Time
7 hours 35 minutes
Difficulty
Intermediate
CEU/CPE
12

Video Transcription

00:01
Everyone, welcome to Domain 2, Lesson 2 of the SSCP exam prep.
00:07
I'm your host, Pete Cipolone.
00:10
So far in Domain 2 we've looked at the code of ethics, which is the standard for acceptable behavior. We examined the CIA triad, which is the most important aspect of security. The CIA triad consists of confidentiality, integrity
00:30
and availability.
00:31
Now, in this lesson, we take a look at security architecture,
00:35
which is the practice of designing a framework for security systems.
00:40
We look at controls
00:43
which are safeguards implemented to deal with risk.
00:47
And we examine system security plans, which are comprehensive documents detailing the security requirements and controls of a system.
00:57
Let's get started.
01:00
A security architecture is the practice of designing a framework for the structure and function of all information security systems in the organization.
01:10
And when designing a security architecture, it's always very important to use best practices whenever possible.
01:17
Best practices for a security architecture are things like defense in depth,
01:21
risk-based controls, least privilege, authorization and accountability, and separation of duties.
01:27
Let's take a look at each one of these components in more detail.
01:32
Defense in depth is the implementation of multiple controls, so that successful penetration and compromise is more difficult to obtain.
01:42
Security is not perfect. We all know this. That's why it's important to add layers that make up for the imperfections in security defense.
01:52
Overlapping defenses are effective because they minimize the different ways an attack can occur. So there is email security for email attack vectors, browser security for browser attack vectors, and so on.
02:07
This also applies to outside-in attacks and inside-out attacks. So, in other words,
02:15
defense in depth prevents attacks from the outside coming into your organization, and also insider threats: employees in the organization who want to attack the organization.
02:29
These defenses back each other up, and they avoid a single point of failure, so that even if one defense goes down for whatever reason, there are plenty of other defenses to protect the organization.
02:40
The second component of a security architecture is risk-based controls,
02:49
so risk is defined as the combination of threats, vulnerabilities, and the impact of both.
02:58
Risk basically shows the damage that could be done if security controls do not exist.
03:06
Controls are definitely needed because all organizations face threats.
03:09
Now there are tangible and intangible consequences if this risk is not dealt with. You can have things such as stolen assets
03:22
as a tangible risk, or you can have a loss of investor confidence as an intangible risk.
03:30
Controls are implemented based on risk assessments and analysis
03:36
and the value of the assets. Management decides what controls are necessary, but to do that, they need to have correct risk information. They need to be able to correctly assess the risk
03:47
using a standard process, which is needed for consistent results.
03:53
That's why there are things such as doctors and COBRA.
03:58
These two are standard processes for determining risk and provide consistent results time after time.
04:06
Accurate, consistent results are a success factor in getting an organization's buy-in for security measures.
04:15
Least privilege. We talked a little bit about this in the last lesson, but least privilege is the concept of need to know:
04:21
people can only access enough information to do their jobs properly.
04:27
Least privilege reduces the number of authorized users doing things they shouldn't be doing,
04:31
but it also reduces the number of accidental errors too. For example, you can't delete a file that you don't have access to.
04:41
Least privilege is great because it makes an attacker's job much more difficult. So, for example, in an organization, if a hacker breaks into the payroll system, they would only have access to things in payroll. They would not have access to anything in marketing, anything from the legal department,
05:00
or in the IT department.
05:02
So with least privilege, a hacker's ability to move about the organization's network is much harder.
05:12
The great part about least privilege is that it can be implemented at different security levels, such as the operating system level, or the application, process, file or physical levels.
05:25
Least privilege is usually set by groups, which is great too. So everyone is in the group for billing.
05:32
If everyone has a billing label, they only have access to materials needed for billing.
05:40
Authorization and accountability.
05:43
Authorization determines what a person can do once authenticated.
05:46
It is the third step in the access control system, and authorization records are kept for validation purposes.
05:56
These records are kept to determine if the process of accessing data is working as intended.
06:02
They're also kept for determining breaches or any type of forensic evidence.
06:10
Accountability is a principle that ties users to their actions.
06:15
This is enforced through user accounts and event logs.
06:19
Always protect your credentials from unauthorized use.
06:24
Anything done with your account credentials will be attributed to you, even if it wasn't you. If your account credentials were used to do something you shouldn't have been doing, it will always be traced back to you.
06:38
Separation of duties is a security mechanism for preventing fraud and unauthorized use that requires two or more individuals to complete a task or perform a specific function.
06:49
So this is when a task is broken up into two separate parts
06:54
and two people are required to complete the entire task. So one person does just one part and the other person does the other part.
07:03
This is an important concept of internal control.
07:09
This is also different from dual control, in the sense
07:13
that with dual control you need two people to perform the same thing at the same time, whereas with separation of duties you do not. So, for an example,
07:25
with separation of duties,
07:27
if a person submits an access request to look at a document, they cannot be the same person to approve that request to look at the document. It needs to be two separate people: one person that requests it and the other person to grant that access.
07:44
Dual control. The best example of dual control is nuclear codes. I don't know if you've ever seen the movies where two people have to turn the key at the same time in order to send off the nuclear missile.
07:58
Separation of duties is also used with dual control, as we mentioned, mandatory vacation, which is
08:03
being required by the organization to take some time off, and job rotation, where different employees in the organization take turns doing different functions.
08:13
Controls are safeguards and countermeasures which are created and implemented to deal with risk. They are grouped together depending on their function. So there are three major
08:26
groups of controls. There are management,
08:30
technical and operational.
08:33
Let's take a look at these in more detail.
08:35
Management controls
08:37
are controls that are based upon the management of systems and security.
08:45
These are controls made by people; they are decided by people, and they usually exist in the form of policies and procedures.
08:54
Technical controls are controls that are executed by the system itself. There is no actual human involvement. The only human involvement in a technical control would be setting it up, and then the execution of that control is done by the system.
09:11
An example of a technical control is access control, which you are all, as professionals, familiar with.
09:18
The last type of control is an operational control. These are any type of controls that are operated or done by people, so personnel security. If there's a security guard
09:30
outside of the door who's checking badges to make sure no one gets in
09:35
to an organization, that would be an example of an operational control.
09:41
Within the three control categories are different control types. So in each category, management,
09:48
technical and operational, there are seven different types of controls.
09:54
The controls are directive, which specify acceptable rules of behavior.
09:58
Deterrent, which discourages people from violating security directions.
10:03
Preventive controls for stopping a security incident.
10:07
Compensating, which are substitute controls for a loss of primary controls.
10:15
Corrective controls which are implemented to mitigate any damage.
10:20
Detective controls, which signal a warning when something has been breached, and recovery controls, which restore conditions back to normal.
10:31
The table on this slide is a great example of how control types and control groups can intermingle. So, just a random example: if we have a technical control
10:46
with a detective type,
10:48
we can determine that an example of that would be logs. Logs would determine whether or not somebody had broken into the system or whether or not a breach had happened.
10:58
System security plans.
11:01
So system security plans are comprehensive documents that detail the requirements
11:07
of a system, the controls established to meet those requirements, and the responsibility of those administrating or accessing the system.
11:16
The roles and responsibilities
11:18
of a system security plan are the system owner, which is the person responsible for the creation of the system, the implementation, the integration and the maintenance. He has the overall responsibility for the system.
11:33
The information owner, who has the overall authority on the information stored, processed, or transmitted by the system.
11:41
The security officer, who is responsible for coordinating development, review and the acceptance of the security plans,
11:50
and the authorizing official, which is usually a manager or a senior executive with the authority to assume full responsibility
11:58
for the system covered in the system security plan.
12:05
Parts of a system security plan include people and their roles, which we just mentioned,
12:11
contacts of people who have knowledge of the configuration or operation of the system,
12:16
the requirements,
12:18
which are the requirements for confidentiality, integrity and availability of the resources of that system,
12:26
any type of controls which have been implemented to back up and enforce the requirements of the system,
12:35
and procedures for maintenance and review.
12:39
In summary, today we looked at security architectures, which are the framework for developing security systems and their components. We looked at controls, which are the safeguards
12:52
to deal with risk. And we looked at system security plans,
12:56
which are comprehensive documents that provide detail for a specific security system.
13:03
Quiz time.
13:03
This type of control is activated when the existing controls do not work.
13:09
A. Compensating
13:11
B. Corrective
13:13
C. Preventive
13:15
D. Directive
13:18
The correct answer is A, compensating controls.
13:22
Thanks for watching, guys. I hope you learned a lot, and I'll see you next time.

Systems Security Certified Professional (SSCP)

Obtaining your SSCP certification signifies that you possess the ability to tackle the operational demands and responsibilities of security practitioners, including authentication, security testing, intrusion detection/prevention, incident response and recovery, attacks and countermeasures, cryptography, malicious code countermeasures, and more.

Instructed By

Pete Cipolone
Cyber Security Analyst and Programmer
Instructor