Architecture and Design
Overview
In this unit, students will learn how to secure environments, with emphasis on cloud and hybrid deployment models.
Standards
CompTIA Security+ (SY0-601) Objectives 2.1 – 2.8
Cyber Connections
Networks and Internet
Hardware and Software
Threats and Vulnerabilities
Digital Citizenship
Lessons
2.1 - Explain the importance of security concepts in an enterprise environment
- Configuration management
  - Diagrams
  - Baseline configuration
  - Standard naming conventions
  - Internet protocol (IP) schema
- Data sovereignty
- Data protection
  - Data loss prevention (DLP)
  - Masking
  - Encryption
    - At rest
    - In transit/motion
    - In processing
  - Tokenization
  - Rights management
- Hardware security module (HSM)
- Geographical considerations
- Cloud access security broker (CASB)
- Response and recovery controls
- Secure Sockets Layer (SSL)/Transport Layer Security (TLS) inspection
- Hashing
- API considerations
- Site resiliency
  - Hot site
  - Cold site
  - Warm site
- Deception and disruption
  - Honeypots
  - Honeyfiles
  - Honeynets
  - Fake telemetry
  - DNS sinkhole
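The data protection items in 2.1 (DLP, masking, tokenization) are easier to reason about in code. The example below is added here for this unit and is not part of the CompTIA objectives or any vendor product: it runs a DLP-style content check over a constructed support-ticket text (the card numbers are the standard Visa/Mastercard test numbers, not real accounts), masks what it finds, and swaps each number for a vault token. The regex, the `TokenVault` class and the `tok_` prefix are this example's own choices.

```python
import re
import secrets
from typing import Dict, List

# Constructed sample: a support ticket body. The card numbers are the familiar
# Visa/Mastercard test numbers (Luhn-valid, not real accounts); the 16-digit
# order number is a decoy that the Luhn check should reject.
SAMPLE_TEXT = ("Customer paid with 4111 1111 1111 1111 for order 1234567890123456 "
               "and asked to keep 5500-0000-0000-0004 on file.")

# Candidate primary account numbers: 13-19 digits, optionally separated by
# single spaces or dashes. It over-matches on purpose; luhn_valid() filters.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """DLP content inspection: return the Luhn-valid PANs in text, digits only."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """Masking: reveal only the last four digits (what a receipt may show)."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Tokenization: a PAN is swapped for a random token with no mathematical
    relation to it. Only this vault (in practice a separately secured service)
    can map the token back, so systems holding tokens hold no card data."""

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if pan not in self._pan_to_token:          # same PAN -> same token
            token = "tok_" + secrets.token_hex(8)
            self._token_to_pan[token] = pan
            self._pan_to_token[pan] = token
        return self._pan_to_token[pan]

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]


def redact(text: str, vault: TokenVault) -> str:
    """Replace every Luhn-valid PAN in text with its vault token."""
    def _swap(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return vault.tokenize(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_swap, text)
```

The Luhn filter is what keeps a pattern-based DLP rule from flagging every 16-digit order or ticket number; masking is irreversible by design, while tokenization is reversible only through the vault, which is why the vault must sit in a more tightly controlled zone than the systems that consume tokens.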
2.2 - Summarize virtualization and cloud computing concepts
- Cloud models
  - Infrastructure as a service (IaaS)
  - Platform as a service (PaaS)
  - Software as a service (SaaS)
  - Anything as a service (XaaS)
  - Public
  - Community
  - Private
  - Hybrid
- Cloud service providers
- Managed service provider (MSP)/managed security service provider (MSSP)
- On-premises vs. off-premises
- Fog computing
- Edge computing
- Thin client
- Containers
- Microservices/API
- Infrastructure as code
  - Software-defined networking (SDN)
  - Software-defined visibility (SDV)
- Serverless architecture
- Services integration
- Resource policies
- Transit gateway
- Virtualization
  - Virtual machine (VM) sprawl avoidance
  - VM escape protection
2.3 - Summarize secure application development, deployment, and automation concepts
- Environment
  - Development
  - Test
  - Staging
  - Production
  - Quality assurance (QA)
- Provisioning and deprovisioning
- Integrity measurement
- Secure coding techniques
  - Normalization
  - Stored procedures
  - Obfuscation/camouflage
  - Code reuse/dead code
  - Server-side vs. client-side execution and validation
  - Memory management
  - Use of third-party libraries and software development kits (SDKs)
  - Data exposure
- Open Web Application Security Project (OWASP)
- Software diversity
  - Compiler
  - Binary
- Automation/scripting
  - Automated courses of action
  - Continuous monitoring
  - Continuous validation
  - Continuous integration
  - Continuous delivery
  - Continuous deployment
- Elasticity
- Scalability
- Version control
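Three of the secure coding techniques in 2.3 (normalization, stored procedures, server-side validation) show up together in a login check. The example below is added for this unit and is not from the CompTIA materials: it uses a constructed in-memory SQLite user store, puts a concatenated query next to a parameterized one, and normalizes the username on the server before it reaches the query. SQLite has no stored procedures, so the bound-parameter form stands in for the same code/data separation; the table, the user `alice` and the allow-list rules are this example's own assumptions.

```python
import sqlite3
import unicodedata


def build_db() -> sqlite3.Connection:
    """Constructed in-memory user store standing in for the real database.
    The password is stored in the clear only to keep the injection point
    visible; a real store holds a salted, stretched hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the statement by concatenation, so user input is parsed as SQL."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def normalize_username(raw: str) -> str:
    """Server-side normalization and validation. Unicode is folded to NFKC so
    look-alike forms (full-width letters, compatibility characters) collapse to
    one canonical spelling before the allow-list is applied. This runs on the
    server because any client-side check can be skipped by calling the API
    directly."""
    name = unicodedata.normalize("NFKC", raw).strip().lower()
    if not name or len(name) > 32:
        raise ValueError("invalid username")
    if not all(c.isascii() and (c.isalnum() or c in "._-") for c in name):
        raise ValueError("invalid username")
    return name


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized query: the driver binds the values, they are never parsed
    as SQL. This is the same code/data separation a stored procedure gives
    (SQLite has no stored procedures, so the bound-parameter form is used)."""
    name = normalize_username(username)
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row[0] > 0
```

With the concatenated form, a password of `' OR '1'='1` or a username of `alice' --` logs in without the secret; with the parameterized form the same strings are just values that match no row, and the normalization step rejects the quote and the comment marker before the query is even built.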
2.4 - Summarize authentication and authorization design concepts
- Authentication methods
  - Directory services
  - Federation
  - Attestation
  - Technologies
    - Time-based one-time password (TOTP)
    - HMAC-based one-time password (HOTP)
    - Short message service (SMS)
    - Token key
    - Static codes
    - Authentication applications
    - Push notifications
    - Phone call
  - Smart card authentication
- Biometrics
  - Fingerprint
  - Retina
  - Iris
  - Facial
  - Voice
  - Vein
  - Gait analysis
  - Efficacy rates
    - False acceptance
    - False rejection
    - Crossover error rate
- Multifactor authentication (MFA) factors and attributes
  - Factors
    - Something you know
    - Something you have
    - Something you are
  - Attributes
    - Somewhere you are
    - Something you can do
    - Something you exhibit
    - Someone you know
- Authentication, authorization, and accounting (AAA)
- Cloud vs. on-premises requirements
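HOTP and TOTP, listed under authentication technologies in 2.4, are short enough to implement end to end. The example below is added for this unit and is not from the CompTIA materials: it implements RFC 4226 (HOTP) and RFC 6238 (TOTP) over the standard library and adds the two server-side checks the RFCs describe, a look-ahead window for HOTP counter resynchronization and a clock-skew window for TOTP. The shared secret is the ASCII string both RFCs use for their published test vectors; `verify_hotp` and `verify_totp`, with their window sizes, are this example's own names and choices.

```python
import hashlib
import hmac
import struct

# The secret both RFC 4226 and RFC 6238 use for their test vectors
# (ASCII "12345678901234567890"). A deployment provisions a random secret.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HMAC-based one-time password (RFC 4226)."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(secret, msg, digestmod).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """Time-based one-time password (RFC 6238): HOTP with the counter
    replaced by the number of `step`-second intervals since the epoch."""
    return hotp(secret, unix_time // step, digits, digestmod)


def verify_hotp(secret: bytes, candidate: str, last_counter: int, look_ahead: int = 5):
    """Server-side HOTP check with a resynchronization window. The token may
    have been pressed a few times without a login, so the server tries the
    next `look_ahead` counters. Returns the counter that matched (the server
    stores it so the same code is never accepted twice) or None."""
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, c), candidate):
            return c
    return None


def verify_totp(secret: bytes, candidate: str, now: int, step: int = 30,
                drift: int = 1) -> bool:
    """Accept the current window plus `drift` windows either side to tolerate
    clock skew between server and device. Comparison is constant-time."""
    for w in range(-drift, drift + 1):
        if hmac.compare_digest(totp(secret, now + w * step, step), candidate):
            return True
    return False
```

The look-ahead window is the HOTP weakness worth knowing: the larger it is, the more codes are valid at once, so it must be small and the stored counter must move forward on every success. TOTP has the same trade-off in time rather than counter space, which is why the drift window is usually one step and why a code should also be rejected if it was already used within its window.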
2.5 - Given a scenario, implement cybersecurity resilience
- Redundancy
  - Geographic dispersal
  - Disk
    - Redundant array of inexpensive disks (RAID) levels
    - Multipath
  - Network
    - Load balancers
    - Network interface card (NIC) teaming
  - Power
    - Uninterruptible power supply (UPS)
    - Generator
    - Dual supply
    - Managed power distribution units (PDUs)
- Replication
  - Storage area network
  - VM
- On-premises vs. cloud
- Backup types
  - Full
  - Incremental
  - Snapshot
  - Differential
  - Tape
  - Disk
  - Copy
  - Network-attached storage (NAS)
  - Storage area network
  - Cloud
  - Image
  - Online vs. offline
  - Offsite storage
    - Distance considerations
- Non-persistence
  - Revert to known state
  - Last known-good configuration
  - Live boot media
- High availability
  - Scalability
- Restoration order
- Diversity
  - Technologies
  - Vendors
  - Crypto
  - Controls
2.6 - Explain the security implications of embedded and specialized systems
- Embedded systems
  - Raspberry Pi
  - Field-programmable gate array (FPGA)
  - Arduino
- Supervisory control and data acquisition (SCADA)/industrial control system (ICS)
  - Facilities
  - Industrial
  - Manufacturing
  - Energy
  - Logistics
- Internet of Things (IoT)
  - Sensors
  - Smart devices
  - Wearables
  - Facility automation
  - Weak defaults
- Specialized
  - Medical systems
  - Vehicles
  - Aircraft
  - Smart meters
- Voice over IP (VoIP)
- Heating, ventilation, air conditioning (HVAC)
- Drones/AVs
- Multifunction printer (MFP)
- Real-time operating system (RTOS)
- Surveillance systems
- System on chip (SoC)
- Communication considerations
  - 5G
  - Narrow-band
  - Baseband radio
  - Subscriber identity module (SIM) cards
  - Zigbee
- Constraints
  - Power
  - Compute
  - Network
  - Crypto
  - Inability to patch
  - Authentication
  - Range
  - Cost
  - Implied trust
2.7 - Explain the importance of physical security controls
- Bollards/barricades
- Mantraps
- Badges
- Alarms
- Signage
- Cameras
  - Motion recognition
  - Object detection
- Closed-circuit television (CCTV)
- Industrial camouflage
- Personnel
  - Guards
  - Robot sentries
  - Reception
  - Two-person integrity/control
- Locks
  - Biometrics
  - Electronic
  - Physical
  - Cable locks
- USB data blocker
- Lighting
- Fencing
- Fire suppression
- Sensors
  - Motion detection
  - Noise detection
  - Proximity reader
  - Moisture detection
  - Cards
  - Temperature
- Drones/UAV
- Visitor logs
- Faraday cages
- Air gap
- Demilitarized zone (DMZ)
- Protected cable distribution
- Secure areas
  - Air gap
  - Vault
  - Safe
  - Hot aisle
  - Cold aisle
- Secure data destruction
  - Burning
  - Shredding
  - Pulping
  - Pulverizing
  - Degaussing
  - Third-party solutions
2.8 - Summarize the basics of cryptographic concepts
- Digital signatures
- Key length
- Key stretching
- Salting
- Hashing
- Key exchange
- Elliptic-curve cryptography
- Perfect forward secrecy
- Quantum
  - Communications
  - Computing
- Post-quantum
- Ephemeral
- Modes of operation
  - Authenticated
  - Unauthenticated
  - Counter
- Blockchain
  - Public ledgers
- Cipher suites
  - Stream
  - Block
- Symmetric vs. asymmetric
- Lightweight cryptography
- Steganography
  - Audio
  - Video
  - Image
- Homomorphic encryption
- Common use cases
  - Low power devices
  - Low latency
  - High resiliency
  - Supporting confidentiality
  - Supporting integrity
  - Supporting obfuscation
  - Supporting authentication
  - Supporting non-repudiation
- Limitations
  - Speed
  - Size
  - Weak keys
  - Time
  - Longevity
  - Predictability
  - Reuse
  - Entropy
  - Computational overheads
  - Resource vs. security constraints
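Several 2.8 items (salting, key stretching, hashing, and the authenticated, unauthenticated and counter modes of operation) fit in one worked example. The code below is added for this unit and is not from the CompTIA materials: it stores and verifies a password with PBKDF2-HMAC-SHA256 (salted and stretched), derives separate encryption and MAC keys from a password, and then shows why an unauthenticated counter mode is malleable by flipping one ciphertext byte and watching the plaintext change, which the encrypt-then-MAC variant rejects. One assumption is deliberate: the keystream uses HMAC-SHA256 as the block function instead of AES so the example needs nothing outside the standard library; the malleability it demonstrates is exactly that of real AES-CTR. The 600,000 iteration figure is the OWASP Password Storage Cheat Sheet value for this algorithm; the function names are this example's own.

```python
import hashlib
import hmac
import os

# Salting and key stretching: PBKDF2-HMAC-SHA256. 600,000 iterations is the
# OWASP Password Storage Cheat Sheet figure for this algorithm; lower it only
# for throwaway tests.
PBKDF2_ITERATIONS = 600_000


def password_hash(password: str, salt: bytes = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, stretched password hash in a self-describing string. The random
    salt means two users with the same password get different hashes (and no
    precomputed table applies); the iteration count makes each guess slow."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def password_verify(stored: str, password: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


def derive_keys(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS):
    """Stretch a password into separate encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=64)
    return km[:32], km[32:]


# Counter mode. Keystream block i = HMAC-SHA256(key, nonce || i); this stands
# in for the AES block cipher so the example needs only the standard library.
# The properties shown (malleability, need for a MAC) are those of real CTR.
def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_unauthenticated(enc_key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)                          # never reuse with one key
    return nonce + ctr_xor(enc_key, nonce, plaintext)


def decrypt_unauthenticated(enc_key: bytes, blob: bytes) -> bytes:
    return ctr_xor(enc_key, blob[:16], blob[16:])   # no integrity check at all


def encrypt_authenticated(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce and ciphertext."""
    body = encrypt_unauthenticated(enc_key, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def decrypt_authenticated(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: ciphertext was modified")
    return decrypt_unauthenticated(enc_key, body)


def flip_byte(blob: bytes, offset: int, mask: int) -> bytes:
    """What an on-path attacker does: XOR one ciphertext byte. In counter mode
    the same bits flip in the recovered plaintext, with no key needed."""
    out = bytearray(blob)
    out[offset] ^= mask
    return bytes(out)
```

Encrypting `PAY alice $0100` without a tag and XOR-ing the ciphertext byte that carries the first `0` with `0x09` decrypts cleanly to `PAY alice $9100`; the authenticated version raises on the same edit. That is the practical meaning of "authenticated" in the modes list: confidentiality alone does not give integrity, and in production the combined modes (AES-GCM, ChaCha20-Poly1305) should be used rather than assembling encrypt-then-MAC by hand.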