Security Architecture And Design Assignment
Chapter #5 from the textbook
Since we know that this particular instance of the AppMaker implements a customer-facing store that processes financial transactions, how does that influence which threat agents may be interested in attacking it?
Answer the question in a short paragraph with a minimum of 300 words. Count only the words in the body of your response, not the references. Use APA formatting, but do not include a title page, abstract or table of contents: body and references only in your post.
A minimum of two references is required. One reference to the book is acceptable, but multiple references are allowed. There should be multiple citations within the body of the paper. Note that an in-text citation includes the author’s name, year of publication and the page number where the paraphrased material is located.
Securing Systems
Applied Security Architecture and Threat Models
Brook S.E. Schoenfield
Forewords by John N. Stewart and James F. Ransome
CRC Press Taylor & Francis Group 6000 Broken Sound Parkway NW, Suite 300 Boca Raton, FL 33487-2742
© 2015 by Taylor & Francis Group, LLC CRC Press is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works Version Date: 20150417
International Standard Book Number-13: 978-1-4822-3398-8 (eBook – PDF)
This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.
Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.
For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.
Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com
and the CRC Press Web site at http://www.crcpress.com
Dedication
To the many teachers who’ve pointed me down the path; the managers who have supported my explorations; the many architects and delivery teams who’ve helped to refine the work; to my first design mentors—John Caron, Roddy Erickson, and Dr. Andrew Kerne—without whom I would still have no clue; and, lastly, to Hans Kolbe, who once upon a time was our human fuzzer.
Each of you deserves credit for whatever value may lie herein. The errors are all mine.
Contents
Dedication v
Contents vii
Foreword by John N. Stewart xiii
Foreword by Dr. James F. Ransome xv
Preface xix
Acknowledgments xxv
About the Author xxvii

Part I
Introduction 3
The Lay of Information Security Land 3
The Structure of the Book 7
References 8

Chapter 1: Introduction 9
1.1 Breach! Fix It! 11
1.2 Information Security, as Applied to Systems 14
1.3 Applying Security to Any System 21
References 25

Chapter 2: The Art of Security Assessment 27
2.1 Why Art and Not Engineering? 28
2.2 Introducing “The Process” 29
2.3 Necessary Ingredients 33
2.4 The Threat Landscape 35
2.4.1 Who Are These Attackers? Why Do They Want to Attack My System? 36
2.5 How Much Risk to Tolerate? 44
2.6 Getting Started 51
References 52

Chapter 3: Security Architecture of Systems 53
3.1 Why Is Enterprise Architecture Important? 54
3.2 The “Security” in “Architecture” 57
3.3 Diagramming For Security Analysis 59
3.4 Seeing and Applying Patterns 70
3.5 System Architecture Diagrams and Protocol Interchange Flows (Data Flow Diagrams) 73
3.5.1 Security Touches All Domains 77
3.5.2 Component Views 78
3.6 What’s Important? 79
3.6.1 What Is “Architecturally Interesting”? 79
3.7 Understanding the Architecture of a System 81
3.7.1 Size Really Does Matter 81
3.8 Applying Principles and Patterns to Specific Designs 84
3.8.1 Principles, But Not Solely Principles 96
Summary 98
References 98

Chapter 4: Information Security Risk 101
4.1 Rating with Incomplete Information 101
4.2 Gut Feeling and Mental Arithmetic 102
4.3 Real-World Calculation 105
4.4 Personal Security Posture 106
4.5 Just Because It Might Be Bad, Is It? 107
4.6 The Components of Risk 108
4.6.1 Threat 110
4.6.2 Exposure 112
4.6.3 Vulnerability 117
4.6.4 Impact 121
4.7 Business Impact 122
4.7.1 Data Sensitivity Scales 125
4.8 Risk Audiences 126
4.8.1 The Risk Owner 127
4.8.2 Desired Security Posture 129
4.9 Summary 129
References 130

Chapter 5: Prepare for Assessment 133
5.1 Process Review 133
5.1.1 Credible Attack Vectors 134
5.1.2 Applying ATASM 135
5.2 Architecture and Artifacts 137
5.2.1 Understand the Logical and Component Architecture of the System 138
5.2.2 Understand Every Communication Flow and Any Valuable Data Wherever Stored 140
5.3 Threat Enumeration 145
5.3.1 List All the Possible Threat Agents for This Type of System 146
5.3.2 List the Typical Attack Methods of the Threat Agents 150
5.3.3 List the System-Level Objectives of Threat Agents Using Their Attack Methods 151
5.4 Attack Surfaces 153
5.4.1 Decompose (factor) the Architecture to a Level That Exposes Every Possible Attack Surface 154
5.4.2 Filter Out Threat Agents Who Have No Attack Surfaces Exposed to Their Typical Methods 159
5.4.3 List All Existing Security Controls for Each Attack Surface 160
5.4.4 Filter Out All Attack Surfaces for Which There Is Sufficient Existing Protection 161
5.5 Data Sensitivity 163
5.6 A Few Additional Thoughts on Risk 164
5.7 Possible Controls 165
5.7.1 Apply New Security Controls to the Set of Attack Services for Which There Isn’t Sufficient Mitigation 166
5.7.2 Build a Defense-in-Depth 168
5.8 Summary 170
References 171

Part I Summary 173

Part II
Introduction 179
Practicing with Sample Assessments 179
Start with Architecture 180
A Few Comments about Playing Well with Others 181
Understand the Big Picture and the Context 183
Getting Back to Basics 185
References 189

Chapter 6: eCommerce Website 191
6.1 Decompose the System 191
6.1.1 The Right Level of Decomposition 193
6.2 Finding Attack Surfaces to Build the Threat Model 194
6.3 Requirements 209

Chapter 7: Enterprise Architecture 213
7.1 Enterprise Architecture Pre-work: Digital Diskus 217
7.2 Digital Diskus’ Threat Landscape 218
7.3 Conceptual Security Architecture 221
7.4 Enterprise Security Architecture Imperatives and Requirements 222
7.5 Digital Diskus’ Component Architecture 227
7.6 Enterprise Architecture Requirements 232
References 233

Chapter 8: Business Analytics 235
8.1 Architecture 235
8.2 Threats 239
8.3 Attack Surfaces 242
8.3.1 Attack Surface Enumeration 254
8.4 Mitigations 254
8.5 Administrative Controls 260
8.5.1 Enterprise Identity Systems (Authentication and Authorization) 261
8.6 Requirements 262
References 266

Chapter 9: Endpoint Anti-malware 267
9.1 A Deployment Model Lens 268
9.2 Analysis 269
9.3 More on Deployment Model 277
9.4 Endpoint AV Software Security Requirements 282
References 283

Chapter 10: Mobile Security Software with Cloud Management 285
10.1 Basic Mobile Security Architecture 285
10.2 Mobility Often Implies Client/Cloud 286
10.3 Introducing Clouds 290
10.3.1 Authentication Is Not a Panacea 292
10.3.2 The Entire Message Stack Is Important 294
10.4 Just Good Enough Security 295
10.5 Additional Security Requirements for a Mobile and Cloud Architecture 298

Chapter 11: Cloud Software as a Service (SaaS) 301
11.1 What’s So Special about Clouds? 301
11.2 Analysis: Peel the Onion 302
11.2.1 Freemium Demographics 306
11.2.2 Protecting Cloud Secrets 308
11.2.3 The Application Is a Defense 309
11.2.4 “Globality” 311
11.3 Additional Requirements for the SaaS Reputation Service 319
References 320

Part II Summary 321

Part III
Introduction 327

Chapter 12: Patterns and Governance Deliver Economies of Scale 329
12.1 Expressing Security Requirements 337
12.1.1 Expressing Security Requirements to Enable 338
12.1.2 Who Consumes Requirements? 339
12.1.3 Getting Security Requirements Implemented 344
12.1.4 Why Do Good Requirements Go Bad? 347
12.2 Some Thoughts on Governance 348
Summary 351
References 351

Chapter 13: Building an Assessment Program 353
13.1 Building a Program 356
13.1.1 Senior Management’s Job 356
13.1.2 Bottom Up? 357
13.1.3 Use Peer Networks 359
13.2 Building a Team 364
13.2.1 Training 366
13.3 Documentation and Artifacts 369
13.4 Peer Review 372
13.5 Workload 373
13.6 Mistakes and Missteps 374
13.6.1 Not Everyone Should Become an Architect 374
13.6.2 Standards Can’t Be Applied Rigidly 375
13.6.3 One Size Does Not Fit All, Redux 376
13.6.4 Don’t Issue Edicts Unless Certain of Compliance 377
13.7 Measuring Success 377
13.7.1 Invitations Are Good! 378
13.7.2 Establish Baselines 378
13.8 Summary 380
References 382

Part III Summary and Afterword 383
Summary 383
Afterword 385