
Study Note Midterm

PROF ISSUE STUDY NOTE

Uploaded by

ezjustin99

Study Notes: Typical Domains of IT Infrastructure

7 Domains of IT Infrastructure

1. User Domain

o Includes all users accessing systems.

o Risks: Data deletion, malware from USB/CD, weak passwords.

2. Workstation Domain

o User's individual computers where work is done.

o Risks: OS/browser vulnerabilities, hardware failure.

3. LAN Domain (Local Area Network)

o Includes workstations, switches, routers; trusted zone.

o Risks: Malware spread, OS vulnerabilities, unauthorized access.

4. WAN Domain (Wide Area Network)

o Covers Internet and external networks.

o Risks: Network outages, DoS/DDoS attacks, illegal uploads via FTP.

5. LAN-to-WAN Domain

o Boundary between trusted (LAN) and untrusted (WAN); uses firewalls.

o Risks: Hackers, misconfigured firewalls.

6. Remote Access Domain

o Access through VPN by mobile/remote users.

o Risks: Unsecured communication, VPN outages.

7. System/Application Domain

o Includes critical systems like email, databases.

o Risks: SQL injection, data corruption, DoS attacks.

Types of Users in Windows


• Local User: Account info stored on the PC.

• Domain User: Account info stored on a domain controller, allowing access across a network.

Remote Access Methods

Method | Pros | Cons
IPSec VPN | Familiar, efficient, supports many users. | Needs pre-installed software, setup issues.
SSL VPN | Easy to deploy, works on mobile. | Higher firewall load, requires more config, license limits.
Microsoft DirectAccess | Seamless, always-on connection. | Complex setup, IPv6 dependency, needs LAN changes.

Security Risks & Threats

Unauthorized Access

• Physical: Access to secure areas (server rooms, documents).

• Logical: Unauthorized system access (can be internal or external).

Software & Server Vulnerabilities

• Bugs or weaknesses can be exploited via malware or direct attacks.

Data Loss

• Caused by failure, theft, or cyberattack.

• Prevention: Backups, encryption, limited access.

Risk Reduction Measures

• Secure sensitive areas physically.

• Encrypt data and enforce access control.


• Regularly back up systems.

• Keep software updated and patched.

• Follow acceptable use policies.

Cyber Ethics

• Follow the same rules online as in real life.

• Don’t: Cyberbully, plagiarize, hack, spread malware.

• Do: Respect privacy, copyrights, and others’ property.

Ethics Manifesto (Gerd Leonhard)

Human Right | Description
Right to remain natural | No need to embed tech in body to participate in society.
Right to be inefficient | We can choose to act slower than machines.
Right to disconnect | Freedom to go offline.
Right to be anonymous | Use apps/platforms without being tracked.
Right to use people over machines | Support human employment even if less efficient.

Code of Ethics for InfoSec Professionals

• Integrity: Act lawfully, responsibly, in public interest.

• Objectivity: Fair, unbiased, professional judgments.

• Professional Competence & Due Care: Stay skilled, diligent, and uphold standards.

Study Notes: Security Systems Engineering & Cryptography

Security Policy

Definition:

• A document defining how an organization protects its assets (physical, digital, etc.).

• It expresses intentions and conditions, not specific technologies.

Key Contributors:

• Board: Oversight and policy guidance.

• IT Team: Implements and adheres to technical standards.

• Legal Team: Ensures compliance with laws.

• HR Team: Manages employee training and acknowledgement.

Policy Structure and Types

Classification:

1. Physical Security – Secures premises (doors, surveillance).

2. Personnel Management – Guides employee behavior (passwords, info protection).

3. Hardware/Software – Specifies systems/network management protocols.

Common Issues in Policy Creation:

• Lack of need analysis.

• No clear lead or ownership.

• Skipping stakeholder input.

• No follow-up or monitoring.

Security Policy Lifecycle

1. Requirement Gathering

2. Proposal Definition
3. Policy Development

4. Approval

5. Publication

Policy Awareness & Enforcement

• Regular employee training is essential.

• Enforcement ensures compliance and discourages violations.

• Awareness training mitigates human-related risks like leaks or social engineering.

Security Processes (8 Total)

1. Privileged Password Management – Controlled access to sensitive data.

2. Network Admin Daily Tasks – Routine checklist to ensure consistency.

3. Network Security Audit Checklist – Covers hardware, software, and human risks.

4. Firewall Audit – Documents rule sets and reviews access policies.

5. VPN Configuration – Secure remote access with checks from IT & HR.

6. Apache Server Setup – Securing the world’s most used web server.

7. Email Server Security – Preventing phishing and malicious access.

8. Penetration Testing – Simulated attacks to identify vulnerabilities.

Network Compliance

• Uses scanning/monitoring tools to maintain legal and regulatory standards.

• Helps identify misconfigurations and prevent service interruptions.

• Involves audit, compliance, and database servers with web-based reporting.

Cryptography Concepts

Types:
1. Symmetric Key Cryptography

o One shared key.

o Fast, but key exchange is a risk.

2. Asymmetric Key Cryptography (Public Key)

o Uses public/private key pairs.

o Solves the key distribution problem, but is slower.

3. Hashing

o Converts data into a fixed-length hash.

o Ensures data integrity (not reversible).

Cryptanalysis – Attacking Cryptosystems

Attack Types:

1. Classical Attack

o Brute Force: Try all key combinations.

o Analytical: Study algorithm internals.

2. Social Engineering

o Human-based trickery (e.g., phishing, fake support calls).

3. Implementation Attacks

o Exploits side-channel data (e.g., power usage, timing).

Classical Encryption Techniques (Handout 2)

1. Caesar Cipher

o Shifts letters (e.g., A → B, with shift = 1).

o Example: "DEFEND" → "EFGFOE"

2. Keyword Cipher

o Uses a keyword to reorder the alphabet.


o Keyword “COLLEGE” results in a custom alphabet.

3. Giovanni’s Method

o Starts the keyword under a chosen letter.

o Unique variant of substitution cipher.

4. Transposition Technique

o Rearranges letters (e.g., Rail Fence).

o Example:

▪ Plaintext: MEET ME AFTER THE TOGA PARTY

▪ Ciphertext: MEMATRHTGPRYETEFETEOAAT

5. Polyalphabetic Cipher (Vigenère)

o Multiple Caesar ciphers with a keyword (e.g., “ATMOSPHERE”).

o Harder to crack than monoalphabetic ciphers.
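The ciphers above, worked through as an added example (not part of the original notes): it reproduces the Caesar and transposition results shown in the notes and lists every Caesar shift to show how small the brute-force key space is. The function names are illustrative, and the use of two rails is an assumption chosen because it yields the ciphertext given above.

```python
import string

A = string.ascii_uppercase

def letters(text):
    """Keep only A-Z, upper-cased; spaces and punctuation are dropped."""
    return "".join(c for c in text.upper() if c in A)

def caesar(text, shift):
    """Shift each letter by `shift` positions, wrapping past Z."""
    return "".join(A[(A.index(c) + shift) % 26] for c in letters(text))

def caesar_candidates(ciphertext):
    """Brute force: the key space is only 26 shifts, so list them all."""
    return {s: caesar(ciphertext, -s) for s in range(26)}

def keyword_alphabet(keyword):
    """Keyword letters first (repeats dropped), then the unused letters."""
    return "".join(dict.fromkeys(letters(keyword) + A))

def keyword_cipher(text, keyword):
    """Monoalphabetic substitution with the keyword-ordered alphabet."""
    table = str.maketrans(A, keyword_alphabet(keyword))
    return letters(text).translate(table)

def rail_fence(text, rails=2):
    """Write letters in a zigzag across `rails` rows, then read row by row."""
    rows, row, step = [[] for _ in range(rails)], 0, 1
    for c in letters(text):
        rows[row].append(c)
        if rails > 1:
            if row == 0:
                step = 1
            elif row == rails - 1:
                step = -1
            row += step
    return "".join("".join(r) for r in rows)

def vigenere(text, keyword, decrypt=False):
    """Caesar-shift letter i by the value of keyword letter i (repeating)."""
    key = letters(keyword)
    sign = -1 if decrypt else 1
    return "".join(A[(A.index(c) + sign * A.index(key[i % len(key)])) % 26]
                   for i, c in enumerate(letters(text)))

if __name__ == "__main__":
    print(caesar("DEFEND", 1))
    print(keyword_alphabet("COLLEGE"))
    print(rail_fence("MEET ME AFTER THE TOGA PARTY"))
    print(vigenere("DEFEND", "ATMOSPHERE"))
```

In the Vigenère output the two E's of DEFEND encrypt to different letters, which is why single-letter frequency counts that break a monoalphabetic cipher do not carry over directly.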
