Designing Secure Systems
- Length: 220 pages
- Edition: 1
- Language: English
- Publisher: CRC Press
- Publication Date: 2021-09-23
- ISBN-10: 0367700018
- ISBN-13: 9780367700010
Modern systems are an intertwined mesh of human process, physical security, and technology. Many times, an attacker will leverage a weakness in one form of security to gain control over an otherwise protected operation.
Designing Secure Systems takes a theory-based approach to the concepts underlying all forms of systems, from padlocks to phishing to enterprise software architecture. The book applies standards and frameworks from the cybersecurity world to assess a system as a complete process, people, processes, and technology included, and shows how a weakness in one part of that process lets vulnerability bleed into another.
In Designing Secure Systems, we begin by describing the core concepts of access, authorization, authentication, and exploitation. We then break authorization down into five interrelated components and describe how these aspects apply to physical, human process, and cybersecurity.
In the second portion of the book, we discuss how to operate a secure system based on the NIST Cybersecurity Framework (CSF) concepts of identify, protect, detect, respond, and recover.
Other topics covered in this book include the NIST National Vulnerability Database (NVD), the Common Vulnerability Scoring System (CVSS) maintained by FIRST, Microsoft’s Security Development Lifecycle (SDL), and the MITRE ATT&CK framework.
Table of contents
- Front matter: Cover, Half Title, Title, Copyright, Dedication, Contents, Acknowledgments
- Chapter 1: Introduction
  - What Is Security?
  - What Is a System?
  - Example: If Physical Security Was Like Technology Security
  - A Look Ahead
- Part 1: Secure System Concepts
- Chapter 2: Access
  - Capability
  - Directionality
  - Indirect Access
  - Direct Access
  - Proxy Access
  - Asymmetric Access
  - Access and Layers
- Chapter 3: Authorization
  - Fundamentals of Authorization
  - Principles of Authorization
  - Domains
  - Principals
  - Securables
  - Groups and Membership
  - Trust
  - User and Administrative Authorization
  - Least Privilege
  - Authorization and Relativity
  - Cryptography
  - Hashing
  - Cryptographic Hashing
  - Fuzzy Hashing
  - Encryption
  - Digital Signature
- Chapter 4: Authentication
  - The Authentication Process
  - The Value of a Credential
  - Valuing a Physical Key
  - Valuing Personal Credentials
  - Credential Exposure
  - Credential Value and Exposure in Enterprise IT
  - Multifactor Authentication
  - Attributes of a Credential
  - Secret
  - Subject
  - Endorsements
  - Restrictions
  - Issuing Domain
  - Validity Period
  - Revocation Information
  - Credential Translation
  - Performance
  - Differing Credentials
  - Differing Authorization
  - Account Provisioning
  - Risks of Credential Translation
  - Revocation Status
  - Validity Period
  - Credential Types
  - Symmetric Credentials
  - Asymmetric Credentials
  - Combining the Technologies
  - Public Key Infrastructure
  - Certificates
  - Certificate Chaining
  - Revocation
  - Constraining Use
  - Certificate Authorities
  - Authentication Protocols
  - Basic Authentication
  - Hash or Digest Protocols
  - Challenge Response Protocols
  - Federated Authentication Protocols
- Chapter 5: Weakness, Vulnerability, and Exploitation
  - Weakness Versus Vulnerability
  - Weakness
  - Vulnerability
  - Common Vulnerability Scoring System (CVSS)
  - Semantics
  - Understanding Vulnerability
  - Types of Vulnerability
  - Logic Vulnerabilities
  - Implementation Vulnerabilities
  - Limitation
- Chapter 6: Impact
  - Vulnerabilities and Impact
  - Vulnerability and Impact Example: Webshell
  - Persistence
  - The Impact of Persistence
  - Authorization Persistence
  - Authentication Persistence
  - Access Persistence
  - Tamper
  - Supply Chain Attacks
  - Fraud
  - Reflective Attacks
  - Theft and Espionage
  - Credential Theft
  - Destruction
  - Wiper
  - Cryptographic Ransom
  - Vulnerability Chaining
  - Back to Our Webshell Example
  - Access
  - Authorization
  - Authentication
- Part 2: Designing and Operating a Secure System
- Chapter 7: Identify
  - What to Classify
  - Data
  - Services
  - Principals
  - How to Classify
  - Confidentiality Sensitivity
  - Integrity Sensitivity
  - Availability Sensitivity
  - Measuring Impact
  - Direct Impact
  - Indirect Impact
  - Measuring Loss Expectancy
  - Inheritance
  - Sponsorship
  - Example: US Department of Defense Information Classification
- Chapter 8: Protect
  - Identifying Edges
  - From Monolithic Design to Microservices
  - Multi-Session Components
  - The Three Basic Protection Strategies
  - Using an Access Control on the Service
  - Using an Access Control on the Service Paired With an Authorization Control
  - Using an Authorization Control on the Information
  - The Three States of Information
  - Protecting Confidentiality
  - The Bell–LaPadula Model
  - No Read Up
  - No Write Down
  - The Star Security Property
  - Example of a Confidentiality Breach
  - Protecting Confidentiality Using Access Controls
  - Protecting Confidentiality Using Access Controls Paired With Authorization Controls
  - Protecting Confidentiality Using Authorization Controls on Information
  - Protecting Integrity
  - The Biba Integrity Model
  - No Read Down
  - No Write Up
  - The Invocation Property
  - Example of an Integrity Breach
  - Protecting Integrity Using Access Controls
  - Protecting Integrity Using Access Controls Paired With Authorization Controls
  - Protecting Integrity Using Authorization Controls on the Information
  - Protecting Availability
  - Redundancy
  - The “n” System
  - Fault Domains
  - Georedundancy
  - Scalability
  - Recoverability
  - The ACID Test
  - Protecting Authorization Control
  - Protecting Domain Integrity
  - Protecting Trust Integrity
  - Protecting Membership Integrity
  - Ensuring Principal Integrity
  - Credential Issuance
  - Principal Integrity
  - Credential Confidentiality
  - Credential Strength
  - Credential Validity Period
  - Credential Revocation
  - Authenticating Domain Integrity
  - Protecting Securable Integrity
  - Protecting Administrative Authorization
  - Time-Limited Authorization
  - Access Control List Integrity
  - Risk-Based Authorization Control
  - The Process of Creating and Maintaining a Secure System
  - Microsoft’s Security Development Lifecycle
  - Provide Training
  - User Training
  - Administrator Training
  - Developer or Architect Training
  - Define Security Requirements
  - Define Metrics and Compliance Reporting
  - Perform Threat Modeling
  - Establish Design Requirements
  - Specific
  - Measurable
  - Attainable
  - Realizable
  - Traceable
  - Define Use and Cryptography Standards
  - Manage the Security Risk of Using Third-Party Components
  - Use Approved Tools
  - Perform Static Analysis Security Testing (SAST)
  - Perform Dynamic Analysis Security Testing (DAST)
  - Perform Penetration Testing
  - Establish a Standard Incident Response Process
- Chapter 9: Detect
  - The Security Uncertainty Principle
  - Types of Analysis
  - Dynamic Analysis
  - Static Analysis
  - Types of Detection
  - Signature
  - Anomaly
  - Volume Over Time
  - Low-Count Analysis
  - Key-Value Pair Analysis
  - Chronological Anomaly Analysis
  - Geographic Distance Analysis
  - Machine Learning
  - Signal-to-Noise Ratio
  - Detection Confidence Levels
  - Tuning for Suppression or Amplification
  - Improving Signal-to-Noise Ratio by System Design
  - Standardization
  - Simplification
  - The D.I.E. Triad
  - Using Edges to Improve Detection
  - What to Monitor
  - Access Across an Edge
  - Authentication
  - Authorization
  - Translation and Detection
  - Exceptions, Faults, and Failures
- Chapter 10: Respond
  - Targeting
  - The Phases of an Attack
  - Reconnaissance
  - Resource Development
  - Initial Access
  - Execution
  - Persistence
  - Privilege Escalation
  - Defense Evasion
  - Credential Access
  - Discovery
  - Lateral Movement
  - Collection
  - Command and Control
  - Exfiltration
  - Impact
  - Performing a Coordinated Response
  - Operational Security (OPSEC)
  - The ABCs of Incident Response
  - Authentication
  - Actual Identity
  - Stolen Credentials
  - Illegitimate Identities
  - Proxied or Impersonated Identities
  - Backdoor
  - Abuse of a Legitimate Form of Access
  - Abuse of a Legitimate Component
  - Malicious Form of Access
  - Communication
  - Data Persistence and Exposure
  - Compromised
  - Exposed
  - Scoping the Compromise
  - Tracking
  - Monitoring Attacker Assets
  - Monitoring Compromised Accounts, Systems, and Components
  - Monitoring Tactics, Techniques, and Procedures
  - The Art of Response
  - Forensic Integrity
  - Example: Catching Suspicious Activity on Camera
  - Example: Cyberattack
- Chapter 11: Recover
  - Documenting Recovery Processes
  - Preparing for System and Component Recovery
  - Dependencies
  - Document Build Steps
  - Preparing for Information Recovery
  - Backup Metrics
  - Traditional Backups
  - Journaling
  - Lag Copies
  - Versioning
  - Protecting Your Backups
  - Service Design
  - Backup Location
  - Planning for Authentication Recovery
  - Identifying Illegitimate Principals
  - Planning for Credential Control
  - Invalidating the Current Credential
  - Credential Reissuance
  - Credential Multiplicity
  - Validating Trusts
  - Planning for Authorization Recovery
  - Know Where Authorization Can Be Granted
  - Compare Suspect Systems and Components to a Trusted Baseline
  - Verify Legitimate Authorization
  - Test Incident Response and Recovery Plans
  - Seek Outside Perspective
  - The Recovery Process
  - Normal Recovery Process
  - Emergency Recovery Process
  - Interception
  - Intercepting Communications
  - Intercepting Authentication
  - Intercepting Backdoors
  - Operational Recovery
  - Assessing Impact
  - Critical Hardening
  - Restoring Identity
  - Scoping Identity Recovery
  - Recovering a Compromised Domain
  - Recovering Compromised Systems and Components
  - Recovering Components
  - Recovering Systems
  - Restoring Data
- Chapter 12: Closing
- Index
- About the Author