Chapter 1: Introduction
Brook S.E. Schoenfield
Department of Information Systems Security
Security Architecture and Design
January 12, 2024
When the security architect receives requirements from the assessor (such as clients or stakeholders), the analysis should begin at the concept stage of system development. Once the architect has the system design's requirements and scope, he/she starts the system development assessment. This is crucial because, when designing complex security architectures for organizations, the architect must understand whether the design is cost-effective. If the architect does not work through the structural design thoroughly, he will encounter many issues that result in system vulnerabilities and increased design costs. I've read an article about the Sony Pictures hack in 2014. The incident was caused by a lack of security measures during the design phase, allowing attackers to exploit vulnerabilities (Ashford, 2014). If a security architect had implemented proactive security earlier, many of these vulnerabilities could have been fixed before deployment, potentially preventing the breach.
Risk assessment: This is one of the many vital tasks carried out by the security architect. It helps us anticipate and identify potential threats and vulnerabilities in the system. For instance, Facebook restricted third-party app access controls after its internal risk assessment team found vulnerabilities in its API (Isaac, 2018).
Designing Security Controls: Microsoft Azure implemented multilayer security controls, such as multi-factor authentication (MFA), to protect data from hackers. This is an example of how we integrate security measures like encryption and intrusion detection into the systems we develop (Chant, 2016).
Threat Modeling: This exercise helps us anticipate how hackers might penetrate the system. For instance, the 2017 WannaCry ransomware attack drew attention to the significance of threat modeling (Hern, 2017). Better modeling could have identified these issues, but many organizations failed to implement it and to apply the required patches. The US Department of Defense's "Hack the Pentagon" program invited many ethical hackers to test its security; it emphasizes the value of security testing and serves as a model for ongoing security testing (Chappell, 2016). Security testing, including vulnerability scans and penetration tests, is what we need to do.
The following knowledge domains are applied to the analysis:
Risk management: essentially, risk management provides insight into how to reduce
risks, as demonstrated by the 2018 Marriott data breach, which was caused by insufficient
third-party vendor risk management (Krebs, 2018).
Network security: Network security aids in protecting communication channels; for
instance, more robust network security measures could have prevented the Dyn DDoS attack.
Cryptography: Protecting data with encryption, like Apple's end-to-end encryption in iMessage (Weisinger, 2015).
Incident Response: Creating and implementing strategies to control and limit security breaches, as demonstrated by the NHS's reaction to the WannaCry attack, which included deploying the required patches and enhancing recovery plans.
Secure Coding Practices: Knowledge of secure development methodologies is necessary for secure coding. The 2014 Adobe breach was attributed to inadequate secure coding techniques, which were later strengthened (Kawushika, 2014).
Legal Requirements and Compliance: Adhering to regulatory standards such as
GDPR, as evidenced by the redesigns implemented by Google and Facebook to meet the new
privacy regulations.
The following are some strategies that make assessing the risk of security
architectures easier:
Understanding the business context: risk assessment ought to be in line with the
objectives and activities of the company. To prioritize the risks that affect services, it is
helpful to understand the business context. I will coordinate with business stakeholders to
learn about their main concerns. This will allow for a more targeted and risk-based
assessment (GurZeev, 2024).
Use an organized framework: Using an organized framework (e.g., NIST, ISO 27001, and others) standardizes the process, and these established frameworks cover all pertinent security aspects in detail. Choosing a framework according to the organization's needs makes assessments consistent and comparable (Eliot, 2024).
Asset identification and classification: Make an inventory of your assets and group
them into high, medium, and low-priority categories according to their significance to the
company. This will help you identify where to concentrate your risk management efforts
because you'll be able to locate vital assets like intellectual property and Data Transfer and
Access Systems (GurZeev, 2024).
Threat Modeling and Automation: During the risk assessment phase, save time by employing threat modeling, which involves systematically identifying potential threats using methodologies such as STRIDE. When feasible, automate vulnerability scanning by integrating tools such as Qualys and Nessus with risk management platforms. This eliminates human error and boosts efficiency.
References
Ashford, W. (2014, December 4). Sony hack exposes poor security practices. ComputerWeekly.com. https://www.computerweekly.com/news/2240236006/Sony-hack-exposes-poor-security-practices
Chant, B. (2023, May 16). Key layers for developing a smarter SOC with CyberProof-managed Microsoft Azure Security Services. Microsoft Security Blog. https://www.microsoft.com/en-us/security/blog/2020/11/17/key-layers-for-developing-a-smarter-soc-with-cyberproof-managed-microsoft-azure-security-services/
Chappell, B. (2016, March 2). U.S. announces "Hack the Pentagon" bug bounty program. NPR. https://www.npr.org/sections/thetwo-way/2016/03/02/468887190/u-s-announces-hack-the-pentagon-bug-bounty-program
Eliot, D. (2024, September 27). NIST cybersecurity framework. NIST. https://www.nist.gov/itl/smallbusinesscyber/nist-cybersecurity-framework-0
GurZeev, R. (2024, September 10). Cybersecurity risk management: Process, frameworks & tips. CyCognito. https://www.cycognito.com/learn/vulnerability-management/cybersecurity-risk-management.php
Hern, A., & Gibbs, S. (2017, May 12). What is WannaCry ransomware and why is it attacking global computers? The Guardian. https://www.theguardian.com/technology/2017/may/12/nhs-ransomware-cyber-attack-what-is-wanacrypt0r-20
Isaac, M., & Frenkel, S. (2018, September 28). Facebook security breach exposes accounts of 50 million users. The New York Times. https://www.nytimes.com/2018/09/28/technology/facebook-hack-data-breach.html
Kawushika, B. (2024, July 7). Adobe cyberattack 2013 case study. LinkedIn. https://www.linkedin.com/pulse/adobe-cyberattack-2013-case-study-bulitha-kawushika-hlrxc/
Krebs, B. (2018, December 1). What the Marriott breach says about security. Krebs on Security. https://krebsonsecurity.com/2018/12/what-the-marriott-breach-says-about-security/
Weisinger, D. (2015, September 10). Apple iMessage's end-to-end encryption stymies US data request. Sophos News. https://news.sophos.com/en-us/2015/09/10/apple-imessages-end-to-end-encryption-stymies-us-data-request/