Key Escrow
Copies of cryptographic keys are held by a trusted third party (the escrow agent)
ensures encrypted data can still be accessed if the original key holder is unavailable or the key is lost
Used to facilitate data recovery, ensure compliance with law or maintain business continuity
Asymmetric key encryption
Each party has a public/private key pair
Public key is used to encrypt data
Private key is used to decrypt it
Ensures only the intended recipient can decrypt the message
Symmetric Key encryption
A single shared key is used for both encryption and decryption
the key must be exchanged over a secure channel beforehand and kept secret by all parties
Scheduled downtime
setting aside a specific period during which the system can be taken offline or updated without significantly affecting normal business operations
IT can ensure necessary changes are made while minimizing the impact on users and business activities
Maintenance windows
similar to scheduled downtime but does not necessarily involve taking the system offline
Predefined period in which changes are implemented
helps in reducing the impact on users and allows for more controlled and secure implementation
Data Obfuscation
the process of disguising confidential or sensitive data to protect it from unauthorized access
HSM (Hardware Security Module)
ideal choice for cloud service providers needing to secure applications with high encryption demands
Physical devices designed to secure cryptographic keys and perform cryptographic operations within a tamper resistant hardware device
provides a more secure and efficient environment for key management than a software-based solution, since keys never leave the device in plaintext
ensures cryptographic keys are generated, stored, and managed in a hardware backed secure manner
Technical security controls
implemented in hardware, software, or firmware that automate the process of preventing, detecting, and responding to security threats
includes:
Access control mechanisms
Firewalls
Encryption
Antivirus/antimalware
VPNs
Managerial Security controls
policies, procedures, and guidelines that govern the behavior of people within an organization
Includes:
Security policies and procedures
Risk management
Incident response and recovery plans
Business continuity and disaster recovery planning
Operational security controls
methods and procedures that are implemented by an organization to ensure and maintain the security of its information and assets
Includes:
Security awareness training
physical media protection
backup and recovery procedures
configuration management
log monitoring
TPM (Trusted platform module)
tool for securely storing cryptographic keys used for disk encryption on laptops
provides hardware based, security related functions, including generating, storing, and limiting the use of cryptographic keys
bound to a single device, unlike HSMs, which are typically used in data centers and enterprise environments to manage keys at a larger scale
Secure enclave
provides a highly secure space within a device where sensitive data can be stored and cryptographic operations can be performed
ensures that sensitive data (fingerprints, facial recognition templates, or cryptographic keys) is stored in an environment segregated from the OS
isolated from the main OS and application processor; the enclave exposes only an operation interface, never the raw keys
tamper resistant
embedded in apple and android devices
Tokenization
substituting sensitive data with non sensitive equivalents
safeguards sensitive data while maintaining usability for certain processes or applications
OCSP (Online certificate status protocol)
lets browsers and clients learn quickly that a compromised certificate has been revoked, without waiting for a new list to be published
allows browsers and clients to query a CA's responder for the revocation status of a specific certificate in near real time
CRL (certificate revocation list)
contains the serial numbers of certificates that have been revoked
requires downloading the whole list, which is published on a schedule and so may not yet reflect a recent revocation
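The CRL latency described above, as an added example that is not part of the original page: a constructed CRL (issuer, this/next update, revoked serials) is checked against a serial that was revoked after the list was published, and against a client that is still using the list after its next-update time. The CRL contents and the later revocation are made-up sample data.

```python
from datetime import datetime, timezone


def utc(year: int, month: int, day: int) -> datetime:
    """Helper to build timezone-aware UTC timestamps for the sample data."""
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed CRL for the example (real CRLs are DER-encoded and signed by the CA).
SAMPLE_CRL = {
    "issuer": "CN=Example Issuing CA",
    "this_update": utc(2024, 1, 1),
    "next_update": utc(2024, 1, 8),
    "revoked": {0x1A2B: "keyCompromise", 0x3C4D: "cessationOfOperation"},
}

# A certificate revoked two days after the list above was published (constructed).
LATER_REVOCATION = {"serial": 0x5E6F, "revoked_at": utc(2024, 1, 3)}


def visible_in_crl(crl: dict, revocation: dict) -> bool:
    """A revocation can only appear in a CRL issued at or after the revocation time."""
    return revocation["revoked_at"] <= crl["this_update"] and revocation["serial"] in crl["revoked"]


def crl_status(crl: dict, serial: int, now: datetime, allow_stale: bool = False) -> str:
    """Return 'revoked', 'good' or 'unknown' for a serial number using only the cached CRL.

    After next_update the list is stale: a careful client refuses to answer 'good'
    from it (returns 'unknown') unless the caller explicitly accepts stale data.
    """
    if now > crl["next_update"] and not allow_stale:
        return "unknown"
    return "revoked" if serial in crl["revoked"] else "good"


if __name__ == "__main__":
    print(crl_status(SAMPLE_CRL, 0x1A2B, utc(2024, 1, 4)))   # revoked
    print(crl_status(SAMPLE_CRL, 0x5E6F, utc(2024, 1, 4)))   # good, although revoked on Jan 3
    print(visible_in_crl(SAMPLE_CRL, LATER_REVOCATION))      # False
```

The second call is the window a CRL leaves open: the revocation on Jan 3 is invisible to every client that cached the Jan 1 list, and stays invisible until the next list is fetched. This is exactly the gap that OCSP, which answers per certificate at query time, is meant to close.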
Key stretching
implemented to enhance the security of stored passwords (especially for brute force attacks)
involves applying a hash function many times, or using a deliberately slow algorithm (PBKDF2, bcrypt, scrypt, Argon2), to make each password guess computationally expensive
increases time and effort required to crack each password
CA (certificate authority)
trusted entities that issue and manage security credentials and public keys for message encryption
sign certificates that bind a public key to a verified identity, so relying parties can trust the key
Registration authority
Process request for digital certificates
checks credentials and authenticates the users identity
does not issue certificates
RoT (root of trust)
a source that can always be trusted
foundation of a cryptographic system and the starting point of that system's chain of trust
can be a piece of hardware (hardware root of trust) or software based
important in PKI
does not itself issue digital certificates
stream cipher
encrypts plaintext data one byte or bit at a time
suitable for scenarios where the total message length is unknown
XORs the plaintext with a keystream, a pseudorandom byte sequence derived from the key and an initialization vector (IV); reusing the same key and IV pair leaks the XOR of the two plaintexts
Block cipher
encrypts data in equal-sized blocks (typically 128-bit)
requires padding (for example PKCS#7) if the plaintext length is not a multiple of the block size
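The two cipher styles above, as an added example that is not part of the original page: PKCS#7 padding and unpadding for a 128-bit block cipher, and a stream cipher that XORs plaintext with a keystream. The keystream here is built from HMAC-SHA256 over the IV and a counter purely to illustrate the mechanism; it is not a vetted cipher and the keys, IVs and messages are constructed sample values. The last function shows the failure mode the text warns about: two messages encrypted under the same key and IV reveal the XOR of the plaintexts.

```python
import hashlib
import hmac

BLOCK_SIZE = 16  # 128-bit blocks, as used by AES


def pkcs7_pad(data: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Append 1..block_size bytes, each equal to the pad length (a full block if already aligned)."""
    pad_len = block_size - (len(data) % block_size)
    return data + bytes([pad_len]) * pad_len


def pkcs7_unpad(data: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Strip PKCS#7 padding, rejecting anything that is not well formed."""
    if not data or len(data) % block_size:
        raise ValueError("invalid padded length")
    pad_len = data[-1]
    if pad_len < 1 or pad_len > block_size or data[-pad_len:] != bytes([pad_len]) * pad_len:
        raise ValueError("invalid padding")
    return data[:-pad_len]


def is_valid_padding(data: bytes, block_size: int = BLOCK_SIZE) -> bool:
    try:
        pkcs7_unpad(data, block_size)
        return True
    except ValueError:
        return False


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Illustrative keystream: HMAC-SHA256(key, iv || counter) blocks (an assumption, not a standard cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def stream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the operation is its own inverse); no padding is needed."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, iv, len(data))))


def iv_reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """With the same key and IV, ct1 XOR ct2 == pt1 XOR pt2: the keystream cancels out."""
    return bytes(a ^ b for a, b in zip(ct1, ct2))


if __name__ == "__main__":
    key, iv = b"k" * 32, b"i" * 12  # constructed sample key and IV
    print(pkcs7_pad(b"hello"))
    ct = stream_xor(key, iv, b"attack at dawn")
    print(len(ct), stream_xor(key, iv, ct))
```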
policy driven access control
part of ZERO TRUST
user access and permissions are set based on organizational policies, roles, or requirements, ensuring that users have the right level of access that aligns with their job functions or responsibilities
Vulnerability management
an operational security control that involves identifying, assessing, and remediating vulnerabilities in systems and networks.
Can help prevent security breaches by ensuring that vulnerabilities are addressed in a timely manner
Policy Administrator
responsible for defining and managing the access control policies used by the policy engine
Risk assessments
a managerial security control that involves regularly evaluating the threats to systems and networks
can help company identify potential threats and take steps to mitigate them
Blockchain
employs an expanding list of transactional records, each referred to as a block, and each block contains the hash of the previous block
ensures that historical transactions remain untampered with: changing any block changes its hash and breaks the link from every later block
Adaptive identity
allows for more flexible and dynamic access controls by using contextual data to make dynamic access control decisions
PKI (public key infrastructure)
set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public key encryption
Wildcard Certificate
can be used to secure multiple subdomains under a single main domain (e.g. *.example.com covers www.example.com and mail.example.com, but not example.com itself or a.b.example.com)
offers a convenient/cost-effective way to manage certificates for subdomains
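The subdomain coverage rule for wildcard certificates, as an added example that is not part of the original page: a hostname matcher following the usual TLS client rules (RFC 6125 style), where the wildcard must be the entire left-most label and matches exactly one label. The hostnames and certificate names are constructed sample values.

```python
def hostname_matches(pattern: str, hostname: str) -> bool:
    """Does a certificate name (possibly a wildcard) cover this hostname?"""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard only as the whole left-most label, never in later labels,
    # and never so broad that it covers a whole TLD (e.g. "*.com").
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]) or len(p_labels) < 3:
        return False
    # "*" stands in for exactly one non-empty label, so label counts must agree:
    # *.example.com matches www.example.com, but not example.com or a.b.example.com.
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def covered_by(cert_names: list[str], hostname: str) -> bool:
    """True if any subjectAltName DNS entry on the certificate covers the hostname."""
    return any(hostname_matches(name, hostname) for name in cert_names)


if __name__ == "__main__":
    sans = ["*.example.com", "example.com"]  # constructed certificate names
    for host in ["www.example.com", "example.com", "a.b.example.com", "www.example.org"]:
        print(host, covered_by(sans, host))
```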
PEP (policy enforcement point)
responsible for ensuring that security policies are enforced when a user or device tries to access resources on the network
acts as a gatekeeper, verifying identity and context of the access request against the policies set by the organization before allowing or denying access
Technical security controls
measures put in place to protect the confidentiality, integrity, and availability of a system or network
includes firewalls, IDS/IPS, encryption, and access controls
Managerial security controls
measures that involve directing and overseeing the overall security of an organization
includes risk assessments, security awareness training, incident response planning, and service acquisition
TDE (transparent data encryption)
database encryption technology that provide the capability to encrypt entire databases
record level encryption
encrypts individual records within a database
salting
adds unique random data to each password before hashing so that identical passwords produce different hashes and precomputed (rainbow) tables are useless
data plane
oversees the conveyance of data within zero trust
once control plane grants access, this plane steps in to make certain that data is transmitted efficiently and arrives at its intended destination
processes and transmits data between systems
SRTP (secure real time transport protocol)
provides encryption, message authentication, and integrity for voice communications over IP
designed to protect RTP (real-time transport protocol) and RTCP (RTP control protocol) traffic
Volume encryption
allows for encryption of a specific volume or virtual drive
allows a virtual disk or single partition to be encrypted without encrypting the entire physical disk
threat scope reduction
aims to minimize the possible avenues or channels that could be exploited, one of the goals of the zero trust model
reduces the attack surface by limiting what each identity and segment can reach
TPM (trusted platform module)
hardware based storage system that contains keys, digital certificates, hashed passwords, and many other types of information used for authentication
embedded in or provided by firmware on device motherboards; used by Windows for features such as BitLocker disk encryption, but not specific to any one OS
microwave sensors
uses electromagnetic signals and measures their reflection to detect movement or the presence of objects
ECC (elliptic curve cryptography)
public key cryptography based on the elliptic curve discrete logarithm problem, achieving equivalent security with much shorter keys than RSA
no known efficient classical attack on well-chosen curves, though like RSA it would be broken by a large quantum computer
stakeholders
individuals or entities that have an interest in a particular decision or project
often represent various departments or groups
their feedback is critical for comprehensive decision making
policy engine
responsible for making access control decisions based on pre defined policies and contextual information about subject/system