Security+ SY0-601: 2.1 Enterprise Security Architecture

This entry is part 14 of 47 in the series [ Security+ SY0-601 ]

Chapter 9: Enterprise Security Architecture

Configuration Management

ThisĀ  topic is covered in depth by ITIL:

Document Everything


Network diagrams

Rack diagrams


Baseline Configuration

Establish one

Perform regular Integrity Measurements Checks

Standard Naming Conventions

Includes Asset Tagging (TIA 606)

Does your organization use a naming scheme in which user names are the same as email addresses? This is a BIG no-no.


IP Address Schema

Data Sovereignty

Note the importance of venue: which country’s laws apply?

Data Protection

DLP: Data Loss Prevention


Look at your card number on a cash register receipt:

**** **** **** 4321



Data At Rest

            • Bitlocker
            • PGP disk encryption

Data In Transit / In Motion

            • SSH
            • SSL
            • TLS
            • IPsec

Data In Processing / In Use:

            • Cluster tip wiping wipes sold data in unused file system slack. See the Microscope tool.
            • Data field encryption eg. SSN field


Consider the transaction code for a credit card sale, which does not contain the card number or other data. A random value replaces confidential data.

Rights Management

DRM: Digital Rights Management

Geographical Considerations

How far from your main site should your backups be stored?

How far should your alternate business sites be?

Are your backups or recovery sites out of the USA?

Whose regulations apply?

Response and Recovery Controls

Incident Response

Document Beginning to End!

Identify the attack

Contain the attack

Prevent data exfiltration

Prevent access to sensitive data

DR: Disaster recovery

BC: Business continuity

SSL / TLS Inspection

This actually functions mostly the same as a forward proxy: a device serves as a go-between for the client and server, and the client is actually trusting that proxy’s certificate, not the end server’s certificate.

The big difference is that the proxy actually looks at the data being exchanged – unencrypted.

DLP: Data Loss Prevention

That’s right, a master encryption key, right on an edge device on your network. A very attractive target….


Eg. Store passwords hashed, not encrypted.

API Considerations

Flaws in APIs are public, discoverable, and apply to all users.

Site Resiliency

Hot Sites

Warm Sites

Cold Sites

Deception and Disruption




Fake Telemetry: synthetic network traffic

DNS Sinkhole:

This hack is the fix for WannaCry. DNS returns false results, blocking access to a C2 server. It can be defensive or offensive.

More Study

Professor Messer’s lesson on this topic is excellent.

Series Navigation<< Security+ SY0-601: 2.0 Architecture and DesignSecurity+ SY0-601: 2.2: Virtualization and Cloud Security >>