CISSP Domain 3: Security Architecture and Engineering Guide

Created by A F M Bakabillah

CISSP Domain 3, "Security Architecture and Engineering," accounts for 13% of the CISSP exam. This domain focuses on the principles, methodologies, and techniques used to design, implement, and secure information systems and architectures. It covers security models, cryptography, physical security, and the integration of security throughout the system development lifecycle.

Key Areas of CISSP Domain 3: Security Architecture and Engineering

1. Implement and Manage Engineering Processes Using Secure Design Principles

This section covers the foundational principles for designing and engineering secure systems, focusing on integrating security from the ground up.

1.1 Security Design Principles

Least Privilege: Granting users/systems only the minimum necessary access to perform their functions.
Separation of Duties: Dividing critical tasks among multiple individuals to prevent fraud or error.
Defense in Depth: Employing multiple layers of security controls to protect assets.
Fail-Safe Defaults: Systems should default to a secure state in the event of failure.
Economy of Mechanism: Keeping security mechanisms as simple and small as possible.
Complete Mediation: Ensuring all access attempts to objects are checked for authorization.
Open Design: Security should not depend on the secrecy of its design (Kerckhoffs's Principle).
Psychological Acceptability: Security mechanisms should not unduly burden users.
Modularity: Breaking down systems into smaller, independent components.
Layering: Organizing security controls in layers.
Abstraction: Hiding complex details to simplify security analysis.
Data Hiding: Concealing sensitive data or internal implementation details.
Minimizing the Attack Surface: Reducing the number of potential entry points for attackers.

1.2 Security Models

Bell-LaPadula Model (BLP): Focuses on Confidentiality. Rules: No Read Up (Simple Security Property), No Write Down (*-Property).
Biba Model: Focuses on Integrity. Rules: No Read Down (Simple Integrity Property), No Write Up (*-Integrity Property).
Clark-Wilson Model: Focuses on Integrity for commercial applications. Uses well-formed transactions and separation of duties.
Brewer-Nash (Chinese Wall) Model: Prevents conflicts of interest by restricting access to data that would create a conflict.
Non-Interference Model: Ensures actions of one group of users do not affect the system state visible to another group.
State Machine Model: Ensures system always operates in a secure state.

Example: A highly classified government system implements the Bell-LaPadula Model to ensure that users with "Secret" clearance cannot read "Top Secret" documents (No Read Up) and cannot write "Secret" information into "Top Secret" files (No Write Down). Simultaneously, the system uses Defense in Depth by having firewalls, intrusion detection systems, and strong access controls.

2. Understand the Security Capabilities of Information Systems

This section explores the security features inherent in various system components and how they contribute to overall security.

2.1 System Components and Architectures

Trusted Computing Base (TCB): The totality of all protection mechanisms within a computer system, including hardware, firmware, and software, that are responsible for enforcing the security policy.
Security Kernel: The hardware, firmware, and software elements of a TCB that implement the reference monitor concept.
Reference Monitor: An abstract machine that mediates all access attempts to objects by subjects. It must be Tamperproof, Always Invoked, and Verifiable.
Security Architectures: Open vs. Closed systems, Distributed systems, Cloud-based systems (IaaS, PaaS, SaaS).

2.2 Virtualization and Cloud Computing Security

Hypervisor (VMM): Software that creates and runs virtual machines. Type 1 (bare metal) vs. Type 2 (hosted).
Cloud Security Challenges: Shared responsibility model, data locality, vendor lock-in, API security, multi-tenancy.
Cloud Service Models:
- Infrastructure as a Service (IaaS): Provides virtualized computing resources over the internet (e.g., VMs, networks). Customer manages OS, applications.
- Platform as a Service (PaaS): Provides a platform for developing, running, and managing applications without the complexity of building and maintaining the infrastructure. Customer manages applications.
- Software as a Service (SaaS): Software applications hosted by a vendor and made available to customers over the internet (e.g., Gmail, Salesforce). Vendor manages everything.

Example: A company migrates its entire customer relationship management (CRM) system to Salesforce, which is a SaaS offering. This means Salesforce is responsible for the underlying infrastructure, operating system, and application security, while the company is primarily responsible for user access management and data within the application (as per the Shared Responsibility Model).

3. Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements

This section covers identifying and addressing weaknesses in system designs and components.

3.1 Web-Based System Vulnerabilities

OWASP Top 10: Common web application security risks (e.g., Injection, Broken Authentication, Cross-Site Scripting (XSS)).
Server-Side Request Forgery (SSRF): An attacker can induce the server-side application to make HTTP requests to an arbitrary domain.
XML External Entities (XXE): Vulnerabilities in XML parsers that can lead to information disclosure or remote code execution.

3.2 Mobile System Vulnerabilities

Insecure Data Storage: Sensitive data stored insecurely on the device.
Insecure Communication: Data transmitted without encryption.
Side-Channel Attacks: Exploiting information leaked from the physical implementation of a cryptosystem.

3.3 Embedded and IoT Device Vulnerabilities

Default/Hardcoded Credentials: Common in IoT devices.
Lack of Secure Update Mechanisms: Inability to patch vulnerabilities.
Resource Constraints: Limited processing power or memory for robust security.

Example: A smart home camera (IoT device) is found to have default administrative credentials that are widely known. This is a critical vulnerability as it allows unauthorized access. The manufacturer also has no mechanism for over-the-air firmware updates, meaning any discovered flaws cannot be easily patched, increasing the risk of compromise.

4. Understand and Apply Cryptography

This is a highly critical area, covering the foundational concepts and practical applications of cryptographic techniques.

4.1 Cryptographic Concepts

Symmetric Key Cryptography: Uses a single, shared secret key for both encryption and decryption (e.g., AES, DES, 3DES). Fast, good for bulk encryption.
Asymmetric Key Cryptography (Public Key Infrastructure - PKI): Uses a pair of mathematically related keys (public and private). Public key encrypts, private key decrypts (e.g., RSA, ECC). Slower, used for key exchange, digital signatures, non-repudiation.
Hashing: One-way function that produces a fixed-size string (hash/message digest) from input data. Used for integrity verification (e.g., SHA-256, MD5 - avoid MD5 for integrity).
Digital Signatures: Provides authenticity, integrity, and non-repudiation using asymmetric cryptography and hashing.
Digital Certificates: Binds a public key to an identity, issued by a Certificate Authority (CA).
Key Management: Secure generation, distribution, storage, rotation, and destruction of cryptographic keys.
Cryptographic Attacks: Brute-force, chosen-plaintext, known-plaintext, ciphertext-only, replay, rainbow table.

4.2 Cryptographic Protocols and Applications

TLS/SSL: Secures communication over networks (e.g., HTTPS).
IPsec: Secures IP communications by authenticating and encrypting each IP packet.
SSH: Secure shell for remote command-line access.
PGP/GPG: Email and file encryption.
Quantum Cryptography: Emerging field using quantum mechanics principles.
Homomorphic Encryption: Allows computations on encrypted data without decrypting it.

Example: When you visit a website using HTTPS, your browser and the web server perform a TLS handshake. This involves using asymmetric cryptography (RSA or ECC) to securely exchange a symmetric key (e.g., AES). All subsequent communication is then encrypted using the faster symmetric key. The server's digital certificate, issued by a Certificate Authority (CA), verifies the server's identity.

5. Design and Implement Physical Security

This section covers environmental and physical controls to protect information assets from tangible threats.

5.1 Site and Facility Design

Layered Physical Security (Defense in Depth): Perimeter, building exterior, building interior, data center.
Crime Prevention Through Environmental Design (CPTED): Natural surveillance, territoriality, access control, maintenance.
Site Selection: Avoiding flood zones, fault lines, flight paths, high-crime areas.

5.2 Physical Access Controls

Fencing, Gates, Lighting: Deterrence and detection.
Locks (Mechanical, Electronic, Biometric): Preventing unauthorized entry.
Mantraps/Access Control Vestibules: Double-door systems to control entry.
Guards, Dogs, CCTV: Deterrence, detection, and response.
Alarms: Detection of unauthorized activity.

5.3 Environmental Controls

HVAC (Heating, Ventilation, Air Conditioning): Temperature, humidity, positive/negative pressure.
Fire Suppression Systems:
- Water-based: Sprinklers (wet pipe, dry pipe, pre-action, deluge).
- Gas-based: FM-200, Novec 1230, CO2 (dangerous to humans).
- Detection: Smoke, heat, flame detectors.
Power Protection: UPS (Uninterruptible Power Supply), Generators, Surge Protectors.
Water Detection: Sensors for leaks or floods.

Example: A data center is designed with layered physical security. It has a perimeter fence with CCTV, a guard station at the entrance, mantraps to enter the server room, and biometric access controls on individual server racks. Inside, the HVAC system maintains optimal temperature and humidity, and a pre-action fire suppression system is installed, which requires two detection events before water is released, minimizing accidental damage.

Key Points to Remember (Exam Tips)

Security Models are Key: Understand the core focus of Bell-LaPadula (Confidentiality) and Biba (Integrity) and their "no read/write" rules. Know Clark-Wilson for commercial integrity. (e.g., If a question involves preventing a "top secret" user from accidentally writing to a "secret" file, think Bell-LaPadula's No Write Down.)
Reference Monitor Concept: Remember its three requirements: Tamperproof, Always Invoked, and Verifiable. This is a fundamental security concept. (e.g., A security kernel is the implementation of a reference monitor; it must always mediate access.)
Cloud Shared Responsibility Model: Crucial for understanding cloud security. Know what the provider is responsible for vs. the customer for IaaS, PaaS, and SaaS. (e.g., For SaaS, the vendor handles almost everything below the application layer, while the customer is responsible for data and user access.)
Cryptography Fundamentals: Differentiate Symmetric (speed, bulk encryption, shared key) from Asymmetric (key exchange, digital signatures, non-repudiation, public/private keys). Understand Hashing for integrity. (e.g., AES is symmetric, RSA is asymmetric. Hashing verifies a file hasn't been tampered with.)
Digital Signatures vs. Encryption: Digital signatures provide *authenticity, integrity, and non-repudiation*. Encryption provides *confidentiality*. They are distinct. (e.g., You sign a document with your private key to prove you sent it and it hasn't changed. You encrypt it with someone's public key so only they can read it.)
Physical Security Layers: Think "Defense in Depth" for physical security. Multiple layers of controls are always better. (e.g., A fence, then a guard, then a mantrap, then a biometric lock on the server rack – each is a layer.)
Fire Suppression Types: Know the difference between water-based (wet pipe, dry pipe, pre-action, deluge) and gas-based systems (FM-200, Novec 1230, CO2 - dangerous). Pre-action is often preferred for data centers. (e.g., A pre-action system won't accidentally spray water on your servers unless two independent sensors trigger.)
OWASP Top 10: Be familiar with the common web application vulnerabilities. (e.g., SQL Injection is when an attacker inserts malicious SQL code into input fields.)
Embedded/IoT Security Challenges: Understand why these devices are often insecure (default credentials, lack of updates, resource constraints). (e.g., A smart thermostat with a hardcoded admin password is a major vulnerability because it's rarely updated.)

Quiz Time!

Choose the best answer for each question.

Question 1: Which security design principle states that a system should default to a secure state in the event of failure?

A) Least Privilege B) Fail-Safe Defaults C) Economy of Mechanism D) Complete Mediation

Question 2: The Bell-LaPadula security model is primarily concerned with which of the following?

A) Integrity B) Availability C) Confidentiality D) Non-repudiation

Question 3: Which component of a Trusted Computing Base (TCB) is responsible for mediating all access attempts to objects by subjects?

A) Security Kernel B) Reference Monitor C) Hypervisor D) Operating System

Question 4: In the Shared Responsibility Model for cloud computing, who is typically responsible for the security of the operating system and applications in an IaaS (Infrastructure as a Service) environment?

A) The Cloud Provider B) The Customer C) A Third-Party Auditor D) Both the Provider and Customer equally

Question 5: Which type of cryptography uses a single, shared secret key for both encryption and decryption and is generally faster for bulk data encryption?

A) Asymmetric Cryptography B) Hashing C) Symmetric Cryptography D) Quantum Cryptography

Question 6: What is the primary security concern addressed by a digital signature?

A) Confidentiality B) Availability C) Integrity and Non-repudiation D) Performance

Question 7: A data center uses a fire suppression system that requires two independent detection events before water is released. Which type of sprinkler system is this?

A) Wet Pipe B) Dry Pipe C) Pre-Action D) Deluge

Question 8: Which OWASP Top 10 vulnerability involves an attacker injecting malicious code into data inputs to be executed by the web application?

A) Broken Authentication B) Cross-Site Scripting (XSS) C) Injection D) Security Misconfiguration

Question 9: The Biba security model is primarily focused on which security property?

A) Confidentiality B) Integrity C) Availability D) Accountability

Question 10: Which security design principle suggests that security mechanisms should be kept as simple and small as possible to reduce the likelihood of errors?

A) Least Privilege B) Defense in Depth C) Economy of Mechanism D) Open Design

Question 11: What is the primary purpose of a "mantrap" in a physical security design?

A) To detect unauthorized network intrusions. B) To provide a secure, double-door entry system to prevent tailgating. C) To physically destroy hard drives. D) To regulate temperature and humidity.

Question 12: Which cloud service model gives the customer the MOST control over the operating system, applications, and data?

A) SaaS (Software as a Service) B) PaaS (Platform as a Service) C) IaaS (Infrastructure as a Service) D) FaaS (Function as a Service)

Question 13: What is the primary purpose of using hashing in cryptography?

A) To encrypt data for confidentiality. B) To ensure data integrity. C) To exchange symmetric keys securely. D) To provide non-repudiation for transactions.

Question 14: Which security model is specifically designed to prevent conflicts of interest in commercial organizations?

A) Bell-LaPadula Model B) Biba Model C) Clark-Wilson Model D) Brewer-Nash Model

Question 15: What is a significant security challenge commonly found in IoT (Internet of Things) devices?

A) Overly complex user interfaces. B) Abundance of processing power for advanced security. C) Frequent and robust security updates from vendors. D) Use of default or hardcoded credentials.

Question 16: Which of the following is NOT one of the three requirements for a Reference Monitor?

A) Tamperproof B) Easily Configurable C) Always Invoked D) Verifiable

Question 17: What is the primary benefit of "Defense in Depth"?

A) To rely on a single, strong security control. B) To simplify security management. C) To employ multiple layers of security controls to protect assets. D) To reduce the overall cost of security implementation.

Question 18: Which fire suppression system is generally considered safest for data centers because it requires two conditions to be met before water is released?

A) Wet Pipe Sprinkler System B) Deluge Sprinkler System C) Pre-Action Sprinkler System D) CO2 Gas Suppression System

Question 19: What is the main characteristic of a Type 1 Hypervisor?

A) It runs as an application on a host operating system. B) It runs directly on the host's hardware (bare metal). C) It is primarily used for desktop virtualization. D) It provides a complete software development environment.

Question 20: Which cryptographic concept provides authenticity, integrity, and non-repudiation for a message or document?

A) Encryption B) Hashing C) Digital Signature D) Symmetric Key Exchange

Question 21: The Clark-Wilson security model is primarily concerned with maintaining which security property in commercial applications?

A) Confidentiality B) Availability C) Integrity D) Privacy

Question 22: Which security design principle is best exemplified by having multiple layers of security controls, such as a firewall, an IDS, and endpoint protection, all protecting the same asset?

A) Least Privilege B) Defense in Depth C) Separation of Duties D) Economy of Mechanism

Question 23: In the context of physical security, what is CPTED primarily focused on?

A) Developing complex electronic access control systems. B) Using environmental design to deter criminal activity. C) Implementing biometric authentication for all entry points. D) Rapid response to physical security breaches.

Question 24: Which of the following is a common vulnerability in web applications that involves an attacker manipulating SQL queries through user input?

A) Cross-Site Request Forgery (CSRF) B) Cross-Site Scripting (XSS) C) SQL Injection D) Broken Access Control

Question 25: What is the primary function of a Certificate Authority (CA) in a Public Key Infrastructure (PKI)?

A) To generate symmetric encryption keys. B) To encrypt data for secure communication. C) To issue and manage digital certificates, binding public keys to identities. D) To perform hashing for integrity verification.

Question 26: Which of the following is a key security challenge in multi-tenant cloud environments?

A) Physical access to servers. B) Data locality and regulatory compliance. C) The risk of one tenant's activities affecting another tenant's security. D) High initial capital expenditure.

Question 27: The principle of "Least Privilege" dictates that users or systems should be granted:

A) Full administrative access by default. B) Only the minimum necessary access to perform their functions. C) Access based on their job title, regardless of specific tasks. D) Temporary elevated privileges for all tasks.

Question 28: Which of the following cryptographic attacks attempts to find the original plaintext by comparing known plaintext-ciphertext pairs?

A) Brute-Force Attack B) Chosen-Plaintext Attack C) Ciphertext-Only Attack D) Known-Plaintext Attack

Question 29: What is the primary purpose of an Uninterruptible Power Supply (UPS) in a data center?

A) To generate electricity during prolonged power outages. B) To provide temporary power during short power interruptions and allow for graceful shutdown. C) To reduce electricity consumption. D) To regulate room temperature.

Question 30: Which type of fire detector is designed to respond to the rapid increase in temperature rather than a specific temperature threshold?

A) Fixed-Temperature Detector B) Rate-of-Rise Detector C) Smoke Detector D) Flame Detector

Quiz Answers:

Question 1:

B) Fail-Safe Defaults

Explanation: Fail-safe defaults ensure that if a system component fails, it defaults to a secure state, minimizing potential vulnerabilities.

Question 2:

C) Confidentiality

Explanation: The Bell-LaPadula model is a state machine model that enforces confidentiality, preventing subjects from reading information at a higher security level or writing information to a lower security level.

Question 3:

B) Reference Monitor

Explanation: The Reference Monitor is an abstract concept that mediates all access attempts by subjects to objects to ensure authorization. The Security Kernel is the actual implementation of the reference monitor concept.

Question 4:

B) The Customer

Explanation: In an IaaS model, the cloud provider is responsible for the underlying infrastructure (physical security, virtualization), while the customer is responsible for the operating system, applications, data, and network configuration within their virtual machines.

Question 5:

C) Symmetric Cryptography

Explanation: Symmetric cryptography uses a single, shared secret key for both encryption and decryption. It is significantly faster than asymmetric cryptography for encrypting large amounts of data.

Question 6:

C) Integrity and Non-repudiation

Explanation: Digital signatures provide assurance that the message has not been altered (integrity) and that the sender cannot deny sending it (non-repudiation). They also provide authenticity. Confidentiality is achieved through encryption.

Question 7:

C) Pre-Action

Explanation: Pre-action systems are designed to prevent accidental discharge. They require a two-step process: a detection event (e.g., smoke detector) and then activation of the sprinkler heads, typically by a second detection or manual intervention.

Question 8:

C) Injection

Explanation: Injection flaws, such as SQL Injection, occur when untrusted data is sent to an interpreter as part of a command or query. XSS (B) involves injecting client-side scripts.

Question 9:

B) Integrity

Explanation: The Biba model is a state machine model that enforces integrity, specifically preventing subjects from writing to objects at a higher integrity level or reading from objects at a lower integrity level.

Question 10:

C) Economy of Mechanism

Explanation: Economy of Mechanism dictates that security mechanisms should be as simple and small as possible, making them easier to design, implement, and verify, thus reducing the potential for errors.

Question 11:

B) To provide a secure, double-door entry system to prevent tailgating.

Explanation: A mantrap is a physical security control consisting of two interlocking doors, designed to allow only one person to enter at a time, preventing unauthorized individuals from following authorized ones (tailgating).

Question 12:

C) IaaS (Infrastructure as a Service)

Explanation: IaaS provides virtualized computing resources, giving the customer control over the operating system, applications, and data. PaaS gives less control, and SaaS gives the least.

Question 13:

B) To ensure data integrity.

Explanation: Hashing creates a fixed-size unique digest of data. Any alteration to the data will result in a different hash, thus verifying data integrity. It does not provide confidentiality (A) or key exchange (C).

Question 14:

D) Brewer-Nash Model

Explanation: The Brewer-Nash (Chinese Wall) model is designed to prevent conflicts of interest by dynamically changing access rights based on previous access.

Question 15:

D) Use of default or hardcoded credentials.

Explanation: IoT devices are often shipped with default or hardcoded credentials, making them highly vulnerable to attacks. They also often lack robust security updates and have resource constraints.

Question 16:

B) Easily Configurable

Explanation: The three requirements for a Reference Monitor are that it must be Tamperproof, Always Invoked, and Verifiable. "Easily Configurable" is not a formal requirement.

Question 17:

C) To employ multiple layers of security controls to protect assets.

Explanation: Defense in Depth is a strategy that uses multiple, overlapping security controls to protect assets, so that if one control fails, others are still in place.

Question 18:

C) Pre-Action Sprinkler System

Explanation: Pre-action systems are ideal for data centers as they require both a fire detection event and a sprinkler head activation before water is released, minimizing the risk of accidental water damage. CO2 systems (D) are effective but dangerous to humans.

Question 19:

B) It runs directly on the host's hardware (bare metal).

Explanation: Type 1 hypervisors (bare-metal hypervisors) run directly on the host hardware, providing better performance and security isolation compared to Type 2 (hosted) hypervisors.

Question 20:

C) Digital Signature

Explanation: Digital signatures provide authenticity (who sent it), integrity (it hasn't been changed), and non-repudiation (the sender cannot deny sending it). Encryption (A) provides confidentiality. Hashing (B) provides integrity.

Question 21:

C) Integrity

Explanation: The Clark-Wilson model focuses on integrity for commercial applications, using well-formed transactions and separation of duties to maintain data integrity.

Question 22:

B) Defense in Depth

Explanation: Defense in Depth is the strategy of using multiple, overlapping security controls to protect assets. If one control fails, another layer of defense is still in place.

Question 23:

B) Using environmental design to deter criminal activity.

Explanation: CPTED (Crime Prevention Through Environmental Design) focuses on designing physical environments to reduce opportunities for crime and deter malicious activity.

Question 24:

C) SQL Injection

Explanation: SQL Injection is a common web vulnerability where an attacker manipulates SQL queries by injecting malicious code through user input fields, often to bypass authentication or extract data.

Question 25:

C) To issue and manage digital certificates, binding public keys to identities.

Explanation: A Certificate Authority (CA) is a trusted entity in a PKI that issues digital certificates, verifying the identity of the certificate holder and binding their public key to that identity.

Question 26:

C) The risk of one tenant's activities affecting another tenant's security.

Explanation: In multi-tenant cloud environments, the primary security challenge is ensuring proper isolation between tenants to prevent a compromise in one tenant from affecting others (known as the "noisy neighbor" or "cross-tenant" issue).

Question 27:

B) Only the minimum necessary access to perform their functions.

Explanation: The principle of Least Privilege states that subjects (users, processes) should be granted only the essential permissions required to perform their authorized tasks, nothing more.

Question 28:

D) Known-Plaintext Attack

Explanation: In a known-plaintext attack, the attacker has access to both the plaintext and its corresponding ciphertext, which they use to deduce the key or the encryption algorithm.

Question 29:

B) To provide temporary power during short power interruptions and allow for graceful shutdown.

Explanation: A UPS provides immediate, short-term power during outages or fluctuations, giving systems time to shut down gracefully or for generators (A) to start.

Question 30:

B) Rate-of-Rise Detector

Explanation: Rate-of-rise heat detectors trigger when the temperature increases rapidly over a short period, regardless of the absolute temperature. Fixed-temperature detectors (A) trigger at a specific temperature. Smoke (C) and flame (D) detectors react to different fire characteristics.