Secure Design Principles … System and System Architecture

System and application development consists of following stages

  1. Design
  2. Development
  3. Test
  4. Deployment processes.

Security has to be addressed at every step in the development cycle. However, addressing security in the design stage itself is most critical. Since prevention is better than cure, addressing security at the design stage itself can facilitate preventative controls to address security issues.

Hence, In this post we will take a look at the some of the important design principles must be considered while designing Systems.

Before I begin with Secure design principles – Lets understand what is a “system”;


Well system is something composed of Hardware and software; which allow software to run to perform some operation.

This typically includes the physical components, the operating systems, and the programming languages used. From a physical and logical perspective, a number of possible frameworks or platforms are in use. 

Below picture depicts about some of the most common systems.


Hence, A system is a collection of elements that together produce desired results which are not possible to get by the individual components alone. In enterprise solution, a system may involve single or multiple computers or devices working together to achieve a particular result.

For example, an online shopping system may involve a web server, an e-commerce server, and a database server. However, these systems alone cannot provide necessary security for online transactions. An organization may need to include multiple switches, routers, firewalls, IPS, IDS, Proxy or other security mechanism to ensure that security is maintained end to end.

To understand engineering using secure design principles, organizations must understand the difference between objects and subjects and closed versus open systems. Refer to below figure for all required details.

Refer to below examples to get a better understanding.
Example – Subject & Object
Suppose “Gaurav” wants to access an application. In this case, Gaurav is a subject, and the application is an object. Suppose then that once Gaurav is given access to the application, the application needs to access information in a database called “mrcissp”. Then the application becomes the subject, and the database becomes the object.

Let’s take a look at another example which is selected from our official study guide “Sybex” as it is.
Example – Transitive Trust
Workers (A) do not have access to specific internet sites (C). However, if workers can access a web proxy, virtual private network (VPN), or any other anonymization service, then this can serve as a means to bypass the local network restriction. In other words, if workers (A) are accessing VPN service (B), and the VPN service (B) can access the blocked internet service (C); then A can access C through B via transitive trust exploitation.

System Architecture

The system architecture, in turn, is the overall design of the components -such as hardware, operating systems, applications, and networks of an information system.

Organizations must implement and manage systems engineering processes using secure design principles as discussed in Domain 1: Security & Risk Management.

ISO & IEC groups have developed standards for systems engineering: ISO/IEC 15288:2015 and NIST Special Publication (SP) 800-160, which supersedes NIST SP 800-27.

Please note: ISO/IEC 15288:2015 will be discussed in separate blog.

Hence, Below are the primary Secure design principles used in System Engineering.

  1. The Computer Architecture
  2. System security mechanism
  3. Trusted Computing Base
  4. Assurance

Each of them is quite a Big topic in itself and we will discussing them through a separate post.

Vulnerabilities of Security Architectures and Designs

Organizations must assess and mitigate the vulnerabilities of security architectures, designs, and solution elements. Insecure systems are exposed to many common vulnerabilities and threats. This post discusses the vulnerabilities of

  • Client-based systems
  • Server-based systems
  • Database systems
  • Cryptographic systems
  • Industrial control systems
  • Cloud-based systems
  • Large-scale parallel data systems
  • Distributed systems
  • Internet of Things
  • Grid Computing Systems
  • Mobile Systems
  • Web based System

Client-based system

Vulnerabilities in Client Based System
Vulnerabilities in Client Based System

Server-based system

 Vulnerabilities in Server Based System
Vulnerabilities in Server Based System

Database systems

Vulnerabilities in Database System
Vulnerabilities in Database System

Industrial control system

Vulnerabilities in Industrial Control System
Vulnerabilities in Industrial Control System

Cloud based system

 Vulnerabilities in Cloud Based System
Vulnerabilities in Cloud Based System

Large-scale Parallel Data System

Vulnerabilities in Large-scale Parallel Data System
Vulnerabilities in Large-scale Parallel Data System

Grid and P-2-P computing

Vulnerabilities in Grid and Peer to Peer Computing System
Vulnerabilities in Grid and Peer to Peer Computing System

Internet of Things

 Vulnerabilities in System
Vulnerabilities in IoT System

Please stay tuned for the update in this post for “Mobile Based system” and “Web Based System”.

Physical Security Requirements

Is it possible to secure an asset with securing Physical perimeter of your building? – answer is “No”.

If a malicious person can gain physical access to your facility or equipment, they can do just about anything they want, from destruction to disclosure or alteration. Physical controls are your first line of defense, and people are your last.

All physical security should be based in a layered defense model.


Crime Prevention Through Environmental Design (CPTED) refers to designing a facility from the ground up to support security. It is actually a broad concept that can be applied to any project. Some of key points mentioned in CPTED are as below.


Physical Security Plan

Another important aspect of site and facility design is the proper convergence between the physical layout and the physical security plan. Achieving all the goals of CPTED is not always possible, and in cases where gaps exist, the physical security plan should include policies and/or procedures designed to close any gaps. The plan should address the following issues.

Strategy for Physical Security
Strategy for Physical Security

The security controls implemented to manage physical security can be divided into three groups: administrative, technical, and physical.

Administrative Physical Security Control

For selection of site, a number of decision has to be made such as

  • Will the site be externally marked as a data center?
  • Is there shared tenancy in the building?
  • Where is the telecom demarc (the telecom demarcation point)?

Site selection should be based on the security needs of the organization. Below figure explain some of common questions which can help in Decision making.

Once site is selected; The support systems built into the building play critical role in overall physical security posture. Hence, there are multiple factors we need to look into while designing security.

Administrative Control
Administrative Control

Physical Control

Refer to below picture for all the physical controls used in an Organization

Technical Physical Control

Technical Physical Control
Technical Physical Control

Other Physical Security Requirements

In addition to the above mentioned control; there are few controls which are required for a specific area types such as Wiring closet, Data center, Server room, Media room etc.

In below figure we have discussed multiple controls for such special areas.

Specific Controls Based on Type of Area
Specific Controls Based on Type of Area

QUIZ TIME * – Practicing questions along with Concepts is Best way to Maintain Interest in Study. Hence, Please take some time for a small Quiz on Physical Security? – Please click on below image for quiz to start.

* The questions in these practice tests are listed to help you study information and concepts that are likely to be tested on CISSP certification and do not represent questions from any actual test. Your score on these practice tests is not meant to and will not correlate to any particular score on any test.

Equipment Failure

No matter the quality of the equipment your organization chooses to purchase and install, eventually it will fail.

Most IT professionals are used to talking about uptime, downtime, and system failure. But not everyone is entirely clear on the definition of the terms widely used in the industry. What exactly differentiates “mean time to failure” from “mean time between failures”? And how does “mean time to repair” play into it? Let’s get some definitions straight!

An SLA clearly defines the response time a vendor will provide in the event of an equipment failure emergency.

MTTF is the expected typical functional lifetime of the device given a specific operating environment.

MTTR is the average length of time required to perform a repair on the device.

MTBF is an estimation of the time between the first and any subsequent failures.

Refer to below picture for clear differences among MTTR, MTTF, MTBF


Make sure to schedule all devices to be replaced before their MTTF expires

Security Capability of Information System … Trusted Computing Base

In computer systems, establishing the level of assurance based on the defined security models so that the computer system can be trusted for use in critical infrastructure is called trusted computing.

The following are some of the concepts that relate to information security aspects of a trusted computing architecture:

Trusted Computing Base

It defines – How a vendor should develop its Hardware, Software, Firmware to establish some level of Trust on CIA – Originally Documented in Orange Book.

Trusted Computing Base
Trusted Computing Base

Organizations must understand the security capabilities of any information systems that they implement. This section discusses memory protection, virtualization, Trusted Platform Module, interfaces, and fault tolerance.

other security capabilities
other security capabilities

Organizations can implement different policy mechanisms to increase the security of information systems.

Policy Mechanism
Policy Mechanism

Assurance … System Security Evaluation Models

In information security, the term assurance means the level of trust or the degree of confidence in the satisfaction of security needs. There are many standards and guidelines published by the government and commercial organizations to evaluate the assurance aspects of computer systems.

In this post, organizations that have created such evaluation systems are discussed.

System Security Evaluation Model
System Security Evaluation Model

Computer Architecture e.g. CPU, Memory

While we discuss the way security is provided in an architecture, having a basic understanding of the components in computing equipment is very helpful. This post discusses those components and some of the functions they provide.


The central processing unit (CPU) is the hardware in the system that executes all the instructions in the code.

System Components CPU
System Component – CPU

Please note: Different Security Modes are not discussed here. For such details, please refer to our previous blog on Security Mode.


A computing system needs somewhere to store information, both on a long-term basis and a short-term basis.

System Components Memory & Storage
System Components – Memory & Storage

Input/Output Device

Input/output (I/O) devices are used to send and receive information to the system. Examples are the keyboard, mouse, displays, and printers. 

System Components I/O Device
System Components – I/O Device


Firmware is software that is stored on an EPROM or EEPROM chip within a device. While updates to firmware may become necessary, they are infrequent. Firmware can exist as the basic input/output system (BIOS) on a computer or device firmware.

System Components Firmware
System Components – Firmware

Cryptanalytic Attacks and Cryptography Lifecycle

Cryptography attacks are categorized as either passive or active attacks. A passive attack is usually implemented just to discover information and is much harder to detect because it is usually carried out by eavesdropping or packet sniffing. Active attacks involve an attacker actually carrying out steps, like message alteration or file modification. Cryptography is usually attacked via the key, algorithm, execution, data, or people. But most of these attacks are attempting to discover the key used.

Cryptography attacks that are discussed include the following:

Cryptanalytic Attack
Cryptanalytic Attack
Cryptanalytic Attack
Cryptanalytic Attack

QUIZ TIME * – Practicing questions along with Concepts is Best way to Maintain Interest in Study. Hence, Please take some time for a small Quiz on Cryptanalytic Attacks? – Please click on below image for quiz to start.

Cryptography Lifecycle

* The questions in these practice tests are listed to help you study information and concepts that are likely to be tested on CISSP certification and do not represent questions from any actual test. Your score on these practice tests is not meant to and will not correlate to any particular score on any test.


  • Cipher-text only attack
    • An attacker uses several “encrypted message” to figure out the key
    • Not much successful
  • Known plaintext attack
    • An attacker uses “Plaintext and Ciphertext” versions of a message to discover the key used
    • Attacker implements
      • Reverse engineering
      • Frequency analysis
      • Brute force
  • Chosen plaintext attack
    • Attacker select a Plaintext with a hope of getting Ciphertext; Then compare Plaintext and Ciphertext to get Key
  • Social Engineering
    • Intimidation
    • Enticement
    • Inducement
  • Brute Force
    • Requires considerable time and processing power
    • Rainbow Tables
    • Salting
  • Differential Cryptanalysis
    • Measures the execution times and power required by the cryptographic device
    • The measurements help to detect the key and algorithm used
  • Birthday Attack
    • Collision
  • Dictionary Attack
    • Requires considerable time and processing power
  • Replay attack
    • Intercept encrypted message
    • Most commonly for Authentication message
    • The Best countermeasure: Timestamp, Timeouts, Sequence Numbers
  • Analytic Attack
    • Attackers use known “structural weaknesses or flaws” to determine the algorithm used
  • Statistical Attack
    • Use known statistical weaknesses of an algorithm
  • Factoring Attack
    • Attack is carried out against the RSA algorithm by using the solutions of factoring large numbers
  • Meet-in-middle attack
    • An attacker tries to break the algorithm by encrypting from one end and decrypting from the other to determine the mathematical problem used
    • 2DES