CISSP domain 3: Security engineering CISSP – What you need to know for the exam

August 7, 2018 by Sumit Bhattacharya

Security Architecture and Engineering is a very important component of Domain #3 in the CISSP exam. It accounts for a good chunk of the exam, as topics in this domain make up 13% of it. Apart from that, the knowledge gained from this domain provides a crucial, fundamental background for any kind of cybersecurity professional.

The following is a list of knowledge areas that the aspiring CISSP-certified individual must have at least a baseline knowledge of.

Security engineering

As the CISSP exam questions are also scenario-based, you must be able to understand these principles and apply them:

Secure design principles

Incorporating security into the design process

Security engineers attempt to retrofit an existing system with security features designed to protect the confidentiality, integrity and availability of the data handled by that system.

Subject/object model

In this approach, every access request is seen as having two different components: a subject who is requesting some type of access and an object which is the resource being requested.

Failure modes

There are two possible failure modes:

  • Fail open system. If the security controls fail, they are automatically bypassed
  • Fail secure system. This is where a security control fails, and the system locks itself down to a state where no access is granted
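The two failure modes applied to the subject/object model above, as an added example that is not part of the original article. The policy table, the names `Request`, `lookup` and `authorize`, and the `control_healthy` switch that simulates a failed control are all assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    subject: str  # who is requesting access
    obj: str      # the resource being requested
    action: str   # the type of access requested


class ControlFailure(Exception):
    """The security control itself has failed (e.g. policy store unreachable)."""


# Constructed sample policy: (subject, object) -> permitted actions.
POLICY = {
    ("alice", "payroll.db"): {"read"},
    ("bob", "wiki"): {"read", "write"},
}


def lookup(request: Request, control_healthy: bool) -> bool:
    """Normal decision path: consult the policy for this subject/object pair."""
    if not control_healthy:
        raise ControlFailure("policy store unreachable")
    allowed = POLICY.get((request.subject, request.obj), set())
    return request.action in allowed


def authorize(request: Request, fail_mode: str, control_healthy: bool = True) -> bool:
    """Return True if access is granted; fail_mode is 'open' or 'secure'."""
    if fail_mode not in ("open", "secure"):
        raise ValueError("fail_mode must be 'open' or 'secure'")
    try:
        return lookup(request, control_healthy)
    except ControlFailure:
        # Fail open: the failed control is bypassed and everyone gets in.
        # Fail secure: the system locks down and no access is granted.
        return fail_mode == "open"


def outage_decisions(fail_mode: str) -> dict:
    """Decisions for a permitted and a non-permitted subject while the control is down."""
    permitted = Request("alice", "payroll.db", "read")
    not_permitted = Request("mallory", "payroll.db", "read")
    return {
        r.subject: authorize(r, fail_mode, control_healthy=False)
        for r in (permitted, not_permitted)
    }
```

During the simulated outage, fail open grants access to a subject with no policy entry, while fail secure also denies the subject who would normally be allowed, which is the availability cost of locking down.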

Security models

This part of the domain can be considered more theoretical in nature. Nevertheless, you should still have an understanding of these models, as the CISSP exam will cover them to some degree or another. It is important to note that this is not an all-inclusive list of the security models; you should refer to your study book or boot camp notes to get all of the details of all of the relevant models.

  • Bell-LaPadula security model
  • Biba integrity model
  • Lattice-Based Access controls
  • Integrity models
  • Clark-Wilson
  • Information Flow model
  • Chinese Wall model
  • Noninterference model
  • Take-Grant Protection model
  • The Access Control Matrix
  • Zachman Framework for Enterprise Architecture
  • Graham-Denning model
  • Harrison-Ruzzo-Ullman model

Security requirements

You also need to understand the following regarding the approval process in an organization for how a particular technology can be deployed and implemented:

  • Certification. This is the process of determining that a technology product meets the requirements of a certain level of certification. It is a government-wide decision that a product meets certain security requirements
  • Accreditation. This is a decision made after certification, and it is a specific decision as to whether a technology system may be used in a specific environment

Cloud computing and virtualization

As you prepare for the CISSP exam, you also need to understand the importance of the three families of cloud computing, which are as follows:

  • Private cloud
  • Public cloud
  • Hybrid cloud

Organizations adopting a hybrid cloud approach use a combination of public and private clouds. In this model, they may use the public cloud for some computing workloads, but they also operate their own private cloud for other workloads.

High availability and fault tolerance

For any security professional, the basics of having redundant systems and mitigating failures are of prime importance, and are reviewed as follows:

  • The core concept of high availability is having operationally redundant systems, sometimes at different locations; for example, having a cluster of web servers in place that can continue to operate even if a single server fails
  • Fault tolerance, on the other hand, helps protect a single system from failing in the first place by making it resilient in the conditions of technical failures

Client and server vulnerabilities

Most businesses and corporations have some sort of client-server network topology. This is where many workstations and wireless devices (the clients) are connected to a central server so that resources can be accessed quickly and easily. Given this level of importance in the real world, this is a rather heavily weighted component on the CISSP exam. You should have a firm grasp of the following concepts:

Client security issues

  • Applets. Applets written in languages like Java and Microsoft’s ActiveX come with some serious security issues, as they let a remote website run code on your computer. For this reason, most security professionals recommend against using applets
  • Local caching. A cache is a local store of information that a browser uses to speed things up by eliminating redundant lookups. In an attack known as cache poisoning, an attacker inserts fake records in the DNS cache on a local computer, which then redirects unsuspecting users of that computer to illegitimate websites. Similar types of attacks can happen for the Address Resolution Protocol (ARP), and for files retrieved from the Internet

Server security issues

Security professionals must be aware of security issues that are particular to certain environments. All servers are affected by data flow control, while database servers must also be protected against aggregation, inference and other database-specific attacks.

Two types of attacks are specific to database servers, and are thus important to know for the CISSP exam:

  • Aggregation. Aggregation occurs when an individual with a low-level security clearance is able to piece together facts available at that low level to determine a very sensitive piece of information that he or she should not have access to
  • Inference. Inference occurs when an individual can figure out sensitive information from the facts available to him or her

Web security

For cybersecurity professionals, web security vulnerabilities are among the trickiest problems to tackle. The Open Web Application Security Project (OWASP) maintains a list of the top 10 web security vulnerabilities; the CISSP exam-taker should understand each of them and know the defense mechanisms for them. The current version of the OWASP top 10 was developed in 2017.

Mobile security

Given the importance of smartphones in both our personal and professional lives, keeping them secure from cyberattacks is a must. In light of this, the CISSP exam covers key mobile security concepts which the candidate must be aware of, including the following. Please note that once again, this is not an all-inclusive list, so it is very important that you refer to your CISSP study book or boot camp material for more information.

Mobile device security

  • Mobile devices should be protected with one or more access control mechanisms, such as passcodes and biometric fingerprint authentication
  • Device encryption
  • Ability to remove the contents of your device over the network, also known as remote wiping
  • Automatic screen-lock after a certain period of inactivity
  • User lockout if an incorrect passcode is entered too many times

Mobile device management

Mobile device management (MDM) solutions provide organizations with an easy way to manage the security settings on many mobile devices simultaneously. Mobile device management is a powerful tool that allows security professionals to ensure that all devices used with an organization’s data have security settings in place that match the organization’s security policy.

Mobile application security

Smartphone and tablet apps offer users a powerful set of features that improve their productivity. But security professionals must be sure to carefully evaluate each app to ensure that its use of data meets the organization’s security policies. For the CISSP exam you should understand the following application security concerns:

  • Mobile application authentication
  • Encryption of sensitive information

Smart device security

Given that technology is becoming more advanced and more “intelligent” in nature, smart device security is a topic covered in the CISSP exam. The candidate should have a firm grasp of the following concepts:

Industrial control systems

Industrial control systems (ICS) are the devices and systems that control industrial production and operation. These systems monitor electricity, gas, water and other utility infrastructure and production operations. Attacks on these systems can disable a nation’s power grid and can even destroy parts of a city’s infrastructure. For security professionals, it’s mandatory to secure the following types of industrial control systems:

  • Supervisory Control and Data Acquisition (SCADA)
  • Distributed Control Systems (DCS)
  • Programmable Logic Controllers (PLC)

Securing the IoT

Taking a layered approach to security and using multiple controls to achieve the same objectives improves the odds that your network will remain safe from embedded-device attacks. Following are some security measures for embedded devices:

  • Ensure regular security updates (manual or automated) for embedded devices
  • Implement security wrappers for embedded devices
  • Use network segmentation for embedded devices
  • Use a web-application firewall, as most embedded devices have web consoles

Whatever approach you choose, you should incorporate security, control, diversity and redundancy.


The basic thrust of the world of cybersecurity is ensuring that information and data will be rendered useless if intercepted by a third party while in transit. This is where the concepts of cryptography come into play; cryptography is a heavily weighted and heavily covered topic not only in this particular domain, but on the CISSP exam as well. Therefore, the candidate must have a very deep understanding of these concepts. The lists below are not all-inclusive, so once again, refer back to your CISSP training study book or boot camp training materials.

CISSP course exam takers should have an understanding of:

Symmetric cryptography

  • Data Encryption Standard (DES)
  • 3DES
  • AES, Blowfish, and Twofish
  • RC4
  • Steganography

Asymmetric cryptography

  • Rivest-Shamir-Adleman (RSA)
  • PGP and GnuPG
  • Elliptic-curve and quantum cryptography

Goals of cryptography

  • Confidentiality
  • Integrity
  • Authentication
  • Nonrepudiation

5 stages of cryptographic life cycle

  • Phase I – Initiation: Gathers the requirements for the new cryptographic system
  • Phase II – Development and Acquisition: Find an appropriate combination of hardware, software and algorithms that meets the organization’s security objectives
  • Phase III – Implementation and Assessment: Configure and test the cryptographic system
  • Phase IV – Operations and Maintenance: Ensure the continued secure operation of the cryptographic system
  • Phase V – Sunset: Phase out the system and destroy/archive keying material

Digital rights management

DRM uses encryption to render content inaccessible to those who do not possess the necessary license to view the information. It thus provides content owners with the technical ability to prevent the unauthorized use of their content.

Public-key infrastructure

Public-key infrastructure can be defined as the set of roles, policies and procedures required to manage, create, use, distribute, store and revoke digital certificates and manage public-key encryption. Important functions include the following:

  • PKI and digital certificates
  • Hash functions
  • Digital signatures
  • How a digital certificate is created
  • How a digital certificate is revoked

Cryptanalytic attacks

For the CISSP exam, you should know the following cryptanalytic attacks:

  • Brute-force attacks
  • Knowledge-based attacks

Physical security

In the world of security, we often think in terms of hardware, software, databases, servers, wireless devices, smartphones and so forth. But we often forget that these items are stored in a physical place, and these kinds of premises must be protected as well. This is also an important part of the CISSP exam, and the candidate must have a baseline understanding of the following concepts:

  • Site and facility design
  • Data center environmental controls
  • Data center environmental protection
  • Physical security controls types
  • Physical access control
  • Visitor management

This concludes our review of CISSP Domain 3: Security Architecture and Engineering. Thank you for reading, and good luck on your exam!
