Chapter 9: Enterprise Security Architecture
Configuration Management
This topic is covered in depth by ITIL:
https://en.wikipedia.org/wiki/Configuration_Management_(ITSM)
Document Everything
Diagrams
Network diagrams
https://www.addictivetips.com/net-admin/it-inventory-management-tools/
Rack diagrams
Specifications
Baseline Configuration
Establish one
Perform regular Integrity Measurements Checks
Standard Naming Conventions
Includes Asset Tagging (TIA 606)
IP Address Schema
Data Sovereignty
Note the importance of venue: which country’s laws apply?
Data Protection
DLP: Data Loss Prevention
Masking
Look at your card number on a cash register receipt:
**** **** **** 4321
Hashing
Encryption
Data At Rest
- Bitlocker
- PGP disk encryption
Data In Transit / In Motion
- SSH
- SSL
- TLS
- IPsec
Data In Processing / In Use:
- Cluster tip wiping wipes old data left in unused file system slack space. See the Microscope tool.
- Data field encryption, e.g. encrypting an SSN field
Tokenization
Consider the transaction code for a credit card sale, which does not contain the card number or other data. A random value replaces confidential data.
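As an added example (not from these notes), here are the three data protection techniques above side by side in Python: masking a card number as on a receipt, a tokenization vault that substitutes a random value for the card number, and salted password hashing. The card number is a constructed test value, and the vault is an in-memory stand-in for a real token service.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample value: a test card number, not real data.
SAMPLE_PAN = "4111111111114321"


def mask_pan(pan: str) -> str:
    """Masking: keep only the last four digits, as printed on a receipt."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    masked = "*" * (len(digits) - 4) + digits[-4:]
    # Group into blocks of four for the familiar receipt layout.
    return " ".join(masked[i:i + 4] for i in range(0, len(masked), 4))


class TokenVault:
    """Tokenization: a random value stands in for the card number.
    The mapping lives only in the vault, so a token taken from the
    sales system reveals nothing about the card it refers to."""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._pan_to_token:      # one stable token per card
            return self._pan_to_token[pan]
        token = secrets.token_hex(8)       # random, not derived from the PAN
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]


def hash_password(password: str, salt=None):
    """Hashing: store a salted, slow hash of the password, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)
```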
Rights Management
DRM: Digital Rights Management
Geographical Considerations
How far from your main site should your backups be stored?
How far should your alternate business sites be?
Are your backups or recovery sites out of the USA?
Whose regulations apply?
Response and Recovery Controls
Incident Response
Document Beginning to End!
Identify the attack
Contain the attack
Prevent data exfiltration
Prevent access to sensitive data
DR: Disaster recovery
BC: Business continuity
SSL / TLS Inspection
This actually functions mostly the same as a forward proxy: a device serves as a go-between for the client and server, and the client is actually trusting that proxy’s certificate, not the end server’s certificate.
The big difference is that the proxy actually looks at the data being exchanged – unencrypted.
DLP: Data Loss Prevention
That’s right, a master encryption key, right on an edge device on your network. A very attractive target.
Hashing
E.g. store passwords hashed, not encrypted.
API Considerations
Flaws in APIs are public, discoverable, and apply to all users.
https://resources.infosecinstitute.com/topic/api-security/
Site Resiliency
Hot Sites
Warm Sites
Cold Sites
Deception and Disruption
Honeypots
Honeyfiles
Honeynets
Fake Telemetry: synthetic network traffic
DNS Sinkhole:
This hack is the fix for WannaCry. DNS returns false results, blocking access to a C2 server. It can be defensive or offensive.
More Study
Professor Messer’s lesson on this topic is excellent.