Page 660 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Summary
Designing secure computing systems is a complex task, and many
security engineers have dedicated their entire careers to
understanding the innermost workings of information systems and
ensuring that they support the core security functions required to
operate safely in today's threat environment. Many security professionals
don't need in-depth knowledge of these principles, but they should
have at least a broad understanding of the fundamentals that drive
efforts to enhance security within their own organizations.
Such understanding begins with an investigation of hardware,
software, and firmware and how those pieces fit into the security
puzzle. It’s important to understand the principles of common
computer and network organizations, architectures, and designs,
including addressing (both physical and symbolic), the difference
between address space and memory space, and machine types (real,
virtual, multistate, multitasking, multiprogramming, multiprocessing,
multiprocessor, and multiuser).
Additionally, a security professional must have a solid understanding
of operating states (single-state, multistate), operating modes (user,
supervisor, privileged), storage types (primary, secondary, real,
virtual, volatile, nonvolatile, random, sequential), and protection
mechanisms (layering, abstraction, data hiding, process isolation,
hardware segmentation, principle of least privilege, separation of
privilege, accountability).
No matter how sophisticated a security model is, flaws exist that
attackers can exploit. Some flaws, such as buffer overflows and
maintenance hooks (developer backdoors left in production code), are
introduced by programmers, whereas others, such as covert channels, are
architectural design issues. It is important to understand the impact
of such issues and to modify the security architecture when appropriate
to compensate for them.
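The programmer-introduced flaw named above, a buffer overflow, is easiest to see in code. The following C example is added here and is not from the study guide: it places an unbounded strcpy() into a fixed stack buffer beside a hardened version that checks the length (including the terminating NUL) before copying. The buffer size NAME_LEN and the function names are hypothetical choices for the illustration; the 32-byte input in main() is constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size destination buffer for the example. */
#define NAME_LEN 16

/* Vulnerable: strcpy() copies until it finds a NUL byte and never looks at
 * the size of 'name'. Any input of NAME_LEN bytes or more writes past the
 * end of the stack buffer (the classic programmer-introduced overflow). */
void greet_vulnerable(const char *input)
{
    char name[NAME_LEN];
    strcpy(name, input);                 /* no bounds check at all */
    printf("Hello, %s\n", name);
}

/* Hardened: refuse any input that does not fit together with its NUL
 * terminator, then copy exactly the bytes that were measured.
 * Returns 0 on success, -1 when the input is rejected. */
int greet_safe(const char *input, char *out, size_t out_len)
{
    size_t n = strlen(input);
    if (out_len == 0 || n >= out_len) {  /* n + 1 bytes must fit in out_len */
        return -1;
    }
    memcpy(out, input, n + 1);           /* copy the measured length plus NUL */
    return 0;
}

/* Predicts whether copying 'input' into a NAME_LEN buffer would overflow,
 * without performing the dangerous copy. Returns 1 if it would, else 0. */
int would_overflow(const char *input)
{
    return strlen(input) + 1 > NAME_LEN;
}

/* Convenience wrapper: run the hardened path against a NAME_LEN buffer and
 * report only the status, so callers need not manage the buffer. */
int try_safe(const char *input)
{
    char name[NAME_LEN];
    int rc = greet_safe(input, name, sizeof name);
    if (rc == 0) {
        printf("Hello, %s\n", name);
    }
    return rc;
}

int main(void)
{
    /* Constructed inputs: one that fits, one that is 32 bytes long. */
    const char *ok  = "Alice";
    const char *bad = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    greet_vulnerable(ok);                /* benign input: works by luck */
    /* greet_vulnerable(bad) is deliberately not called: it would corrupt
     * the stack (undefined behaviour) and typically crash the process. */

    printf("would_overflow(bad) = %d\n", would_overflow(bad));
    printf("try_safe(ok)  -> %d\n", try_safe(ok));    /* 0: accepted   */
    printf("try_safe(bad) -> %d\n", try_safe(bad));   /* -1: rejected  */
    return 0;
}
```

The point of the comparison is that the hardened version makes the destination size an explicit parameter and decides before copying, which is the check a reviewer looks for wherever untrusted input meets a fixed-size buffer.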