What type of Algorithms was used in History when converting plaintext to ciphertext. It was mainly based on Ciphers.
The two main component of any cryptosystem are
In this section; we will be exploring some of the common Ciphers used in Cryptosystem. We will also discuss their Advantage and disadvantages. Refer to below figure for all details about different Cipher.
Is it enough to secure Just the Device? – Answer is “No”
Is not it important to secure the Data on the Device? – Answer is “It is extremely important”.
Therefore, Organizations must also secure the data as it resides on the devices and as it is transmitted over the network. Cryptography involves using algorithms to protect data.
In this section & subsequent blogs We shall discusses cryptography concepts, cryptography history, goals of cryptography, cryptosystem features, cryptographic mathematics, and cryptographic life cycle.
A security professional should understand many terms and concepts related to cryptography.
All cryptographic algorithms involve the use of mathematics. The fundamental mathematical concepts for cryptography are discussed in the below mindmap
A security model maps the desires of the security policy makers to the rules that a computer system must follow.
We can also say; It lays out the framework and mathematical models that act as security-related specifications for a system architecture.
Different model types exhibit various approaches to achieving this goal. Below are the models discussed in this section.
Refer to below mindmap to know more details about these models.
In our previous blog we discussed about Open and Closed system. Continuing with our discussion on Domain 3; Lets understand the security mechanism used in such system.
A mandatory access control (MAC) system operates in different security modes at various times, based on variables such as
There are four different modes.
Refer to below picture for detail descriptions of these modes.
Organizations must understand what they need to secure, why they need to secure it, and how it will be secured. This is also one of important domain to focus for CISSP exam. Out of 100% of the exam, this domain carries an weight of 12~13%. Following topics are discussed in this domain.
Security engineering is based on design principles, practices, and models to ensure confidentiality, integrity, and the availability requirements of information assets. The end result could be the development of a product or supporting organizational processes. Further, the product could be hardware, software, or a combination of both.
Sensitive assets need protection from unauthorized disclosure or tampering. The sensitivity of assets is determined by confidentiality and integrity requirements and the impact of compromise on the corporation or national security. Cryptographic methods and solutions provide assurance to protect assets from compromise.
Refer to below picture for better clarity
For many forward-thinking organizations, physical security considerations begin during site selection and design. These companies have learned that building in security is easier than patching the security after the fact. In this section, site selection and site building practices that can lead to increased physical security are covered.
Above both picture are taken from book “CISSP in 21 days” written by “M.L. Srinivasan”.
Now that the higher-level architectural principles behind Cisco Digital Network Architecture are clear, this blog provides an overview of the main architectural components, i.e. Cisco DNA infrastructure, automation, analytics, and cloud integration.
The critical blocks of Cisco DNA are shown in below figure, which illustrates how the principles of openness, extensibility, programmability, software driven, policy-based networking, security, and cloud integration (all discussed in the previous blog) drive the overall architecture. This blog will explain how these components interact/collaborate to deliver the requirements (outlined in the previous blog “Value Proposition for Cisco DNA”). Let’s understand all of these blocks in more details
The infrastructure component in Cisco DNA represents all those functions that participate in carrying network traffic between users, devices, and applications. This piece of the network is built with traditional data plane and control plane functions needed to transport traffic across the network to connect users, applications, and devices with each other.
Cisco DNA still relies on the existing proven distributed forwarding techniques that are successfully deployed in every network today! So what is “New” in Cisco DNA? – Well, the first answer is “Improvement in Physical Infrastructure with Programmable ASICs”.Then the next questions come; why do we need such ASICs?
The second answer is “Addition of virtual component in Cisco DNA Infrastructure” to meet Cisco DNA principles of openness, software driven, programmability, and security. For example;
Virtualization plays another major role in the Cisco DNA infrastructure because it is a very crucial mechanism to deploy services fast and with minimal dependencies on the underlying hardware infrastructure. The virtualization architecture can be broken down into two main components:
Again, what’s new in “Transport Virtualization” – according to me Its nothing, It is the same technology i.e. Segmentation which has been around us with multiple decades such as VLANs, VRF.
Typically, a service connects endpoints or endpoint groups; therefore, the service may be not only application-aware but also a user (identity) aware. The logical segmentation of groups of users and applications, then, is an essential component of the enterprise fabrics overlay architecture, augmenting the traditional concepts of VLANs and VRF.
Network function virtualization (NFV) is part of the architecture that can enable network functions to run anywhere in the network infrastructure based on the availability of computing resources.
The operating systems of the network elements in Cisco DNA are enhanced to support this virtualization, providing the ability to spin up or tear down network functions within minutes, to monitor their status, and to redeploy, restart, or even support their move from one location or server to the next. For example
Third answer is “App Hosting” – Note that in Cisco DNA, applications can also be hosted within the infrastructure. Some of the examples could be traffic generators, troubleshooting or monitoring tools, print servers or other business support functions.
Workload of such application could run efficiently in a container so as not to require an additional layer of operating system (which is the case in a virtual machine–based deployment).
It is one of the most frequently used terms in Cisco DNA. Hence, I thought it is worth spending some time on it. To understand this; let’s consider our typical enterprise infrastructure which is composed of Campus, Data Center, WAN that connects all users and end points to respective applications. The idea behind such segregation was primarily motivated by different requirement, technologies & Enterprise structures.
However, in Cisco DNA domain is more flexible in the sense a domain can also be created for all network elements in Campus and WAN, under the governance of a single controller instance. As per Cisco, in Cisco DNA domains are Categorized in one of the four Category as shown in below figure.
Due to this post length; Rest of the Three blocks, i.e. automation, analytics, and cloud integration will be discussed in next page. Till then please stay tuned, let me know if you have any questions and comments.
References:
https://www.cisco.com/c/dam/global/ru_kz/solutions/enterprise-networks/digital-network-architecture/pdf/white-paper-c11-736842.pdf.
An Asset is something which has any worth to an Organization. It includes people, partners, equipment, facilities, reputation, and information. A through details on Asset was discussed in Domain 1: Security & Risk Management also in our previous blog. Refer to mentioned hyperlink for more details.
As discussed in previous blogs in the context of Risk Management While every asset needs to be protected, this blog focuses on protecting information assets. Information/Data is typically the most valuable asset and lies at the center of every information system, so precision focus on its protection makes much sense.
Let’s understand – What is “Information” – In simple words; we can say “A Data that is combined to form some meaning.” Once information is created; It goes through complete life-cycle in an Organization. Hence, we will begin with Information life-cycle. Data goes through multiple phases. Therefore, the CIA should be ensured at every step.
To address the CIA effectively and economically, We need to understand sensitive Information for the interest of our Organization.
Thus, the first step in Asset Security is to Classify and Label the asset.
Refer to below mindmap for Information Life-cycle, Sensitive Data, Data Classification, and Its Procedure.
Please note: Category of Data Classification is not discussed here. For such details, please refer to our previous blog on Data Classification as discussed in Domain 1: Security & Risk Management.
Once we have classified Data and Assets, It is imperative to understand the Roles and Responsibility of different Individual’s, importance of Data Security Policies & different states of data in the Organization
Please note: Different Roles and responsibilities are not discussed here. For such details, please refer to our previous blog on Organizational Roles and Responsibilities as discussed in Domain 1: Security & Risk Management.
Next step is to understand how to Label, Store & destroy any sensitive information Asset.
Beginning with where we left off, let’s understand “Data Retention Policy” & some of the security controls used for Protecting Sensitive Assets and Data.
Case Study: PII data on a SQL server
Suppose an organization stores all the PII data it retains on a SQL server located on the organization’s demilitarized zone (DMZ). If the organization decides to replace the SQL server with a new Windows Server 2016 computer, it will be necessary to take back up the PII from the old server and restore it to the new server. Also, the organization may want to retain the backup of the PII and store it in a safe or other secure location, in case the organization should ever need it. Then the organization must ensure that the PII cannot be retrieved from the hard drive on the old server. Thus may require physical destruction of the hard drive.
