By the end of this course you will be able to
- Apply secure design principles (least privilege, separation of duties, secure defaults, fail securely, defense in depth) from the design phase onward.
- Distinguish and compare the main security models and their use cases.
- Interpret the criteria and methods used to evaluate system security.
- Assess the security capabilities of hardware and information systems.
- Identify vulnerabilities specific to cloud, virtualized, embedded, and IoT architectures, including the shared responsibility model.
- Select and combine cryptographic mechanisms (symmetric, asymmetric, hybrid, hashing) according to risk.
- Recognize the main cryptanalytic attacks and judge their real-world effectiveness.
- Design physical and environmental security controls (CPTED, early smoke detection, redundancy) integrated into the lifecycle.
Prerequisites : A solid grasp of Domain 1 (Security & Risk Management) is recommended: risk management principles and core security concepts are established there and drive the design choices covered here. Basic computing and networking knowledge helps with the cryptographic and architectural material.
Suggested path
This study plan distributes the 9 modules of Domain 3 across 5 progressive sessions, from design foundations through to cryptography and physical security. Plan on one session per coherent thematic block.
-
Session 1 - Principles & security models
MODULE 1 · MODULE 2
Secure design principles (least privilege, SoD, secure defaults, fail securely, defense in depth) and formal security models.
-
Session 2 - Evaluation & system capabilities
MODULE 3 · MODULE 4
Security evaluation criteria and methods, then the security capabilities of hardware and information systems.
-
Session 3 - Architecture vulnerabilities
MODULE 5
Architecture vulnerabilities (cloud with shared responsibility, virtualization, embedded, IoT) and countermeasures.
-
Session 4 - Cryptography
MODULE 6 · MODULE 7
Symmetric and asymmetric encryption, hybrid systems, hashing, key management, and the cryptographic lifecycle.
-
Session 5 - Crypto attacks & physical security/lifecycle
MODULE 8 · MODULE 9
Cryptanalytic attacks (and the weight of the human factor), then physical/environmental security (CPTED, VESDA) and end of lifecycle.
Secure Design Principles
Prerequisites : Be familiar with the development life cycle (SDLC) and the notions of threat, vulnerability and control covered in Domain 1.
Domain 3 opens with a guiding idea: security must be considered as early as possible in the design process, ideally from the initiation phase, and not bolted on after the fact. Building security in at the design level avoids costly rework, preserves performance and reduces unnecessary risk. Adding security late often forces changes to an existing design, which degrades performance and drives up costs.
This module covers the secure design principles that objective 3.1 asks you to explain (Key Area A). We start with threat modeling - a form of testing that adopts the attacker's mindset to locate vulnerabilities without fixing them itself - then work through least privilege, defense in depth, secure defaults, fail securely, separation of duties, keep it simple, trust but verify, zero trust, privacy by design and shared responsibility (cloud).
These principles are not isolated technical controls: they are rules of reasoning that the professional applies so that a system can "operate as efficiently as possible while not taking any unnecessary risks". The exam tests your ability to pick THE right principle for a given scenario, and to distinguish closely related concepts (for example trust but verify vs zero trust).
1.1 Threat modeling and the secure design mindset
Domain 3 starts from a posture: build security in as early as possible in any design process, preferably at the initiation phase. Designing security "at the design level and not as an afterthought" lets the system run as efficiently as possible without taking unnecessary risks. Conversely, adding security at later stages forces changes to the existing design, hurting performance and driving up costs.
Threat modeling (reviewed in Domain 1.10) has a role in every phase of the life cycle, from requirements analysis down to real-time attack detection and response. It gives a conceptual view of how the target functions by asking two questions: "What needs protection and what does it need protection from?". By breaking the organization into its parts (each business unit having its own standards, systems and technologies, hence its own vulnerabilities), you align possible threats with those elements and identify existing threats faster.
The core idea is to adopt the attacker's mindset. The manual illustrates it: give a new phone to an ordinary user and they think "What can it do?"; give it to a malicious actor and they think "What can I make it do?". Because we naturally test within our own mindset, it is essential to test using other mindsets - malicious ones, but also uninformed ones.
Key for the exam: threat modeling is a form of testing that identifies critical systems and services and reveals where vulnerabilities might exist, but it does NOT fix the problem. The organization must then feed the results into its remediation process. STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) is the reference methodology for categorizing threats during this exercise.
- Build security in from the initiation phase: lower cost, better performance.
- Threat modeling applies at every life-cycle phase, from requirements to real-time response.
- Two key questions: what needs protection, and from what?
- It identifies vulnerabilities but does not fix them: remediation still required.
- STRIDE categorizes threats; adopt alternative mindsets, including uninformed ones.
1.2 Least privilege, separation of duties and defense in depth
Least privilege means granting a user the minimum permissions necessary to perform their explicit job function. Mind the trap: it does NOT mean "low permissions". A system administrator needs a privileged account to do their job and gets one; a senior VP, although a trusted individual, does not need a privileged account to do theirs and so does not get one. The criterion is the function, not rank or degree of trust.
Separation of duties (SoD) requires that a single person, process or system cannot complete a sensitive process alone. There must be checks and balances: at least two independent means to verify the authorization of the action and of the actors. The goal is to reduce the chances of corruption and theft. Procurement example: with no SoD, a manager can get a quote, create a purchase order, issue a check and buy a product alone - they can easily exploit trust. With SoD, a purchasing manager signs the purchase order, then only an accountant can issue the check after receiving that signed order. SoD necessarily degrades operational efficiency but enhances security; it is often effective, inexpensive, yet remains underused.
Defense in depth (DiD), introduced by the NSA, is a layered approach to security posture, sometimes called the castle model: the crown jewels sit at the heart of the castle, protected by successive layers (guards, walls, a moat). Adding layers deters attackers and pushes them toward easier targets. The original model defines the layers: Data, Application, Host, Internal network, Perimeter, Physical, and Policies/procedures/awareness (administrative controls against insider threats).
Exam nuance: DiD is sometimes seen as outdated in the era of cloud, BYOD and edge/fog computing, and was historically very prone to insider threats (to the point some say "defense in depth is dead" as too static). As a concept of protecting the most prized assets under layers it remains useful, but must be re-rationalized to cover all control types - administrative, technological and physical.
- Least privilege = minimum needed for the function, not low privilege by default.
- A sysadmin may legitimately hold a privileged account; a trusted VP may not.
- SoD: at least two independent actors for a sensitive process (e.g. procurement).
- SoD reduces corruption/theft but degrades efficiency; underused as it is seen as costly.
- DiD = layers (Data, App, Host, Internal network, Perimeter, Physical, Policy); weak against insiders, needs re-rationalizing.
1.3 Secure defaults, fail securely and keep it simple
Secure defaults (secure by default) means the system's default configuration settings must be the most secure possible, even if this hurts the user experience. Security and user-friendliness are weighed through risk analysis and usability testing, and a balance is required to maintain security requirements while meeting business goals. The professional must advise and insist on secure defaults, whether on the vendor side or the customer side.
Fail securely: a system designed to fail securely (fail-secure) defaults to a secured state if it crashes, reducing potential data exposure and other risks. The fail-secure approach matters for systems with high exposure potential. Caution: human safety must be considered. The manual's example: for fire-evacuation procedures of a sensitive facility, human safety comes first, even at the expense of exposing sensitive data to evacuated personnel. This is the classic fail-secure vs fail-safe trade-off to know for the exam: human life first.
Keep it simple (KISS): security does not have to be complex. Clear, short, direct and easy-to-follow procedures clarify what acceptable behavior is and what is not; they are easier to execute correctly and harder to get wrong. Simple designs are also easier to test, validate and demonstrate correctness for, far more than complex, sophisticated designs. Complexity is an enemy of security.
- Secure defaults: the default setting is the safest, even if it inconveniences the user.
- Security/usability balance via risk analysis and usability testing.
- Fail-secure = secured state after a crash; but human safety outranks data.
- KISS: simplicity = fewer errors, easier to test and validate.
- Insist on secure defaults on both the vendor AND the customer side.
1.4 Trust but verify, zero trust, privacy by design and shared responsibility
Trust but verify is the traditional DiD-inherited posture: the user (human or not) is authenticated once on entry into the environment. Once authenticated, they roam freely across the building, campus or internal networks. Sensitive resources stay protected by permissions and authorization checks, but without additional firewalls or boundaries, no further authentication check (to confirm the ID is who or what it claims to be) is performed. Many small LANs operate this way.
Zero trust starts from the observation that, in a trust but verify environment, a user once inside has nearly unlimited ability to roam, locate assets and find exploitable vulnerabilities. By placing more firewalls or boundary-control devices throughout the network, you increase the chances of detecting a troublemaker before harm is done. Many architectures push this to the extreme with microsegmentation of internal networks, enforcing frequent reauthentication of the user ID. This is the exam distinction: trust but verify = one authentication at entry; zero trust = continuous verification and multiplied internal boundaries.
Privacy by design is a design approach published in 2009 by Ann Cavoukian, then Information and Privacy Commissioner of Ontario, Canada. It aims to ensure privacy is considered throughout a system's design and development stages. The concept was adopted by the GDPR, the U.S. FTC, the CPDP and other regulators, in step with growing privacy demands in global legislation. Corollary: privacy by default - the most privacy-protective settings are active without any user action.
Shared responsibility stems from the rise of cloud: maintaining security and compliance becomes a shared responsibility of the provider and the customer. The customer cannot control everything that happens in the cloud; but you cannot place all responsibility on the provider either, since it controls neither the stored data nor its use. Both sides must therefore do their part under defined terms. The contract (often a service-level agreement, SLA) specifies which responsibilities are exclusive to each party and which are shared.
- Trust but verify: a single authentication at entry, free movement afterward.
- Zero trust: continuous verification, microsegmentation, frequent reauthentication.
- Privacy by design (Cavoukian, 2009): privacy built in throughout design.
- Privacy by default: most protective settings active without user action.
- Shared responsibility: provider and customer share security; the SLA allocates roles.
1.5 Synthesis: choosing the right design principle
Objective 3.1 asks you to explain the significance of basic secure design principles. The manual's "Check Your Understanding" lists them together: least privilege, defense in depth, secure defaults, fail securely, separation of duties, keep it simple, trust but verify, zero trust, privacy by design and shared responsibility. On the exam you get a scenario and must name THE applicable principle, not recite a definition.
A few discrimination cues. A user holds too many rights "just in case": least privilege. A single actor can both initiate AND approve a payment: separation of duties. New equipment ships with every service enabled: secure defaults. A system must drop to a safe state on crash, but without trapping people: fail securely (with the human-safety trade-off). A procedure is so convoluted that users bypass it: keep it simple. A once-authenticated user roams everywhere: trust but verify; if instead you want to re-verify continuously and segment: zero trust. You want privacy built in from the start: privacy by design. Data goes to a cloud provider and you must clarify who secures what: shared responsibility via the SLA.
Two cross-cutting ideas unify these principles. First, security is built in early (initiation phase) and in layers: defense in depth gives the frame, the others are its facets. Second, each principle is a deliberate trade-off: SoD and secure defaults degrade efficiency or user experience but reduce risk - the professional's role is to arbitrate that trade-off knowingly.
- Objective 3.1 bundles 10 principles; the exam tests picking the right one per scenario.
- Defense in depth is the frame; the other principles are facets of it.
- SoD vs least privilege cue: who completes a process vs who holds too many rights.
- Trust but verify vs zero trust cue: one auth at entry vs continuous verification.
- Each principle is a deliberate efficiency/security trade-off to arbitrate.
Case studies
WLDR University: a defense-in-depth segmented network
Context : WLDR University is a Canadian multi-campus research institution with roughly 40,000 students, 2,500 staff and an IT team of 40. Terry, the new CISO, must design and manage a new secure network. The overall infrastructure must include separate networks: Guest, Student, Employee, Development, Research, PCI, Gaming and Athletics. These networks must be isolated from one another while still reaching critical services. This is exactly the manual's "Defense in Depth Strategy" scenario (3.1.3): how do firewalls, intrusion detection/prevention systems (IDS/IPS) and network segmentation create barriers against unauthorized access and lateral movement?
Question : How would you describe a defense-in-depth implementation across the university's network, and which other objective-3.1 principles reinforce isolation of segments like PCI and Research?
Show analysis and answer
Network segmentation realizes DiD at the Internal network layer: each population (Guest, Student, PCI, Research...) lives in its own segment, limiting lateral movement - an attacker compromising Guest does not directly reach the PCI segment. Internal firewalls filter inter-segment traffic by network least privilege (only the necessary flows to critical services are allowed), while IDS/IPS monitor and block unauthorized access attempts. The model's layers reappear: Perimeter (gateway firewalls, DMZ), Internal network (internal firewalls, NAC, IDS/IPS), Host (endpoint), down to Data.
The PCI segment illustrates the need for secure defaults and least privilege: it must expose only the strict minimum, with restrictive default rules (default-deny). Multiplying internal boundaries between segments tends toward a zero trust logic: rather than trusting anything "internal", you re-verify at boundaries and microsegment. The scenario shows that DiD is not a single product but a combination of technical controls (firewalls, IDS/IPS, segmentation) and administrative ones (per-network access policies).
A limit to remember: DiD is historically weak against insider threats. With 2,500 staff and a team of 40, Terry must complement segmentation with internal controls (SoD for sensitive actions, awareness) and monitoring, because a legitimate insider already crosses the first authentication layer.
Takeaway : DiD materializes through segmentation, internal firewalls and IDS/IPS that slow lateral movement; it combines with least privilege, secure defaults and zero trust, but still needs complementing against insider threats.
Least privilege is not "low privilege"
Classic trap: thinking least privilege means giving everyone few rights. The criterion is the explicit job function, not rank or trust. A system administrator legitimately gets a privileged account because the function requires it; a trusted senior VP does not, because their function does not require it. If an answer pits "trust" against "privilege", it is a decoy.
Trust but verify vs zero trust
Do not conflate the two. Trust but verify = a single authentication at entry, then free internal movement (the model of many small LANs). Zero trust = no internal trust; multiplied internal boundaries, microsegmentation and frequent reauthentication of the ID. Trigger words for zero trust in a stem: "reauthentication", "microsegmentation", "continuous verification".
Fail securely: human safety first
A fail-secure system drops to a secured state on crash to reduce data exposure. But the trap exception is human safety: for a fire evacuation of a sensitive facility, human life takes priority, even if it exposes sensitive data. If a scenario pits data protection against human life, human life wins (fail-safe).
Threat modeling fixes nothing
Threat modeling identifies critical systems and reveals where vulnerabilities might exist, but it does NOT fix the problem. An answer claiming it "remediates" or "eliminates" vulnerabilities is wrong: the organization must then feed the results into its separate remediation process.
Checkpoint — Checkpoint
-
During an architecture review, the team finds that a single accountant can, alone, create a purchase order, approve it and issue the matching check. Which design principle is violated?
- A Least privilege
- B Separation of duties
- C Secure defaults
- D Keep it simple
Answer & rationale
Answer : B — Separation of duties
Separation of duties (B): a single actor must not be able to complete a sensitive process; this is the manual's procurement example, requiring at least two independent actors. Least privilege (A) is about the volume of rights granted to a function, not splitting a process. Secure defaults (C) targets default configuration. Keep it simple (D) targets procedure simplicity, unrelated to the cross-check required here.
-
A vendor ships a network device with all management services enabled and exposed by default. The security professional insists the shipped configuration be the most restrictive possible, even at the cost of less convenience. Which principle is being applied?
- A Fail securely
- B Privacy by design
- C Secure defaults
- D Trust but verify
Answer & rationale
Answer : C — Secure defaults
Secure defaults (C): default settings must be the most secure possible, even at the expense of user experience, and the professional must insist on it on both vendor and customer sides. Fail securely (A) is about crash behavior, not shipped configuration. Privacy by design (B) targets privacy, not config hardening. Trust but verify (D) is an authentication posture, off-topic here.
-
An architect proposes to microsegment the internal network and enforce frequent reauthentication of each ID, rather than relying on a single authentication at entry. Which model is she moving toward?
- A Trust but verify
- B Zero trust
- C Defense in depth (castle model)
- D Shared responsibility
Answer & rationale
Answer : B — Zero trust
Zero trust (B): microsegmentation and frequent ID reauthentication are its exact markers. Trust but verify (A) is precisely the posture she is leaving (single auth at entry). Defense in depth / castle model (C) is the broader layered frame, but the microsegmentation + reauth detail points specifically to zero trust. Shared responsibility (D) is about cloud security sharing, unrelated to internal reauthentication.
-
After a threat modeling exercise, a manager states: "Good, our vulnerabilities are now fixed." Why is this statement incorrect?
- A Threat modeling applies only to the operations phase, not to design
- B Threat modeling identifies where vulnerabilities are but does not fix them; remediation still remains
- C Threat modeling only fixes network vulnerabilities, not application ones
- D Threat modeling replaces remediation with real-time detection
Answer & rationale
Answer : B — Threat modeling identifies where vulnerabilities are but does not fix them; remediation still remains
Answer B: threat modeling is a form of testing that identifies critical systems and reveals where vulnerabilities might exist, but it does not fix the problem; the organization must feed the results into its remediation process. A is false: it has a role in every life-cycle phase, from requirements to real-time response. C invents a non-existent limitation. D is false: it does not replace remediation, it feeds it.
Key takeaways
- Build security in from the initiation phase; threat modeling identifies vulnerabilities but does not fix them.
- Least privilege = minimum needed for the function (not low privilege); SoD = at least two independent actors for a sensitive process.
- Defense in depth = layered protection (castle model); weak against insiders, to complement and re-rationalize.
- Secure defaults (safest default config), fail securely (safe state on crash, but human life first), keep it simple (simplicity = fewer errors).
- Trust but verify (one auth at entry) vs zero trust (microsegmentation, reauth); privacy by design from the start; shared responsibility allocated by the SLA in the cloud.
Fundamental Security Models
Prerequisites : Be comfortable with subjects, objects, classification, clearance, and mandatory access control (MAC) covered in secure design principles.
A security model defines rules of behavior that an information system must enforce to uphold a security policy, most often a confidentiality policy, an integrity policy, or both. The model describes what is allowed; once implemented, technology enforces those rules to meet the security goals. This is the heart of Domain 3 Key Area B: being able to compare and contrast the key characteristics of the major academic models.
This module covers the most heavily tested models. Bell-LaPadula (BLP) protects confidentiality in a multilevel security (MLS) system with its no read up / no write down rules. Biba is its mirror for integrity: no read down / no write up. Clark-Wilson goes further on integrity at the transaction level with well-formed transactions, separation of duties, and the subject-program-object triple. Brewer and Nash (Chinese Wall) prevents conflicts of interest by changing a subject's rights based on its past behavior. Graham-Denning and Harrison-Ruzzo-Ullman (HRU) instead describe how subjects, objects, and rights are created, assigned, and revoked.
The recurring exam trap is to confuse the BLP and Biba rules, or to swap the simple property with the star property. The discipline to build: for each model, know whether it targets confidentiality or integrity, and recite its exact rules without hesitation.
2.1 What a security model is
A security model defines rules of behavior for an information system in order to enforce security policies, which typically concern confidentiality, integrity, or both. The model sets the allowable behavior for one or more aspects of system operation. Once implemented, technology enforces those rules to ensure the security goals are met.
The model must be distinguished from its implementation. The model is a conceptual, mathematical framework: BLP, for instance, defines no technical construct or solution. It merely states a high-level set of rules that, correctly implemented, prevent the exposure or unauthorized disclosure of information in a system processing multiple classification levels. That is why the manual notes that modern operating systems implement elements of these models, but never perfectly: they aim at a practical implementation consistent with one or more models.
Two families structure this module. The first gathers lattice-based, multilevel models that control information flow between classification or integrity levels: BLP and Biba are the archetypes. The second gathers models that describe how subjects, objects, and rights are created, assigned, and revoked at the most basic level, where other models simply assumed that control existed: Graham-Denning and HRU.
In the exam, the first question to ask about any model is always the same: does it target confidentiality or integrity? That compass avoids most mistakes.
- A model states rules; technology enforces them once implemented.
- The model is conceptual: BLP defines no technical solution.
- Modern OSes implement elements of the models, never perfectly.
- First exam question: confidentiality or integrity?
2.2 Bell-LaPadula: confidentiality
The Bell-LaPadula (BLP) model addresses confidentiality in a multilevel security (MLS) system. It defines two primary constructs: subjects (active parties) and objects (passive parties). Subjects are given clearances defining the access modes (read, write) they may use against objects. The BLP system uses labels to track clearances and classifications and applies a set of rules limiting subject-object interactions. It was an early model: it provides no one-to-one mapping of individual subjects and objects, which is a fundamental requirement for building a practical operating system.
BLP defines three properties. The Simple Security property (SS): a subject cannot read or access an object of higher classification, that is no read up. The Star property (written *): a subject can only save or write to an object of equal or higher classification, that is no write down. The Strong Star property: a subject can only write to objects at the same classification level as itself, that is lateral write only (no write down AND no write up).
The logic is intuitive once confidentiality is the goal. Forbidding read up stops a low-cleared subject from reading a secret above its level. Forbidding write down stops a cleared subject from copying a secret down to a lower level where less-cleared subjects would read it. BLP defines no technical constructs: it states high-level rules that, well implemented, prevent the exposure or unauthorized disclosure of information in a multilevel system.
The property names, such as the Star (*), originate in predicate calculus and set theory, where they apply to sets like mathematical operators. For the exam, hold the pairing BLP = confidentiality = no read up / no write down.
- BLP = confidentiality in an MLS system.
- Simple Security = no read up; Star = no write down.
- Strong Star = lateral write only (neither up nor down).
- BLP offers no one-to-one mapping, a limit for a practical OS.
2.3 Biba: integrity, the mirror of BLP
The Biba model addresses data integrity; it does not address confidentiality. Like BLP, it is a lattice-based, multilevel model that describes subject-object interactions. One vocabulary difference: Biba speaks of observe and modify where BLP speaks of read and write. Above all, Biba assigns integrity levels to subjects and objects based on their trustworthiness, instead of BLP's confidentiality levels. The core of the model is a multilevel approach to integrity meant to stop unauthorized subjects from modifying objects and to keep objects' current integrity state as subjects interact with them.
Biba defines three properties. The Simple Integrity property (simple integrity axiom): a subject cannot read or observe an object of lower integrity, that is no read down. The Star property (*): a subject cannot modify an object of higher integrity, that is no write up. The Invocation property: a subject of lower integrity cannot request access to a higher-integrity object; it can only address objects of equal or lower level.
The contrast with BLP is the single most tested item. BLP protects confidentiality: no read up, no write down. Biba protects integrity: no read down, no write up. The rules are inverted because the goals are. In integrity, no read down keeps a high-integrity subject from being contaminated by untrustworthy data; no write up keeps an untrustworthy subject from corrupting a high-integrity object. BLP's Strong Star does not exist in Biba, and the Invocation property does not exist in BLP.
Mnemonic: for integrity, you do not read below yourself (don't get dirty) and you do not write above yourself (don't dirty others).
- Biba = integrity, not confidentiality.
- Simple Integrity = no read down; Star = no write up.
- Invocation property is unique to Biba (absent from BLP).
- Mirror rules of BLP because the goals are inverted.
2.4 Clark-Wilson and Brewer-Nash
Biba covers only one of the three key integrity goals. The Clark-Wilson model improves on it by targeting integrity at the transaction level and addressing three major integrity goals in a commercial environment. For the second goal, Clark and Wilson realized they needed to stop authorized subjects from making undesirable changes. This required that an authorized subject's transactions be evaluated by another party before being committed to the system: this is separation of duties, the authorized subject's power being limited by another subject empowered to evaluate and complete the transaction.
For internal consistency, Clark and Wilson recommend a strict definition of well-formed transactions: the set of steps in a transaction must be carefully designed and enforced, and any deviation from the expected path makes the transaction fail so that integrity is not compromised. To control every subject-object interaction, the model establishes a system of subject-program-object bindings (the access triple): the subject no longer has direct access to the object; it goes through a program that arbitrates all access, authenticates and identifies the subject, and limits access to the objects under its control. Each interaction then follows a defined set of rules.
The Brewer and Nash model, or Chinese Wall, targets a different problem: preventing conflict of interest when a subject accesses sensitive-information objects belonging to two competing parties. The principle is that a user must not access the confidential information of a client AND one of its competitors. At first, the subject may access either set of objects; but once it accesses an object tied to one competitor, it is instantly prevented from accessing any object on the opposite side, to keep it from sharing information inappropriately, even unintentionally.
These ethical walls are common in financial services, for example to isolate corporate advisory from brokerage and reduce both the opportunity and the temptation to abuse insider information. Brewer-Nash is unusual: its access control rules change based on the subject's behavior (the accesses already made).
- Clark-Wilson: integrity at the transaction level, 3 commercial goals.
- Access triple: subject -> program -> object, never direct access.
- Well-formed transactions + separation of duties at the model's core.
- Brewer-Nash: anti conflict of interest, rules vary with the subject's behavior.
2.5 Graham-Denning and HRU: rights management
Where BLP and Biba assume that control over subjects and objects exists, the Graham-Denning model focuses precisely on how subjects and objects are created, how rights (or privileges) are assigned to subjects, and how ownership of objects is managed. It describes the control of subjects and objects at the most basic level.
The Graham-Denning model has three parts: a set of objects, a set of subjects, and a set of rights. A subject is made of two things: a process and a domain; the domain is the set of constraints controlling how subjects may access objects. A subject can also be an object at specific times. The set of rights governs how subjects manipulate passive objects. The model describes eight primitive protection rights, called commands, that subjects execute to influence other subjects or objects. The eight basic rules are: create objects securely, delete objects securely, create subjects securely, delete subjects securely, provision read-access rights securely, provision grant-access rights securely, provision delete-access rights securely, and provision transfer-access rights securely.
The term primitive protection rights plays the role of other models' permissions or privileges. Example: deleting an object is an action done by a subject (often via a task, process, or other software entity); the access control system must not allow it unless the subject has the right. Whether that right is granted for all objects, a subset, or per object depends on the chosen access control model (DAC or MAC, covered in Domain 5).
The Harrison-Ruzzo-Ullman (HRU) model is very close to Graham-Denning: it comprises a set of generic rights and a finite set of commands, and is also concerned with situations where a subject must be kept from gaining particular privileges, by preventing it from accessing the programs or subroutines that execute a given command (for example granting read access).
- Graham-Denning: how to create/assign/manage subjects, objects, rights.
- Eight secure primitive protection rights (commands).
- HRU is very close: generic rights + a finite set of commands.
- Neither targets confidentiality or integrity directly.
Case studies
A consultancy serving two rival banks
Context : A consultancy assigns an analyst who can access the confidential files of several clients. Two of those clients, bank Alpha and bank Beta, are direct competitors in the same market. Management fears that one consultant working for both could leak, even unintentionally, strategic information from one client to the other. The security team must pick a security model whose rules structurally prevent this conflict of interest, without barring the analyst from serving non-competing clients.
Question : Which model fits the need, and how do its rules behave from the analyst's first access?
Show analysis and answer
The fitting model is Brewer and Nash, the Chinese Wall, designed precisely to prevent conflict of interest between two competing parties. At first the analyst may access either set of objects: nothing is locked yet. The barrier is built dynamically.
As soon as the analyst accesses an object tied to bank Alpha, the model instantly prevents access to any bank Beta object. This is Brewer-Nash's singular property: the access control rules change based on the subject's past behavior, not on a static label. The analyst remains free to serve other non-competing clients, since the wall rises only between conflicting objects.
Neither BLP nor Biba would fit: they reason by classification levels (confidentiality) or integrity levels, not by conflict of interest between peers at the same level. This is the textbook ethical-walls scenario in financial services, where corporate advisory is isolated from brokerage.
Takeaway : Conflict of interest between competitors = Brewer-Nash; its rules depend on the subject's prior accesses.
Do not swap BLP and Biba
The most frequent trap: confusing the rules. BLP targets confidentiality: no read up, no write down. Biba targets integrity: no read down, no write up. The read and write directions are inverted between the two models because the goals are. Anchor confidentiality (BLP) on no read up and integrity (Biba) on no write up, then derive the rest.
Simple property vs star property
The simple property always concerns READING (read/observe); the star property (*) always concerns WRITING (write/modify). In BLP: simple = no read up, star = no write down. In Biba: simple = no read down, star = no write up. The strong star (lateral write only) exists only in BLP; the invocation property exists only in Biba. Do not mix these properties across the two models.
Biba does not cover all of integrity
Classic trap: believing Biba covers all of integrity. The manual states that Biba addresses only one of the three key integrity goals. It is Clark-Wilson that addresses the three goals in a commercial environment, through well-formed transactions, separation of duties, and the subject-program-object triple. If the question mentions transactions, separation of duties, or indirect access via a program, the answer is Clark-Wilson, not Biba.
Checkpoint — Checkpoint
-
An MLS system must prevent a subject cleared "Confidential" from reading a "Secret" object. Which property of which model enforces this rule?
- A Bell-LaPadula Simple Security property (no read up)
- B Biba Star property (no write up)
- C Biba Simple Integrity property (no read down)
- D Biba Invocation property
Answer & rationale
Answer : A — Bell-LaPadula Simple Security property (no read up)
Reading a more classified object = read up, forbidden by BLP's Simple Security property (confidentiality). Biba's Star concerns writing, not reading. Biba's Simple Integrity forbids read down, not read up, and targets integrity. The Invocation property concerns service requests to a higher-integrity object.
-
To preserve integrity, a low-integrity subject must not be able to corrupt a high-integrity object. Which Biba rule prevents this?
- A No read up
- B No write up (Star property)
- C No write down
- D No read down (Simple Integrity)
Answer & rationale
Answer : B — No write up (Star property)
Corrupting a higher-integrity object = writing up: Biba's Star property forbids write up. No read up and no write down are BLP (confidentiality) rules. No read down is Biba's Simple Integrity but concerns reading, not the corrupting write described here.
-
A banking application must ensure authorized subjects never access records directly, but always through a program that authenticates and arbitrates each access. Which model describes this mechanism?
- A Bell-LaPadula
- B Graham-Denning
- C Clark-Wilson (subject-program-object triple)
- D Brewer-Nash
Answer & rationale
Answer : C — Clark-Wilson (subject-program-object triple)
Clark-Wilson's subject-program-object triple inserts an arbitrating program between subject and object, removing direct access. BLP handles confidentiality by levels. Graham-Denning is about creating/assigning rights. Brewer-Nash handles conflict of interest between competitors, not indirect access.
-
Which statement correctly describes the scope of the Graham-Denning model?
- A It defines confidentiality levels with no read up / no write down.
- B It describes how subjects and objects are created and how rights are assigned and managed.
- C It prevents conflict of interest between two competing parties.
- D It ensures transactional integrity via well-formed transactions.
Answer & rationale
Answer : B — It describes how subjects and objects are created and how rights are assigned and managed.
Graham-Denning is about creating subjects/objects, assigning rights, and managing ownership, via eight primitive protection rights. Level-based confidentiality is BLP. Conflict of interest is Brewer-Nash. Well-formed transactions are Clark-Wilson.
-
An analyst first accesses one client's files, then tries to open a direct competitor's files; the system instantly refuses. Which model, and which peculiarity, are at play?
- A Biba, because the competitor's integrity would be compromised
- B Brewer-Nash, whose access rules change based on the subject's past behavior
- C Bell-LaPadula, because the competitor is at a higher classification level
- D HRU, because the subject lacks the required command
Answer & rationale
Answer : B — Brewer-Nash, whose access rules change based on the subject's past behavior
Brewer-Nash (Chinese Wall) prevents conflict of interest: once an object on one side is accessed, the opposite side is blocked. Its peculiarity is that access rules depend on the subject's prior accesses. Biba and BLP reason by levels, not conflict. HRU concerns rights/commands, not this dynamic blocking.
Key takeaways
- A model states rules; for each, first ask: confidentiality or integrity?
- BLP = confidentiality = no read up (Simple Security) / no write down (Star); Strong Star = lateral write.
- Biba = integrity = no read down (Simple Integrity) / no write up (Star); plus the Invocation property.
- Clark-Wilson: transactional integrity via well-formed transactions, separation of duties, and the subject-program-object triple.
- Brewer-Nash = conflict of interest (dynamic rules); Graham-Denning and HRU = creating and managing rights.
Control Selection and Evaluation Criteria
Prerequisites : Familiarity with risk, security policy, and the system development life cycle (SDLC) notions covered in earlier Domain 3 modules.
Selecting controls is not picking measures at random: it starts from a set of recognized engineering standards, then tailors them to the organization's context to serve its mission. The CISSP selects systems engineering controls that serve the context of an organization; choosing appropriate standards as a starting point, then tailoring them, provides confidence that the organization is following a mature path aligned with its mission.
This module covers three pillars drawn from section 3.3 of the ISC2 reference. First, security engineering as a discipline and its sources of standards (INCOSE Systems Engineering Handbook, NIST SP800-160, ISO/IEC 15026, ISO/IEC/IEEE 15288). Then the security engineering processes defined by NIST SP800-160, grouped into four families: Technical, Technical Management, Enabling, and Agreement processes. Finally, the role of change management and configuration management, and the link between security policies, models, and architecture.
Exam focus: NIST SP800-160 is engineering-driven, meaning it infuses systems security engineering techniques into systems and software engineering activities rather than bolting security on afterward.
Once a system is designed and built, you still need to objectively measure how much trust it deserves. That is the role of security evaluation criteria: formal frameworks that rate a product against functions and an assurance level. The module therefore adds the historical TCSEC (Orange Book) and ITSEC criteria, their international successor Common Criteria (ISO/IEC 15408), and finally the certification and accreditation pair that leads to an Authorization to Operate (ATO). These concepts, part of the official exam outline, complement the select-then-tailor logic with a logic of evaluation and formal risk acceptance.
3.1 Selecting and tailoring standards to context
Section 3.3 starts from a simple idea: you select systems engineering controls that serve the organization's context. The mechanism has two steps. First, you choose appropriate standards as a starting point; then you tailor them to the organization's own context. This two-step move provides confidence that the organization follows a mature path serving its mission, rather than blindly applying a generic catalogue.
Security engineering itself is defined as the use of generally accepted engineering methods to apply systems security theories to specific situations, problems, or needs in practical and effective ways. Two authorities recognize it as a specialty engineering discipline of systems engineering: the International Council on Systems Engineering (INCOSE) and NIST.
The classic trap: assuming a standard deploys as-is. It does not - the standard is a starting point, and tailoring makes it relevant to the context (mission, constraints, risk). This is the same logic as scoping/tailoring seen elsewhere in the curriculum: start from a recognized baseline, then adjust.
- Selection = recognized standard as a starting point, then tailoring to context.
- Goal of tailoring: follow a mature path that serves the mission.
- Security engineering = applying systems security theories in a practical way.
- INCOSE and NIST recognize security engineering as a specialty engineering discipline.
3.2 Sources of security engineering standards
Section 3.3 lists commonly accepted sources of engineering and security engineering. The INCOSE Systems Engineering Handbook presents systems engineering principles in terms of affordability and performance, in the context of formal and informal project management structures.
NIST SP800-160 (Systems Security Engineering) addresses the engineering-driven actions necessary to develop more secure and survivable systems, including the components that compose them and the services that depend on them. It starts from a set of well-established international standards for systems and software engineering (published by ISO, IEC, and IEEE) and infuses systems security engineering techniques, methods, and practices into them. That is the precise meaning of engineering-driven: security is built into engineering activities, not added afterward.
Two ISO families round out the picture. ISO/IEC 15026 (Systems and Software Engineering series) focuses on assurance, integrity, and security concepts for systems and software. ISO/IEC/IEEE 15288 provides an overall systems engineering life cycle model; it is an outgrowth of earlier models from various U.S. military standards. Exam trap: do not confuse 15026 (assurance/integrity/security) with 15288 (overall life cycle model).
- INCOSE Handbook: SE principles (affordability, performance, project management).
- SP800-160: engineering-driven, more secure and survivable systems, builds on ISO/IEC/IEEE standards.
- ISO/IEC 15026: assurance, integrity, security of systems/software.
- ISO/IEC/IEEE 15288: overall systems engineering life cycle model.
3.3 Security engineering processes per SP800-160
NIST SP800-160 defines general security engineering processes, consistent with the INCOSE Systems Engineering Handbook and easily related to ISO-based standards, with some minor differences. They fall into four families.
The Technical Processes handle the system itself: business and mission analysis (understand scope and asset-loss consequences), stakeholder needs and requirements definition, system requirements definition, architecture definition, design definition, system analysis, implementation, integration, and verification (produce evidence that the system satisfies its security requirements with the applicable level of assurance). The Technical Management Processes steer the project: project planning, project assessment and control, decision management, risk management (identify, analyze, treat, and monitor security risks), configuration management, information management, measurement, and quality assurance.
The Enabling Processes support the organization: life cycle model management, infrastructure management, portfolio management, human resources management, quality management, and knowledge management. Finally, the Agreement Processes govern contractual relationships: the acquisition process ensures the acquirer's protection needs are covered by its requirements; the supply process ensures the delivered product or service provides the security functions while meeting the constraints expressed by the acquirer. Trap: recognizing which family a given process belongs to (e.g., configuration management = Technical Management; acquisition = Agreement).
- Four families: Technical, Technical Management, Enabling, Agreement.
- Verification = evidence that security requirements are met at the right assurance level.
- Risk management and configuration management are Technical Management Processes.
- Acquisition (acquirer side) and supply (supplier side) are Agreement Processes.
3.4 Change management, configuration management, policies and models
The reference stresses up front that engineering, as a discipline, embraces change management and configuration control. Whatever the engineering activity, it revolves around managing the information about the system being brought into existence. Mission or business needs for safety, security, reliability, and performance dictate (or should dictate) how detailed and formal those change management processes must be. Management must determine the right mix of formal change management and flexibility/responsiveness, according to the overall risk management strategy.
In the WLDR University case from the reference, configuration management is ad-hoc across campus IT groups: there is no standard configuration, nor the ability to quickly deploy controls during an incident. The expected answer is to implement configuration management processes to ensure the secure configuration of all systems and network devices based on their unique requirements.
Finally, security policies, models, and architecture connect in development. Systems usually start from statements of business or mission needs, often expressed as policies. A security policy defines what "security" means for a given system, which almost always reflects a compromise between security, operability, cost, and risk impact. Models represent experience gained from building similar systems (equations, flow diagrams, task sequences); engineers use them as starting points to iteratively develop an architecture for the desired system.
- Engineering inherently embraces change management and configuration control.
- Change management formality depends on mission needs (safety, security, reliability, performance).
- Ad-hoc configuration management = no baseline and no fast incident response (WLDR case).
- Policy then models then architecture: the policy expresses the trade-off, models guide the architecture.
3.5 Historical evaluation criteria: TCSEC and ITSEC
Before today's international standards, two families of evaluation criteria shaped how the trust of a security product was rated. The Trusted Computer System Evaluation Criteria (TCSEC), nicknamed the Orange Book, was published by the U.S. Department of Defense. It builds on the Bell-LaPadula confidentiality model and primarily evaluates the confidentiality protection of a multi-user operating system. Its main weakness: it bundles functionality and assurance into a single rating, and addresses neither integrity nor availability.
TCSEC ranks systems into hierarchical divisions. Division D denotes minimal protection (a failed evaluation). Division C covers discretionary protection with C1 (discretionary security protection) and C2 (controlled access protection). Division B covers mandatory protection with B1 (labeled security protection), B2 (structured protection), and B3 (security domains). Division A, with A1 (verified design), requires a formally verified design. The Red Book, or Trusted Network Interpretation (TNI), extends these ideas to networks, whereas the Orange Book only covered standalone systems.
The Information Technology Security Evaluation Criteria (ITSEC) is the European answer. Its decisive contribution is to separate what TCSEC conflated: on one side functionality, rated F1 to F10, describing what the product does; on the other side assurance, rated E0 to E6, describing the confidence that it does so correctly. ITSEC also addresses confidentiality, integrity, and availability, where TCSEC was limited to confidentiality.
Exam trap: remember that TCSEC = confidentiality only, functionality and assurance bundled, based on Bell-LaPadula; ITSEC = functionality (F) AND assurance (E) separated, European, full CIA. The Red Book is not a level but the network extension of TCSEC.
- TCSEC (Orange Book) = DoD, based on Bell-LaPadula, confidentiality, functionality and assurance bundled.
- TCSEC divisions: D, C1/C2, B1/B2/B3, A1 (from minimal to verified design).
- Red Book = Trusted Network Interpretation, network extension of TCSEC.
- ITSEC = European, separates functionality (F1-F10) and assurance (E0-E6), covers CIA.
3.6 Common Criteria (ISO/IEC 15408)
The Common Criteria (CC), standardized as ISO/IEC 15408, replaces and unifies the earlier national approaches, including the U.S. TCSEC and the European ITSEC. Its goal is to provide a common, repeatable language to evaluate the security of IT products, and to enable mutual recognition of evaluations across signatory countries through the Common Criteria Recognition Arrangement (CCRA): a product evaluated in one country is recognized in the others, avoiding repeated evaluation.
The CC vocabulary is central for the exam. The Target of Evaluation (TOE) is the product or system being evaluated. The Protection Profile (PP) expresses generic, product-independent security needs, written on the customer or user-community side: it is the demand ("here is what a class of products needs"). The Security Target (ST) is written on the vendor side: it contains the security claims for a specific product and explains how it meets, where applicable, one or more PPs. It is the offer ("here is what my product does").
The content of the claims breaks down into two requirement types. Security Functional Requirements (SFRs) describe the expected security functions (what the product does). Security Assurance Requirements (SARs) describe the verification activities performed to gain confidence in those functions (how thoroughly it was checked). This functionality/assurance split is directly inherited from the spirit of ITSEC.
The overall assurance level is summarized by an Evaluation Assurance Level (EAL), on seven steps: EAL1 (functionally tested), EAL2 (structurally tested), EAL3 (methodically tested and checked), EAL4 (methodically designed, tested, and reviewed), EAL5 (semiformally designed and tested), EAL6 (semiformally verified design and tested), and EAL7 (formally verified design and tested). Central trap: an EAL measures the RIGOR of the evaluation (assurance), not the amount of functionality nor absolute security. A high EAL against a weak PP does not guarantee an absolutely secure product.
- Common Criteria = ISO/IEC 15408, replaces TCSEC and ITSEC, mutual recognition via CCRA.
- TOE = evaluated product; PP = generic needs (customer); ST = claims (vendor).
- SFR = security functions; SAR = assurance/verification activities.
- EAL1 (functionally tested) to EAL7 (formally verified design and tested): EAL measures assurance, not functionality.
3.7 Certification, accreditation, and Authorization to Operate (ATO)
Evaluating a product with the Common Criteria is not enough to authorize its use in an organization: a decision process is needed. That process rests on two steps the exam often contrasts. Certification is the technical evaluation: a detailed verification that a system's security controls satisfy a given set of requirements in a specific operating context. Certification produces evidence, not a decision.
Accreditation (or authorization) is the management act that follows: a designated authority, the Authorizing Official (AO), reviews the certification results and the residual risk, then formally accepts that risk on behalf of the organization. It is a risk management decision, not a technical analysis. The classic trap swaps the two: certification looks at the technical side, accreditation accepts the risk. Without accreditation, a certified system is not authorized.
The NIST Risk Management Framework (RMF) now frames this logic for U.S. federal systems, with its steps (categorize, select, implement, assess, authorize, monitor). The "authorize" step leads to a formal AO decision called the Authorization to Operate (ATO). Three outcomes are possible: a granted ATO (the system may go into service), a conditional ATO (authorization granted provided certain weaknesses are corrected within a defined timeframe, sometimes via an action plan), or a denial of authorization to operate (refusal: the residual risk is judged unacceptable and the system must not operate).
Finally, an authorization is never eternal. The RMF requires continuous monitoring and periodic reassessment: significant changes to the system, to the threat environment, or expiry of the authorization trigger a new assessment and a new AO decision. Trap: an ATO is not a permanent blank check; it is time-bound and revisable.
- Certification = technical evaluation (evidence); accreditation = formal acceptance of residual risk by the AO.
- The Authorizing Official accepts risk on behalf of the organization; it is not a technical decision.
- NIST RMF: categorize, select, implement, assess, authorize, monitor; the authorize step yields the ATO.
- Outcomes: granted ATO, conditional ATO (timed fixes), denial; periodic reassessment is mandatory.
Case studies
WLDR University: ad-hoc configuration management
Context : At WLDR University, configuration management is implemented ad-hoc across campus and facility IT groups. As a result, there is no standard configuration for university computers, nor the ability to quickly deploy security controls in case of an incident.
Question : How could the university implement configuration management processes to ensure the secure configuration of all systems and network devices based on their unique requirements?
Show analysis and answer
The root problem is the absence of a baseline: with no standard configuration, each IT group improvises, and the organization loses the ability to react quickly. In SP800-160, configuration management is a Technical Management Process that ensures security considerations are addressed in the management and control of system elements, configurations, and associated data over the whole life cycle.
The expected approach applies the select-then-tailor logic: start from a recognized standard as a starting point, define secure configuration baselines per device type, then tailor each baseline to the unique requirements of the systems concerned. The formality of the associated change management should be calibrated to mission needs (safety, security, reliability, performance) and to the university's risk management strategy.
The intended effect is twofold: a secure and consistent configuration, and the ability to quickly deploy controls during an incident thanks to known and controlled baselines.
Takeaway : Configuration management = secure baselines per device type, tailored to unique requirements, under change management whose formality follows mission needs.
Engineering-driven is not security add-on
NIST SP800-160 is described as engineering-driven: it infuses systems security engineering techniques INTO systems and software engineering activities. The trap is treating it as a security layer added afterward. No: security is built in from the engineering itself, starting from existing ISO/IEC/IEEE standards.
ISO/IEC 15026 vs ISO/IEC/IEEE 15288
15026 (Systems and Software Engineering series) covers assurance, integrity, and security concepts. 15288 provides an overall systems engineering life cycle model, an outgrowth of U.S. military standards. Do not swap them: one targets assurance/integrity/security, the other the overall life cycle.
Place each process in the right family
Exam questions often test which SP800-160 family a process belongs to. Anchors: configuration management and risk management = Technical Management; verification, architecture definition, implementation = Technical; acquisition and supply = Agreement; portfolio, HR, knowledge = Enabling.
A standard is only a starting point
Selecting a recognized standard is not enough: without tailoring to context (mission, constraints, risk), the control stays generic. Maturity comes from adjustment, not from raw adoption of the catalogue.
Protection Profile vs Security Target, and what an EAL measures
Two classic confusions about the Common Criteria. First, the Protection Profile (PP) expresses generic security needs on the customer or community side (the demand), while the Security Target (ST) holds the claims of a specific product on the vendor side (the offer): do not swap them. Second, an Evaluation Assurance Level measures the level of ASSURANCE, that is the rigor of verification (EAL1 functionally tested up to EAL7 formally verified design and tested), not the amount of functionality nor any "absolute security." A high EAL against a weak PP does not prove a product is secure in absolute terms.
Certification is not accreditation
Certification is the technical evaluation of a system's controls against requirements; it produces evidence. Accreditation is the management act by which the Authorizing Official formally accepts the residual risk and authorizes operation (ATO). The trap is believing a certified system is automatically authorized: without the AO's accreditation decision, it is not. And the ATO is not permanent: it can be conditional, denied, and must be periodically reassessed.
Checkpoint — Checkpoint
-
A CISO wants to build security into the design of more survivable systems, leveraging existing ISO/IEC/IEEE standards rather than adding security afterward. Which publication best describes this engineering-driven approach?
- A NIST SP800-160 (Systems Security Engineering)
- B INCOSE Systems Engineering Handbook
- C ISO/IEC/IEEE 15288 alone
- D An organizational security policy
Answer & rationale
Answer : A — NIST SP800-160 (Systems Security Engineering)
SP800-160 addresses engineering-driven actions for more secure and survivable systems, infusing security engineering into existing ISO/IEC/IEEE standards. The INCOSE Handbook lays out general SE principles (affordability, performance) without being security engineering-driven. 15288 provides the life cycle model but not the security infusion described. A security policy defines what security means; it does not describe an engineering approach.
-
An architect must produce evidence demonstrating that the system satisfies its security requirements at the applicable assurance level. Which SP800-160 process is this, and which family does it belong to?
- A Verification process, Technical Processes family
- B Risk management process, Technical Management family
- C Acquisition process, Agreement family
- D Knowledge management process, Enabling family
Answer & rationale
Answer : A — Verification process, Technical Processes family
The verification process produces sufficient evidence that the system satisfies its security requirements at the applicable assurance level: it is a Technical Process. Risk management (Technical Management) identifies and treats risks, not conformance evidence. Acquisition (Agreement) concerns the acquirer's needs. Knowledge management (Enabling) handles security knowledge.
-
An organization adopts a recognized security engineering standard and deploys it as-is across all systems, with no adaptation. What is the main flaw of this approach per section 3.3?
- A The standard must be tailored to context to serve the mission in a mature way
- B Recognized standards are forbidden as a starting point
- C Only models, never standards, should guide selection
- D Configuration management removes any need for a standard
Answer & rationale
Answer : A — The standard must be tailored to context to serve the mission in a mature way
The section describes selection as a recognized standard as a starting point THEN tailoring to context: it is the adjustment that ensures a mature path serving the mission. Recognized standards are in fact recommended as a starting point. Models and standards coexist. Configuration management is a control process; it does not replace choosing a standard.
-
On the WLDR campus, configuration management is ad-hoc: no standard configuration and no fast control deployment during incidents. Which action fixes the root cause?
- A Define secure configuration baselines per device type, tailored to unique requirements, under formalized change management
- B Leave each configuration to each local IT group's judgment
- C Remove change management to gain responsiveness
- D Wait for an incident to decide configuration case by case
Answer & rationale
Answer : A — Define secure configuration baselines per device type, tailored to unique requirements, under formalized change management
The root cause is the missing baseline. The fix is to establish secure baselines per device type, tailored to unique requirements, under change management whose formality follows mission needs. Leaving it to local judgment perpetuates the problem. Removing change management worsens risk. Waiting for the incident is exactly the flaw described.
-
A vendor advertises that its firewall is Common Criteria EAL4 certified. A buyer concludes the product offers more security features than an EAL2 product and that it is "absolutely secure." What should you tell them?
- A The EAL measures the rigor of verification (assurance), not the amount of functionality nor absolute security
- B An EAL4 guarantees more functionality than an EAL2
- C A high EAL proves the product is secure in absolute terms
- D The EAL removes the need to define a Security Target
Answer & rationale
Answer : A — The EAL measures the rigor of verification (assurance), not the amount of functionality nor absolute security
An EAL rates the assurance level, that is how rigorously the product was verified (EAL1 functionally tested to EAL7 formally verified design and tested). It says nothing about the number of functions: functions belong to the Security Target's SFRs. A high EAL against weak claims proves no absolute security. The EAL does not replace the ST: it precisely summarizes the result of evaluating the ST/PP.
-
A hospital consortium writes a document describing the generic security needs any patient-record system must meet, without targeting a specific product. A vendor responds with a document describing how ITS software meets those needs. Which Common Criteria artifacts do these respectively correspond to?
- A The consortium produces a Protection Profile (PP), the vendor a Security Target (ST)
- B The consortium produces a Security Target (ST), the vendor a Protection Profile (PP)
- C Both documents are Targets of Evaluation (TOE)
- D The consortium sets the EAL, the vendor defines the PP
Answer & rationale
Answer : A — The consortium produces a Protection Profile (PP), the vendor a Security Target (ST)
The PP expresses generic, product-independent needs on the customer/community side: exactly what the hospital consortium writes. The ST holds the claims of a specific product on the vendor side and explains how it meets a PP: that is the vendor's document. Swapping PP and ST is the classic mistake. The TOE is the evaluated product itself, not these documents. The EAL is an assurance level resulting from the evaluation, not an artifact written by the customer.
-
A technical team has finished the detailed evaluation of a new system's controls and documented a residual risk. The system still cannot go into service. Which step is missing and who is responsible for it?
- A Accreditation: the Authorizing Official must formally accept the residual risk and issue the ATO
- B A new technical certification by the same team
- C Nothing: a certified system is automatically authorized to operate
- D Writing a Protection Profile by the technical team
Answer & rationale
Answer : A — Accreditation: the Authorizing Official must formally accept the residual risk and issue the ATO
Certification (technical evaluation) is done, but authorization is a matter of accreditation: the Authorizing Official reviews the residual risk and formally accepts it, which yields the ATO (granted, conditional, or denial). Redoing certification does not address the missing management decision. A certified system is not automatically authorized: that is exactly the trap. A Protection Profile belongs to the Common Criteria on the product-needs side, unrelated to authorizing this system to operate.
Key takeaways
- Selecting = start from a recognized standard, then tailor it to context to serve the mission.
- Key sources: INCOSE Handbook, NIST SP800-160, ISO/IEC 15026 (assurance/integrity/security), ISO/IEC/IEEE 15288 (life cycle).
- SP800-160 is engineering-driven: security is infused into engineering, not added afterward.
- Four process families: Technical, Technical Management, Enabling, Agreement.
- Change management and configuration management are intrinsic to engineering; their formality follows mission needs.
- Historical criteria: TCSEC (Orange Book, confidentiality, Bell-LaPadula, functionality+assurance bundled) and ITSEC (European, F1-F10 and E0-E6 separated).
- Common Criteria (ISO/IEC 15408): TOE, PP (customer needs), ST (vendor claims), SFR/SAR, EAL1 to EAL7; the EAL measures assurance, not functionality.
- Certification (technical) vs accreditation (risk acceptance by the AO); the ATO can be granted, conditional, or denied and must be reassessed.
Security Capabilities of Information Systems
Prerequisites : Be familiar with the notions of subject/object, security policy, and trusted computing base introduced in the earlier Domain 3 modules.
Every secure system rests on hardware and operating-system foundations the CISSP must understand (Key Area D). The guiding principle of the manual is simple: compromise of any one layer can lead to compromise of the whole system. Deploying secure configurations that actually deliver these theoretical constructs is therefore key to building and operating secure systems.
This module starts with the conceptual security models designers have used over time - the state machine model, information flow model, noninterference model, and ring model - which emphasize different security properties using the concepts of subjects and objects. It then moves to the hardware realization of these ideas: processor states, privileged mode instructions, and the protection ring model (Ring 0 to Ring 3).
The module then covers the native features expected of any element intended for a secure system: memory management, abstraction layers, code/data isolation, file system attributes, and the security kernel, along with their extensions (access control, virtual machines, sandboxing, cryptographic systems). It closes with hardware roots of trust: the Trusted Platform Module (TPM) and the broader family of hardware security modules (HSM).
Two classic exam pillars complete the picture: the trusted computing base (TCB), reference monitor, and security kernel that formalize who mediates access, and the secure boot, measured boot, and trusted execution chain that establishes a hardware root of trust at startup.
4.1 Conceptual security models: state machine, information flow, noninterference
Over time, designers have used different security models that emphasize distinct security properties. Many rely on the concepts of subjects and objects: a subject is a process that performs actions on an object, and an object can be a set of data, a hardware or software resource, or a person - which means an object can itself be a subject.
The state machine model identifies the system's starting condition and the end state it must be in once a process completes. The manual's example: a security policy may require that copying an object introduce no deviation from the original; comparing a secure hash of the original and the copy demonstrates the operation met that policy.
The information flow model extends the state machine model by focusing on the movement of information throughout the system. It describes how the privileges granted to subjects constrain their access to objects and the transformations they may apply to those objects. Security is therefore assessed in terms of permitted or forbidden flows, not just states.
The noninterference model ensures that objects and subjects at one level of sensitivity do not inappropriately interact with those at other levels. Each data access attempt is independent of all others and approved, if appropriate, by the security architecture. Crucially, the system's outputs should not disclose the security decisions or the inputs that generated them: a login process should not disclose the input values (login ID, password) in the authentication that results from a successful login.
- State machine: security verified by comparing states (e.g. hash of original vs copy).
- Information flow: security seen as control of information flows between subjects and objects.
- Noninterference: one level must not influence another; outputs do not disclose inputs.
- All three models rest on the subject/object relationship, the common basis of security models.
4.2 Protection rings and processor states (Ring 0 to Ring 3)
The ring model emphasizes the interactions between the underlying hardware's security capabilities and their use by the software layers. Depending on the hardware, software, and system design, a different number of rings may be needed; in many cases four rings are sufficient. The manual's figure shows the ring model from the software perspective: the hardware layers and their burnt-in firmware are contained within Ring 0.
Process isolation increases the farther out the software runs from Ring 0. In addition, every time a service request crosses a ring boundary, the request should be evaluated against the security policy to determine whether it is appropriate. So an application's request to save a file to storage receives more scrutiny from the OS and the security kernel than the OS's decision to scavenge unused memory locations.
Ring 0 hosts the most sensitive OS functions, typically "trusted" functions subject to limited oversight; the security kernel monitors the overall operation of the OS and can terminate processing when it detects a possible compromise (Windows' Blue Screen of Death is one manifestation). Ring 1 hosts device drivers with direct hardware access, often requiring certification to meet the OS's security requirements. Ring 2 offers better performance and capability than Ring 3 applications, for tasks limited to users with broad privilege (formatting disks, establishing network connections) or for services rendered to applications (e.g. messaging APIs).
Ring 3 is where applications run; strict process isolation and rigorous authorization of service requests should be enforced there. The failure of an application at Ring 3 does not affect other processes or system functions, and the system can recover gracefully. Caution: these examples are strictly illustrative - some implementations support four rings but do not use Rings 1 and 2, or reserve Ring 1 for hypervisor-related tasks. The theoretical model does not always fully describe a given environment, and taking advantage of it requires implementation in both hardware and software. These levels rely on processor states: privileged mode instructions can directly alter the state of the hardware or of a running task, via special flag bits in the CPU indicating the privilege level of the current task.
- Process isolation increases from Ring 0 toward Ring 3.
- Every ring boundary crossing is evaluated against the security policy.
- Ring 0 = sensitive OS + security kernel + hardware/firmware; Ring 3 = applications.
- The model is a metaphor: some implementations do not use Rings 1 and 2.
- Rings rely on the CPU's processor states and privileged mode instructions.
4.3 System foundations: memory management, isolation, virtualization, and sandboxing
As early as the 1960s, security engineers had identified a list of critical features needed to build systems able to meet their security policy. These architectural elements have a dual nature: they represent lower-level security policies that components must have, and they offer high-level design templates for achieving the required behavior.
The native capabilities expected of any element intended for a secure system include: memory management (efficient RAM use, support for virtual memory, and segregation of a task's code and data spaces); abstraction layers, which prevent logic at one layer from interfering with or observing the detail of another, decoupling design and easing maintenance; code/data isolation and segregation, enforced by hardware and OS, which prevent one process from reading or writing another's code or data space, prevent execution of instructions loaded into data spaces and writing of instructions into a code space (even its own); file system attributes (read-only, execute-only) associating protective permissions with objects (under Unix/Linux every device is treated as a file); and the security kernel, which monitors all executing programs, including OSs, for errors or alarms signaling a breach, and can force a program into a safe state, stop it, or even shut the system down.
Once these features are present, vital extensions can be added. Access control authenticates a subject's connection requests or authorizes access to objects, with detailed accounting of attempted actions. Virtual machines encapsulate an entire operational system, including its interfaces to peripherals and networks; hardware and OS security and virtualization features then enforce the required isolation of processes, data, and devices.
Sandbox environments leverage virtualization for isolated testing and assessment, whether of systems under development or suspected malware. Finally, cryptographic systems enhance code/data isolation, provide digital signatures for code and data, and protect code and data at rest, in transit, or in use, via a combination of hardware and software elements. Each of these architectural elements links back to one or more security models.
- Core features have a dual nature: low-level policy and high-level design template.
- Code/data isolation prevents execution in data space and corruption of a code space.
- The security kernel can force a safe state, stop a program, or shut down the system.
- VMs and sandboxes rely on virtualization to encapsulate and isolate.
- Each architectural element links back to one or more security models.
4.4 Hardware roots of trust: TPM and HSM
The Trusted Platform Module (TPM) is a special type of hardware security module (HSM) designed for integration into other products and compliant with a specific standard from the Trusted Computing Group. Most, but not all, servers and end-user devices can be obtained with a TPM chip.
The TPM specification requires the module to include: secure key generation, secure storage, hashing algorithms, a random number generator, and an onboard cryptoprocessor able to perform the functions defined by the standard. The TPM designation further requires a device-unique identity key used for device identification.
The term TPM refers strictly to a module that complies with the TPM standard. Many other manufacturers create equivalent modules referred to as secure elements, secure enclaves, or similar terms. Leveraging the key storage facilities and cryptographic functions of the TPM chip can speed processing and increase a device's security posture. The HSM is the broader category: a hardware module dedicated to cryptographic security (protected key generation, storage, and use), of which the TPM is a standardized, embedded variant. This hardware root of trust anchors the cryptographic capabilities raised in the earlier lessons and is examined further in the subdomains devoted to cryptography.
- The TPM is an embedded HSM, compliant with the Trusted Computing Group standard.
- Mandated functions: secure key generation, secure storage, hashing, RNG, cryptoprocessor.
- The TPM designation requires a device-unique identity key to identify the device.
- Secure elements and secure enclaves are non-standardized equivalents under other names.
- Leveraging the TPM speeds processing and strengthens the security posture.
4.5 Trusted Computing Base, reference monitor, and security kernel
The trusted computing base (TCB) is the set of components - hardware, software, and firmware - that are critical to a system's security: they are what enforce the security policy. Everything inside the TCB is trusted, because its failure could compromise the entire policy; everything outside the TCB need not be trusted. The boundary that separates the TCB from the rest of the system is the security perimeter. Keeping the TCB small and well defined is a major design goal: the smaller it is, the more it can be verified and protected.
The reference monitor is an abstract concept: it is the component that mediates ALL accesses by subjects to objects. No reference to an object may escape its control. Three classic properties are required of it: complete mediation (it is always invoked and cannot be bypassed), tamperproof (it is isolated and protected against any unauthorized modification), and verifiable (it is small and simple enough to be analyzed, tested, and proven correct - small enough to test). The related but distinct Common Criteria NEAT mnemonic lists four requirements of its own: Non-bypassable, Evaluable, Always invoked, Tamperproof.
The security kernel is the concrete implementation of the reference monitor within the TCB: it is the set of hardware, firmware, and software mechanisms that actually enforce access mediation. Where the reference monitor is the idea, the security kernel is the code and the circuitry. It is what, at Ring 0, monitors and enforces access decisions. The distinction is a recurring exam trap.
Even a system with a well-designed TCB can leak information through covert channels: communication paths not intended by the design. A storage covert channel conveys information by writing to a storage location (a file attribute, a disk sector) that another process reads; a timing covert channel modulates the timing of an observable event (response time, CPU usage) to signal bits to a collaborator. Covert channels bypass normal mediation and are a classic theme of trusted-system models.
- The TCB = all trusted components that enforce the policy; its boundary is the security perimeter.
- Reference monitor = abstract concept mediating ALL subject->object accesses.
- Reference monitor properties: complete mediation (always invoked), tamperproof (isolated), verifiable (small enough to test); Common Criteria NEAT mnemonic = Non-bypassable, Evaluable, Always invoked, Tamperproof.
- Security kernel = concrete implementation of the reference monitor in the TCB - do not confuse concept and code.
- Covert channels: storage (via a storage location) vs timing (via observable timing) bypass mediation.
4.6 Secure boot, measured boot, and trusted execution
A system's security begins before the OS even loads: if the boot chain is compromised (bootkit, malicious firmware), all the software protections built on top become moot. Hence the notion of root of trust: a trusted component, ideally anchored in hardware, from which trust propagates step by step along the boot chain (chain of trust).
Secure boot verifies the digital signature of each component of the boot chain before executing it. In the UEFI ecosystem, the firmware loads a bootloader, then a kernel, only if their signature matches a trusted key enrolled in the firmware. An unsigned or modified component is rejected: secure boot prevents the execution of unapproved code. Key point: secure boot VERIFIES SIGNATURES and blocks anything that does not match; it does not necessarily keep a record of what was loaded.
Measured boot, by contrast, MEASURES: it computes the hash of each stage (firmware, bootloader, kernel, drivers) and extends the TPM's Platform Configuration Registers (PCRs) with those measurements. Measured boot does not block anything by itself; it produces a reliable cryptographic record of the boot state. That record enables remote attestation: the machine can prove to a third party (attestation server, network access control) that its boot chain is in a known, approved state, by presenting the PCR values signed by the TPM. This is the direct link to the TPM seen in the previous lesson.
The trusted execution environment (TEE) extends the idea to run time: it is an enclave isolated from the rest of the system, where sensitive code and data run shielded even from a compromised OS. Intel SGX (application enclaves) and ARM TrustZone (secure/normal worlds) are the canonical examples. The TEE relies on a hardware root of trust to guarantee the confidentiality and integrity of the code that runs in it. Together, root of trust, secure boot, measured boot, and TEE form a continuous chain of trust, from boot to execution.
- Root of trust: hardware anchor from which the boot chain of trust starts.
- Secure boot VERIFIES signatures (UEFI) and blocks unapproved code.
- Measured boot MEASURES/hashes each stage and extends the TPM's PCRs; it does not block, it attests.
- Remote attestation: prove a known boot state to a third party via signed PCRs.
- TEE: isolated runtime enclave (Intel SGX, ARM TrustZone) relying on a hardware root of trust.
Case studies
Ring Model activity: the junior staff's questions
Context : In a meeting, Terry uses the ring model as a metaphor to discuss the balance between performance and security of WLDR University's systems. A junior staff member, who has just been reading about the model, comes with a few clarifying questions about where software components sit in the rings.
Question : Where does the application itself run in a database system? Where does a type 1 hypervisor operate? And in which ring would a user-mode rootkit run?
Show analysis and answer
The application itself operates at Ring 3: this is the ring responsible for application isolation. All application logic, including the application layer of a database system, runs there with strict process isolation.
A type 1 (bare metal) hypervisor directly controls the host system's hardware and therefore operates at Ring 0, within the kernel: it drives the resource and memory allocation of the virtual machines and provides the interface for monitoring and managing the VMs. Watch the trap: it is not within the device drivers nor the system utilities.
A user-mode rootkit would run at Ring 3. A user-mode rootkit does not need access to low-level system processes and runs in the applications ring. By contrast, a kernel-mode rootkit would target Ring 0 - hence its greater danger and harder detection.
Takeaway : Applications and user-mode code = Ring 3; type 1 hypervisor and the most sensitive OS functions = Ring 0. The ring determines privilege, isolation, and the severity of a compromise.
Noninterference vs information flow
Do not confuse the two. The information flow model addresses information movement and permitted flows between subjects and objects. The noninterference model addresses isolation between sensitivity levels: one level must not influence another, and above all outputs must not disclose inputs or security decisions (e.g. a login does not reveal the entered password). If the stem mentions outputs betraying inputs, think noninterference.
The ring model is a metaphor, not an implementation truth
In the exam as in practice, remember that the theoretical model does not always fully describe a real system. Some hardware supports four rings but does not use Rings 1 and 2; others reserve Ring 1 for hypervisor tasks. Many OSs reduce to user mode (Rings 1-2-3 in the manual's split) and kernel mode (Ring 0). Do not assume all four rings are always used.
TPM is not a generic synonym for HSM
The TPM is a special type of HSM: embedded, compliant with the Trusted Computing Group standard, and equipped with a device-unique identity key. Not every HSM is a TPM. And the term TPM refers strictly to a standard-compliant module; equivalent modules from other vendors are called secure elements or secure enclaves, not TPM. If the stem stresses device-unique identity and standard compliance, it is the TPM.
Reference monitor (concept) vs security kernel (implementation), and a small TCB
Classic trap: the reference monitor is an abstract concept - the idea that a component mediates ALL subject->object accesses. The security kernel is its concrete implementation (hardware + firmware + software) within the TCB. If the stem speaks of a concept or of requirements (complete mediation/always invoked, tamperproof/isolated, verifiable/small enough to test), it is the reference monitor; if it speaks of the mechanisms that actually enforce mediation, it is the security kernel. Also remember why the TCB must stay small: only a small TCB is verifiable and testable enough - this is the reference monitor's verifiable property applied to the whole trusted set.
Secure boot VERIFIES signatures, measured boot MEASURES and attests
Do not confuse the two stages of trusted boot. Secure boot verifies the digital signature of each component and BLOCKS the execution of unapproved code (UEFI); its purpose is prevention. Measured boot blocks nothing: it MEASURES (hashes) each stage and extends the TPM's PCRs, producing a record used for remote attestation (proving a known boot state). If the stem mentions blocking an unsigned bootloader, it is secure boot; if it mentions proving state to an attestation server via the TPM's PCRs, it is measured boot.
Checkpoint — Checkpoint
-
During an audit, an analyst finds that an application's login process shows a different message depending on whether the login ID exists, thereby revealing information about the inputs. Which security model is violated?
- A State machine model
- B Information flow model
- C Noninterference model
- D Ring model
Answer & rationale
Answer : C — Noninterference model
The noninterference model requires that the system's outputs not disclose the security decisions or the inputs that generate them: a login must not reveal the entered values. The state machine compares states (e.g. a hash); information flow concerns the movement of information between subjects/objects; the ring model deals with hardware/software privilege levels, not input disclosure.
-
An application requests to save a file to storage. Per the ring model, why does this request receive more scrutiny than the OS's decision to scavenge unused memory locations?
- A Because the application runs at Ring 0 and the OS at Ring 3
- B Because the request crosses a ring boundary and must be evaluated against the security policy
- C Because the security kernel ignores the OS's internal operations
- D Because saving a file is always a privileged mode instruction
Answer & rationale
Answer : B — Because the request crosses a ring boundary and must be evaluated against the security policy
Every time a service request crosses a ring boundary it must be evaluated against the security policy; a request from an application (Ring 3) to storage crosses several boundaries and thus gets more scrutiny than an internal OS operation near Ring 0. A inverts the rings. C is false: the security kernel does monitor the OS. D overgeneralizes.
-
A vendor states that its chip includes secure key generation, secure storage, hashing, an RNG, an onboard cryptoprocessor, complies with the Trusted Computing Group standard, and carries a device-unique identity key. Which component is it?
- A A security kernel
- B A Trusted Platform Module (TPM)
- C An abstraction layer
- D A type 1 hypervisor
Answer & rationale
Answer : B — A Trusted Platform Module (TPM)
This is the exact definition of the TPM: an embedded HSM compliant with the Trusted Computing Group standard, mandating secure key generation, secure storage, hashing, an RNG, an onboard cryptoprocessor, and a device-unique identity key. The security kernel is software that monitors programs; the abstraction layer is a design principle; the type 1 hypervisor virtualizes hardware.
-
A team wants to analyze a suspected malware sample and test a system under development without risk to production. Which native capability, relying on virtualization, best meets this need?
- A A sandbox environment
- B A read-only file system attribute
- C A privileged mode instruction
- D A security kernel
Answer & rationale
Answer : A — A sandbox environment
The sandbox environment leverages virtualization for isolated testing and assessment, whether of systems under development or suspected malware: exactly the described use. A read-only file system attribute provides no isolated execution environment; a privileged mode instruction alters hardware/task state; the security kernel monitors programs but is not the isolated test environment.
-
An architect describes the theoretical component that must mediate ALL subject accesses to objects, never be bypassable, be protected against tampering, and stay small enough to be tested and proven correct. What is being described, and how is this component realized in a system?
- A The security kernel; it is realized by the reference monitor within the TCB
- B The reference monitor; it is concretely realized by the security kernel within the TCB
- C The security perimeter; it is realized by a covert channel
- D The TPM; it is realized by a type 1 hypervisor
Answer & rationale
Answer : B — The reference monitor; it is concretely realized by the security kernel within the TCB
The description matches the reference monitor and its three properties: complete mediation (mediates all accesses, always invoked/cannot be bypassed), tamperproof (protected against tampering), verifiable (small enough to be tested and proven correct). Its concrete implementation within the TCB is the security kernel. A inverts concept and implementation. The security perimeter is merely the TCB boundary, and a covert channel is a leak, not a realization. The TPM is a hardware root of trust, unrelated to access mediation, and a type 1 hypervisor virtualizes hardware.
-
Before admitting a host to the network, an access-control server requires the machine to prove that its firmware, bootloader, and kernel are in a known, approved state, by presenting measurements signed by its TPM chip. Which mechanism provides this proof, and how does it differ from secure boot?
- A Secure boot; it extends the TPM's PCRs to enable attestation
- B Measured boot; it measures/hashes each stage and extends the TPM's PCRs for remote attestation, whereas secure boot verifies signatures and blocks unapproved code
- C A trusted execution environment; it blocks any unsigned bootloader
- D A security kernel; it signs the PCRs for the server
Answer & rationale
Answer : B — Measured boot; it measures/hashes each stage and extends the TPM's PCRs for remote attestation, whereas secure boot verifies signatures and blocks unapproved code
This is measured boot: it measures (hashes) each boot stage and extends the TPM's PCRs, which enables remote attestation - proving a known boot state to a third party via TPM-signed values. Secure boot instead verifies each component's signature and blocks unapproved code; it does not itself provide the attestable record (A conflates the two roles). A TEE is an isolated runtime enclave and does not block bootloaders (C). The security kernel enforces access mediation and does not sign PCRs (D).
Key takeaways
- Three conceptual models to distinguish: state machine (states), information flow (flows), noninterference (outputs do not reveal inputs across levels).
- The ring model translates hardware capabilities: Ring 0 (sensitive OS, security kernel, hardware) to Ring 3 (applications); every boundary crossing is evaluated against the security policy.
- System foundations (memory management, code/data isolation, security kernel) are both low-level policies and design templates.
- Virtualization: VMs encapsulate entire systems, sandboxes test in isolation; access control and cryptographic systems extend the architecture.
- The TPM is an embedded HSM, compliant with the Trusted Computing Group, with a device-unique identity key, secure key generation/storage, hashing, RNG, and a cryptoprocessor.
- TCB = trusted components that enforce the policy (boundary = security perimeter); reference monitor (concept, NEAT) implemented by the security kernel; watch for storage/timing covert channels.
- Trusted boot: secure boot VERIFIES signatures (UEFI), measured boot MEASURES and extends the TPM's PCRs (remote attestation), the TEE isolates execution (SGX/TrustZone), all anchored on a root of trust.
Vulnerabilities of Security Architectures
Prerequisites : Familiarity with security models (Bell-LaPadula, Biba) and secure design principles, plus basic knowledge of virtualization and hypervisors.
Every system architecture inherits the vulnerabilities already present in its hardware, firmware, software and operational uses. Hardware can fail, communication links can suffer noise, interference or interruption, and users as well as designers can make mistakes. Assessing and then mitigating these vulnerabilities (Key Area E) requires understanding the characteristics specific to each type of architecture in order to apply the right controls to it.
This module reviews the major families of architectures described by the ISC2 manual: client/server systems and distributed systems; databases and their aggregation, inference and polyinstantiation attacks; ICS/SCADA, IoT and embedded systems; the cloud (IaaS/PaaS/SaaS models, NIST essential characteristics vs ISO/IEC 17788, VM sprawl); containers, microservices and serverless; and finally edge vs fog computing, HPC and distributed systems.
For each architecture, the approach stays the same: identify the distinctive characteristic, deduce the attack surface from it, then select the appropriate mitigations. General strategies (robust logical and physical access control, network segmentation, prompt patching, configuration management, user training) apply everywhere, but each architecture imposes its own exam pitfalls.
5.1 Client, server, and distributed systems
Client-based systems are traditionally the endpoints through which users access centrally provided services: workstations, laptops, point-of-sale terminals, or personal devices. They are labeled thick or thin depending on the complexity of the applications and OS they run locally; a thick client has its own storage and connectivity. The line between thick and thin is blurred and shifting. These clients inherit the vulnerabilities of their hardware, OS, and applications (malware, misuse, accidents) and are exposed to theft or loss, endangering residual data. Exploiting them can serve as a springboard to attack the servers they connect to. Mitigations are endpoint management matters: host-based anti-malware and IDS/IPS, endpoint management combined with MDM to handle patches and loss/theft, and network protections (segmentation, firewalls, IDS) that isolate client and network from each other.
Server-based systems fulfill a specific purpose (application, file, print, DNS servers). They are centralized, with limited access, and process far higher data throughput than a workstation, generating massive log volumes to analyze. A major pitfall: they are often kept in service for many years, sometimes with out-of-support software, for lack of redundancy allowing them to be taken offline to apply patches - even critical ones. Being networked exposes them to remote attacks; physical access to the server and its interconnection fabric opens an almost unlimited range of attacks, as does the logistics supply chain. The key mitigation for servers not migrated to the cloud is adding affordable redundancy, which removes the need to defer maintenance downtime and thus shortens the lag between receiving and applying a patch.
In a distributed environment, nodes and processors operate independently; storage and processing are spread across multiple components that synchronize via messaging. Nearly all forms of cloud are distributed systems, as is peer-to-peer. They often offer high redundancy (geographic data replication) and dynamic load balancing providing graceful degradation on failure. Their vulnerabilities: simpler distributed systems may lack the monitoring and control capabilities to detect failures or compromises in time, and the access control to support multiple classification levels. The mitigation is to strengthen access control, health monitoring, and IDS if the infrastructure supports it; otherwise, to isolate the distributed system physically, logically, and administratively.
- An exploited client serves as a springboard to attack connected servers.
- The server pitfall: kept in service out-of-support for lack of redundancy to patch.
- Physical access to a server opens an almost unlimited range of attacks.
- Distributed systems often lack monitoring and multi-level access control.
5.2 Databases: aggregation, inference, polyinstantiation
A database system is built around a DBMS (database management system) and the compute and storage resources hosting it. It can run on an endpoint, a thick client, servers, or clusters, and most now operate in cloud or distributed environments. A database inherits its platform's vulnerabilities and adds database-specific ones: malformed inputs, denial of service, and bypassing access controls. Because they hold large quantities of valuable information and require high transaction throughput, databases are very high-value targets.
Aggregation is the assembling of several pieces of information, each non-sensitive on its own, whose combination reveals sensitive information. A user with legitimate access to several innocuous fields may, by aggregating them, reconstruct a secret they should not have. Inference is more subtle: the subject deduces sensitive information from data they can access, by reasoning, without ever accessing it directly. The classic exam pitfall is confusing the two: aggregation combines data to reach a sensitive total; inference deduces what is not explicitly present.
Polyinstantiation is the flagship countermeasure against inference (and deductive aggregation). It allows multiple instances (versions) of the same record, differentiated by the classification level of the subject viewing it. A low-level user sees a plausible but decoy version, while the real record stays reserved for the cleared level. By presenting divergent values depending on clearance, polyinstantiation prevents the low-level subject from deducing the existence or value of the classified data, and from spotting an inconsistency that would betray a secret.
- Database-specific vulnerabilities: malformed inputs, DoS, bypassing access controls.
- Aggregation = combine; inference = deduce. Do not confuse them.
- Polyinstantiation counters inference by exposing different versions per clearance.
- Databases are very high-value targets (data volume and value).
5.3 ICS/SCADA, embedded systems, and IoT
Industrial control systems (ICS) monitor and control industrial machinery and critical infrastructure. For them, safety requirements often outrank security ones. Seen top-down, they comprise three components: SCADA (supervisory control and data acquisition), event-driven assemblies of equipment automating geographically distributed processes (power grid, pipelines, water treatment, rail); DCS (distributed control systems), confined to an area or plant and process-oriented; and PLCs (programmable logic controllers), ruggedized real-time industrial controllers driving sensors and actuators. Vulnerabilities specific to the embedded components of ICS: limited functionality and protection, long service life (10 to 20 years), high susceptibility to DoS and improper input, and above all attacks that can produce physical effects on the real world. They are often unattended in remote sites. Mitigations: isolated network infrastructure (air gaps or firewalls), connection restrictions and monitoring, highly segmented or microsegmented networks (zero trust), protected channels, and robust configuration control.
Embedded systems are microcontrollers built directly into mechanical, electrical, or hydraulic devices (cars, planes, medical devices, appliances). The boundary with ICS is blurred: an ICS often contains embedded systems, and the ICS itself may be embedded. Their operational risk is high: failure can render the host system inoperable, and their code sometimes resides in non-updatable read-only memory. Vulnerabilities: programming errors, exposed web interfaces, weak authentication or hard-coded credentials, poor cryptography, reverse engineering, malware, and eavesdropping. Stuxnet demonstrated sophisticated attackers' ability to target these systems. Mitigations: integration into the risk management framework with full inventory, patching within support limits, secure coding, and third-party risk management since they often come from vendor products.
IoT extends the miniaturization of embedded systems combined with ubiquitous wireless connectivity. These devices, from a simple status sensor to a calibrated device with safety-of-life implications, are no longer isolated on their own networks and thus present an expanded attack surface. Vulnerabilities: DoS worsened by reliance on wireless protocols (weak standard or proprietary ones) and multi-infrastructure transit; device physical security (theft, data remanence, reverse engineering, manipulation of the monitored environment); and cryptographic limits, since not all devices have the computing horsepower required.
- ICS = SCADA (supervision) + DCS (process) + PLC (real-time control).
- For ICS, safety often outranks security.
- ICS/embedded attacks = real physical effects; flagship mitigation = air gap / microsegmentation.
- Embedded: often non-patchable code, hard-coded credentials, surface worsened by wireless IoT.
5.4 Cloud: service models, essential characteristics, VM sprawl
Securing a cloud service means assessing every element of the provider's (CSP's) organization and technology. To stay efficient, one relies on standard audits by accredited third parties, supplementing as the organization's circumstances require. NIST defines cloud as a model for on-demand network access to a shared pool of configurable resources that can be rapidly provisioned and released with minimal management effort; the ISO/IEC 17788 definition is similar. NIST states five essential characteristics: on-demand self-service, broad network access, resource pooling (multi-tenant), rapid elasticity, and measured service. ISO/IEC 17788 keeps the five and adds a sixth: multi-tenancy, where physical or virtual resources are allocated and controlled so that processing and data of different tenants are isolated from and inaccessible to one another. This is exactly what Quiz Q3 targets.
Service models describe the split of management between CSP and consumer. NIST identifies three models, ISO/IEC 17789 four categories; the first three coincide. In SaaS, the consumer uses the provider's application without managing the underlying infrastructure. In PaaS, they deploy their own applications built with the provider's languages and tools, without managing the infra but controlling their applications. In IaaS, they provision compute, storage, and network to run arbitrary software (including OSs), with control over OS, storage, and applications. This gradient defines shared responsibility: the further down toward IaaS, the larger the consumer's share. ISO/IEC 17789 adds NaaS (Network as a Service), and offerings extend to IDaaS, SECaaS, CaaS, CompaaS, DSaaS. Deployment models (private, community, public, hybrid, plus GovCloud) describe the business relationships.
Three cloud vulnerabilities deserve attention: increased exposure to external communications; misconfiguration, since many organizations lack the skills and wrongly assume the CSP covers all security, when the consumer remains responsible for their own storage and processing; and becoming outdated, the SLA needing to clarify what the CSP maintains versus the consumer. On the virtualization side, VM sprawl (image management) is a classic pitfall: without control mechanisms and policies, VM images can be loaded and left running, copied to other areas, or exfiltrated (Quiz Q2). Other vulnerabilities: VM escape (an actor exploits a VM's credentials to attack the environment), hypervisor hardware weaknesses (Meltdown/Spectre type), and knowledge gap. Mitigations: change management applied to VMs and granular IAM (RBAC/ABAC) protecting the hypervisor from production workloads.
- NIST = 5 characteristics; ISO/IEC 17788 adds the 6th: multi-tenancy.
- SaaS -> PaaS -> IaaS: the consumer's security share grows.
- Misconfiguration: the consumer stays responsible for their storage/processing, not the CSP for everything.
- VM sprawl: images left running, copied, or exfiltrated for lack of control.
5.5 Containers, microservices, and serverless
Containerization provides a layer of shared OS services to reduce the size and complexity of individual VMs in a cloud environment. It lowers resource needs, shortens process startup time, and standardizes OSs. Open-source technologies like Docker and Kubernetes sit alongside proprietary approaches; adoption has been fast thanks to container portability across clouds. Vulnerabilities: insecure images (a vulnerable base image makes the container insecure), containers with excessive privilege (privileged flag), unrestricted communication between containers, malicious processes, and improper isolation from the host. Mitigations: image management (limit the number and configuration of images against image sprawl), immutable infrastructure (never patch a running instance but regenerate from a master image), granular security (minimal privileges per container), microsegmentation and firewalls, and proper configuration by trained staff, all the more so as platforms keep evolving.
Microservices are an implementation of service-oriented architecture (SOA) for the cloud: lightweight protocols carry information between highly isolated applications. Converting an application to microservices means breaking a large program into objects managed as separate execution threads, following the principle of "do one thing and do it well." Benefits: simplified maintenance (limited scope per service), conversion of batch processing into real-time without full redesign, and dynamic scaling far easier than on monolithic systems. Vulnerabilities: authorization (a poorly built microservice often runs at high privilege for convenience, dangerous if compromised), quality of service (a poorly structured microservice consumes more resources, e.g. spinning up a whole VM for an ephemeral service), and DoS (reliance on lightweight protocols like REST exposes any protocol weakness). Mitigations: authentication/authorization services (OAuth 2.0, SAML) with least privilege on service accounts, running in containers or serverless, and API gateways to protect access.
Serverless architecture extends the CSP's responsibilities to fully abstract the physical and logical infrastructure. Often called Function as a Service (FaaS), it makes the CSP responsible for elasticity, reallocating resources to match load. Services are accessed as functions reacting to events (other functions, external requests, file update, log entry, database transaction), often via an API gateway. A cloud newcomer, many of its attack patterns match those of other architectures (the topic is detailed by the Cloud Security Alliance). Specific vulnerabilities: malicious injection into the function (malformed inputs causing DoS or disclosure), insecure configuration (options multiplied by vendors to differentiate), and cross-execution data persistency (data kept between executions, unprotected and unpurged). Mitigations: train staff on configuring the vendor environment and apply secure coding with static, dynamic, and interactive testing.
- Containers: shared OS, beware insecure images and the privileged flag.
- Immutable infrastructure: regenerate from the master image, do not patch in place.
- Microservices: key risk = excessive privilege of compromised services.
- Serverless (FaaS): function injection and cross-execution data persistency.
5.6 Edge vs fog computing, HPC, and distributed systems
For the cloud to offer virtualized resources at reduced cost, information must move to the data center, which imposes high latency and raises confidentiality concerns. Edge and fog computing bring processing closer to the data sources to address this. Fog computing places a layer of compute resources closer to the input sources, providing application hosting and device management, and thus optimizes the movement of information into the cloud. Edge computing also encompasses endpoints, often embedded systems, at the network's edge; first at fixed locations, it now includes mobile devices via wireless.
The distinction, formalized by NIST SP 500-325, concerns the level of processing. Fog is hierarchical: it runs applications in a multi-layer architecture that decouples and meshes hardware and software functions, allowing dynamic reconfigurations, and it addresses, beyond compute and networking, storage, control, and processing acceleration. Edge runs specific applications in a fixed logical location and provides a direct transmission service, limited to a small number of peripheral devices. The exam pitfall (Quiz Q5): fog = hierarchical and multi-layer; edge = local, fixed, few devices. Their vulnerabilities: network compromise (edge relies heavily on the network; DoS and physical disruption of connectivity) and increased attack surface (multiplying devices raises the risk that a single misconfigured one becomes a bridgehead). Mitigations: stronger network monitoring and incident response, and hardened inventory/accountability to limit sprawl and rogue or obsolete devices.
High-performance computing (HPC) addresses problems demanding far more resources than usual: modeling nuclear explosions, climate change, or earthquakes, via massive numbers of processors working simultaneously. Long reserved for government agencies, it is now offered commercially, often coupled with the cloud, by maximizing productive use of resources - which may lead to compromising some traditional security controls to gain performance. The particular challenges lie in integrity and availability. Vulnerabilities: latency constraints (traditional tools like IDS/IPS or firewalls would impose unacceptable latency on parallel processes) and improper workloads (a compromised HPC may have its time consumed by unauthorized loads, like the Russian supercomputer diverted to mine Bitcoin in 2018). Mitigations: proper architectural design (secure compute enclaves, perimeter detection to offset reduced internal controls) and suitable monitoring/logging despite their compute cost. Finally, distributed systems (seen in L1) underpin nearly all these cloud architectures and remain a cross-cutting thread.
- Fog = hierarchical, multi-layer, compute + storage + control.
- Edge = local, fixed, small number of devices, direct transmission.
- HPC: the chase for performance can weaken controls; integrity/availability stakes.
- Edge/fog: increased surface, one misconfigured device becomes a bridgehead.
Case studies
Stuxnet: the attack that crossed into the physical world
Context : Stuxnet is cited by the ISC2 manual as the demonstration of sophisticated attackers' capabilities against embedded systems. The worm targeted PLCs driving precise industrial processes, exploiting the fact that these systems are lucrative targets when one seeks to disrupt a business process. The targeted facility was isolated from the network (air gap), which was supposed to protect it. The worm nonetheless reached the controllers: carried on removable media, it crossed the isolation, then manipulated the commands sent to the equipment while reporting normal readings back to operators, illustrating eavesdropping and undetected transaction manipulation.
Question : If the air gap was not enough, which characteristics of ICS/embedded systems did Stuxnet exploit, and what mitigations does the manual recommend beyond isolation?
Show analysis and answer
Stuxnet exploits structural traits of ICS and embedded systems described in the manual: the possibility that attacks produce physical effects, sensitivity to improper input, and the fact that eavesdropping coupled with weak cryptographic protections allows undetected transaction manipulation. The air gap is a real mitigation (isolated network infrastructure), but it does not cover the removable-media vector nor the trust placed in internal commands.
The manual recommends defense in depth: beyond isolation, robust network connection restrictions, access control, and monitoring; highly segmented or microsegmented networks following zero trust principles; communication channels protected against interception and alteration of control flows; and robust configuration control detecting unauthorized changes to the ICS software, configuration data, and security parameters. On the embedded side, add integration into the risk management framework with full inventory, patching within support limits, secure coding, and third-party risk management.
The case shows that for an ICS, safety and security converge: protecting the integrity of commands also protects lives and equipment. No single control suffices; it is the combination of segmentation + configuration control + protected channels that reduces risk.
Takeaway : An air gap is not enough for an ICS: defense in depth is needed (segmentation/microsegmentation, configuration control, protected channels) because attacks on these systems have physical effects.
Aggregation vs inference
Recurring pitfall. Aggregation COMBINES several innocuous pieces of data to reach explicitly reconstructable sensitive information. Inference DEDUCES sensitive information by reasoning, without ever accessing or directly reconstructing it. Spot the scenario's verb: "assemble/combine" points to aggregation; "deduce/conclude" points to inference. The typical countermeasure against inference is polyinstantiation (different versions per clearance).
Edge vs fog computing
Often confused (NIST SP 500-325 distinguishes them). FOG is HIERARCHICAL and multi-layer, and addresses compute, networking, storage, control, and processing acceleration. EDGE is LOCAL and FIXED, runs specific applications at a fixed logical location with direct transmission, and is limited to a small number of peripheral devices. Mnemonic: Fog = layered cloud above; Edge = the rim, pointwise.
Proprietary embedded systems = security through obscurity
Assessing the security characteristics of proprietary control systems is often difficult, forcing the organization to rely on the vendor's assurances. Relying on secrecy of design (security through obscurity) is a risk, not a control: hard-coded credentials, poor cryptography, and firmware reverse engineering precisely expose those secrets. The pitfall: believing a closed system is safe because it is opaque. The correct answer involves third-party risk management and inventory, not blind trust.
Checkpoint — Checkpoint
-
An uncleared analyst separately reads a site's headcount, its logistics budget, and its delivery schedule - all unclassified. By cross-referencing them, he reconstructs the timeline of a classified operation. Which threat is this, and which countermeasure best prevents it?
- A Inference, prevented by encryption at rest
- B Aggregation, prevented by polyinstantiation or access control at the aggregate level
- C Polyinstantiation, prevented by aggregation
- D Denial of service, prevented by redundancy
Answer & rationale
Answer : B — Aggregation, prevented by polyinstantiation or access control at the aggregate level
This is aggregation: combining several innocuous pieces of data to reconstruct sensitive information. Polyinstantiation or access control applied at the aggregate level mitigate it. A describes inference (deduction), not the combination present here. C inverts the concepts (polyinstantiation is a defense, not a threat). D does not address confidentiality.
-
A DevOps team finds hundreds of running VM images, some copied into unknown accounts, with no record of who launched them. Which virtualization risk is at play and which mitigation applies?
- A VM escape, fixed by a hypervisor patch
- B VM sprawl (image management), fixed by change management and image control policies
- C Multi-tenancy, fixed by encryption
- D Knowledge gap, fixed by an SLA
Answer & rationale
Answer : B — VM sprawl (image management), fixed by change management and image control policies
Images loaded, left running, copied, or exfiltrated without control describe VM sprawl, mitigated by change management and image control policies. A (VM escape) is about breaking out of a VM toward the hypervisor, not image proliferation. C (multi-tenancy) is a cloud characteristic, not this risk. D (knowledge gap) is another virtualization risk, not described here.
-
An architect is looking for the essential cloud characteristic that appears in ISO/IEC 17788 but NOT in NIST's list of five. Which one?
- A Rapid elasticity
- B Measured service
- C Multi-tenancy
- D On-demand self-service
Answer & rationale
Answer : C — Multi-tenancy
ISO/IEC 17788 keeps the five NIST characteristics and adds a sixth: multi-tenancy (isolation of tenants sharing resources). A, B, and D are among the five essential characteristics defined by NIST, hence common to both standards.
-
A manufacturer deploys proprietary process controllers and claims they are safe because their design is secret and undecipherable. Which security reasoning is flawed?
- A Secrecy of design (security through obscurity) is a sufficient control
- B Proprietary systems must be integrated into third-party risk management
- C Firmware reverse engineering can expose the design
- D Hard-coded credentials are a backdoor risk
Answer & rationale
Answer : A — Secrecy of design (security through obscurity) is a sufficient control
The flawed claim is A: secrecy of design (security through obscurity) is not a sufficient control. The manual stresses that reverse engineering (C) exposes the design and that hard-coded credentials (D) open backdoors; both are accurate. B is the good practice: unable to assess a proprietary system, one relies on third-party risk management rather than blind trust.
-
A plant wants hierarchical, multi-layer processing near the sources, handling compute, networking, storage, control, and acceleration, with dynamic reconfiguration. Which paradigm fits, as opposed to the one limited to a few devices at a fixed location?
- A Edge computing, as opposed to fog computing
- B Fog computing, as opposed to edge computing
- C HPC, as opposed to serverless
- D Containerization, as opposed to microservices
Answer & rationale
Answer : B — Fog computing, as opposed to edge computing
Fog computing is hierarchical and multi-layer and addresses, beyond compute and networking, storage, control, and processing acceleration, with dynamic reconfiguration - this is the NIST SP 500-325 definition. Edge (A) is local, fixed, and limited to a small number of peripheral devices: it is the opposite described. C and D concern other architecture families unrelated to hierarchical proximity to sources.
Key takeaways
- Each architecture inherits the vulnerabilities of its hardware, firmware, software, and use; identify its distinctive characteristic before choosing controls.
- Databases: aggregation = combine, inference = deduce; polyinstantiation counters inference.
- ICS/embedded: attacks have physical effects; air gap, microsegmentation, and configuration control as defense in depth (cf Stuxnet).
- Cloud: NIST = 5 characteristics, ISO/IEC 17788 adds multi-tenancy; security responsibility grows from SaaS toward IaaS; beware VM sprawl.
- Fog = hierarchical multi-layer; edge = local and fixed; HPC sometimes trades controls for performance (integrity/availability stakes).
Cryptography: Foundations and Algorithms
Prerequisites : Familiarity with the CIA triad and basic data protection notions (data states, classification).
Cryptography is at the heart of almost every digital action: it protects confidentiality and contributes to integrity, authenticity, non-repudiation and access control. The CISSP does not need to know the mathematics behind the algorithms, but must have a solid grasp of the core concepts in order to choose, deploy and manage cryptographic solutions (Key Area F).
A warning frames the whole domain: designing a correct cryptographic system demands deep theoretical, mathematical and software expertise. Amateurs produce ciphers that are easily bypassed and, worse, a false sense of security. The engineering rule is therefore to use proven, tested and validated off-the-shelf systems, and never to design your own algorithm or your own key management scheme.
This module lays the foundations: the vocabulary (plaintext, ciphertext, algorithm, key, work factor, cryptosystem, cryptovariable), the distinction between encoding, encryption and hashing, then the two major families of algorithms (symmetric and asymmetric), their hybrid combination, the problem of the number of keys, hashing and random number generation. Certificates, signatures and the key life cycle are covered in the next module.
6.1 Vocabulary and foundations: from plaintext to cryptosystem
At the heart of any encryption system, an original set of data, the plaintext, is transformed into an unintelligible form, the ciphertext. The plaintext can be anything that is digitally representable (executable files, images, queries, database records): it is not necessarily human-readable text. Be careful not to confuse plaintext with cleartext, which refers to information deliberately left in the clear (for example IP packet headers).
An encryption system (or cryptosystem) is the whole set of hardware, software, algorithms, control parameters and operational methods that provide encryption services. The algorithm is the transformation method; the key is the secret parameter that configures that method. Older cryptographers called these parameters the cryptovariables of a system: the key is the cryptovariable par excellence.
The work factor is the effort an attacker must expend to break the encryption. It is tied to the size of the key: a 16-bit key defines a key space of 65,536 values, a 256-bit key a 78-digit number in base 10. But size alone is not enough: Elliptical curve cryptography provides comparable strength with a much shorter key. Key strength therefore results from the combination of key length AND algorithm.
Two founding principles frame the discipline. Kerckhoffs's principle: a well-designed system must remain secure even if everything but the key is known to the adversary; security by obscurity is inherently flawed. Claude Shannon's corollary (1949) sums it up: the enemy knows your system. Only the keys can be protected, and that is precisely what must be done.
- Plaintext is not necessarily readable; do not confuse it with cleartext (deliberately left in the clear).
- A cryptosystem is far more than the algorithm: hardware, parameters, operational methods.
- Work factor grows with key size, but real strength = key length + algorithm.
- Kerckhoffs and Shannon: only the key must be secret; security by obscurity is flawed.
6.2 Encoding vs encryption vs hashing
These three transformations are regularly confused on the exam, even though they meet distinct needs. Encoding is a simple mapping of symbols to numbers or to another format: assigning A=0, B=1 ... Z=25, or using a character set such as Unicode-8 or Unicode-16. Encoding does NOT aim for secrecy: it is reversible without a key and provides no confidentiality or integrity.
Encryption transforms plaintext into ciphertext using an algorithm AND a key. It aims for confidentiality (and, depending on the scheme, contributes to authenticity or non-repudiation). It is reversible ONLY with the correct key: it is possession of the key that distinguishes the one who can decrypt from the one who cannot.
Hashing applies a one-way function that produces, from a message of arbitrary length, a fixed-length output called a message digest. Hashing does NOT use a cryptographic key (even though we speak of cryptographic hashing) and is not reversible: it aims for integrity, not confidentiality. Integrity is verified by recomputing the digest and comparing it: a single changed bit changes the digest.
Two properties are essential. The hash must be collision resistant: it must be hard to find two different inputs producing the same digest. And it must be deterministic: the same input always produces the same digest. Symmetrically, encryption must guarantee the absence of collisions (two distinct plaintexts yield two distinct ciphertexts) and deterministic decryption (a ciphertext yields only a single plaintext).
- Encoding = format, no secrecy, reversible without a key (protects nothing).
- Encryption = confidentiality, reversible with the key.
- Hashing = integrity, one-way, keyless, fixed-length output.
- Classic exam trap: confusing these three transforms in a scenario.
6.3 Symmetric encryption: DES, 3DES, AES, modes, and the one-time pad
Symmetric encryption uses the same key to encrypt and decrypt; decryption is simply the exact inverse of encryption. All classical algorithms are symmetric and often combine substitution (replacing bits with others according to a cryptovariable) and transposition (changing the position of the bits). Two architecture characteristics define these systems: block versus stream. A stream system encrypts one symbol at a time; a block system processes fixed-length groups (the block size is typically measured in 8-bit bytes).
The history of the standards is illuminating for the exam. The Data Encryption Standard (DES), submitted by IBM, was adopted in 1977 as the federal standard for unclassified documents. Its overly short key (56 bits) doomed it: 3DES (Triple DES) extended DES but was to be retired (around 2023 according to NIST). NIST launched the Advanced Encryption Standard (AES) competition in 2000; in November 2001, FIPS 197 approved a variant of the Rijndael algorithm. AES remains the only publicly published cryptographic algorithm capable of protecting data classified up to top-secret level in the United States.
Other symmetric algorithms are worth knowing: Blowfish and Twofish (Bruce Schneier), RC4 (stream, used in WEP and SSL/TLS, banned from TLS by RFC 7465 in 2015), RC5 and RC6 (Ron Rivest, configurable), IDEA (128-bit key, 64-bit blocks), CAST and SAFER (a variant used as a block cipher in Bluetooth). The running key cipher illustrates the use of modular arithmetic: Ciphertext = plaintext + key (modulo 26) for the Latin alphabet.
The one-time pad (Vernam cipher) is the only system considered unbreakable if correctly implemented: the key is as long as the message, perfectly random and used only once. The session keys used on the internet are a form of one-time pad. Advantages of symmetric: fast, lightweight, memory-efficient. Major drawbacks: it depends entirely on a key generation and distribution infrastructure, and it cannot, on its own, ensure either integrity or non-repudiation.
- Symmetric = single key, fast and lightweight, but key distribution hard at scale.
- DES (56-bit) obsolete, 3DES retired, AES (Rijndael) is the current standard.
- Block processes blocks; stream processes symbol by symbol.
- The one-time pad is unbreakable but needs a random key, as long as the message, used once.
- Symmetric alone provides neither integrity nor non-repudiation.
6.4 Asymmetric encryption: RSA, ECC, Diffie-Hellman-Merkle, ElGamal
Asymmetric encryption uses a fundamentally different algorithm and key to encrypt and decrypt. It relies on trapdoor functions (one-way functions): easy to compute in one direction, extremely costly in the other. Two families of mathematical problems underpin common algorithms: discrete logarithms (used by ECC, ElGamal, Diffie-Hellman-Merkle and others) and prime factoring (factoring very large prime numbers, used only by RSA).
Each party holds a key pair: a private key kept secret and a public key that can be freely distributed. The principle is one of zero prior knowledge: two parties with no shared secret can nonetheless establish a shared secret. Diffie, Hellman and Merkle published in 1976 the first key exchange algorithm based on this principle (patent 1977, now expired). RSA (Rivest, Shamir, Adleman, 1977) offers encryption AND signatures, and provides non-repudiation, integrity and source authentication. ElGamal builds on Diffie-Hellman but adds confidentiality and signatures.
Elliptic Curve Cryptography (ECC) has the highest strength per bit of key length of all asymmetric algorithms. This property is central to the exam: ECC achieves equivalent security with much shorter keys. As an example from the manual, a top-secret classification requires a 384-bit ECC key where RSA requires 7680 bits. Hence the value of ECC for smart cards, wireless and any context limited in power, bandwidth or storage.
Advantages of asymmetric: it solves the key distribution problem (exchange over an untrusted channel without prior sharing), it scales well (each party only needs its own key pair) and it provides non-repudiation, access control and integrity. Major drawback: it is very slow, hence impractical for encrypting large amounts of data (inefficient beyond roughly 64 KB). It is reserved for integrity, authentication and non-repudiation.
- Asymmetric = different keys (private/public), trapdoor functions.
- RSA = prime factoring; ECC, ElGamal, Diffie-Hellman = discrete logarithms.
- ECC has the highest strength per bit: 384-bit ECC equals 7680-bit RSA (top-secret).
- Advantages: solves key distribution and scales (one key pair per party).
- Drawback: slow, impractical for large volumes (beyond about 64 KB).
6.5 Hybrid encryption and the key-count problem
Neither family is ideal on its own: symmetric is fast but struggles to distribute its keys, asymmetric distributes well but is slow. Hybrid encryption combines the strengths of both. The typical scheme: asymmetric encryption is used to produce and transport a session key, which then serves to symmetrically encrypt the content for that session only. SSL and TLS are hybrid systems; almost every internet user invokes their services on every secure page.
Concrete walkthrough (Alice to Bob): Alice encrypts the message with a symmetric key, without worrying about size since symmetric is fast. She produces a ciphertext message (CTM). To transmit the symmetric key over an untrusted channel, she encrypts it with Bob's public key, producing a ciphertext key (CTK). Bob decrypts the CTK with his private key, recovers the symmetric key, then decrypts the CTM. This yields both the speed of symmetric AND the distribution security of asymmetric.
The problem of the number of keys explains why symmetric alone does not scale. In a purely symmetric system, each pair of users needs its own unique key. For N users, the number of keys required is N(N-1)/2. The growth is quadratic: an organization of 10,000 users would need nearly 500 million keys, a management nightmare. Asymmetric solves this problem: each party only needs its own key pair, which is linear growth.
A final operational point: key distribution is done either in-band (over the same channel as the encrypted traffic) or out-of-band (by another means). Historically, many so-called military-grade systems were not broken by attacking the keys themselves, but by subverting the distribution process. This is a risk in both cases, and it is a reminder that security lies in key management, not in the secrecy of the algorithm.
- Hybrid = asymmetric for the session key + symmetric for content (SSL/TLS).
- Pure symmetric: N(N-1)/2 keys; 10,000 users = about 500 million keys.
- Asymmetric: one key pair per party, linear growth.
- In-band vs out-of-band distribution: the weak link is often distribution, not the algorithm.
6.6 Hashing, collisions, and random number generation
A hash function applies a one-way operation that produces, from a message of arbitrary length, a fixed-length message digest. Recomputing the digest on a copy and comparing it allows integrity to be verified: if a single bit has changed, the digest differs. Hash functions do not use a cryptographic key; they are strengthened by random number generators via seed values or salt values.
A hash function must satisfy five requirements: be uniformly distributed (unpredictable output), collision resistant (hard to find two inputs giving the same digest), impossible to invert (irreversible), computed on the entire message, and deterministic (same input, same output). Collision is the central risk: two messages producing the same digest. Increasing the size of the digest improves resistance to collisions.
Examples of algorithms to know: MD5 (Rivest, 1992, 128-bit digest) is now deprecated because collisions in it are computable, which makes it unfit for secure communications and signatures. SHA-1 (NIST, 160-bit digest) is more robust than MD5 but has also been subjected to collision attacks. The SHA-2 family (SHA-224 to SHA-512) offers digests of 224 to 512 bits; SHA-3 (2015) has a very different structure and can substitute for SHA-2 if needed.
Random and Pseudorandom Number Generators (RNG/PRNG) are a recurring source of problems. Most cryptographic processes rely on random numbers as seeds, salts or other cryptovariables, for key generation as well as for hash functions. Yet software cannot produce true randomness: a PRNG only provides a sequence with a reasonably random probability of occurrence. PRNG vulnerabilities (clumping, predictability of the next value) have caused many exploits. Hardware implementations exploit physical phenomena (thermal noise, radioactive decay, cosmic ray impacts) to approach true randomness.
- Hashing targets integrity: one-way, keyless, fixed-length output.
- Five requirements: uniform, collision resistant, irreversible, over the whole message, deterministic.
- MD5 and SHA-1 are weakened by collision attacks; prefer SHA-2/SHA-3.
- PRNGs are not truly random; their weaknesses have caused many exploits.
- Hardware uses physical phenomena to approach true randomness.
Case studies
Choosing a crypto architecture for an enterprise messaging system
Context : An organization of 20,000 employees wants to encrypt the internal messages exchanged among all users. The team first proposes a purely symmetric scheme: a single key per pair of users, distributed in advance. The security architect asks for an estimate of the number of keys to generate and manage, then a recommendation of an architecture that takes into account speed, key distribution and the need to prove the origin of messages. Users send both short text messages and large attachments. Some contractual exchanges require non-repudiation.
Question : How many keys would a purely symmetric scheme require for 20,000 users, and what architecture should be recommended?
Show analysis and answer
For N users, the number of unique symmetric keys is N(N-1)/2. With N = 20,000: 20000 x 19999 / 2 = 199,990,000, that is nearly 200 million keys to generate, distribute, store and rotate. Since the growth is quadratic, the purely symmetric scheme is unmanageable at this scale: this is precisely the key distribution problem that motivated the invention of asymmetric.
The answer is neither all symmetric nor all asymmetric, but hybrid. Asymmetric encryption is used to transport a symmetric session key: each user manages only its own key pair (linear growth), while the content, including the large attachments, is encrypted quickly in symmetric. Asymmetric alone would be too slow beyond roughly 64 KB.
For the non-repudiation of the contractual exchanges, symmetric alone is not enough: an asymmetric mechanism is required (the content will be covered in the next module via signatures and PKI). The need to prove the origin confirms that an asymmetric component is indispensable. On the algorithm side, AES for symmetric, and ECC if short keys are wanted (mobile devices, smart cards) with high strength per bit.
Takeaway : At scale, pure symmetric explodes in key count (N(N-1)/2); hybrid combines symmetric speed with asymmetric distribution and non-repudiation.
Encoding, encryption, and hashing are not interchangeable
A recurring trap pits these three transforms against each other. Encoding (e.g., Unicode, Base64) provides NO secrecy: it is reversible without a key. Encryption provides confidentiality and is reversible only with the key. Hashing provides integrity, is one-way, and uses no key. If a scenario asks to protect confidentiality, encoding is wrong; if it asks to verify integrity without being able to reconstruct the data, hashing is the answer.
ECC: highest strength per bit, hence shorter keys
A classic question asks which asymmetric algorithm offers the highest strength per key bit: ECC. Do not conclude that ECC is weaker because its keys are short: it is the opposite. A 384-bit ECC key equals a 7680-bit RSA key (NSA-acceptable for top-secret). This efficiency makes ECC ideal for smart cards, wireless, and environments limited in power, bandwidth, or storage.
Computing the number of symmetric keys: N(N-1)/2
For the number of unique symmetric keys in a group of N users, apply N(N-1)/2, not N squared or N(N-1). Manual example: 10,000 users need about 500 million keys; 20,000 users need nearly 200 million pairs (20000 x 19999 / 2). The quadratic growth shows why pure symmetric does not scale and why asymmetric (one key pair per person) solves scalability.
Checkpoint — Checkpoint
-
A team must verify that a downloaded file has not been altered, without needing to reconstruct it or share a key. Which transformation should they choose?
- A Encoding (e.g., Base64)
- B Hashing (one-way function)
- C Symmetric encryption
- D Asymmetric encryption
Answer & rationale
Answer : B — Hashing (one-way function)
Hashing produces a fixed-length, one-way message digest with no key: recomputing and comparing the digest proves integrity. Encoding provides no security guarantee. Encryption (symmetric and asymmetric) targets confidentiality, requires a key, and allows reconstructing the data, which is not the need here.
-
A 20,000-user organization considers a purely symmetric system where each pair of users shares a unique key. How many keys must it manage?
- A 20,000
- B About 400 million (N squared)
- C About 200 million (N(N-1)/2)
- D 40,000 (2N)
Answer & rationale
Answer : C — About 200 million (N(N-1)/2)
The number of unique symmetric keys for N users is N(N-1)/2, i.e., 20000 x 19999 / 2 = 199,990,000, about 200 million. N squared and 2N are classic formula errors; 20,000 (one per user) corresponds to asymmetric, not pairwise symmetric. The quadratic growth shows why pure symmetric does not scale.
-
A designer must deploy asymmetric encryption on smart cards limited in power and storage, while keeping high security. Which algorithm offers the highest strength per key bit?
- A RSA
- B 3DES
- C ECC (Elliptic Curve Cryptography)
- D Diffie-Hellman-Merkle
Answer & rationale
Answer : C — ECC (Elliptic Curve Cryptography)
ECC has the highest strength per bit of any asymmetric algorithm: a 384-bit key equals a 7680-bit RSA key, saving power, bandwidth, and storage (ideal for smart cards). RSA requires much longer keys. 3DES is symmetric, off-topic here. Diffie-Hellman-Merkle handles key exchange but lacks ECC's strength per bit.
-
Alice wants to send Bob a large attachment over an untrusted channel, quickly and confidentially. Which approach is most appropriate?
- A Encrypt the whole attachment with asymmetric using Bob's public key
- B Encrypt the attachment with symmetric, then send the session key encrypted with Bob's public key (hybrid)
- C Encode the attachment in Base64 before sending
- D Hash the attachment and send only the digest
Answer & rationale
Answer : B — Encrypt the attachment with symmetric, then send the session key encrypted with Bob's public key (hybrid)
Hybrid encryption fits the need exactly: fast symmetric for the large content, asymmetric to carry the session key over the untrusted channel. Asymmetric alone is too slow beyond about 64 KB. Encoding provides no confidentiality. Hashing does not let Bob reconstruct the attachment.
-
During an audit, the pseudorandom number generator of a cryptosystem is found to produce predictable values. What is the main risk?
- A The encryption algorithm becomes public
- B Keys, seeds, and salts become predictable, lowering the attacker's work factor
- C The message digest becomes longer than expected
- D The encryption automatically switches to block mode
Answer & rationale
Answer : B — Keys, seeds, and salts become predictable, lowering the attacker's work factor
Cryptographic processes rely on random numbers as seeds, salts, and for key generation. A predictable PRNG (or one with clumping) lets an attacker guess the next value, shrinking the search space and the attacker's work factor: a major source of exploits. The algorithm's secrecy is not the issue (Kerckhoffs: only the key is secret). Digest length and block/stream mode do not depend on the PRNG.
Key takeaways
- Vocabulary: plaintext to ciphertext via algorithm + key; work factor measures attacker effort; the key is the central cryptovariable.
- Encoding (format, no secrecy) vs encryption (confidentiality, with key) vs hashing (integrity, keyless, one-way).
- Symmetric: fast, single key, but N(N-1)/2 keys at scale; AES replaces DES/3DES.
- Asymmetric: key pair, solves distribution and scalability, slow; ECC has the highest strength per bit, RSA rests on factoring.
- Hybrid (TLS) combines both; security rests on key management (Kerckhoffs), not on the secrecy of the algorithm.
PKI, Digital Signatures and Key Management
Prerequisites : Comfortable with the fundamentals of symmetric/asymmetric encryption and hashing (earlier Domain 3 modules).
Encryption solves confidentiality, but it does not tell you WHO owns a public key, nor how to guarantee that a message has not been altered and that its sender cannot later deny it. This module covers the services that meet these needs (Key Area F): digital signatures, public key infrastructure (PKI), and key lifecycle management.
Two ideas frame the whole topic. First the digital signature: you hash the message, then encrypt the digest with the sender's private key, which simultaneously provides integrity, source authentication, and non-repudiation. Then PKI: a set of protocols, software, and authorities (CA, RA, VA) that binds a public key to an identity through a signed X.509 certificate.
Finally, the real security of a cryptosystem does not rest on the algorithm - assumed public under Kerckhoffs - but on protecting the keys. Key management (generation, storage, distribution, expiry, revocation, destruction/archival) is the most critical activity, governed by NIST SP 800-57, ISO 11770, and ANSI X9.24. Most successful compromises exploit poor key management, not an algorithmic weakness.
7.1 Digital Signatures and Non-repudiation
A digital signature is a block of data produced in two steps: first you hash the message with a hash function, yielding a content-dependent digest (message digest); then you encrypt that digest with the sender's private key. This encrypted digest is the signature. It is appended to the cleartext (unencrypted) message and sent to the recipient.
On receipt, the verifier decrypts the signature with the sender's public key to recover the original digest, then independently recomputes the digest of the received message and compares bit by bit. If they match, three properties hold at once: integrity (the message has not been altered, even by a single bit), source authentication (only the holder of the private key could have produced the signature), and non-repudiation (the sender cannot deny having signed).
Signing must not be confused with encrypting. Signing does NOT protect confidentiality: the message stays readable, and anyone holding the sender's public key can decrypt the digest. To get confidentiality AND proof of origin, you nest two operations (sign with your private key, then encrypt the whole with the recipient's public key). Non-repudiation in the strict sense requires digital signatures: symmetric encryption alone cannot provide it, because the key is shared.
Non-repudiation delivers three services: preventing the sender from denying they sent the message, verifying integrity, and preventing the recipient from claiming they received a different message. NIST published FIPS 186-4 (Digital Signature Standard, DSS), which standardizes the terminology and approved algorithms. Uses are numerous: vendor-signed software updates validated by a trusted installer, signed device drivers, smart contracts, documents and contracts, apostille/notario processes, and chain of custody preservation in digital forensics.
- Signing = hash the message THEN encrypt the digest with the sender's PRIVATE key.
- A signature provides integrity + source authentication + non-repudiation, but NOT confidentiality.
- Verifying = decrypt with the sender's PUBLIC key and compare to the recomputed digest.
- Symmetric encryption alone cannot provide non-repudiation (shared key).
7.2 PKI: CA, RA, VA and the Chain of Trust
A public key is just a string of numbers: by itself it has no link to a person or organization. The problem is therefore to reliably assure that a public key truly corresponds to the signer's private key and to their identity. The public key infrastructure (PKI) solves this: it publishes the public keys tied to an entity, certifies that a public key is bound to an individual or organization, and verifies that a public key is valid and correct. The heart of PKI is its certificate mechanism.
The certificate authority (CA) is the trusted third party that attests a certificate owner truly holds a given public key. To do so, the CA digitally signs the entity's certificate with its own private key. There is one root CA in a PKI system; it can delegate authority to subordinate CAs to share the workload of issuing and validating. This delegation establishes a hierarchy of trust: a user trusts a subordinate CA because that trust ultimately flows back up to the root CA. This is the chain of trust.
The registration authority (RA) accepts and validates the identification information submitted by a user requesting a public key and certificate. The RA may be part of the CA's team or a separate organization; it does not sign certificates. Another entity, the validation authority (VA), provides authentication of a certificate's validity (that it has not expired or been revoked).
PKI rests on the trust placed in the CA. The DigiNotar case (2011) shows the risk: an attacker issued dozens of fraudulent certificates, used for man-in-the-middle attacks against Gmail users in Iran. When a root CA is compromised, all derived trust collapses, forcing browsers and organizations to push emergency patches and update revocation lists. PKI uses the Diffie-Hellman-Merkle key negotiation algorithm to let two parties derive a shared secret (a session key) without transmitting it.
- The CA signs the certificate with its private key; trust flows up to the root CA.
- The RA validates the requester's identity; it does not sign certificates.
- The VA confirms a certificate's validity (not expired, not revoked).
- Compromising a root CA collapses the entire chain of trust (cf. DigiNotar).
7.3 X.509 v3 Certificates and Revocation
ITU standard X.509, part of the X.500 family for directories, defines how to issue certificates, their contents, and their expiration and revocation processes; it also defines how to verify that a public key truly belongs to the certificate owner. X.509 version 3 is the most widely used today.
An X.509 certificate contains, among other fields: the algorithm used for the signature, the issuer name (the CA's X.500 name), the period of validity (start and end dates), the subject's name (owner of the public key), the subject's public key information (key, algorithm, parameters), optional unique identifiers for issuer and subject, an Extensions field that allows user-defined extensions to certificates - a key feature of v3 - and finally the CA's digital signature, that is, the hash of the certificate encrypted with the CA's private key.
An issued certificate can become unreliable: for example if the subscriber misrepresented their identity to the CA, or if the holder believes their private key was lost or compromised. In that case the CA revokes (permanently invalidates) the certificate and publishes a revocation notice. Typical reasons are: compromised key, changed purpose, the organization ceasing to trade, or a name change.
Two revocation mechanisms coexist. The certificate revocation list (CRL) is a list of revoked certificates the client periodically downloads from the CA to compare serial numbers; its drawback is growing size (bandwidth, latency), so many browsers no longer support it by default. The online certificate status protocol (OCSP) queries the CA for a single certificate and returns a status (good, revoked, unknown, or an error code); more efficient than the CRL, it is nonetheless not fully secure - vulnerable to man-in-the-middle and prone to introducing delays.
- X.509 v3 is the dominant format; its Extensions field allows user-defined extensions.
- The certificate's signature is the hash of the certificate encrypted with the CA's private key.
- Revocation reasons: compromised key, changed purpose, ceasing trade, name change.
- CRL = downloaded list (heavy); OCSP = per-certificate query (efficient but MITM-vulnerable).
7.4 Key Lifecycle, Escrow and Recovery
Key management covers everything involved in generating, recording, transcribing, distributing, installing, storing, changing, and using keys, down to disposing of the equipment that retains key-related data. It is the total control of cryptographic keys. Under Kerckhoffs' principle the algorithm is public: it is the keys that make the system strong. That is why key management is the most critical activity - attacks against keys are far more likely and more effective than attacks against algorithms. Three bodies of practice frame it: NIST SP 800-57 (management practices, governance, implementation details across Parts 1 to 3), ISO 11770 (generation, storage, distribution, deletion, archival of keying material), and ANSI X9.24 for banks and financial institutions.
The lifecycle follows stages. Generation: preferably by automated systems that ensure strong keys and policy enforcement; the quality of random number generators (RNG/PRNG) is critical because predictable seeds or salts weaken everything. Storage: tamperproof hardware security modules (HSMs), passphrase-protected smart cards, key wrapping of session keys with KEKs, splitting and storing in separate locations, with some devices self-destructing under attack. Distribution: the key must be delivered without a third party deducing it (the key distribution problem); a session key is protected with a key encrypting key (KEK) via key wrapping, either in-band (same channel as the encrypted traffic) or out-of-band (a different channel). Expiry: every key must have an expiration date to limit the time available for cryptanalysis. Revocation then destruction: at end of life the key must be destroyed so it cannot be reconstructed; archived encrypted data, however, requires the keys to remain available and backed by valid certificates as long as the data has value.
The session key is an ephemeral symmetric key, used once for one session (a form of one-time pad); it is preferably generated automatically through negotiation between endpoints (Diffie-Hellman-Merkle, KINK). Reusing a session key for too long jeopardizes it: too much ciphertext under one key eases attack. At the end, session keys must be destroyed to prevent recovery.
Key recovery is a backup mechanism ensuring the organization keeps continued access to its own encrypted data if a key is lost or damaged. Key escrow is one form: keys are vaulted with a trusted third party or an RA. Multiparty key recovery splits a key into parts entrusted to separate entities (dual control). Caution: a recovery mechanism mandated by a government (backdoor or lawful code breaking) means the algorithm is no longer secure for everyone, which has been widely rejected.
- The system's strength lies in the keys (Kerckhoffs): key management is the most critical activity.
- Standards: NIST SP 800-57, ISO 11770, ANSI X9.24 (banks).
- Every key has an expiration date; at end of life it is destroyed to prevent reconstruction.
- Escrow = deposit with a third party; recovery = restoration; a recovery backdoor makes the algorithm insecure.
Case studies
Choosing and Deploying a Certificate Authority
Context : Terry runs a SETA session on certificate authorities. The organization must decide between an enterprise (internal) CA and a third-party CA, then define the enrollment model. For public-facing websites, self-declaring that your site is safe is not enough: a user cannot take the company at its word. The team must also assign roles: the CA (certificate types, CSR requirements), the RA (authenticating the requester's identity), and the revocation team (reasons and the checking method, CRL or OCSP).
Question : When is a third-party CA needed rather than an enterprise CA, which enrollment model suits machine certificates, and which revocation-checking method should be preferred?
Show analysis and answer
For a public-facing service, the third-party CA provides independent verification: it attests to everyone that a site is what it claims to be, something an internal CA cannot credibly do for external users. Internally, the best model is often an enterprise-generated, auto-enrolled certificate. Automatic enrollment suits machine certificates (placed automatically in the certificate store), whereas user certificates are more often requested manually.
The RA matches the verification level to the certificate type: a free certificate needs little checking, but an SSL/TLS certificate requires additional checks such as proof of domain ownership. A CSR conveys, in standardized form, the common name, key type (often RSA), and key size (2048-bit minimum).
For revocation, OCSP is generally preferable to the CRL: the browser need not download an entire list to check a single site, which cuts latency. The CRL remains heavy and is increasingly unsupported by default. Depending on the certificate's type and function, you must build in integrity checking, proof of origin, proof of destination, and non-repudiation.
Takeaway : Third-party CA for public trust (independent attestation), auto-enrolled enterprise CA internally; prefer OCSP over CRL; the RA scales its checks to the certificate's purpose.
Cryptographic Management Checklist
Context : An organization of 10,000 users is drafting its crypto policy. For N users under symmetric encryption, the number of unique keys is N(N-1)/2: here nearly 500 million keys, a management nightmare. The team also wants to secure emergency backups (gold disks) that are symmetrically encrypted and signed, and that must remain accessible years later.
Question : How should the key lifecycle be governed to tame this combinatorial explosion while guaranteeing future access to the encrypted archives?
Show analysis and answer
Do not design your own key management scheme: the IETF and NIST are explicit that this is specialist work. Rely on NIST SP 800-57, ISO 11770, and, for finance, ANSI X9.24. Automated generation systems ensure strong keys, policy enforcement, and management at scale; they handle end-of-life key destruction cleanly. For mass distribution, KEKs and key wrapping protect session keys, and public-key certificates make keys portable and easier to manage than out-of-band exchange.
For archives, the trap is expiry: backups are symmetrically encrypted and signed, but the session keys for decryption and the public/private keys for verification must remain available and backed by valid certificates when the archives are read back. HSMs reduce this risk by guaranteeing that emergency copies stay decryptable and intact.
Storage should combine tamperproof HSMs, passphrase-protected smart cards, key splitting across separate locations, and key expiry. Multiparty key recovery (parts entrusted to several entities, dual control) and requiring two administrators present for critical tasks provide backup without creating a single point of compromise.
Takeaway : Don't reinvent key management: use standards (SP 800-57, ISO 11770, X9.24), automated generation and distribution via KEKs/certificates, and keep archive keys valid as long as the data has value.
Signing means encrypting the digest with YOUR private key
Classic trap: thinking you sign by encrypting the MESSAGE, or by using the public key. A signature hashes the message then encrypts the DIGEST with the sender's PRIVATE key. Verification uses the sender's PUBLIC key. Signing does not provide confidentiality (the message stays readable); confidentiality = encrypt with the recipient's public key.
Key escrow is not key recovery
Key recovery is the overall backup mechanism that restores access to data if a key is lost. Key escrow is one implementation: vaulting keys with a trusted third party or an RA. In other words, escrow is a MEANS of recovery, not a synonym. Multiparty key recovery (split parts, dual control) is another implementation.
A recovery backdoor makes the algorithm insecure
A mandated recovery mechanism (built-in lawful code breaking or backdoor, often proposed by governments) implies the encryption has an exploitable weakness. That makes the system insecure for EVERYONE, not just for the authorities, which is why such schemes have been widely rejected. On the exam: legitimate recovery = internal organizational backup; backdoor = compromised safety.
RA registers, CA signs, VA validates
Don't confuse PKI roles. The RA authenticates the requester's identity but does NOT sign certificates. The CA signs the certificate with its private key. The VA confirms validity (not expired, not revoked). Revocation is via CRL (heavy downloaded list) or OCSP (per-certificate query, more efficient but vulnerable to man-in-the-middle).
Checkpoint — Checkpoint
-
Alice wants Bob to prove a contract truly came from her and was not modified, without keeping it secret. What does she do?
- A She encrypts the contract with Bob's public key.
- B She hashes the contract and encrypts the digest with her own private key.
- C She encrypts the contract with a shared symmetric key.
- D She hashes the contract and encrypts the digest with Bob's public key.
Answer & rationale
Answer : B — She hashes the contract and encrypts the digest with her own private key.
A digital signature = hash the message then encrypt the digest with the sender's PRIVATE key; it gives integrity + authentication + non-repudiation, with no confidentiality (which matches the need). A and D protect confidentiality (Bob's public key) but do not sign. C (shared symmetric) cannot provide non-repudiation because the key is common.
-
An auditor reviews an X.509 v3 certificate and asks where organization-specific attributes can be added. Which field?
- A The Subject's name field.
- B The Period of validity field.
- C The Extensions field (user-defined extensions).
- D The Digital signature of CA field.
Answer & rationale
Answer : C — The Extensions field (user-defined extensions).
The X.509 v3 Extensions field is precisely what allows user-defined extensions, the hallmark of v3. Subject's name identifies the key owner; Period of validity holds the dates; Digital signature of CA is the certificate hash encrypted with the CA's private key - none of these three holds custom attributes.
-
A PKI deploys a root CA and several subordinate CAs. An RA processes requests. Which statement is correct?
- A The RA signs certificates instead of the CA to share the load.
- B A subordinate CA's trust flows up to the root CA (chain of trust).
- C The VA issues certificates and the root CA revokes them.
- D Compromising a subordinate CA never affects overall trust.
Answer & rationale
Answer : B — A subordinate CA's trust flows up to the root CA (chain of trust).
Delegation creates a hierarchy: you trust a subordinate CA because trust flows up to the root CA. A is false: the RA validates identity but never signs. C is false: the CA issues and revokes; the VA only attests validity. D is false: compromising a CA (cf. DigiNotar) propagates risk along the chain.
-
An organization wants to recover its own encrypted data if a key is lost, without creating a single point of failure. Which approach fits?
- A Build a lawful-code-breaking backdoor into its encryption.
- B Set up multiparty key recovery, each part held by a separate entity (dual control).
- C Disable key expiry so keys are never lost.
- D Distribute all session keys out-of-band by email.
Answer & rationale
Answer : B — Set up multiparty key recovery, each part held by a separate entity (dual control).
Multiparty key recovery splits the key into parts held by separate entities: this is dual control, restoring access without a single point of compromise. A makes the algorithm insecure for everyone (rejected backdoor). C removes an essential protection (every key must expire to limit cryptanalysis). D exposes keys and is not a recovery mechanism.
Key takeaways
- Digital signature = digest encrypted with the sender's PRIVATE key: integrity + authentication + non-repudiation, never confidentiality.
- PKI: the CA signs (root CA and subordinates, chain of trust), the RA registers identity, the VA validates.
- X.509 v3 is the dominant format; its Extensions field allows user-defined extensions; revocation via CRL or OCSP.
- Security rests on the keys (Kerckhoffs): the lifecycle (generation, storage, distribution, expiry, revocation, destruction) is governed by NIST SP 800-57, ISO 11770, ANSI X9.24.
- Key escrow is a MEANS of key recovery; a session key is ephemeral; a recovery backdoor makes the algorithm insecure.
Cryptanalytic Attacks
Prerequisites : Familiarity with symmetric and asymmetric encryption, hashing, and the notion of work factor.
Cryptanalysis is the analytical study of cryptographic systems, algorithms, and their operational use to understand their strengths, weaknesses, and characteristics. It combines reverse engineering, number theory, and algebraic manipulation, but also physical observations (side channel) such as mechanical noise, heat, or electromagnetic emissions. Depending on the analyst's intent, the discipline serves equally to build stronger cryptosystems and to develop exploits against existing ones: it is a tool, lawful and ethical or not.
Key Area G requires you to describe defenses against common cryptanalytic attacks. To do this, you must CLASSIFY each attack by what it truly targets: the key or algorithm (brute force, frequency analysis, chosen plaintext/ciphertext attacks, linear/differential), the implementation (side channel, fault injection, temporary files, weak RNG), or the system and the human (social engineering, ransomware, MITM, replay, birthday attack).
The central pitfall of the domain: the mathematical strength of an algorithm protects neither the implementation nor the people. This is why, in practice, the most successful attack is almost never the most mathematical one. The 2011 compromise of RSA Corporation (two phishing emails, a booby-trapped Excel spreadsheet, roughly 66 million dollars to replace every SecurID token) demonstrates this.
8.1 Attacks on the key and the algorithm
Ciphertext-based attacks begin by gathering copies of encrypted messages intercepted in transit. Nearly all media (radio, digital networks, PSTN, even printed material) can be intercepted and copied, often without trace. Their two goals: reveal the protected plaintext and recover the key.
The ciphertext-only attack is one of the hardest because the attacker holds only unintelligible data suspected to be an important encrypted message. It gets easier by collecting enough ciphertext to look for patterns and statistics. Frequency analysis is decisive here: it exploits the known frequencies of letters and words of a language (in English, "e" dominates, "the" is the most common trigram). Described as early as the 9th century by Al-Kindi, it remains the weapon of choice against substitution ciphers.
The known plaintext attack assumes the attacker holds both the plaintext and the ciphertext of the same message. Since the algorithm is always assumed known, the goal is to find the relationship between the two: the key. A recovered key decrypts every message encrypted with it. The chosen plaintext attack goes further: the attacker chooses the plaintext and obtains the matching ciphertext, knowing the algorithm or having the cryptosystem. Its adaptive variant lets inputs be modified repeatedly. The historical example: the Midway ruse in 1939-1945, where the Navy had a fake plaintext message broadcast ("Midway is low on fresh water") to confirm that "AF" meant Midway.
The chosen ciphertext attack is the mirror image: the attacker accesses the decryption device and submits chosen ciphertexts to observe the plaintexts and deduce the key; the adaptive version allows modifying the ciphertext before each pass (lunchtime attacks, at very low work factor). Finally, linear cryptanalysis (a known plaintext using a linear approximation of the block cipher) and differential cryptanalysis (a chosen plaintext introducing minor plaintext changes to observe ciphertext changes) target the algorithm structure directly; combined, they raise the odds of success. The algebraic attack, in turn, exploits the mathematical structure of certain block ciphers.
- Ciphertext-only is the hardest because the attacker starts from almost nothing.
- Frequency analysis mainly supports ciphertext-only attacks against substitutions.
- Known plaintext requires both plaintext AND ciphertext; the goal is always the key.
- Chosen plaintext/ciphertext assume access to the cryptosystem; adaptive variants are iterative.
- Linear and differential cryptanalysis target the block cipher structure.
8.2 Attacks on the implementation
Implementation attacks are today among the most common and popular, because they are easy and rely on system elements OUTSIDE the algorithm. Often the weakness lies not in the math but in how the cryptography is implemented.
The brute force attack tries one key after another in the key space, hoping to hit the right one before spending too much time. The longer the key, the more the key space (number of possible values) explodes, and the higher the work factor: beyond 128 bits the attack often becomes impractical. Yet a large key's security is deceptive: weak PRNGs that clump keys, massive VM/botnet cracking in the cloud, sloppy session key management, known algorithm weaknesses, sheer luck, quantum computing, and social engineering all reduce the real work factor. The dictionary attack and the rainbow table (a sorted table of precomputed hashes) sharply speed up attacks on poorly protected hashed password files. The factoring attack targets RSA specifically by factoring the product of large primes, and Shor's 1994 work suggests quantum would make it formidable.
Side channel attacks are passive attacks exploiting a PHYSICAL attribute of the implementation (power consumption, electromagnetic emanations). The timing attack measures variations in operation duration to infer internal structure and shrink the search space; its typical defense is to PAD messages to a standard length so all operations run in constant time, regardless of the secret handled. The probing attack watches (or alters) the circuitry around the cryptographic module to extract clues about the key or algorithm.
The fault analysis attack forces the system into an error state, then compares erroneous results with good ones to guess the key. Fault injection feeds known faulty data or, on hardware, noise on the input/output/power lines, even radio waves into the circuits. Attacking the random number generator exploits a too-predictable RNG to anticipate initialization vectors. Finally, temporary files: every cryptosystem writes temporary files; if they are not securely deleted and overwritten after each operation, they may be read and compromise the cryptanalysis.
- An implementation attack targets what surrounds the algorithm, not the algorithm itself.
- Brute force is the slowest; beyond 128 bits it is often impractical.
- A large key is deceptive: weak RNG, quantum, social engineering shrink the work factor.
- Side channel = passive and physical; a timing attack's defense is constant-time padding.
- Temporary files and weak RNGs are implementation vectors in their own right.
8.3 Attacks on the system and the human
Every cryptosystem, like every security control, ultimately depends on humans to be implemented and operated correctly. This is one of the greatest vulnerabilities. Social engineering is the use of deception or intimidation (coercion, bribery, deception) to get a person to provide information they are not authorized to disclose, with no technical means. Historically it is the most SUCCESSFUL attack against cryptographic systems, and it remains central to an advanced persistent threat's (APT) plan. The 2011 RSA compromise proves it: two phishing emails, an Excel spreadsheet exploiting an Adobe Flash zero-day, an installed backdoor, then the network of several U.S. defense contractors hit, and roughly 66 million dollars to replace every SecurID token. The only defense is constant vigilance: awareness, education, training.
The birthday attack rests on the birthday paradox: in a group of 23 people, the probability that two share the same date exceeds 50%. Applied to hashing, it seeks two messages producing the SAME message digest (a collision). The key idea: it is far easier to find TWO messages that collide than to find a message matching a given digest (preimage). Experts consider it a type of brute force, since the attacker hashes messages until a collision appears; strong hash algorithms resist this as much as possible.
The man-in-the-middle (MITM) attack inserts a hostile third party into the channel between sender and recipient to intercept, tamper with data, or masquerade as one to the other, remaining undetected. Ideally the attacker inserts BEFORE the session begins: a public-key request can be hijacked by returning the attacker's own public key. It targets symmetric, asymmetric, and hybrid systems. The replay attack resends captured files or inputs to disrupt processing; without timestamps, one-time tokens, or sequence codes, the system processes duplicates and grants access. Pass the hash is a variant: NTLM/SMB once passed credentials in cleartext, then harvested hashes were replayed during a challenge-response handshake (TGS/TGT included).
Finally, ransomware and ransom attacks: between 2016 and 2018 they rose by more than 350% and are recognized as the second greatest threat after insiders. The response rests on four families of strategies: Denial (clean, verified backups, anti-malware, training), Detection (behavior monitoring, signatures, decoys), Containment (prevent spread and reinfection), and Response and recovery (the major strategic decision: pay or not, to be decided WITH legal counsel before the incident, because paying a sanctioned actor can trigger strict liability). Some attacks are "living off the land," without dedicated malware (e.g., Bitlocker abused).
- Social engineering is the most successful attack in practice: it targets the human, not the math.
- Birthday attack = collision (two messages, same digest), easier than a preimage.
- MITM ideally inserts BEFORE the session and can substitute a public key.
- Replay is countered by timestamps, one-time tokens, and sequence codes.
- Ransomware is handled via Denial, Detection, Containment, Response/recovery; paying can trigger strict liability.
Case studies
RSA 2011: breaking 2FA without breaking the cryptography
Context : RSA Corporation's SecurID tokens provide two-factor authentication: possession of the token is required to authenticate. The technology holds only if the 2FA mechanism stays secure. In 2011, the attackers did not attack the algorithm: they sent two phishing emails luring an employee into opening an attached Excel spreadsheet. The spreadsheet exploited an Adobe Flash zero-day and installed a backdoor. The result compromised the network security of several U.S. defense contractors. RSA first minimized the incident, then replaced every token in service, at a cost of roughly 66 million dollars.
Question : Which attack category was actually used, and which defense would have been most relevant?
Show analysis and answer
No mathematical cryptanalysis occurred: no brute force, no chosen plaintext, no side channel. The attack is social engineering, hence the system/human category. The targeted link is neither the token's algorithm nor its implementation, but the user, exploited by phishing and then by an application vulnerability.
This directly illustrates the exam principle: a cryptosystem, like any control, ultimately depends on humans. SecurID's strength was not bypassed by mathematics but by the trust placed in an email. This is also why the official quiz holds social engineering to be the most successful attack in practice.
The relevant defense is not a longer key or a better algorithm: it is a permanent awareness, education, and training program, complemented by patch management (the Flash flaw) and attachment filtering. Technology alone is not enough when the human is the target.
Takeaway : Against a human target, no key length protects: the defense is awareness, education, training.
Designing robust cryptographic protection and anticipating attacks
Context : A team must secure the exchange of large files between a client and a server. A developer proposes encrypting each file directly with the server's RSA public key, using AES in ECB mode for speed, reusing the same symmetric key for all exchanges, and has even written a custom in-house signature algorithm.
Question : What design errors does this proposal contain, and which cryptographic architecture would you recommend?
Show analysis and answer
Four classic errors. (1) Encrypting large files directly with RSA (asymmetric) is slow and bounded by key size: use HYBRID encryption - AES (symmetric, fast) for the data, and RSA only to transport the AES session key. (2) ECB mode reveals patterns (identical blocks yield identical ciphertext): prefer an authenticated mode like GCM (or at least CBC with a random IV). (3) Reusing the same symmetric key for every exchange breaks confidentiality over time and prevents perfect forward secrecy: generate a unique session key per exchange (ideally via ephemeral Diffie-Hellman). (4) Rolling your own crypto must be avoided: use standard, proven, correctly implemented primitives.
Recommended architecture: ephemeral key exchange (ECDHE) for PFS, AES-256-GCM for data (confidentiality + integrity), signatures with a standard algorithm (RSA-PSS or ECDSA) and a strong hash (SHA-256+) for authenticity and non-repudiation, all anchored in a PKI for key trust.
Against attacks: this design resists MITM (key authentication via PKI), downgrade (reject weak suites), pattern attacks (GCM mode), and brute force (sufficiently long keys). Stay vigilant about side-channel attacks at the implementation level.
Takeaway : Hybrid encryption (AES for data, RSA/ECDHE for the key), authenticated mode, unique session key, standard primitives: never reinvent crypto.
- Hybrid encryption combines symmetric speed with asymmetric key distribution.
- ECB mode reveals patterns: use an authenticated mode (GCM).
- A unique session key per exchange enables perfect forward secrecy.
- Don't roll your own crypto: always use standard, proven primitives.
- PKI authenticates keys and defeats MITM; rejecting weak suites blocks downgrade.
Birthday attack is not pure brute force
The birthday attack targets hash COLLISIONS: finding two messages with the same digest, which is far easier than recovering a message matching a given digest. Experts class it under brute force because you hash until a collision, but in the exam do not confuse it with classic brute force on a key: if the question asks for the SLOWEST attack, that is brute force (exhaustive key search), not the birthday.
Side channel attacks the implementation, not the algorithm
A side channel attack (timing, power, emanations) is PASSIVE and exploits a physical attribute of the implementation: the algorithm may be mathematically perfect. If the question mentions timing, power, or electromagnetic emissions, classify the attack as implementation, not as a key/algorithm attack. Typical defense for a timing attack: constant-time padding.
The most successful attack in practice: social engineering
When a question asks for the most SUCCESSFUL attack in practice (not the slowest, hardest, or most mathematical), the answer is social engineering: it bypasses cryptography entirely by targeting the human. Do not pick brute force (the slowest) or a sophisticated mathematical attack.
Checkpoint — Checkpoint
-
During a post-incident debrief, an analyst must name the historically most successful attack against cryptographic systems. Which does she choose?
- A The brute force attack
- B Social engineering
- C The ciphertext-only attack
- D Differential cryptanalysis
Answer & rationale
Answer : B — Social engineering
Social engineering is the most successful attack in practice because it targets the human, the ultimate link of any cryptosystem, and bypasses cryptography entirely (RSA 2011 case). Brute force is the SLOWEST, not the most successful. Ciphertext-only is the HARDEST (little information). Differential cryptanalysis is a sophisticated mathematical attack but far less effective in practice than human manipulation.
-
An attacker measures tiny variations in a hardware module's decryption time to shrink the key search space. How is this attack classified and which defense applies?
- A Algorithm attack; fix the mathematical primitive
- B Implementation attack (side channel/timing); constant-time padding
- C Known plaintext attack; lengthen the key
- D Replay attack; add timestamps
Answer & rationale
Answer : B — Implementation attack (side channel/timing); constant-time padding
Measuring execution time is a timing attack, a side channel subtype: a PASSIVE attack on a physical attribute of the implementation, independent of the algorithm's strength. The typical defense is padding messages to a standard length for constant time. Fixing the algorithm is pointless since it is not at fault; lengthening the key does not mask the timing leak; replay and known plaintext describe other mechanisms.
-
A cryptanalyst seeks two distinct documents producing exactly the same digest in order to forge a signature. Which attack is this and what does it rely on?
- A A ciphertext-only attack relying on frequency analysis
- B A birthday attack relying on the birthday paradox (collisions)
- C A factoring attack relying on large primes
- D A chosen plaintext attack relying on access to the cryptosystem
Answer & rationale
Answer : B — A birthday attack relying on the birthday paradox (collisions)
Seeking two messages with the same digest is a collision: this is the birthday attack, based on the birthday paradox (>50% collision probability from just 23 items). Finding a collision is far easier than finding a preimage. Ciphertext-only and frequency analysis attack ciphertext, not hashes. Factoring targets RSA. Chosen plaintext works on the plaintext/ciphertext relationship, not hash collisions.
-
Four attacks are cited in a report. Which is typically the SLOWEST for an attacker to execute?
- A A ciphertext-only attack
- B A brute force attack
- C A birthday attack
- D A man-in-the-middle attack
Answer & rationale
Answer : B — A brute force attack
Brute force tries every key permutation in turn; with large keys (beyond 128 bits) it becomes extremely time consuming and often impractical, hence the slowest. Ciphertext-only seeks patterns and is very slow but technically faster than brute force. The birthday targets hash collisions. MITM compromises operations by intercepting information, with no exhaustive search.
Key takeaways
- Classify the attack by target first: key/algorithm, implementation, or system/human.
- Social engineering = most successful in practice; brute force = slowest; ciphertext-only = hardest.
- Side channel/timing attack the implementation (physical attribute), not the mathematical strength; defense: constant-time padding.
- The birthday attack targets hash collisions; finding a collision is easier than a preimage.
- A large key is deceptive: weak RNG, cloud/quantum, and social engineering reduce the real work factor.
Physical Site Security and System Life Cycle
Prerequisites : Familiarity with defense in depth, confidentiality-integrity-availability, and a general idea of a software development life cycle.
Information security rests on physical foundations that are too often overlooked: a well-designed site, a data center that is powered, cooled, protected from fire, and whose access is controlled. Key Area H requires you to apply security principles to site and facility design (3.8) and then to design physical and environmental security controls (3.9). Protection of human life remains the top priority: no security plan should create undue risk to people, especially during emergencies.
The guiding thread of the physical side is CPTED (Crime Prevention through Environmental Design): preventing crime through passive, deterrent design elements - natural surveillance, natural access control, and territorial reinforcement - rather than through technology alone. Around this core come site and alternate-site design, server rooms and data centers (Uptime Tier, ANSI/TIA, EN 50600 standards), HVAC (ASHRAE range), power (UPS, generators, dual-feed redundancy), and fire prevention-detection-suppression (5 classes A-K, VESDA detection, water- or gas-based agents).
Key Area I shifts from concrete to software: managing the information system life cycle (3.10). From eliciting stakeholder needs to decommissioning, by way of requirements analysis, architectural design, secure development, integration, verification and validation, deployment under change control via CI/CD, and then operations and maintenance. The CISSP safeguards the integrity and security of the end-to-end process: the code that reaches production must match the tested code.
9.1 CPTED and site design
CPTED (Crime Prevention through Environmental Design) addresses crime through organizational means (people), mechanical means (technology and hardware), and natural means (architecture and circulation flow). Its logic is passive: by directing the flow of people, signaling through discreet cues who should and should not be in a space, and providing visibility into otherwise hidden areas, you reduce the likelihood that a crime will be committed there. CPTED is associated with the broken windows concept: where neglect prevails, crime increases; conversely, an orderly, well-maintained space discourages bad behavior.
Three principles structure the approach. Natural surveillance makes areas visible - lighting, especially around doors, and clear sight lines - so that any abnormal behavior is detected. Natural access control channels visitors: direct them to a single entrance with a reception able to determine the purpose and destination of the visit; shrubbery and hedges deter people from taking certain paths. Territorial reinforcement, also called territoriality, distinguishes public from private spaces through doors and locks, signage, staff uniforms, and the placement of reception and guard desks; this sense of perceived ownership signals that the owners are paying attention.
Design should remain welcoming without turning the facility into a fortress: water and vegetation are both attractive and useful for safety. Critical areas (server rooms) must be isolated from public and employee traffic by placing them off the beaten path. Beware of false controls: a door opened by a guard via a switch can be defeated through intimidation or social engineering, and contact alarms signal a door held open.
Site planning also covers the alternate site: it must be far enough not to suffer the same disaster as the primary site, yet close enough for key personnel to reach in a crisis. It must be geographically distinct, provide processing capability, and undergo its own risk assessment (natural disasters, structural failures, hostile attacks). The security team should be engaged at the design phase (concept of operations), before the building is acquired: the later security is involved, the higher the cost of remediation.
- CPTED = passive deterrence through design, not technology alone.
- Three principles: natural surveillance, natural access control, territorial reinforcement.
- Human life comes first: no control should create undue risk in an emergency.
- The alternate site must be geographically distinct and subject to its own risk assessment.
- Engaging security at the design stage greatly reduces remediation cost.
9.2 Server room and data center: HVAC and power
A server room demands a higher level of physical protection than the rest of the facility. Its human traffic is higher: access point security and monitoring/recording of entries are critical. When the space is shared between units or businesses, rack- or equipment-level locking becomes essential. Beware of repurposing: converting an office into a server room without reinforcing floors or sizing cooling endangers the building and its occupants. The cable plant must be inventoried, labeled, and protected: a poorly managed cable plant increases fire load and can cause cable trays to fail.
Data center standards allow facilities to be evaluated and compared. The Uptime Institute Tier Classification System rates from Tier I (basic infrastructure) to Tier IV (fault-tolerant site); it is a de facto standard, not legally mandated. ANSI/TIA 942-A focuses on cabling and network reliability (rated 1 to 4). ANSI/BICSI 002 covers the MEP trades (mechanical, electrical, plumbing) plus fire protection. The European standard EN 50600 rates an Availability Class on four levels, in several parts (construction, power distribution, environmental control, cabling, security systems).
HVAC maintains the temperature range recommended by ASHRAE for uptime and hardware life: between 18 C and 27 C (64 F to 81 F). ASHRAE recommends three temperature sensors per rack (top, middle, bottom), because cooling is often more than half of a data center's operating cost. Airflow also manages contaminants (dust, fumes) and breathable air (CO2 sensors, fresh air intakes).
Power must be delivered constantly and at constant quality: fluctuations shorten system life, outages stop them. Resilience rests on two complementary building blocks. The UPS supplies battery power for the time it takes generators to start and stabilize: it is SHORT-term coverage. Backup generators, sized for the critical load (compute resources) and supporting infrastructure, provide the LONG term as long as fuel is available. Dual-feed redundancy (two supplies from separate substations, transfer switches) further increases resilience. As with data backups, failover to backup power must be tested.
- Server room = reinforced access protection and monitoring, rack-level locking if shared.
- Uptime Tier (I-IV) rates availability; de facto, not legal, standard.
- ASHRAE range: 18-27 C, three sensors per rack; cooling dominates costs.
- UPS = short term (battery), generator = long term (fuel): they are complementary.
- Failover to backup power must be tested like a data backup.
9.3 Fire: classes, detection, and suppression
Fire control follows a layered approach - prevention, detection, suppression - assessed at the building, room, and enclosure (rack) levels. Prevention is the most important: compliance with building codes, reduction of fire load (paper, clutter, flammable materials), regular inspections, no-smoking policies. Data centers face additional requirements due to their specific hazards.
Detection begins with spot-type detectors: ionization measures the electrical current between two charged plates as smoke passes, photoelectric measures light changes due to particles. Newer models combine ionization, photoelectric, carbon monoxide, heat, and flame to broaden detection and reduce false alarms. Aspirating detectors continuously breathe in an air sample: these VESDA (Very Early Smoke Detection Apparatus) systems are integrated into return air and the plenum beneath raised floors; their extreme sensitivity allows several alarm levels - a low threshold triggers an annunciator, a high threshold initiates full suppression.
Fire is grouped into five classes (letters vary by country): Class A (ordinary combustible solids: paper, wood, plastic), Class B (flammable liquids), Class C (electrical fires), Class D (flammable metals), Class K (commercial cooking equipment). For data centers and offices, the main concerns are A, B, and C. Choosing the right agent for the class is crucial: an unsuitable agent is ineffective or dangerous.
Two broad suppression families. WATER-based systems, mainly effective on Class A, safe for people and inexpensive, but they damage equipment: wet pipe (water in pipes, heat-activated heads, the most common), dry pipe (pressurized gas, water released after a head activates, useful against freezing), pre-action (combines wet and dry, often requires both a sensor AND a head), deluge (open heads, all activated simultaneously), and AFFF foam. GAS-based systems are effective against Classes A, B, and C: they inhibit the chemical reaction, reduce heat, or above all lower oxygen; they require people to evacuate and doors to close (suffocation risk). Examples: FM-200, CO2, Argonite, Inergen, hydrofluorocarbons, and the older Halon (withdrawn from commerce). For occupied equipment spaces, nonconductive, nontoxic liquids such as Novec 1230 protect Classes A, B, and C without water damage or suffocation. Pre-engineered rack systems locate the source and concentrate suppression on the affected area.
- Layered approach: prevention (most important), detection, suppression.
- 5 classes: A solids, B liquids, C electrical, D metals, K cooking.
- VESDA = very early aspirating detection with graduated alarm levels.
- Water = Class A, safe for humans but damages equipment.
- Gas/clean agent = A, B, C; clean agent (Novec, FM-200) for occupied equipment rooms.
9.4 Perimeter, mantraps, and physical access control
Physical defense is organized in successive layers, like a medieval castle: a strong fence forms the first line, the building entrance the second, then internal segmentation (a floor, level, or section with restricted access) forms the third. As at Conwy Castle, the moat restricts approach paths and funnels them into a predefined route, allowing defense to be concentrated on specific areas rather than defending the whole site. A single entry point creates a bottleneck that lets staff identify visitors and authorize or deny entry.
Physical access controls favor robust elements. Doors should be solid core: hollow-core doors offer little security, are easily breached, and are poor fire barriers. Windows should not be adjacent to doors (a broken pane would give access to the lock); use laminated glass and protections (grills, screens). Key locks remain the most common way to secure a space. Turnstiles and mantraps (airlocks) are a cost-effective method to control access and limit flow: a mantrap opens the second door only after the first has closed, which prevents tailgating.
Restricted work areas protect spaces where highly sensitive work occurs. SCIFs (Sensitive Compartmented Information Facilities) impose extreme protections: solid or metal-clad doors that resist penetration and deaden sound, electrical connections dedicated solely to the secure environment, ductwork that is isolated or protected against intrusion and audio/RF monitoring, acoustic protections preventing external eavesdropping, visual protections (nondescript exteriors, windows discouraged and treated against visual, acoustic, and RF observation), and IDS with sensors in walls, floors, and ceilings. Born from national security work, these measures also protect companies' most sensitive intellectual property.
Evidence storage rooms are strictly limited-access, heavily monitored areas, with individual lockers or containers per investigation, to guarantee the chain of custody. A break in the chain of custody can render evidence inadmissible in court. As for utility services (electricity, telecom, water, gas), their compromise can render the facility unusable: provide appropriate redundancy, building controls with leak sensors and alarms, and contingency plans that prioritize essential systems.
- Layered defense: fence (1st line), entrance (2nd), internal segmentation (3rd).
- Single entry point = bottleneck to identify and screen visitors.
- Solid-core doors, laminated glass, windows kept away from doors.
- Mantrap/airlock prevents tailgating; turnstiles limit flow cheaply.
- SCIF = extreme protections; evidence room = monitored chain of custody.
9.5 Life cycle: from need to secure deployment
Information system life cycle management is the long-term, holistic management of the capabilities an organization needs. Even a successful system will eventually require rearchitecture and rewriting, because needs change. The life cycle covers the activities to create, manage, and ultimately retire and replace a system.
Everything starts from stakeholder needs and requirements. Software security documentation includes a stakeholder map and a requirements traceability matrix. Functional requirements capture business processes and abuse cases; nonfunctional requirements carry security and performance requirements, many of which come from privacy laws and standards. Requirements analysis adds misuse cases: unlike use cases, they require adopting the perspective of a malicious actor.
Architectural design weighs solutions by their ability to satisfy requirements; the system should be self-defending. Threat modeling enumerates the attacks to defend against. Secure architecture principles apply here: open design (security must not rely on secrecy of design), complete mediation (every access request is vetted, a foundation of zero trust), least common mechanism (minimize mechanisms shared among subjects, which are sources of unauthorized exchange), compartmentalization, and reuse of proven libraries with a secrets manager to avoid hard-coded credentials. Microsegmentation and zero trust (NIST SP 800-207) seek a balance between the discouraged authenticate once, trust forever model and the extreme trust nothing.
Development structures the environment for success: up-to-date, verified libraries, an IDE with a linter, a code repository that automatically applies static analysis (SCA/SAST) for immediate feedback to the developer - fixing a bug at writing time costs orders of magnitude less than in production. Up-to-date, safe languages (type safe, no buffer overflow), secure coding training (OWASP Top 10). Integration verifies correct execution between upstream and downstream systems; legacy systems can expand the attack surface and benefit from isolation in network enclaves. Verification and validation adds test evidence against each requirement in the traceability matrix: SAST, DAST, penetration tests, leveraging the OWASP ASVS. Finally, transition/deployment pushes tested code to production under change control, increasingly via CI/CD: continuous integration builds and tests on each merge; continuous delivery moves code between environments with manual production deployment, while continuous deployment automatically releases every change that passes all tests. The CISSP's fundamental question: does the code that reached production match the tested code?
- The life cycle runs from stakeholder needs to retirement and replacement.
- Traceability matrix + misuse cases anchor security in the requirements.
- Threat modeling and principles (open design, complete mediation, least common mechanism) at design.
- Verification = SAST, DAST, pentest against each requirement (OWASP ASVS).
- Deployment under change control; CI/CD: delivery = manual to prod, deployment = automatic.
9.6 Operations, change/configuration management, and decommissioning
Once the system is in production, operations and maintenance/sustainment aim to monitor the health of the application, including monitoring for fraud and other attacks. Release notes list known errors and their workarounds, enabling support to respond to users. Service managers' processes embed the new system's incident response plan within a full ITSM wrapper (backup, recovery tests, DR). During production, all new code must be tested via the same processes that transition capability into production: security is never finished.
Change control governs any modification pushed to production. It is the central safeguard of the life cycle: it ensures changes are assessed, approved, traced, and reversible. Deployment passes through it, increasingly automated by the CI/CD pipeline. But the CISSP stays focused on the integrity and security of the end-to-end process: the fundamental question remains whether the code that reached production matches the tested code, and security controls on code control systems must reflect the highest data classification the code processes.
Configuration management relies, as zero days emerge, on a configuration management database (CMDB). It inventories components and their versions, so that as soon as a vulnerability is published, affected systems can be identified quickly and their remediation organized. Without a CMDB, the organization does not know where its vulnerable assets are.
Finally, decommissioning (retire and replace). The life cycle explicitly includes retiring and replacing the system when needs have changed. On the data side, 3.9 reminds us that physical copies must be suitably destroyed at the end of their retention period and useful life. Protection therefore does not stop at operations: a decommissioned asset must have its media secured or destroyed, its encryption keys managed and retired, and its access revoked. The guiding principle stays constant across the whole cycle: confidentiality, integrity, and availability must be preserved from design through to destruction.
- Operations = monitoring health/fraud/attacks, release notes, ITSM wrapper.
- Change control governs every production push; verify that prod code = tested code.
- The CMDB lets you locate affected assets when a zero day emerges.
- The life cycle explicitly includes retiring and replacing the system.
- Decommissioning = media destroyed/sanitized, keys retired, access revoked.
Case studies
Northgate Information Solutions and the Buncefield depot
Context : Northgate Information Solutions (NIS), a major supplier of software and outsourcing solutions to the public sector, is located in Hemel Hempstead, UK, once adjacent to the Buncefield oil storage depot. On December 11, 2005, a fire and then an explosion at the depot devastated the NIS site: collapse of the application and management system, 212 production systems down, voice, data, and email destroyed. The blast tore the main water tank from the roof - and that tank supplied the sprinkler system - so the building then caught fire. Papers, IT systems, and filing cabinets were blown into the parking lot. No serious injuries occurred. NIS had multiple layers of security and an excellent business continuity plan, which enabled rapid recovery.
Question : Beyond the loss of systems, what additional security concerns does this disaster reveal, and what should have been prepared?
Show analysis and answer
The first lesson is the interdependence of controls: an external factor (the neighboring depot) destroyed not only the systems but the fire defense itself, since the sprinkler's water tank was carried away. Physical security cannot be designed in isolation from the surroundings and external risks: site selection and external threat assessment should have weighed this industrial risk.
The second concern is information security amid chaos. Confidential documents were physically blown off site. Yet emergency services, focused on the fire, would neither let civilians in nor care about the sensitive nature of the documents. The organization should have had enough pre-vetted personnel for an extreme event and coordination established in advance with emergency services and local organizations, so security professionals could access the site to secure NIS data.
Finally, the urgent need for staff forced rapid engagement of temporary personnel: how were these newcomers vetted? Business continuity is not just about restoring systems; it must plan for governance of access and emergency staff, or it creates a human gap during recovery.
Takeaway : A site's security depends on its environment and the interdependence of controls: a BCP must plan for pre-vetted staff, coordination with emergency services, and physical protection of information during the crisis.
CPTED applied to a research site
Context : Terry is involved in designing a new high-security facility intended for research activities at WLDR University. She recommends CPTED to analyze the physical environment, direct the flow of people, signal through passive means who should and should not be in a space, and provide visibility into hidden areas. To illustrate, she uses Conwy Castle, a 13th-century Welsh castle.
Question : Which design elements of the castle illustrate CPTED principles, and how do they translate to the modern research facility?
Show analysis and answer
The moat restricts approach paths and funnels visitors and intruders into a predefined route: this is natural access control. By concentrating defense on specific areas, it is more efficient than defending the entire perimeter. For the modern site, the security fence plays this first-line role, and the single entrance is the second.
The towers and thick, high walls provide good visibility and monitoring, helping staff identify and handle impending incidents: this is natural surveillance, the purpose of preventive structures. The single entrance creates a bottleneck to identify visitors and authorize or deny access, while reducing the space available to an attacker.
Finally, the inner and outer wards illustrate internal segmentation. In a modern facility, this translates to restricted access to a given floor, level, or section. Though ancient, the castle shows how awareness of one's surroundings and possible incidents informs a design that mitigates potential problems.
Takeaway : CPTED is timeless: moat/fence (access control), towers/sight lines (surveillance), wards/internal segmentation are the same ideas a modern facility applies in passive layers.
The fire class dictates the suppression agent
Common mistake: applying water (mainly effective on Class A) to an electrical fire (Class C). It is ineffective, even dangerous, and a sprinkler is inappropriate for a server room. For A, B, and C fires in an occupied equipment space, prefer a nonconductive, nontoxic clean agent (gas such as FM-200, or liquid such as Novec 1230). Remember the mapping A solids / B liquids / C electrical / D metals / K cooking, and choose the agent accordingly.
CPTED is passive and deterrent, not an active control
The trap is to classify CPTED among active technical controls (cameras, badges, alarms). CPTED works through environmental design: lighting, sight lines, signage, landscaping, placement of reception desks. Its role is to deter and passively signal who belongs where. If a question contrasts a control that actively detects/blocks with one that discourages through design, the latter is CPTED.
UPS short term, generator long term
Do not confuse their roles. The UPS (battery) covers the critical load for a brief moment, the time for generators to start and stabilize: short-term protection against outages and fluctuations. The generator, sized for the critical load, takes over for the long term as long as fuel lasts. A question about continuity during a long outage expects the generator; a question about immediate, uninterrupted protection expects the UPS. And remember: failover must be tested.
Engage security early and verify tested code = production code
Two exam reflexes on the life cycle. First, security must be involved as early as possible, at the design phase (concept of operations), before acquisition or construction: the later it arrives, the more remediation costs. Second, the CISSP safeguards end-to-end integrity: the fundamental question is whether the code that reached production matches the tested code. Change control and the CMDB are the safeguards that ensure traceability and asset location against zero days.
Checkpoint — Checkpoint
-
An architect places reception and the guard desk at the single entrance, installs clear signage and staff uniforms to distinguish public from private areas. Which CPTED principle do these measures primarily reflect?
- A Territorial reinforcement
- B Natural surveillance
- C Active badge access control
- D Target hardening by armoring
Answer & rationale
Answer : A — Territorial reinforcement
Signage, uniforms, and placement of reception/guard desks create perceived ownership distinguishing public from private: this is territorial reinforcement. Natural surveillance is about visibility (lighting, sight lines). A badge is an active technical control, not CPTED. Target hardening (armoring) is not what these signaling measures are about.
-
An occupied server room must be protected against Class A, B, and C fires without damaging equipment or suffocating present staff. Which suppression solution is most suitable?
- A Nonconductive, nontoxic liquid such as Novec 1230 (clean agent)
- B Open-head deluge system
- C Conventional wet pipe system
- D Halon
Answer & rationale
Answer : A — Nonconductive, nontoxic liquid such as Novec 1230 (clean agent)
Novec 1230 is a nonconductive, nontoxic clean agent usable for A, B, and C fires in occupied equipment spaces without water damage. Deluge and wet pipe are water-based (mainly effective Class A) and damage equipment; water is inappropriate for an electrical fire. Halon has been withdrawn from commerce in most jurisdictions.
-
A grid power outage occurs; the data center must keep operating for several hours. Which component provides this long-term continuity, and what is the complementary role of the UPS?
- A The backup generator provides the long term; the UPS covers the critical load while it starts
- B The UPS provides the long term; the generator is a backup for a few seconds
- C Both provide only short term and must be duplicated
- D Dual-feed replaces both UPS and generator
Answer & rationale
Answer : A — The backup generator provides the long term; the UPS covers the critical load while it starts
The generator, sized for the critical load, provides the long term as long as fuel lasts; the UPS (battery) covers the load while the generator starts and stabilizes. Option 2 reverses the roles. The UPS is inherently short-term, so option 3 is wrong. Dual-feed is upstream supply redundancy; it replaces neither the UPS nor the generator.
-
During a production release via a CI/CD pipeline, which concern remains the CISSP's priority to ensure end-to-end process integrity?
- A Verify that the code that reached production exactly matches the tested code
- B Maximize the frequency of automatic deployments
- C Remove change control to speed up delivery
- D Reduce test coverage to save time
Answer & rationale
Answer : A — Verify that the code that reached production exactly matches the tested code
The CISSP's fundamental question is whether the code that reached production matches the tested code: this is the core of end-to-end process integrity. Speeding up deployments (2), removing change control (3), or reducing testing (4) all degrade security and traceability for the sake of speed alone.
-
A new zero day is published for a widely used library. Which life cycle management tool lets you quickly identify which production systems are affected?
- A The configuration management database (CMDB)
- B The requirements traceability matrix (RTM)
- C The IDE linter
- D The incident response plan
Answer & rationale
Answer : A — The configuration management database (CMDB)
The CMDB inventories components and their versions; as soon as a zero day emerges, it lets you locate affected assets and organize remediation. The RTM links requirements to tests, not deployed versions. The linter acts at development time. The incident response plan guides the reaction but does not provide the inventory of vulnerable components.
Key takeaways
- CPTED prevents crime through passive design: natural surveillance, natural access control, territorial reinforcement; human life always comes first.
- Data center: Uptime Tier/ANSI-TIA/EN 50600 standards, HVAC within the ASHRAE 18-27 C range, resilient power UPS (short term) + generator (long term) + dual-feed, all tested.
- Fire: layered approach; 5 classes A-K; VESDA detection; the agent (water Class A, gas/clean agent A-B-C) must match the class and preserve people.
- Layered perimeter (fence, single entrance, internal segmentation), solid-core doors, mantraps against tailgating, SCIF and chain of custody for the most sensitive areas.
- Life cycle: from need to retirement; security from design, threat modeling, verification (SAST/DAST), deployment under change control, monitoring, CMDB for zero days, secure decommissioning.
Domain summary
Domain 3 brings together the tools and techniques needed to design, build, and protect secure systems. It combines technical controls (cryptography, access controls), security models, testing and evaluation methodologies, and physical security measures that protect equipment from physical threats. All major frameworks are risk-based and encourage designing controls to reflect the outcomes of the risk management process.
Secure design should permeate every stage of development, from initial design to final implementation; acting early is generally more effective, simpler, and more cost-efficient. Cryptography is an essential instrument for protecting information from unauthorized access or modification: practitioners must know the strengths and limits of symmetric and asymmetric encryption, along with common algorithms and their proper use. Access controls (authentication, authorization, accounting) and security models round out the picture.
The lifecycle does not end at production: continuous security monitoring (ISCM), automation through CI/CD pipelines with bug bars, change management, and then controlled decommissioning (secure archiving of code and documentation, removal of configurations and credentials, license cancellation) reduce complexity and the risk of maintaining unsupported software.
Glossary (Terms & Definitions)
The key Domain 3 terms, to master in English for the exam.
| Term | Definition |
|---|---|
| Algorithm | A mathematical function, or set of instructions, governing the encryption and decryption processes, from the simplest to the most complex. |
| Asymmetric Encryption | Encryption that uses different keys for encrypting and decrypting, where the decryption key is computationally infeasible to derive from the encryption key or from plaintext/ciphertext pairs. |
| Block Mode Encryption | An encryption mode that processes plaintext in fixed-length blocks as the unit of operation. |
| Ciphertext | The transformed form of a plaintext message, unreadable to anyone but the intended recipient; the message turned into a secret. |
| Collision | A situation where a hash function produces the same output (same digest) for two different inputs. |
| Crime Prevention Through Environmental Design (CPTED) | An architectural approach to designing buildings and spaces that emphasizes passive features to reduce the likelihood of criminal activity. |
| Cryptanalysis | The study of techniques aimed at defeating cryptographic mechanisms and, more broadly, information security services. |
| Cryptographic Hash | A one-way function that transforms an input into a unique digest; it is computationally infeasible to recover the input from the digest (e.g., a message digest). |
| Cryptography | The study and application of methods that protect the meaning and content of messages or data, usually through disguise, obscuration, or other transformations. |
| Cryptosystem | The complete set of hardware, software, communication elements, and procedures enabling protected communication or storage by cryptographic means (algorithm, key, and key management included). |
| Cryptovariable | A parameter inherent to a cryptographic algorithm and its implementation, such as block size, key length, or number of rounds. |
| Decoding | The reverse of encoding, converting an encoded message back into its plaintext form. |
| Decryption | The reverse of encryption: converting ciphertext back to plaintext using the algorithm and the appropriate key (the same key as encryption in symmetric, a different key in asymmetric). Also called deciphering. |
| Encoding | Transforming a message into another format using a code; unlike encryption, encoded information remains readable by anyone who knows the process. |
| Encryption | The process of converting plaintext into ciphertext; sometimes called enciphering, the terms being used interchangeably. |
| Encryption System | The complete set of algorithms, processes, hardware, software, and procedures that together provide an encryption and decryption capability. |
| Frequency Analysis | A form of cryptanalysis that exploits the frequency of letters, words, or symbols in the plaintext to reduce the search space. |
| Hybrid Encryption System | A system that combines both symmetric and asymmetric encryption to leverage their respective strengths. |
| In Band | Transmitting control information (keys, cryptovariables) over the same channel or system that it protects. |
| Key | The input that drives the behavior of the cryptographic algorithm and enables reliable encryption and decryption of the message. |
| Key Escrow | Placing keys (symmetric or asymmetric) with a trusted agent for later retrieval; trust then rests entirely on that escrow agent. |
| Key Generation | The process of creating a new encryption or decryption key. |
| Key Management | All processes for creating, storing, distributing, expiring, and revoking keys for all users of an encryption system. |
| Key Pair | A matched set of one public and one private key in asymmetric encryption, generally tied to a single person, organization, or identity. |
| Key Recovery | Reconstructing a key from ciphertext alone (corrupted, lost, or forgotten key); a workable recovery process actually means the algorithm is not secure. |
| Key Space | The total number of possible key values in a cryptographic algorithm or other measure such as a password. |
| Message Digest | A compact representation of a message or file produced by a hash function, ensuring authentication and integrity, not confidentiality. |
| Modulo | Modular arithmetic where a number ranges from 0 up to a value called the modulus, the result being the remainder of integer division (e.g., 15 modulo 4 equals 3). |
| Non-repudiation | A security service that prevents the sender or recipient from denying participation in a communication (non-repudiation of origin and of delivery). |
| One-time Pad | A series of randomly generated symmetric keys, each used only once by sender and recipient. |
| Out-of-Band | Transmitting control information (keys, cryptovariables) over a channel or system separate from the one it protects. |
| Plaintext | A message or data in its natural, readable form, highly exposed from a confidentiality standpoint; to be distinguished from cleartext, which is readable but not meant to be protected. |
| Private Key | The part of an asymmetric key pair kept secret by its holder; the system's security depends entirely on protecting this key. |
| Public Key | The part of an asymmetric key pair that can be shared or published; its security does not depend on keeping this value secret. |
| Random/Pseudorandom Number Generators | Elements that supply values spread over a key space; true randomness requires hardware (thermal noise), whereas software pseudorandom generators often show exploitable bias. |
| Session Key | A symmetric key generated for one-time use, such as for a single internet session; usually requires a key encapsulation approach. |
| Stream Mode Encryption | Encryption that treats plaintext as a continuous stream of symbols, encrypting one symbol at a time, often with a streaming key. |
| Substitution Cipher | A cipher based on substituting the symbols of the message. |
| Symmetric Encryption | Encryption that uses the same key (or a simple transformation of it) for both encrypting and decrypting. |
| Transposition Cipher | A cipher based on transposition (rearranging the order) of the message symbols. |
| Very Early Smoke Detection Apparatus (VESDA) | A brand name for an air-sampling detector that continuously samples ambient air, deployable in a room or in HVAC ducts and plenum spaces. |
| Work Factor | The effort required to break a cryptographic system, usually measured in total elapsed time. |
Domain key takeaways
What you must remember
- Security architecture and engineering means designing and deploying controls to protect information and systems; all major frameworks are risk-based.
- Secure design principles must be integrated into every development phase; addressing them early is more effective and less costly.
- Cryptography protects against unauthorized access or modification; you must master symmetric and asymmetric encryption, their algorithms, and their uses.
- Access controls (authentication, authorization, accounting) are needed to prevent unauthorized access to systems.
- Security models are used to define and formalize consistent protection policies.
- Threat modeling (often STRIDE) is a form of testing: it identifies vulnerabilities but does not fix them; the organization must act on its findings.
- In the cloud, security and compliance are a shared responsibility between provider and customer.
- Secure defaults and fail securely: default settings should be the most secure possible and a failing system should fall back to a secure state.
- Least privilege and separation of duties limit abuse, at the cost of some operational efficiency but with greatly reduced risk.