Security+ Architecture and Design Notes

This is what you need to know to pass the Security+ exam.

Use Cases, Frameworks, and Best Practices

Legislative and Regulatory Compliance

Criminal Law - Violations that can result in a jail sentance or other punishment

Civil Law - Resolve Disputes

Administrative Law - facilitate effective government

Private Regulations - Flow from Contractual Relationships

4^th Amendment - Right to be secure from unreasonable searches and seizures and arbitrary arrests. Law enforcement officials normally need a warrant to conduct these activities.
Federal Information Security Modernization Act (FISMA)
1. Security Frameworks - A collection of standards and practices designed to form a solid approach to information security
2. Reference Frameworks - A description of the specific controls that would achieve an organization's security objectives

NIST Cybersecurity Framework includes the following activities:

Identify - Assists in developing an organizational understanding to managing cybersecurity risk to systems, people, assets, data, and capabilities.
Protect - Outlines appropriate safeguards to ensure delivery of critical infrastructure services and supports the ability to limit or contain the impact of a potential cybersecurity event.
Detect - Defines the appropriate activities to identify the occurrence of a cybersecurity event.
Repond - Includes appropriate activities to take action regarding a detected cybersecurity incident and supports the ability to contain the impact of a potential cybersecurity incident.
Recover - Identifies appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident in a timely manner.

and does the following:

Provides a common language for cybersecurity risk
Helps identify and prioritize actions
Aligns security actions across control types
Offers different value to different organizations

Please see NIST's online learning of the five parts of their cybersecurity Framework for more information.

Reference Architecture is a a design for how data traverses networks or how to implement security on the network.

Defense in Depth - Organizations should use multiple, overlapping security controls to achieve each of their security objectives. This layered approach protects the integrity of organizational information assets against the following:

The failure of any single security control
Eavesdropping attacks
Malicious network traffic
Unauthorized access to resources

Vendor Diversity is a key to preventing vulnerabilities and failures of one vendor's products from compromising the network.
Control Diversity is diversity in cybersecurity (roles and vendors) and contains the following areas of control:

Technical - Logical controls (e.g. encryption, file permission settings, authentication and etcetera)
Administrative - Official activities to minimize security risks (e.g. background checks on prospective employees, implementing NonDisclosure Agreements [NDAs] and etcetera)
Physical - Tangible measures to protect organizational assets (e.g. Security Guards, fences, locks, security cameras and etcetera)

Security Education

Security Training - knowledge to protect the organization
Security Awareness - Reminders of concepts covered in security training

Customize training based upon user roles

Established Security Policies and Programs - detailed rules and instructions that management ratifies and activities to educate users on these rules and instructions
Training frequency - depends on organization's needs

Information Classification

Data Classification Policies - data handling
Labeling Requirements - Identify sensitive information
Securely dispose information on old devices

Compliance Training

Compliance Programs - Ensure information security controls are consistent with laws and regulations.
Include compliance obligations
- Laws - rules for everyone that are created by statutes that originate from legilative bills (e.g. Public Law 106 - 102 - Gramm-Leach-Bliley Act)
- Regulations - rules that are created by a government agency (e.g. HIPAA Home Security Rules)
- Standards - Detailed technical specifications for security and other controls (e.g. PCI DSS Agreement)
Begin implementing compliance obligations with a gap analysis
Implement Good User Habits, such as:
- Good Passwords
- Clean Desk Policies
- Physical Security Training
- Good BYOD policies
- Appropriate peer-to-peer and social media use

User-Based Threats

Phishing - Collecting user credentials by tricking users into giving out their credentials
Social Engineering - The art of manipulating people so they give up confidential information
Malware - Malicious software

Measuring Security Training

Simulated Phishing (e.g. PhishMe Simulator)
Security Awareness Surveys - Ask users how they feel about information security.
Measure how awareness changes over time - Analyzing survey answers over time.
Change tactics based on survey results - Adapting security training according to organizational needs and how well users know their part in maintaining information security.

Network Architecture

Security Zones

Extranets - Intranet segments extended to business partners
Intranet - Local Area Network (LAN) resources that is accessible only within the regular premises or by staff through a Virtual Private Network (VPN) connection, except for stateful connections (connections that originate from within the network).
DeMilitarized Zone (DMZ) - Contains part of the LAN that allow other services to run that do not normally run on workstations and internal servers, but does not contain private information that exists on the intranet (e.g. e-mail server or web server)
Honey Nets - Decoy networks designed to attract attackers, but does not contain any sensitive information
Ad Hoc Networks - Temporary networks that bypass security controls

Switches use Virtual LANs (VLANs) to segment networks at the Data Link layer. Network administrators should use a Network Border Firewall between security zones.

Public and Private Internet Protocol (IP) Addresses

Public - Routable through the internet
Private - Not routable through the internet, namely:
- Class A - 10.0.0.0/8
- Class B - 172.16.0.0/12
- Class C - 192.168.0.0/16

Network Address Translation (NAT) maps private IP addresses (nonroutable) to public (routable) addresses. Since there are a limited number of IP version 4 (IPv4) addresses, network administrators use Port Address Translation (PAT) to map a private IPv4 address to a Transmission Control Protocol (TCP) port.

Subnetting IP Addresses - divides an assigned IP address range into smaller subnetworks that represent business units.
For example, an agency assigned the 123.0.0.0/8 (up to 16,777,214 hosts) can divide their network, like this:

123.0.0.0/14 (up to 262,142 hosts) - Data Center
123.4.0.0/14 (up to 262,142 hosts) - Engineering

⋮ ↓	(up to 60 more 123.x.0.0/14 subnetworks, where x is a number evenly divisable by 4 and 8 ≤ x ≤ 244 with each subnetwork containing up to 262,142 hosts)

123.248.0.0/14 (up to 262,142 hosts) - Administration
123.252.0.0/14 (up to 262,142 hosts) - Sales

VLANs - Logical LANs based on roles (extends the broadcast domain)

Security Device Placement for the following items requires careful planning:

Network Border Firewall - A firewall which is on the perimeter of the network and does packet filtering and then applies rules from Access Control Lists (ACLs) to determine what is allowed into the LAN.
Network Traffic Collectors - Used to determine what traffic exists on a network by doing the following:
- Collect and analyze data flow
- Correlate data and unveil traffic patterns
- Pin point the cause of bottle necks and other security risks
Network Switched Port ANalyzer (SPAN) Ports - A port that a sniffer is attached to for netflow analysis.
Security Information and Event Management (SIEM) - Provides real-time analysis of security alerts generated by network hardware and applications to help network administrators respond to attacks faster and organize mountains of log data.
Proxy servers and content filters (normally in DMZ) - Evaluates web requests from users and forwards it to the internet. When the responses come back to the proxy server it will evaluate the responses and then forawrd it back to the user, if the responses are deamed acceptable.
VPN Concentrators - A type of networking device that provides secure creation of VPN connections and delivery of messages between VPN nodes (usually a router), built specifically for creating and managing VPN communication infrastructures.
SSL Accelerators - Maintain the security and encryption of data going through a large network while also making sure the application runs efficiently by going through the handshake process for Secure Socket Layer (SSL) process on behalf of web servers in a server farm (i.e. the SSL Accelerator will process encryption and decryption requests while the web servers render web content).
Load Balancers - Distribute network traffic across multiple servers
DDoS Mitigation Tools - Tools that prevent a Distributed Denial of Service (DDoS) attack on the network.

Software-Defined Networking (SDN) - makes the network programmable via the following means:

Network Functions
1. Control Plane - Data flow decisions made by switches and routers
2. Data Plane - Data simply being forwarded through routers and switches (no decisions made)
Security benefits
- Granular network configurations
- Respond to Security Incidents
Security Network Complexity - Need to monitor and act appropriately

Port isolation and private VLANs are the same thing, which isolates security issues via single port on a switch (e.g. hotel rooms)

Secure Systems Design - Appliances do the following:

Bundle together hardware and software to achieve a function
Often run full operating systems
Requires vendor support for updates

Note: Network Devices which run Special-purpose operating systems (Cisco IOS or Juniper JunOS) and Kiosk Devices require the same control as a workstation.

Data Encryption does the following:

Protects Data
Mostly uses software (e.g. aescrypt)
Full Disk Encryption (FDE) protects and entire hard drive (e.g. FileVault on Apple Mac)
Hardware Security Modules (HSMs) use dedicated hardware that is built for encryption and decryption (gold standard) and come in the following forms:
- Trusted Platform Modules (TPMs)
- Self-Encrypting Drives (SEDs)

Hardware and Firmware security principles

Basic Input and Output Systems (BIOS) • Vulnerable
Unified Extensible Firmware Interface (UEFI), which includes the following:
- Secure Boot
  1. Read the boot loader from disk
  2. Compute the hash of the boot loader
  3. Decrypt the boot loader's digital signature
  4. Verify that the signature is accurate
- Remote Atestation
Hardware Root of Trust - Verifies that the UEFI is good
Electromagnetic Magnetic Interference (EMI)
Peripheral Security - shoring up peripherals to protect agains attacks

Printer Security Practices - Recommendations

Patch Operating Systems
Secure printer's web server (i.e. change the administrative passwords from their defaults)
Encrypt print traffic
Secure wipe printer hard drives (e.g. DBAN [for personal use] or Blancco [for Enterprise use])

Information Technology Automation - Involves the following:

Use of scripts to deploy servers and workstations (e.g. DISM)
Distributive allocation refers to load balancing
Validate system configurations
Continuous monitoring for automation for analysis and response events

Nonpersistence - Servers and other devices are designed to fail

Automatic builds
System snapshots
Revert to known state
Live boot media

Secure Staging Deployment

Software Staging and Release - Deploy codes with the following process:

Development Environment - allows developers to create and modify code
Test Environment - facilitates testing
Staging Environment - Prepares code for release
Production - moves to live services to end users
1. Sensitive Data should be prohibited or tightly controlled in non-production environments
2. Code Deployment should be performed by someone other than a developer, particularly in production

Software Risk Analysis and mitigation

Risk Analysis
Intergrate Security with the SDLC - Security should be part of the development process from the start - Avoid bolt-on security!
Understand software security threats!
Mitigate Software Risks
- Perform input validation
- Encrypt sensitive data
- Enforce least privilege principle
- Test all code prior to development
Sandboxing - Isolates development code from production system until approved by system administrator (usually management)

Developing Security Baselines describes minimum security requirements for devices and network access.

Monitoring for deviations from security standards

Leveraging Industry Standards (e.g. NIST Security Standards for Apple OS X 10.10)
Security Benchmarks (e.g. benchmarks.cisecurity.org)

Customizing Security Standards

Use security baselines to establish any necessary changes
Document the reasons for any deviations from industry standards
Add, remove and modify controls to develop proprietary (customized) security standards

Software Baseline and Integrity Measurement

Baseline - A measurement or state (snapshot) at a point in time - Used to define normal usage
Development - Creating programs and solutions for users - Security professionals need to track changes made by developers
Integrity Measurement - A determination on how well a program or solution leaves the system in its original state after it ends, using Trusted Platform Module (TPM) which is a special tamper resistant hardware chip that provides cryptographic hash functions to fingerprint an executable - Used at load time (when code gets deployed) to verify the integrity.

While TPM collects information on the executable, TPM does not actually calculate the hash values. The following mechanisms are used to track changes to code after deployment and then calculate the hash values:
- Integrity Measurement Architecture (IMA) - Maintains a kernel trust chain
- Core-Root-of-Trust-Measurement (CRTM) - Measures the bootloader and then sends the hash value to the TPM for storage in a Platform Configuration Register (PCR) with an Attestation Identity Key (AIK)

Embedded Systems

Embedded System Security

Industrial Control Systems (ICS) - Computer systems that run community infrastructure and utility systems (i.e. electric power, natural gas, water, and etcetera...)
Supervisory Control And Data Acquisition (SCADA) - provide sensor data and remote control over a system. Therefore, this require remote monitoring of infrastructure and utility systems for signs of unauthorized activities (i.e. hacking and malware)
Distributed Control Systems (DCS) - uses a combnination of sensors to control and adjust processes as they receive feedback.
Programmable Logic Controllers (PLC) - designed to handle and respond to specialized input and output requirements reliability to ensure that the processes they support occur without interruption or delay.
Internet of Things (IoT) - Computer controlled devices that connect to the internet (i.e. smart devices)

Securing Smart Devices -

Patch (update) smart devices and other systems via
1. Automic updates - Device automatically searches for updates, installs them, and then applies them
2. Manual updates - Requires someone to search for updates, install them, and then apply them
Firmware Version Control
Security Wrappers (mini-firewall)
Used reduntant approach
Secure Networking for smart devices by using network segmentation - seperate from trusted network (i.e. DMZ)
Air gapped network - systems that are not connected to a computer - SneakerNet required to trasmit data from device
Application Firewalls - Software firewalls that filter data based on application services
Embedded device security controls are effective for mainframes as well.
Embedded Systems = Smart Devices that power IoT
System on a chip - companents on a system board
Real-Time Operating System (RTOS) technologies - Prioritizes processes

Secure Application and Deployment

Software Development Security - Defines software security requirements via any of the following Development Methodologies:

Software Development Life-Cycle (SDLC) - Uses the following process to produce high-quality software products:

Planning* - Analysis of customers, associates and industry experts and then subsequent assessment to plan the basic project approach and to conduct product feasibility study in the economical, operational and technical areas
Defining - to clearly define and document the product requirements and get them approved from the customer or the market analysts.
Designing - To propose more than one design approach for the product architecture and then document it in a Design Document Specification (DDS)
Building - the actual development starts and the product is built according to the DDS
Testing - Developers and Quality Assurance personnel test the product to verify whether or not it meets the requirements
Deployment - The product is formally released (deployed) in the appropriate manner
* Since updates are likely required, developers will likely need to return to the planning stage until the product or solution is deemed obsolete.

__________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

Waterfall Model (not common due to strictness) - Follows this process:

Requirement Analysis - All possible requirements of the system to be developed are captured
System Design - The requirement specifications from first phase are studied in this phase and the system design is prepared
Implementation - With inputs from the system design, the system is first developed in small programs called units, which are integrated in the next phas
Testing - All the units developed in the implementation phase are integrated into a system after testing of each unit
Deployment - Once all of the test results are satisfied, the product is deployed
Maintenance - Users are supported and issues which come up in the client environment get fixed with patches that are released

Spiral Model - moved through in an iterative manner in the following manner:

Planning* - Identifying the system requirements for continuous communication between the system analyst and the customer(s)
Risk Analysis - Identifying potential risks planning a mitigation strategy which must be finalized before going to the next step
Engineering - Testing, coding and deploying software to the customer(s)
Evaluation - Evaluation of software by the customer, identifying risks, mitigating issues and monitoring risks such as schedule slippage and cost overrun

* The planning stage starts again as issues and concerns come up or when updates or patches become necessary.

Agile (ajəl) - This is a good software development method because of its iteractive nature which uses the following process:
1. Concept - Projects are envisioned and prioritized
2. Inception - Team members are identified, funding is put in place, and initial environments and requirements are discussed
3. Construction Iterations - The development team works to deliver working software based on iteration requirements and feedback
4. Deployment - Quality Assurance (QA) testing, internal and external training, documentation development, and final release of the iteration into production
5. Production - Ongoing support of the software or solution
6. Retirement - End-of-life activities, including customer notification and migration
__________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

Maturity Models - provides a way for developers to compare their work benchmark standards

SoftWare - Capability Maturity Model (SW - CMM)
1. Initial - The software process is characterized as ad hoc, and occasionally even chaotic. Few processes are defined, and success depends on individual effort.
2. Repeatable - Basic project management processes are established to track cost, schedule, and functionality. The necessary process discipline is in place to repeat earlier successes on projects with similar applications.
3. Defined - The software process for both management and engineering activities is documented, standardized, and integrated into a standard software process for the organization. All projects use an approved, tailored version of the organization's standard software process for developing and maintaining software.
4. Managed - Detailed measures of the software process and product quality are collected. Both the software process and products are quantitatively understood and controlled.
5. Optimizing - Continuous process improvement is enabled by quantitative feedback from the process and from piloting innovative ideas and technologies.

IDEAL Model
1. Initiating - The business reasons for undertaking the effort are clearly articulated.
2. Diagnosing - builds upon the initiating phase to develop a more complete understanding of the improvement work
3. Establishing - develop a detailed work plan by prioritizing work and developing an approach
4. Action - implement the work that has been conceptualized and planned in the previous three phases
5. Learning - continuously improve the ability to implement change

Operation, maintenance, and change management - Software development is never finished until it is decommissioned
- Change Management accomplishes two things, namely:
  1. Request For Control
  2. Release Control
- This is the Maintenance Process (Change Management)
  1. Request for Change* - Change requests come from users, customers or management
  2. Impact Analysis - a formal way of collecting data and supposition in support of the pros and cons in any change or disruption to business
  3. System Release Planning - software developers plan, develop, maintain, and replace software systems with a high degree of efficiency and quality
  4. Change Implementation - Software Developers prepare for deployment by testing their software, making all necessary adjustments and then getting management and customer approval to release the software
  5. System Release - Deploying the software and providing support for this software
*Since change is inevitable, developers will need to return to step 1 after system release for patching issues and software updates. This process keeps cycling through until the software is no longer used.
Developer Operations (DevOps) - The most common software development method because of its iteractive nature which builds collaboration & embraces automation for a secure and efficient development environment
- Infrastructure as Code - scripts the creation of resources in which infrastructure are provisioned and managed using code and software development techniques, such as version control and continuous integration
- Continuous Integration - developers regularly merge their code changes into a central repository, after which automated builds and tests are run
- Security Automation or Policy as Code - A component of Infrastructure as Code that allows organizations can monitor and enforce compliance dynamically and at scale
- Configuration Management - A component of Infrastructure as Code that allows Developers and system administrators use code to automate operating system and host configuration, operational tasks, and more
Code Access Systems (ability to edit)
- Immutable - Code cannot be changed
- Mutable - Code can be changed
Approaches to Application Control
- Blacklist - allows most software on a device unless it is explicitly prohibited
- Whitelist - Does not allow any software on a device unless it is explicitly permitted
Code Repositories - House keeping of development activities for consistence (e.g. git)
- Libraries - shared code objects
- Software Development Kits (SDKs) - a set of software development tools that allow developers to create applications, software or framework
- Application Programming Interfaces (APIs) - A specification of possible interactions with a software component
- Third-party code - computer programming code licensed to the Company or any of its Subsidiaries pursuant to a Contract identified on Schedule 4.19(e) or Schedule 4.19(f)
- Code Reuse - The practice of using already-existing code to perform a new function or to act in a new environment
- Dead Code - Code that is never executed
Code Signing
- Signing the Code - Developers
  1. Obtain digital certificates
  2. Creates digital signatures for code using the private keys associated with the certificates
- Verifying Code Signatures
  1. Users download the software
  2. The operating system uses the certificate public key to validate signatures
  3. The operating systems verifies that the signature hashes match the code
Code Reviews - Peer Analysis - access code
- Fagan Code Inspections (formal)
- Less formal processes
Compiled Code - Code that in converted to an executable program
Runtime Code - Code that is being executed
Software testing
1. Model Validation -
2. Software Verification -
  - Stress Testing
  - User Acceptance Testing (UAT) - Beta testing
  - Regression Testing
Code Tests - Uses technology to vet code - Code review, static testing, and dynamic testing are complementary, rather than competitors
1. Static Tests - A search for defects when the code is not running - This is considered white box testing since the code is available (see below).
2. Dynamic Tests - Executing the code to verify that it functions properly with synthetic transactions (inputs) - best not to use actual input data.
Software Vulnerability Testing - Software may run fine, except there may be vulnerabilities lurking in that software. Therefore, testing may be done with one of the following methods:
- Black Box Testing - The tester does not have access to the source code of the Application Under Test (AUT)
- Gray Box Testing - The tester has partial access to the source code of the Application Under Test (AUT)
- White Box Testing - The tester has full access to the source code of the Application Under Test (AUT)
Proper Input Validation - Requires the following activities:
1. Verify that the input does not contain an invalid characters that would cause a breach in security. Please watch Professor Messer's lecture on data code injections for more information.
2. Protect against any race condition which is a vulnerability that exists when multiple processes can access and manipulate the same data concurrently, and the outcome of the execution depends on the particular order in which the access takes place - A race condition allows an attacker to run an illegitimate script that processes data at the same time that the legitimate processes that same data with the hope of gaining unauthorized access to that data by "Winning the Race" against the legitimate process.
Fuzz testing - Automatically puts in input value to try to break the code (e.g. OWASP's Zed Attack Proxy [ZAP]) - Avoid looking like a hacker! here are a few different types of fuzzing:
- Application Fuzzing - Attack vectors within the application's input and output
- Protocol Fuzzing - Forged packets sent to the tested application which can act as a prozy and modify requests on the fly and then replay them
- File Format Fuzzing - Multiple malformed samples that are generated and then opened sequentially - When the program crashes then the debug information is kept for further investigation.
Code Execution
1. Interpreted Code - written in a higher level program
2. Compiled Code - Produces an executable file which runs in binary or machine language

Database security controls

Database Normal Forms (Normalization)
1. 1^st Normal Form (1NF) - You must define the data items
2. 2^nd Normal Form (2NF) - The data items should meet all the rules for 1NF and there must be no partial dependencies of any of the columns on the primary key
3. 3^rd Normal Form (3NF) - The following conditions are mandatory:
  - The data items are in second normal form and
  - All nonprimary field are dependent on the primary key
Encryption - Protect sensitive data (including development code) by ciphering the plain text so that it cannot be read by a normal human
Obfuscation and camouflage - Hide the locations of sensitive data (including development code)
Stored Procedures for data security - Write Sequential Query Language (SQL) code that can be reused over and over again to protect from SQL Injection attacks

Cloud and Virtualization

Cloud Computing and Virtualization

Virtualization - machines that exist logically on a physical server which runs a virtualization system (e.g. VMWare), but is not a physical host.
Hypervisors permit the instance (use) of one or many different Operating Systems (OSs) to run on single hosts, independently (e.g. VMWare or Microsoft Hyper-V). The different types of hypervisors include:
1. runs directly on physical hardware
2. runs on a hosted operating system that can run other applications, but are not directly connected to physical hardware
Virtual Security
- Virtual machine isolation is critical
- Each server must access to only its own memory and storage
- Patch the virtualization system to guard against Virtual Machine escape attacks which attempt to break out of the guest environment - Often the result of a Virtualized Environment Neglected Operations Manipulation (VENOM) attack or a Pwn2Own attack.
VM Sprawl - Lease to unused and unmaintained servers (need to patch virtualization systems)
Cloud computing models - running a logical computer on equipment owned by someone else
1. Public - Organization uses a shared tenancy infrastructure (i.e. computer exists in a remote site)
2. Private - Organization uses dedicated cloud infrastructure (i.e. computer exists on the organization's premesis)
3. Hybrid - A combination of Public and Private clouds
4. Community - Designed to accommodate the mutual needs of a particular business community
Public cloud tiers

Software as a Service (SaaS) - Software that runs on a server (e.g. Google Docs - Customer is responsible for the data & vendor takes care of the rest
Infrastructure as a Service (IaaS) - Customer is responsible for data, applications and Operating System & vendor is responsible for the hardware and the Data Center
Platform as a Service (PaaS) - Customer is responsible for the data and applications & vendor is responsible for the rest
Security as a Service (SecaaS) - Provides security tools and services, such as:
- Identity and Access Management (IAM)
- Email security
- Encryption
- Firewall management
- IDS/IPS
- SIEM
- Vulnerability and compliance assessments
- Website security

Cloud Storage Security - Apply the same security controls in the cloud
- Encryption - Prevents unauthorized users from access via ciphering plain text (need decryption keys)
- Access Control - Restrict Access to online computers
Security Service Providers
Managed Security Service Providers (MSSPs) = SECurity as a Service (SECaaS) which are IT service providers that provide organizations with some amount of cybersecurity monitoring and management services
Cloud Access Security Brokers (CASB) - Provides on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. The following are pillars of CASB:
- Visibility - The capability to see risk in the environment
- Compliance - The capability to meet regulatory requirements
- Data security - Identifying, monitoring, and securing sensitive data
- Threat protection - Protection against cloud-native malware and account compromise
The two types of CASBs are:
1. Network-Based
  - Broker intercepts traffic between the user and the cloud service, monitoring for security issues
  - Broker can block requests
2. API-Based
  - The broker queries the cloud service via API
  - Broker may not be able to block requests, depending upon API capabilities
Desktop and application virtualization
- Virtual Desktop Infrastructure (VDI) - Provides network-based access to a desktop computing environment
- Virtual Desktop Environments (VDEs) - Similar to server virtualization, except for the differences in their usage and the performance demanda made on them
- Containerization - Runs multiple apps on the same operating system with restricted resource access (Application cells = Containers)

____ Physical Security ____

Site and facility design
- Data Center -
- Data Storage and Media -
- Evidence Storage Locations -
- Wiring Closets -
- Operations Centers and other sensitive locations -
Data center environmental controls
Expanded Environmental Envelope
- Temperatives between 18º Centigrade (64.4º Fahrenheit) and 27º Centigrade (80.6º Fahrenheit)
- Appropriate Humidity - Dew Point Range between 5.5º Centigrade (41.9º Fahrenheit) and 10º Centigrade (50º Fahrenheit) ≈ 40% (± 5%) Humidity
  1. High Humidity - Leads to condensation that may damage electronic equipment
  2. Low Humidity - Leads to static electricity that may damage electronic equipment
- Heating, Ventilation and Air Conditioning (HVAC) layout of data centers with the hot aisle/cold aisle strategy
  1. The backs of racks face each other to create hot aisles where hot air is pumped out of the data center
  2. The fronts of racks face each other to create cold aisles where cold air is pumped into the data center
Data center environmental protection
- Fire - Class C (for electrical) is recommended for data centers
  - Water-based fire extinguishers (Class A)
    1. Wet Pipe Systems - Contain water in the pipes ready to deploy when a fire strikes
    2. Dry Pipe Systems - Do not contain water until a valve opens during a fire alarm or when manually opened
  - Flammable Liquids (Class B) - gasoline and oil - Deprive fires of oxygen
  - Electrical fires (Class C) - Data Centers - Deprive fires of oxygen
  - Heavy Metal fires (Class D) - Industrial applications - Deprive fires of oxygen
  - Kitchen fires (Class K) - Fats and Oils - Deprive fires of oxygen
- Floods
  - Plumbing - Need to design plumbing accordingly to reduce the likelihood of damage from leaks coming from damaged or busted water pipes
  - Natual Disasters - Data centers should be located where the likelihood of natural floods is low (i.e. building a Data Center on a hill or mountain is better than a Data Center next to a river, unless the Data Center can float)
  - Electro-Magnet Immissions (EMI) - Need to monitor - Faraday cages (used primarily used in highly classified Government facilities)
Physical security control types
- Categorizing by intended effect:
  - Deterrent controls - Deter unauthorized activity (e.g. Guard Dogs within a fenced area)
  - Preventive controls - Actually block intruders (e.g. biometrics, badges and etcetera...)
  - Detective controls - Alert authorized personnel of any successful breaches by intruders
- Categorizing by physical security controls by their mechanism of action - Good approaches use both types
  - Technical - Uses technology to deter, prevent or detect security violations
  - Administrative - Uses business processes that are designed to boister physical security
- Compensating Controls - Fill in known gaps in security (e.g. a security guard to monitor who comes through a turnstile gate)
Physical access control - Proper lighting increases the likelihood of security personnel noticing an intruder - Network distribution cables must also be secured
- Physical Perimeter Security - Physically protects the data, property and assets of the organization (more than just fences)
- Preset keys -
- Cipher Locks -
- Biometric locks -
- Access cards -
- Man traps - area between public area and secure area
- Video Surveillance Systems (can include infrared) -
- Fences -
- Bollards -
- Signs - Provides a legal basis
Visitor management
- Visitor procedures
- Camera - should let visitors know
Hardware physical security -
- Encryption protects sensitive data
- Cable locks provide good security - What's on the other end of the cable?
- Safe or locking cabinets
- Identifying tags

The navigation options for this page are:

Go back to Domain #2 → Technology and Tools,
Proceed to Domain #4 → Identity and Access Management,
Return to the main Security+ resources page,
Return to the main Nine Star training website, or
Go to the main Nine Star website.

Good luck!

____ Use Cases, Frameworks, and Best Practices ____