
2.3.2. Trusted Platform Modules (TPM)
2.3.2.1. Specified in ISO/IEC 11889
2.3.2.2. Can be used by OS, Processor BIOS, or application is OS provides access.
2.3.2.3. Use Cases
2.3.2.3.1. Public/ Private Key Generation
2.3.2.3.2. Digital Signing
2.3.2.3.3. Data Encryption
2.3.2.3.4. Verification of The State of the Machine
2.3.2.4. Processes
2.3.2.4.1. Secured I/O
2.3.2.4.2. Cryptographic Processor
2.3.2.4.3. Persistent Memory
2.3.2.4.4. Versatile Memory
2.3.2.5. Potential Weaknesses
2.3.2.5.1. Private Endorsement Key
2.3.2.5.2. Manufacturer’s Processes
2.3.3. Cryptographic Modules
2.3.3.1. FIPS 140-2 “Security Requirements for Cryptographic Modules”
2.3.3.2. ISO/IEC 15408 “Common Criteria for IT Security Evaluation”
2.3.4. Hardware Security Modules (HSM)
2.3.5. Smartcards
2.3.5.1. Timing Attacks
2.3.5.2. Power Analysis Attacks
3. Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements
3.1. Client-Based Systems
3.1.1. Vulnerabilities related to communications with the server
3.1.2. Vulnerabilities related to insecure operation of the client
3.1.3. Mitigation Strategies
3.2. Server-Based Systems
3.3. Database Systems
3.3.1. Database Specific Mitigation Strategies
3.3.2. Database Encryption
3.3.2.1. Full-Disk Encryption (FDE)
3.3.2.2. File system Level Encryption
3.3.2.3. Transparent Data Encryption (TDE)
3.3.2.4. Cell Level Encryption (CLE)
3.3.2.5. Application Level Encryption
3.3.2.6. Considerations on the Level of Encryption
3.4. Cryptographic Systems
3.4.1. Algorithm and Protocol Weaknesses
3.4.2. Implementation Weaknesses
3.4.3. Key Management Vulnerabilities
3.4.3.1. Random Number Generators
3.4.3.1.1. NIST SP800-90 series of publications
3.4.3.1.2. ISO 18031 standard
3.4.3.1.3. ANSI
3.5. Industrial Control Systems
3.5.1. ISA/IEC-62443 series of publications
3.5.2. NERC provides CIP standards.
3.5.3. ERNCIP
3.5.4. NIST SP800-82
3.5.5. CPNI
3.6. Cloud-Based Systems
3.6.1. Characteristics defined by NIST SP800-145 and ISO/IEC 17788
3.6.1.1. Broad Network Access
3.6.1.2. Measured Service
3.6.1.3. On-demand self service
3.6.1.4. Rapid elasticity and scalability
3.6.1.5. Resource pooling and multitenancy
3.6.2. Cloud Service Models
3.6.2.1. SaaS
3.6.2.2. PaaS
3.6.2.3. IaaS
3.6.3. Responsibility Trade-Off
3.6.3.1. Service Provider
3.6.3.1.1. Physical Security
3.6.3.1.2. Environmental Security
3.6.3.1.3. Hardware
3.6.3.1.4. Networking
3.6.3.2. Mutual
3.6.3.2.1. Vulnerability and Patch Management
3.6.3.2.2. Configuration Management
3.6.3.2.3. Training
3.6.3.3. Client
3.6.3.3.1. Data
3.6.3.3.2. Client & Endpoint
3.6.3.3.3. IAM
3.6.4. Types of Cloud Deployment
3.6.4.1. Public CLoud
3.6.4.2. Private Cloud
3.6.4.3. Community Cloud
3.6.4.4. Hybrid Cloud
3.7. Distributed Systems
3.8. IoT
4. Implement Site and Facility Security Controls
4.1. Physical Access Controls
4.1.1. Administrative Controls
4.1.1.1. Policies and Procedures
4.1.1.2. Facility Management
4.1.1.3. Personnel Screening and Management
4.1.1.4. Training
4.1.1.5. Maintenance and testing of technical and physical controls
4.1.1.6. Emergency and Incident Controls
4.1.2. Technical Controls
4.1.2.1. CCTV
4.1.2.2. Alarms
4.1.2.3. HVAC
4.1.2.4. Utility Power
4.1.2.5. Fire Detection and Suppression
4.1.2.6. Electronic Access Systems (card access)
4.1.2.7. Environmental Monitoring
4.1.3. Physical Controls
4.1.3.1. Facility Location and Siting
4.1.3.2. Facility Construction, Fencing, and Landscaping
4.1.3.3. Doors, Locks, Turnstiles, Mantraps, Lighting
4.1.3.4. Guards and Dogs
4.1.3.5. ID cards
4.1.4. Risk Mitigation Models
4.1.4.1. Deter
4.1.4.2. Detect
4.1.4.3. Delay
4.1.4.4. Assess
4.1.4.5. Respond
4.1.4.6. Recover
4.2. Wiring Closets / Intermediate Distribution Facilities
4.3. Server Rooms / Data Centers
4.3.1. Risk Assessment
4.3.2. Operation
4.3.2.1. Personnel (Background Checks, training, access procedures)
4.3.2.2. Maintenance
4.3.2.3. Logging, Monitoring, and Alerting
4.3.2.4. Control Testing and Auditing
4.3.2.5. Standards
4.3.2.5.1. ASHRAE
4.3.2.5.2. ANSI / BICSI 002-2014
4.3.2.5.3. EIA / TIA : ANSI / TUA-942
4.3.2.5.4. EU : EN 50600 series of standards
4.3.2.5.5. ISO / IEC 30314 series
4.3.2.5.6. Uptime Institute : Tier Standards
4.4. Media Storage Facilities
4.4.1. Temp and Humidity
4.4.2. Air filtration and air pressure against dust
4.4.3. Appropriate carpeting to minimize static electricity
4.4.4. Beware of magnetic siting of the devices
4.4.5. Beware of the lifespans of devices for backing
4.4.6. Securely destroy the media, no info leak
4.5. Evidence Storage
4.6. Restricted and Work Area Security
4.6.1. Least Privilege and Need-to-Know
4.6.2. SoD and/or Dual Control
4.6.3. Defense in Depth
4.6.4. Compliance Requirements
4.7. Utilities and Heating, Ventilation, and Air Conditioning
4.7.1. UPS Systems
4.7.1.1. Load
4.7.1.2. Capacity
4.7.1.3. Filtering
4.7.1.4. Reliability
4.7.2. Considerations with both UPS and HVAC
4.7.2.1. Regular Maintenance
4.7.2.2. Testing
4.7.2.3. System Fault Detection and Alerting
4.7.2.4. Periodic Checks and Audits
4.7.2.5. Concerns with Industrial Control System also applies
4.8. Environmental Issues
4.9. Fire Prevention, Detection, and Suppression
4.9.1. Considerations
4.9.1.1. Fire Suppression System Costs
4.9.1.2. Restoration Costs
4.9.1.3. Downtime
4.9.2. Regulations
4.9.2.1. Canada and the US - NFPA 75,76
4.9.2.2. UK - BS 6266:2011
4.9.2.3. Germany - the Vds series
4.9.3. Sprinkler Systems
4.9.3.1. Wet Pipe
4.9.3.2. Dry Pipe
4.9.3.3. Deluge Sprinkler
4.9.3.4. Pre-action Systems
4.9.3.4.1. Single Interlock Systems
4.9.3.4.2. Double Interlock Systems
4.9.4. Water Alternatives
4.9.4.1. Original Alternatives
4.9.4.1.1. CO2
4.9.4.1.2. Halon
4.9.4.2. Newer Alternatives
4.9.4.2.1. HFC-227ea
4.9.4.2.2. Fluorinated Ketone
4.9.4.2.3. Various gas mixtures
4.9.5. Controls
4.9.5.1. Physically Separate Critical Components
4.9.5.2. Fire Extinguishers
4.9.5.3. Training of the staff
4.9.6. Types of Fires
4.9.6.1. Class A: Ordinary Solid Combustibles - paper, wood, plastic
4.9.6.2. Class B: Flammable Liquids and Gases - gasoline etc.
4.9.6.3. Class C: Energized Electrical Equipment
4.9.6.4. Class D: Combustible metals - lithium metals - but not lithium ion batteries - they are Class B.
5. Engineering Processes Using Secure Design Principle
5.1. Saltzer and Schroeder’s Principle
5.1.1. Economy of Mechanism
5.1.2. Fail Safe Defaults
5.1.3. Complete Mediation
5.1.4. Open Design
5.1.5. Separation of Privilege
5.1.6. Least Privilege
5.1.7. Least Common Mechanism
5.1.8. Psychology of Acceptability
5.1.9. Work Factor
5.1.10. Compromise Recording
5.2. ISO/IEC 19249
5.2.1. Architectural Principles
5.2.1.1. Domain Separation
5.2.1.2. Layering
5.2.1.3. Encapsulation
5.2.1.4. Redundancy
5.2.1.5. Virtualization
5.2.2. Design Principles
5.2.2.1. Least Privilege
5.2.2.2. Attack Surface Minimization
5.2.2.3. Centralized Parameter Validation
5.2.2.4. Centralized General Security Services
5.2.2.5. Prep for error and exception handling
5.3. Defense in Depth
5.4. Using Security Principles
6. Understand the Fundamental Concepts of Security Models
6.1. Bell-LaPadula Model
6.2. The Biba Integrity Model
6.3. The Clark-Wilson Model
6.4. The Brewer-Nash Model
7. Assess and Mitigate Vulnerabilities in Web-Based Systems
7.1. Injection Vulnerabilities
7.2. Broken Authentication
7.3. Sensitive Data Exposure
7.4. XML External Entities
7.5. Broken Access Control
7.6. Security Misconfiguration
7.7. Cross-Site Scripting
7.7.1. Stored XSS Attack
7.7.2. Reflected XSS Attack
7.8. Using Components with Known Vulnerabilities
7.8.1. MITRE’s Common Vulnerabilities and Exposure (CVE)
7.8.2. NIST’s National Vulnerability Database(NVD)
7.9. Insufficient Logging and Monitoring
7.10. Cross-Site Request Forgery
8. Assess and Mitigate Vulnerabilities in Mobile Systems
8.1. Weak or Missing Passwords/Pins
8.2. Lack of MFA
8.3. Long Session Lifetime
8.4. Wireless Vulnerabilities (Bluetooth and WiFi)
8.5. Mobile Malware
8.6. Lack of Security Software
8.7. Unpatched Operating System or Browser
8.8. Lack of Inherent Firewall
8.9. Insecure Devices
8.10. Mobile Device Management Software(MDM)
9. Assess and Mitigate Vulnerabilities in Embedded Systems
9.1. User Interface Attacks
9.2. Physical Security
9.3. Sensor Attacks
9.4. Output Attacks
9.5. Processor Attacks
10. Apply Cryptography
10.1. Cryptographic Lifecycle
10.1.1. Management of Encrypted Data at Rest, in Storage, in Transit
10.1.2. Key Management
10.1.3. Algorithm Selection
10.1.3.1. The Type of Cryptology
10.1.3.1.1. Symmetric
10.1.3.1.2. Public Key
10.1.3.1.3. Hashing
10.1.3.1.4. Translation Vaults
10.1.3.2. The Specific Algorithm
10.1.3.3. The Key Length
10.1.3.4. If Symmetric Key, the Operating Mode
10.1.3.4.1. Electronic Code Book (ECB)
10.1.3.4.2. Cipher Block Chaining (CBC)
10.1.3.4.3. Cipher Feedback (CFB)
10.2. Cryptographic Methods
10.2.1. Cryptographic Approaches Use Cases
10.2.2. Symmetric Ciphers
10.2.2.1. Stream Ciphers
10.2.2.1.1. Synchronous
10.2.2.1.2. Self-Synchronizing
10.2.2.2. Block Ciphers
10.2.2.2.1. ECB
10.2.2.2.2. CBC
10.2.2.2.3. CFB
10.2.2.2.4. Counter Mode Encryption (CTR)
10.2.3. Hashing
10.2.4. Forward Secrecy
10.2.5. Asymmetric Encryption (Public Key Cryptography)
10.2.6. Quantum Cryptography
10.3. PKI
10.3.1. Certificate Signing Request (CSR)
10.3.2. Certificate Authority (CA)
10.3.3. X.509 Standards
10.3.4. Web Certificates
10.3.5. Validity of a Certificate
10.3.5.1. CRL
10.3.5.1.1. Online Certificate Status Protocol (OCST) defined by RFC 6960
10.3.5.2. Certificate Chains
10.3.5.2.1. DNS-based Authentication of Named Entities (DANE)
10.4. Key Management Practices
10.4.1. Secure Key Generation
10.4.2. Secure Key Storage and Use
10.4.3. Separation of Duties, Dual Controls, and Split Knowledge
10.4.4. Timely Key Rotation and Key Change
10.4.5. Key Destruction
10.5. Digital Signatures
10.5.1. Hash Collision
10.5.2. Private Key Disclosure
10.5.3. CA Compromise
10.6. Non-Repudiation
10.6.1. IETF standard RFC 3161
10.7. Integrity
10.7.1. Checksums
10.7.1.1. Luhn Algorithm by ISO/IEC 7812-1
10.7.2. Hashing
10.7.2.1. SHA-3
10.7.2.2. Hash-based Message Authentication Code (HMAC)
10.7.2.2.1. RFC-2104
10.8. Understand Methods of Cryptanalytic Attacks
10.8.1. Attack Models
10.8.1.1. Ciphertext-only Attack
10.8.1.2. Known-plaintext Attack
10.8.1.3. Chosen-plaintext Attack
10.8.1.4. Chosen-ciphertext Attack
10.8.2. Attack Primarily of Interest to Cryptographers
10.8.2.1. Linear Cryptanalysis
10.8.2.2. Differential Cryptanalysis
10.8.2.3. Cryptographic Safety Factor
10.8.3. Attacks of General Interest
10.8.3.1. Brute Force
10.8.3.1.1. Password-Based Key Derivation Function 2 (PBKDF2)
10.8.3.2. MitM Attack
10.8.3.3. Side-Channel Attacks
10.8.3.4. Birthday Attack
10.8.3.5. Related-Key Attack
10.8.3.6. Meet-in-the-Middle Attack
10.8.3.7. Replay Attack
10.8.3.8. Differential Fault Analysis (DFA)
10.8.3.9. Quantum Cryptanalysis
10.9. DRM
10.9.1. Digital Millennium Copyright Act of 1998 (DMCA)
10.9.2. The EU Copyright Dİrective
10.9.3. Encrypted Media Extensions (EME)
10.9.4. E-DRM
10.9.5. Privacy Concerns