Cyber Security Strategy and Architecture

Models and Frameworks

• Perimeter security

• • Became inefficient due to client side attacks

• Defense in Depth

• ○ Endpoints

• ○ Applications

• ○ Network

• ○ Physical

• ○ Policies, Procedures

• ○ Security Awareness

• Zero Trust (lease privileges)

• What are zero trust principles, pillars and capabilities

• • Organization policies

  • Security Policies

  • Device Inventory

  • User identities

  • • User risk assessment

• Data

• • Classification

  • Labeling

  • Encryption

• Application

• • Usage

  • Permissions

• Access control and management

• • End point/threat protection

• Defensible Security Architecture and Engineering:

• • Zero trust for Hybrid Enterprise

  • Build

  • • Detection

    • Prevention

    • Response

• • Enterprise security Architecture

  • Security models

• What is cyber security framework

• • security

  • • Security frameworks used by specific industries

    • ISO 27001/2

    • NIST 800/53

    • NIST Cyber security framework

    • NIST maturity model framework to measure progress

    • COBIT

    • Cyber Security Maturity Model

    • CIS Controls

    • • Which are CIS Critical controls

      • CIS Templates

      • CIS Checklist

• • Privacy

  • • GDPR

  • Risk

  • • RMF

    • NIST 800-37

• Evaluation Criteria

• • Independent evaluations

  • Certification

  • Accreditation

• Trusted Computing Base (TCB)

• • Reference monitor concept

• Fine tuning and security assessment

• • Risk assessment

  • • What are our assets, which threats and vulnerabilities associated with process

  • Vulnerability Management

  • • Known vulnerabilities

  • Penetration testing/purple teaming

  • • Unknown vulnerabilities

• Security design principles

• • Cyber security models

  • Cyber security controls and countermeasures

• Security engineering core areas:

• • Virtualization

  • Microservices

  • Containerization

  • Serverless

  • Industrial Control Systems (ICS)

  • Embedded systems

  • Database security

  • Cloud Security

  • SCADA

  • OT

  • IOT

  • Cryptography

  • • Symmetric

    • Asymmetric

    • Hash

    • Quantum

    • PKI

    • Digital signatures

    • Non-repudiation

    • Salts

    • Rainbow tables

    • Pass the hash

    • Cryptanalysis

    • Fault injection

    • Implementation attacks

• References:

• 1. https://www.auditscripts.com/free-resources/critical-security-controls/

  2. https://www.auditscripts.com/free-resources/collective-risk-project/

  3. https://www.cisa.gov/uscert/sites/default/files/c3vp/smb/DHS-SMB-Road-Map.pdf

  4. https://www.microsoft.com/en-us/security/business/zero-trust

  5. https://download.microsoft.com/download/f/9/2/f92129bc-0d6e-4b8ea47b-288432bae68e/Zero_Trust_Vision_Paper_Final%2010.28.pdf

  6. NIST zero trust: https://www.nist.gov/publications/zero-trust-architecture

  7. CISA zero trust: https://www.cisa.gov/publication/zero-trust-maturity-model

  8. https://docs.microsoft.com/en-us/security/zero-trust/deploy/endpoints

  9. https://www.crowdstrike.com/cybersecurity-101/zero-trust-security/

  10. https://purplesec.us/learn/cyber-security-strategy/