
Exam Weight: 13%
Domain 3 is the most technical and broad domain. It covers everything from hardware architecture and the “Ring Model” to cryptography and physical site security. To master this domain, you must understand how secure systems are built from the silicon up.
1. Secure Design Principles
Security engineering builds on NIST and ISO standards.
- Security Models:
- Bell-LaPadula: Focuses on Confidentiality. Rules: No Read Up (Simple Security Property) and No Write Down (Star Property).
- Biba: Focuses on Integrity. Rules: No Read Down and No Write Up.
- Clark-Wilson: Uses a “three-part relationship” (Subject, Program, Object) to ensure integrity through well-formed transactions and separation of duties.
- The Ring Model: Protects the OS kernel (Ring 0) from applications (Ring 3).
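The Bell-LaPadula and Biba rules listed above, written as access checks (an added example, not part of the original guide). The `Level` names, the function names, and the use of a single label for both models are assumptions made for illustration.

```python
from enum import IntEnum
from itertools import product


class Level(IntEnum):
    """Constructed classification lattice (assumed; the guide names no levels)."""
    PUBLIC = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Bell-LaPadula: protects confidentiality."""
    if op == "read":
        return subject >= obj   # Simple Security Property: no read up
    if op == "write":
        return subject <= obj   # Star Property: no write down
    raise ValueError(f"unknown operation: {op!r}")


def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Biba: protects integrity, so both comparisons are inverted."""
    if op == "read":
        return subject <= obj   # no read down
    if op == "write":
        return subject >= obj   # no write up
    raise ValueError(f"unknown operation: {op!r}")


def both_allow(subject: Level, obj: Level, op: str) -> bool:
    """Assumption: one label serves as both clearance and integrity level."""
    return blp_allows(subject, obj, op) and biba_allows(subject, obj, op)


def permitted_pairs(check, op: str) -> list:
    """Every (subject, object) pair the given model permits for op."""
    return [(s, o) for s, o in product(Level, repeat=2) if check(s, o, op)]


if __name__ == "__main__":
    for name, check in (("BLP", blp_allows), ("Biba", biba_allows), ("both", both_allow)):
        for op in ("read", "write"):
            pairs = permitted_pairs(check, op)
            print(f"{name:4} {op:5} -> {len(pairs)} of 16 pairs permitted")
```

With one shared label, enforcing both models together permits only same-level reads and writes.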
2. Cryptography
This is a massive sub-section. You must know the “why” and “how” of encryption.
- Symmetric: One key (Secret Key). Fast, used for bulk data. (AES, DES, 3DES, Blowfish).
- Asymmetric: Two keys (Public/Private). Slower, used for key exchange and digital signatures. (RSA, ECC, Diffie-Hellman).
- Hashing: One-way function for integrity. (SHA-256, SHA-3).
- Digital Signatures: Provides Integrity, Authentication, and Non-repudiation. (Sender signs with their Private Key; Receiver verifies with Sender’s Public Key).
3. Hardware and Virtualization Security
- TPM (Trusted Platform Module): A dedicated microcontroller designed to secure hardware through integrated cryptographic keys.
- TEE (Trusted Execution Environment): A secure area of a main processor (e.g., Intel SGX) that ensures code and data are protected with respect to confidentiality and integrity.
- Edge/IoT Security: Understanding the risks of “constrained devices” that lack the processing power for heavy encryption.
- Cloud Models:
- IaaS: You manage the OS and apps.
- PaaS: You manage the apps.
- SaaS: You manage the data.
4. Vulnerabilities in Systems
- Buffer Overflow: An application writes more data to a block of memory than it was designed to hold.
- Injection (SQLi, XSS): Untrusted data is sent to an interpreter as part of a command or query.
- Side-Channel Attacks: Attacking the physical implementation of a system (e.g., power consumption or timing) rather than the algorithm itself.
5. Physical Security
If an attacker has physical access, they have “all” access.
- Site Design: Lighting, fencing (8 feet + barbed wire for high security), and bollards.
- Fire Suppression:
- Class A: Common combustibles (Water/Soda Acid).
- Class B: Flammable liquids (CO2/Halon).
- Class C: Electrical (CO2/Non-conductive).
- Class D: Combustible metals.
- Media: Understand that “Dry Pipe” systems are preferred for data centers to prevent accidental water damage.
