Security+ Architecture and Design Notes

This is what you need to know to pass the Security+ exam.

____ Use Cases, Frameworks, and Best Practices ____

Legislative and Regulatory Compliance

NIST Cybersecurity Framework includes the following activities: and does the following:

Please see NIST's online learning of the five parts of their cybersecurity Framework for more information.

Reference Architecture is a a design for how data traverses networks or how to implement security on the network.

Defense in Depth - Organizations should use multiple, overlapping security controls to achieve each of their security objectives. This layered approach protects the integrity of organizational information assets against the following:

  1. The failure of any single security control
  2. Eavesdropping attacks
  3. Malicious network traffic
  4. Unauthorized access to resources
Vendor Diversity is a key to preventing vulnerabilities and failures of one vendor's products from compromising the network.
Control Diversity is diversity in cybersecurity (roles and vendors) and contains the following areas of control:
  1. Technical - Logical controls (e.g. encryption, file permission settings, authentication and etcetera)
  2. Administrative - Official activities to minimize security risks (e.g. background checks on prospective employees, implementing NonDisclosure Agreements [NDAs] and etcetera)
  3. Physical - Tangible measures to protect organizational assets (e.g. Security Guards, fences, locks, security cameras and etcetera)

Security Education

  1. Security Training - knowledge to protect the organization
  2. Security Awareness - Reminders of concepts covered in security training

Customize training based upon user roles

Information Classification

Compliance Training

User-Based Threats

Measuring Security Training

____ Network Architecture ____

Security Zones

  1. Extranets - Intranet segments extended to business partners
  2. Intranet - Local Area Network (LAN) resources that is accessible only within the regular premises or by staff through a Virtual Private Network (VPN) connection, except for stateful connections (connections that originate from within the network).
  3. DeMilitarized Zone (DMZ) - Contains part of the LAN that allow other services to run that do not normally run on workstations and internal servers, but does not contain private information that exists on the intranet (e.g. e-mail server or web server)
  4. Honey Nets - Decoy networks designed to attract attackers, but does not contain any sensitive information
  5. Ad Hoc Networks - Temporary networks that bypass security controls
Switches use Virtual LANs (VLANs) to segment networks at the Data Link layer. Network administrators should use a Network Border Firewall between security zones.

Public and Private Internet Protocol (IP) Addresses

Network Address Translation (NAT) maps private IP addresses (nonroutable) to public (routable) addresses. Since there are a limited number of IP version 4 (IPv4) addresses, network administrators use Port Address Translation (PAT) to map a private IPv4 address to a Transmission Control Protocol (TCP) port.

Subnetting IP Addresses - divides an assigned IP address range into smaller subnetworks that represent business units.
For example, an agency assigned the (up to 16,777,214 hosts) can divide their network, like this:

  1. (up to 262,142 hosts) - Data Center
  2. (up to 262,142 hosts) - Engineering

  3.  ⋮
    (up to 60 more 123.x.0.0/14 subnetworks, where x is a number evenly divisable by 4 and 8x244 with each subnetwork containing up to 262,142 hosts)

  4. (up to 262,142 hosts) - Administration
  5. (up to 262,142 hosts) - Sales

VLANs - Logical LANs based on roles (extends the broadcast domain)

Security Device Placement for the following items requires careful planning:

Software-Defined Networking (SDN) - makes the network programmable via the following means: Port isolation and private VLANs are the same thing, which isolates security issues via single port on a switch (e.g. hotel rooms)

Secure Systems Design - Appliances do the following:

Note: Network Devices which run Special-purpose operating systems (Cisco IOS or Juniper JunOS) and Kiosk Devices require the same control as a workstation.

Data Encryption does the following:

Hardware and Firmware security principles Printer Security Practices - Recommendations
  1. Patch Operating Systems
  2. Secure printer's web server (i.e. change the administrative passwords from their defaults)
  3. Encrypt print traffic
  4. Secure wipe printer hard drives (e.g. DBAN [for personal use] or Blancco [for Enterprise use])
Information Technology Automation - Involves the following: Nonpersistence - Servers and other devices are designed to fail

____ Secure Staging Deployment ____

Software Staging and Release - Deploy codes with the following process: Software Risk Analysis and mitigation

Developing Security Baselines describes minimum security requirements for devices and network access.

Customizing Security Standards Software Baseline and Integrity Measurement
  1. Baseline - A measurement or state (snapshot) at a point in time - Used to define normal usage
  2. Development - Creating programs and solutions for users - Security professionals need to track changes made by developers
  3. Integrity Measurement - A determination on how well a program or solution leaves the system in its original state after it ends, using Trusted Platform Module (TPM) which is a special tamper resistant hardware chip that provides cryptographic hash functions to fingerprint an executable - Used at load time (when code gets deployed) to verify the integrity.
    Trusted Platform Module
    While TPM collects information on the executable, TPM does not actually calculate the hash values. The following mechanisms are used to track changes to code after deployment and then calculate the hash values:

____ Embedded Systems ____

Embedded System Security Securing Smart Devices -

____ Secure Application and Deployment ____

Software Development Security - Defines software security requirements via any of the following Development Methodologies:
Database security controls

____ Cloud and Virtualization ____

Cloud Computing and Virtualization
____ Physical Security ____

The navigation options for this page are:

Good luck!