Cybersecurity Architecture Lecture Notes

Introduction

Defense in Depth
- Create multiple layers of security to protect against attacks.
- Example: medieval castles with thick walls, moats.
- Modern application includes multi-factor authentication, mobile device management, EDR, firewalls, and data encryption.
- Aim: No single point of failure.
Principle of Least Privilege
- Grant access only to those who need it, for a justified time.
- Regularly review and update access rights.
- Hardening systems by removing unnecessary services and default credentials.
- Eliminate privilege creep by running recertification campaigns.
Separation of Duties
- Prevent any single point of control to force collusion for compromise.
- Example: Two-lock door system requiring two people to open.
- IT Example: Separate requester and approver roles for access.
Secure by Design
- Integrate security from the design phase, not as an afterthought.
- Ensure security is considered at every stage from requirements to production.
- Everyone is responsible for security, but it begins with the designer.
Keep It Simple Stupid (KISS)
- Avoid overly complex security systems that frustrate users.
- Ensure security is effective yet simple enough not to deter good user behavior.
- Avoid complex password rules that lead users to unsafe practices.

Security by Obscurity
- Do not rely on secrecy for security.
- Rely on open, observable systems with the secrecy limited to the key (Kirchhoff's Principle).
- Avoid proprietary black box systems that are claimed to be unbreakable.